Australian Government - Office of the Australian Information Commissioner

Privacy agency resource 3: Information Privacy Act 2014 — Checklist for ACT agencies


The Information Privacy Act 2014 (ACT) (Information Privacy Act) commences on 1 September 2014. The Information Privacy Act replaces the Privacy Act 1998 (Cth) as in force on 1 July 1994 (and as modified by the Australian Capital Territory Government Service (Consequential Provisions) Act 1994 (Cth)), which previously applied to ACT agencies.

The Information Privacy Act regulates the handling of personal information by ACT public sector agencies (ACT agencies). It also regulates contracted service providers (including subcontractors), but only to the extent they perform obligations under a government contract (ACT contractors).

If your agency is an ACT agency or you are an ACT contractor, you will need to understand the obligations set out in the Information Privacy Act. Use the checklist below to help you understand the main changes you may need to make. The checklist is not intended to be a comprehensive list of obligations under the Information Privacy Act and is not a substitute for an ACT agency or contractor determining its full obligations under the Act.

Most of the requirements set out below are outlined in the Territory Privacy Principles (TPPs) in the Information Privacy Act. The TPPs are reproduced in Privacy Fact Sheet 42 — Australian Capital Territory Privacy Principles.

More information about the Information Privacy Act is available at Australian Capital Territory Privacy.

Checklist of changes in the Information Privacy Act

Each item in the checklist sets out the change, the relevant part of the Information Privacy Act, the questions to consider and the action to take. The original checklist also has a 'Complete?' column for the agency to tick off each item.

The change: There are some changes to what constitutes 'personal information' and 'sensitive information' under the Information Privacy Act.

Relevant part of the Information Privacy Act: 'Personal information' is defined in section 8 of the Information Privacy Act and 'sensitive information' is defined in section 14 of the Information Privacy Act.

Consider: Do we handle 'personal information' or 'sensitive information'?

Action: Review information holdings to determine whether 'personal information' or 'sensitive information' is handled. If 'yes', ensure that the TPPs are complied with.

The change: ACT agencies must not enter into a government contract unless it contains measures to ensure that the contracted service provider (or subcontractor) does not do an act or engage in a practice that breaches a TPP or a TPP code that binds the agency.

ACT contractors can be liable for an act or practice under a government contract that breaches a TPP or binding TPP code, as this is taken to be an 'interference with an individual's privacy'.

Relevant part of the Information Privacy Act: Section 21 — privacy protection requirements for government contracts. 'Government contract' is defined in the Dictionary to the Information Privacy Act. Section 11(2) — meaning of interference with an individual's privacy.

Consider: What services are provided to the ACT agency under a government contract?

Action: ACT agencies should review practices, procedures and systems for entering into new government contracts.

The change: ACT agencies must take reasonable steps to implement new practices, procedures and systems that will ensure compliance with the new TPPs and any TPP code that binds the agency. This may include training staff or establishing procedures to identify and manage privacy risks.

Relevant part of the Information Privacy Act: TPP 1 — Open and transparent management of personal information.

Consider: What reasonable steps do we need to take to implement new practices, procedures and systems that will ensure compliance with the new TPPs and any binding TPP codes?

Action: Review practices, procedures and systems to ensure compliance with the new TPPs and any binding TPP codes. Working through the actions in the rest of this checklist will assist ACT agencies to meet their obligations under this TPP.

The change: ACT agencies should have an up to date TPP privacy policy that is reviewed regularly. The new laws set out some requirements for privacy policies, including requirements for content and availability.

Relevant part of the Information Privacy Act: TPP 1 — Open and transparent management of personal information.

Consider: Do we have a privacy policy? If so, is it up to date? Does it cover the matters listed in TPP 1.4? Is it freely available?

Action: Review or draft a TPP privacy policy. Refer to the OAIC's Guide to Developing an APP Privacy Policy. Make the TPP privacy policy available in an appropriate form and for free.

The change: ACT agencies must take reasonable steps to implement practices, procedures and systems that will ensure the agency can handle privacy inquiries and complaints from individuals.

Relevant part of the Information Privacy Act: TPP 1 — Open and transparent management of personal information.

Consider: What reasonable steps do we need to take to ensure we have practices, procedures and systems in place for handling privacy inquiries and complaints?

Action: Review practices, procedures and systems for handling privacy inquiries and complaints.

The change: ACT agencies must give individuals the option to interact with the agency anonymously or by using a pseudonym. You may not have to do this if an exception applies in relation to a particular matter.

Relevant part of the Information Privacy Act: TPP 2 — Anonymity and pseudonymity.

Consider: How can we ensure that individuals can interact with our ACT agency anonymously or by using a pseudonym? Is it impracticable to allow this for particular transactions? Are we required or authorised by or under an Australian law or an order of a court or tribunal to deal with individuals who have identified themselves for particular transactions?

