Site Changes
- Note 1: Major changes to the Privacy Act 1988 will come into effect in March 2014. Agencies, businesses and not for profits need to start preparing for these changes. For more information go to our privacy law reform page at www.oaic.gov.au
- Note 2: From 12 March 2013 content is no longer being added to or amended on this site; consequently, some information may be out of date. For new privacy content visit the www.oaic.gov.au website.
10 Steps Guide to Protecting Other People's Personal Information
Don't Leave Privacy to Chance... Take Steps to Protect Personal Information
Steps for organisations and agencies
This document is designed to assist your organisation or agency in considering ways in which it can protect other people's personal information. It also provides a broad overview of some of the rights afforded to individuals and the obligations placed on organisations and Australian and ACT Government agencies under the Privacy Act 1988 (Cth). As such, the information contained in this document is not comprehensive. If you have queries about anything in this document, or any privacy-related issue, please visit our website at www.privacy.gov.au or call our Privacy Enquiries Line on 1300 363 992.
- Only collect information that is necessary.
- Do not collect personal information about an individual just because you think that information may come in handy later.
- Tell people what you are going to do with the personal information you collect about them.
- Consider whether you should be using personal information for a particular purpose.
- Consider whether you need to disclose personal information.
- If people ask, give them access to the personal information you hold about them.
- Keep personal information secure.
- Don't keep information you no longer need or are no longer required to retain.
- Keep personal information accurate and up to date.
- Consider making someone in your organisation or agency responsible for privacy.
1. Only collect information that is necessary.
Make sure individuals know what personal information your organisation or agency collects and why. Consider whether each piece of information is necessary for any of the functions or activities of the organisation or agency and whether the information is required in the circumstances. It may be the case that in some circumstances you can carry out your activities without collecting personal information, allowing individuals to interact with your organisation anonymously.
For organisations see: www.privacy.gov.au/materials/types/infosheets/view/6583#a
For Australian and ACT Government agencies see: www.privacy.gov.au/materials/types/infosheets/view/6541#a
2. Do not collect personal information about an individual just because you think that information may come in handy later.
You should only collect information that is necessary at the time of collection, not information that may become necessary or useful at a later date. If the need arises later, collect the information then.
For organisations see: www.privacy.gov.au/materials/types/infosheets/view/6583#a
For Australian and ACT Government agencies see: www.privacy.gov.au/materials/types/infosheets/view/6541#a
3. Tell people what you are going to do with the personal information you collect about them.
You should let individuals know why you need to collect the information, how you plan to use it and if you intend disclosing it. You should provide details about how they can contact you and, if they want to, how they can gain access to their personal information.
For organisations see: www.privacy.gov.au/materials/types/infosheets/view/6583#a
For Australian and ACT Government agencies see: www.privacy.gov.au/materials/types/infosheets/view/6541#b
4. Consider whether you should be using personal information for a particular purpose.
Organisations often begin using personal information for a secondary purpose unrelated to the main purpose for which they collected the information. Unless you have consent from the individual concerned or authorisation under law, you should normally only use personal information if the use is related to the purpose you collected it for and within the reasonable expectations of the individual.
For organisations see: www.privacy.gov.au/materials/types/infosheets/view/6583#b
For Australian and ACT Government agencies see: www.privacy.gov.au/materials/types/infosheets/view/6541#j
5. Consider whether you need to disclose personal information.
In some cases, organisations and agencies disclose personal information that they do not need to disclose or disclose information without thinking about whether the disclosure is authorised. Consider whether you can achieve your purpose without disclosing personal information. It is often best practice to seek consent from the individual concerned if you wish to disclose their personal information for a reason beyond the reason for which you collected it. The Privacy Act allows disclosures in some circumstances.
For organisations see: www.privacy.gov.au/materials/types/infosheets/view/6583#b
For Australian and ACT Government agencies see: www.privacy.gov.au/materials/types/infosheets/view/6541#k
6. If people ask, give them access to the personal information you hold about them.
Organisations and Australian and ACT Government agencies have a general duty to provide individuals with access to their personal information. You should be as open as possible by providing individuals with access to their own personal information in the form they request. If you wish to deny an individual access to personal information you should provide reasons, consistent with the Privacy Act, as soon as you can. Agencies should also be mindful of their obligations under the Freedom of Information Act 1988 (Cth) which also provides some grounds for denying access.
For organisations see: www.privacy.gov.au/materials/types/infosheets/view/6583#f
For Australian and ACT Government agencies see: www.privacy.gov.au/materials/types/infosheets/view/6541#f
7. Keep personal information secure.
It is important that you keep personal information safe and secure from unauthorised access, modification or disclosure and also against misuse and loss. The steps you should take should be proportionate to the sensitivity of the information you hold. Methods might include checking that all personal information has been removed from computers before you sell them, installing firewalls, cookie removers and anti-virus scanners on work IT systems, keeping hard copy files in properly secured cabinets, training staff in privacy procedures and allowing file access to staff on a 'need to know' basis only. You could also regularly monitor your information handling practices to ensure they are secure and consider the adequacy of existing security measures. Depending on the size of the organisation and the information it collects, you may wish to consider having an external privacy audit conducted.
For organisations see: www.privacy.gov.au/materials/types/infosheets/view/6583#d
For Australian and ACT Government agencies see: www.privacy.gov.au/materials/types/infosheets/view/6541#d
8. Don't keep information you no longer need or are no longer required to retain.
If you no longer need personal information and there is no law that compels you to retain it, then destroy it. You should shred, pulp or otherwise destroy the paper on which the personal information is recorded, place the files in a security garbage bin, and securely delete any electronic record or file from computer systems so that it cannot be retrieved.
For organisations see: www.privacy.gov.au/materials/types/infosheets/view/6583#d
For Australian and ACT Government agencies see: www.naa.gov.au/recordkeeping/disposal/disposal.html
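The rule in step 8 has two conditions: the information is no longer needed for its purpose, and no law compels retention. The following is an added example (not part of the guide, and not OAIC code) of a retention sweep that applies both conditions to a set of records. The retention schedule, the `Record` shape, the legal-hold flag and the sample records are all constructed assumptions for illustration; a real schedule would come from the agency's records authority or the organisation's retention policy.

```python
"""Added example: a retention sweep applying step 8 of the guide.

Assumptions (not from the guide): each record carries the date it was
collected, the purpose it was collected for, and a legal-hold flag set
when a law or proceeding compels retention. RETENTION_DAYS is a
hypothetical schedule mapping purpose -> days to keep after collection.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Record:
    record_id: str
    collected: date
    purpose: str
    legal_hold: bool = False  # True when retention is compelled by law


# Hypothetical retention schedule (constructed for this example).
RETENTION_DAYS = {
    "newsletter": 365,
    "order": 7 * 365,
    "recruitment": 180,
}


def is_due_for_destruction(rec, today):
    """True only when both conditions of step 8 hold: no legal hold and
    the retention period for the record's purpose has expired."""
    if rec.legal_hold:
        return False
    if rec.purpose not in RETENTION_DAYS:
        # No rule for this purpose: never guess; refer it to a person.
        return False
    expiry = rec.collected + timedelta(days=RETENTION_DAYS[rec.purpose])
    return today > expiry


def sweep(records, today):
    """Split records into those to destroy and those retained, with the
    reason for each retention so the decision can be reviewed."""
    destroy, retained = [], {}
    for rec in records:
        if is_due_for_destruction(rec, today):
            destroy.append(rec.record_id)
        elif rec.legal_hold:
            retained[rec.record_id] = "legal hold"
        elif rec.purpose not in RETENTION_DAYS:
            retained[rec.record_id] = "no retention rule for purpose"
        else:
            retained[rec.record_id] = "within retention period"
    return destroy, retained


def destruction_register(destroy, today):
    """Produce audit-trail lines recording what was destroyed and when;
    the guide expects destruction, not silent loss, so keep evidence."""
    return [f"{today.isoformat()} destroyed {rid}" for rid in destroy]


# Constructed sample records for illustration only.
SAMPLE_RECORDS = [
    Record("r1", date(2012, 1, 1), "newsletter"),            # expired
    Record("r2", date(2012, 1, 1), "order"),                 # still needed
    Record("r3", date(2011, 6, 1), "recruitment", legal_hold=True),
    Record("r4", date(2010, 1, 1), "marketing"),             # no rule
]

if __name__ == "__main__":
    today = date(2013, 3, 12)
    to_destroy, kept = sweep(SAMPLE_RECORDS, today)
    for line in destruction_register(to_destroy, today):
        print(line)
    for rid, reason in kept.items():
        print(f"retained {rid}: {reason}")
```

The sweep is deliberately conservative: a record with no retention rule is retained and flagged rather than destroyed, because the absence of a rule usually means nobody has decided whether the information is still needed. The register output is what an auditor or privacy officer would want to see after the sweep runs.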
9. Keep personal information accurate and up to date.
Personal information can change. This is why you need to take reasonable steps to keep the personal information your organisation or agency holds current. If someone's personal information changes, amend your records to reflect those changes and make sure both hard copy and electronic files are updated. If you know that some personal information is likely to change regularly, then periodically go through the files to ensure the records are accurate and up to date.
For organisations see: www.privacy.gov.au/materials/types/infosheets/view/6583#c
For Australian and ACT Government agencies see: www.privacy.gov.au/materials/types/infosheets/view/6541#h
10. Consider making someone in your organisation or agency responsible for privacy.
This could be a designated person (often called a Privacy Contact Officer or Chief Privacy Officer) who is aware of your organisation or agency's responsibilities under the Privacy Act and who is willing and able to handle complaints and enquiries about the personal information handling practices of your organisation or agency. The person may also be responsible for implementing a complaints handling process, staff training program and promoting Privacy Act compliance.
For organisations see: www.privacy.gov.au/materials/types/infosheets/view/6561
For Australian and ACT Government agencies see: www.privacy.gov.au/Advice-for-PCOs/