Protecting Information Rights – Advancing Information Policy


Information Sheet (Private Sector) 2 - 2001: Preparing for 21 December 2001


New privacy provisions

New private sector provisions in the Privacy Act 1988 (Cth) (the Privacy Act) regulating the way many private sector organisations collect, use, keep secure and disclose personal information come into effect on 21 December 2001. Organisations may choose to be bound by a privacy code approved by the Privacy Commissioner (the Commissioner). If they are not bound by a privacy code the National Privacy Principles (NPPs) in the legislation will apply to them.

The NPPs aim to ensure that organisations that hold information about people handle that information responsibly. They also give people some control over the way information about them is handled.

Organisations covered by the legislation will need to consider how they are to implement the provisions. For more information refer to Information Sheet 12 - 2001 Coverage of and Exemptions from the Private Sector Provisions.

The way an organisation approaches compliance will vary depending on a number of factors, including:

  • the nature of the organisation's business;
  • the organisation's size;
  • the kind of information the organisation collects, uses and discloses;
  • how the organisation stores and secures information;
  • the expectations of the individuals who deal with the organisation;
  • whether the organisation transfers personal information overseas; and
  • the reputation the organisation wishes to promote.

Developing a privacy plan

Developing a privacy plan is a good place to start. A privacy plan could include the following.

Appoint a privacy officer

An organisation could appoint a privacy officer to be responsible for developing and implementing a privacy policy that suits the organisation's business and complies with the law.

The privacy officer would be the first point of contact in the organisation when privacy issues arise either internally or from outside the organisation. The privacy officer could also be responsible for ensuring that the organisation's privacy policy and procedures are fully implemented and working effectively. Other activities could include:

  • formulating, coordinating and implementing a privacy policy plan. This plan could include conducting or coordinating a privacy audit and undertaking risk assessment; and
  • promoting the plan to all relevant parties.

Become familiar with the NPPs

The next step is for relevant members of the organisation to familiarise themselves with the NPPs. The NPPs are legally binding rules set out in Schedule 3 of the Privacy Act. They regulate the way private sector organisations must collect, use, keep secure and disclose personal information. For more information, refer to the Guidelines to the National Privacy Principles, or if you provide health services, the Guidelines on Privacy in the Private Health Sector.

Conduct a privacy audit

A privacy audit is a useful way of working out what sort of personal information the organisation collects, holds, uses and discloses. A privacy audit is a key feature in any privacy plan.

Audit questions could include:

  • What personal information does the organisation collect? Is any of the information sensitive information? (Refer to section 6 of the Privacy Act.)
  • How does the organisation collect this information? (Common ways in which organisations collect personal information include standard forms, customer surveys, loyalty programs or online interaction.)
  • Where and how does the organisation store this information? (Organisations may keep personal information stored in a single database or it may be spread across the organisation in a number of sites.)
  • Who has access to the personal information held by the organisation and who actually needs to have that access?
  • Does the organisation have measures to protect the personal information it holds from unauthorised access?
  • Why does the organisation collect the personal information? Does the organisation need it for a function or activity?
  • Are individuals likely to be aware that the organisation is collecting this information?
  • How does the organisation use the information?
  • Does the organisation disclose the information to anyone outside the organisation?
  • Does the organisation contract out any functions or activities involving personal information?
      ◦ Does the organisation take any privacy measures to protect this information?
  • Does the organisation make individuals aware of the intended uses and disclosures of that information?
  • Is the information accurate, complete and up-to-date?
  • Does the organisation transfer information overseas?

If the organisation is small it may be able to conduct its own audit. If the organisation is large, has complex information handling practices or holds large amounts of sensitive information, it may need to consider getting expert help with the audit.

Compare practices with requirements in the NPPs

The next step could be to run through each of the NPPs and think about how the organisation's information handling practices measure up against them. A plan can then be developed to address any areas that do not comply with the NPPs.

Consult relevant people to develop the plan

Good privacy practice often depends on the context in which personal information is handled and the expectations of the individuals dealing with an organisation. Talking with staff and individuals who deal with the organisation about their privacy expectations and thinking about ways to address their concerns will give an organisation a sound basis for a privacy plan.

It may also be helpful to work with an industry association or other industry participants when developing a privacy policy. Organisations may find that their industry body has already thought about many of the privacy issues that arise in the industry and consultation could help avoid 'reinventing the wheel'.

Many organisations could consider getting outside help or advice on privacy matters such as special legal advice or help with a privacy audit. External advice could be a way of objectively testing whether the organisation meets the requirements of the privacy legislation.

Joining the Privacy Connections Network would also be helpful. The Network is a group of people from across all sectors of the Australian community and business connected through the Office of the Privacy Commissioner. The purpose of this network is to exchange, discuss and develop good privacy practices and solutions. For more information on the Privacy Connections Network, organisations can visit http://www.privacy.gov.au/business/privacyconnections/.

Have an effective complaints handling process

A privacy plan could include a process for handling privacy complaints. It is always better if an organisation can resolve complaints directly than to have an outside regulator get involved. Having an effective complaints handling process is an important part of managing privacy risks within an organisation. It helps an organisation to:

  • identify (and address) any systemic or ongoing compliance problems;
  • increase consumer confidence in the organisation's privacy procedures;
  • build the good reputation of the organisation; and
  • address complaints quickly and effectively.

Training staff

The way an organisation's staff handle personal information is just as important as the technology the organisation has in place to manage and secure the information. A privacy plan could include a program to train staff on privacy procedures and the organisation's privacy policies.

About Information Sheets

Information sheets are advisory only and are not legally binding. (The NPPs in Schedule 3 of the Privacy Act 1988 (Cth) (the Privacy Act) do legally bind organisations.)

Information sheets are based on the Office's understanding of how the Privacy Act works. They provide explanations of some of the terms used in the NPPs and good practice or compliance tips. They are intended to help organisations apply the NPPs in ordinary circumstances. Organisations may need to seek separate legal advice on the application of the Privacy Act to their particular situation.

Nothing in an information sheet limits the Privacy Commissioner's freedom to investigate complaints under the Privacy Act or to apply the NPPs in the way that seems most appropriate to the facts of the case being dealt with.

Organisations may also wish to consult the Commissioner's guidelines and other information sheets.

Office of the Privacy Commissioner ISBN 1 - 877079 - 23 - 5 Privacy Hotline 1300 363 992 (local call charge)