The Office of the Australian Information Commissioner (OAIC) is providing this self-assessment checklist to assist service providers in considering their privacy obligations under the Data Retention Scheme.
Pursuant to legislative amendments introduced by the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth), service providers must retain certain telecommunications data for a period of two years. This legislation also requires all service providers that collect and retain telecommunications data under the Data Retention Scheme to comply with the Privacy Act 1988 (Cth) in relation to that data. Since October 2015, the Data Retention Scheme has operated in an implementation period to allow service providers to prepare for compliance with the scheme. The implementation period will end in April 2017.
The OAIC’s preferred regulatory approach is to facilitate compliance with privacy obligations and to work with entities to ensure best privacy practice and prevent privacy breaches. We have previously published a resource to inform service providers about their privacy obligations under the Data Retention Scheme.
Why use the checklist?
The self-assessment checklist will help your organisation:
- identify how to meet these privacy obligations
- identify how to improve your existing privacy management framework
- identify potential areas of privacy risk
- mitigate these risks by improving compliance with the Privacy Act, in light of the Data Retention Scheme.
For example, this may include creating or updating your organisation’s policy documentation or changing some of your organisation’s business processes for handling personal information. The checklist may also assist you in regularly reviewing your organisation’s privacy management framework and practices.
How to use the checklist
Each question in the checklist prompts a ‘yes’ or ‘no’ answer. Alongside each question, there is guidance on how to interpret the question, including some links to relevant OAIC resources. There are also some examples of answers that may be suitable for certain questions, and some key terms are defined in footnotes throughout.
Where your organisation has answered ‘yes’ to a question, you should generally be able to point to a policy or procedural document from your organisation that supports your response. For example, if you answer that your organisation has access controls to protect the personal information you hold, you should be able to refer to written policies or business rules that explain what those access controls are. If you are unable to identify a document that supports your response, you should consider creating one for your organisation, or updating existing documentation to ensure that your organisation’s privacy management is up to date.
Some questions may not apply to your organisation directly. For example, if your organisation is small, there may not be a specific privacy officer role. However, you could interpret the question as asking whether there is someone responsible for overseeing the privacy responsibilities within your organisation.
We are open to discussing this checklist and/or your organisation’s responses with you. Should you wish to do so, please contact us.
1 – Overall privacy management
Does your organisation have someone responsible for overall privacy management?
e.g. the Chief Information Officer is accountable to the CEO for privacy matters and reports on privacy matters fortnightly
Organisations should appoint key roles and responsibilities for privacy management, including a senior member of staff with overall accountability for privacy. Small-sized service providers may have one person occupying this role at the same time as other management roles.
2 – Day-to-day privacy management
Does your organisation have someone to manage privacy issues on a day-to-day basis?
e.g. we have a privacy officer who is involved in the development of new information handling processes / we have a member of staff who has privacy compliance written into their KPIs
Depending on the size of their operations, organisations should have one or more staff responsible for managing privacy, including a key privacy officer. These staff should be responsible for handling internal and external privacy enquiries, complaints, and access and correction requests. Small-sized service providers may have one person occupying this role at the same time as other operational roles.
3 – Privacy reporting
Does your organisation record and report on privacy risks and issues?
e.g. we have a privacy risk register to record any issues / management reviews the risk register / we include privacy issues as a standing agenda item in team meetings
Organisations should facilitate effective reporting mechanisms at all levels, and have an established process for reporting privacy risks to management.
Your organisation may also have done, or be considering doing, a privacy impact assessment of your business systems and processes operating under the Data Retention Scheme. The Guide to undertaking privacy impact assessments may be useful.
4 – Privacy training
Does your organisation integrate privacy into training and induction processes for staff?
Are staff provided with regular and clear guidance on how to handle personal information in their day-to-day work?
e.g. all new staff receive privacy induction and privacy training is provided annually to staff. Privacy resources are published on the intranet for staff to access and a privacy officer is available to answer enquiries from staff.
5 – Privacy policies
6 – Consumer access to personal information
Does your organisation have processes for receiving and responding to privacy enquiries, complaints or requests for access to personal information from consumers?
e.g. we ensure that the information about how to make a privacy complaint is easy to find. Privacy complaints are then identified and directed to the appropriate staff. We regularly review the issues raised by privacy complaints.
The OAIC’s Handling privacy complaints resource provides information to help your organisation address a privacy complaint.
APP 12 contains some minimum access requirements, including the time period for responding to an access request, how access is to be given, and that a written notice, including the reasons for the refusal, must be given to the individual if access is refused.