Action: Implement practices, procedures and systems to enable your agency to allow individuals to interact with you anonymously or by using a pseudonym, unless an exception applies in relation to a particular matter.

The change: There are new rules that apply to collection practices and notices when collecting personal information and/or sensitive information. These rules include prescriptive requirements about the content of notices.

Relevant part of the Information Privacy Act: TPP 3 — Collection of personal and sensitive information. TPP 5 — Notification of collection.

Consider: Do we collect personal and/or sensitive information? Do we ensure that sensitive information is collected in accordance with the higher protections in TPP 3.3? How, and about what matters, do we notify individuals when collecting their personal or sensitive information?

Action: Review collection practices, procedures and systems, including collection notices.

The change: There are new rules on how to deal with unsolicited personal information, including when this information must be destroyed or de-identified.

Relevant part of the Information Privacy Act: TPP 4 — Dealing with unsolicited personal information.

Consider: Do we receive unsolicited personal information? What are our practices, procedures and systems for dealing with unsolicited information?

Action: Review practices, procedures and systems for dealing with unsolicited information.

The change: There are new rules on when personal information and sensitive information can be used or disclosed.

Relevant part of the Information Privacy Act: TPP 6 — Use or disclosure.

Consider: For what purposes do we use and disclose personal information and sensitive information?

Action: Review practices, procedures and systems for the use and disclosure of personal information and sensitive information.

The change: Where an ACT agency discloses personal information to an overseas recipient, it must take reasonable steps to ensure that the recipient does not breach the TPPs. Exceptions apply.

There are new rules about an ACT agency's accountability for personal information that it has disclosed to overseas recipients.

Relevant part of the Information Privacy Act: TPP 8 — Cross-border disclosure. Section 22 — deemed breach in relation to acts and practices of overseas recipients of personal information.

Consider: Do we send personal information overseas? Do we have appropriate arrangements with overseas recipients to ensure that personal information disclosed overseas is handled in accordance with the TPPs?

Action: Review practices, procedures and systems for sending personal information overseas (this may include reviewing outsourcing agreements).

The change: ACT agencies must take reasonable steps to ensure that the personal information they collect, use or disclose is up to date, complete and accurate (personal information used or disclosed must also be relevant, having regard to the purpose of the use or disclosure).

Relevant part of the Information Privacy Act: TPP 10 — Quality.

Consider: What reasonable steps do we need to take to ensure that the personal information we collect, use or disclose is up to date, complete, accurate and relevant for the purpose of the use or disclosure?

Action: Review practices, procedures and systems for ensuring that personal information collected, used or disclosed is up to date, complete, accurate and relevant for the purpose of the use or disclosure.

The change: ACT agencies must take reasonable steps to protect the personal information they hold from misuse, interference (this may include introducing measures to protect against computer attacks), loss and from unauthorised access, modification or disclosure.

Relevant part of the Information Privacy Act: TPP 11 — Security.

Consider: What reasonable steps do we need to take to ensure that the personal information we collect is protected from misuse, interference, loss and from unauthorised access, modification or disclosure?

Action: Review practices, procedures and systems for ensuring personal information is protected from misuse, interference, loss and from unauthorised access, modification or disclosure (refer to the OAIC's Guide to information security – April 2013).

The change: ACT agencies are required to take reasonable steps to destroy or de-identify personal information if it is no longer needed for any authorised purpose, subject to some exceptions.

Relevant part of the Information Privacy Act: TPP 11 — Security.

Consider: What reasonable steps do we need to take to ensure personal information is destroyed or de-identified when it is no longer needed for any authorised purpose? Do any exceptions apply to the information we hold?

Action: Review practices, procedures and systems for ensuring personal information is destroyed or de-identified when it is no longer needed.

The change: There are new rules on how ACT agencies are to respond to requests for access to and correction of personal information (including timeframes, the manner in which access is to be given, when written reasons are required and charging).

There are also new rules about when an ACT agency should correct personal information, even if it has not received a request from an individual.

Relevant part of the Information Privacy Act: TPP 12 — Access. TPP 13 — Correction.

Consider: What are our processes for responding to requests from individuals for access to and correction of personal information? What are our processes for identifying and correcting personal information that is inaccurate, out of date, incomplete, irrelevant or misleading?

Action: Review practices, procedures and systems for correcting personal information and/or responding to requests from individuals for access to and correction of personal information (including timeframes for responding, the manner in which access is given, the provision of written reasons and charges for access and correction).

For further information

Telephone: 1300 363 992
Email: enquiries@oaic.gov.au
Write: GPO Box 5218, Sydney NSW 2001
Or visit our website at www.oaic.gov.au