7 – Disclosure of personal information to law enforcement
Does your organisation have processes in place to respond to requests for access to personal information from law enforcement agencies?
A limited group of enforcement and security agencies are authorised to obtain telecommunications data, including personal information, in certain circumstances. The Attorney-General’s Department’s data retention website contains some guidance on service provider obligations under the data retention scheme.
8 – ICT security
Does your organisation have ICT security processes and controls in place to protect personal information?
e.g. we have processes and controls regarding:
The OAIC’s Guide to securing personal information sets out a number of ICT security steps that organisations should consider taking to protect the personal information they hold.
Organisations should take particular note of their processes for encrypting personal information. Encryption of retained data is a specific security requirement under the data retention scheme (s 187BA of the Telecommunications (Interception and Access) Act 1979 (Cth)).
9 – Access security
Does your organisation have access controls in place to protect personal information?
e.g. we have an access control policy which applies to everyone handling personal information.
Access security and monitoring controls help your organisation protect against internal and external risks by ensuring that personal information is only accessed by authorised persons.
To minimise these risks, your organisation should, where possible, limit internal access to personal information to those staff who need it to do their job. Your organisation should also use mechanisms that authenticate users requesting access to its systems, so that only authorised users gain access.
The OAIC’s Guide to securing personal information has more information about access security.
10 – Data breach response
Does your organisation have a data breach response plan?
e.g. we have a data breach response plan document / we have a wider crisis management plan, which includes how to respond to a data breach
The OAIC’s Guide to developing a data breach response plan will help your organisation to develop its data breach response plan.
The OAIC’s Data breach notification — A guide to handling personal information security breaches also provides guidance to assist your organisation to respond effectively to data breaches.
11 – Accuracy of personal information
Does your organisation have processes in place to ensure that personal information you hold is accurate and kept up-to-date?
e.g. we have processes regarding:
12 – De-identification or destruction of personal information
Does your organisation have processes in place to ensure that personal information is de-identified or destroyed once it is no longer in use (after the mandatory retention period)?
e.g. we have processes regarding:
The OAIC’s Guide to securing personal information sets out steps organisations can take to destroy or de-identify personal information.
13 – Reviews of privacy practices
Did your organisation undertake any reviews to assess the compatibility of your personal information handling processes with the Data Retention Scheme?
e.g. we have reviewed our processes for encrypting retained personal information and for protecting it from unauthorised interference or unauthorised access, as required by s 187BA of the Telecommunications (Interception and Access) Act 1979 (Cth)
14 – Feedback on privacy practices
Does your organisation have channels for customers and staff to provide feedback on privacy issues related to the Data Retention Scheme?
e.g. we have a suggestion box / feedback form
Your organisation should facilitate accessible channels for reporting issues and providing feedback on your privacy management of the retained data.
15 – Process improvement
Has your organisation incorporated any review findings or feedback to improve personal information handling practices under the Data Retention Scheme?
e.g. we have devised a plan of actions to address the recommendations made in a recent privacy impact assessment on our new business processes under the Data Retention Scheme.
Your organisation may have reviewed and updated your public facing policy documents to reflect any changes to your practices brought about by the Data Retention Scheme, and any subsequent feedback.
16 – Monitoring
Does your organisation monitor and address new security risks and threats that may be relevant to the personal information you hold?
Your organisation can keep informed of issues and developments in privacy law and changing legal obligations by subscribing to the OAIC’s news email list for updates. Your organisation can also participate in privacy seminars, including the OAIC’s webinars.
Organisations should monitor and address new security risks and threats. Subscribe to the Stay Smart Online Alert Service and follow the steps it suggests for ensuring online security, including implementing software updates and patches. The Australian Cyber Security Centre and CERT Australia also provide guidance on cyber security issues.
Senior: someone in a prominent position within the organisational structure.
Accountability: being responsible for a process or outcome.
Personal information: information or an opinion about an identified individual or an individual who is reasonably identifiable.
Privacy risks: the risks associated with not managing, collecting, using, or securing personal information in accordance with the Privacy Act.
Processes: outlines for the measures, steps, and procedures used in achieving outcomes or responding to events.
APPs: Australian Privacy Principles. Found in the Privacy Act.
Data breach: when personal information held by an organisation is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference.
De-identification: personal information is de-identified if the information is no longer about an identifiable individual or an individual who is reasonably identifiable.
Governance: the structure, system, or manner of controlling something.