- Advice Summaries
- Case Notes
- Codes of Conduct
- Compliance Notes
- Fact Sheets
Information Sheet (Private Sector) 2 - 2001: Preparing for 21 December 2001
New privacy provisions
New private sector provisions in the Privacy Act 1988 (Cth) (the Privacy Act) regulating the way many private sector organisations collect, use, keep secure and disclose personal information come into effect on 21 December 2001. Organisations may choose to be bound by a privacy code approved by the Privacy Commissioner (the Commissioner). If they are not bound by a privacy code the National Privacy Principles (NPPs) in the legislation will apply to them.
The NPPs aim to ensure that organisations that hold information about people handle that information responsibly. They also give people some control over the way information about them is handled.
Organisations covered by the legislation will need to consider how they are to implement the provisions. For more information refer to Information Sheet 12 - 2001 Coverage of and Exemptions from the Private Sector Provisions.
The way an organisation approaches compliance will vary depending on a number of factors, including:
- the nature of the organisation's business;
- the organisation's size;
- the kind of information the organisation collects, uses and discloses;
- how the organisation stores and secures information;
- the expectations of the individuals who deal with the organisation;
- whether the organisation transfers personal information overseas; and
- the reputation the organisation wishes to promote.
Developing a privacy plan
Developing a privacy plan is a good place to start. A privacy plan could include the following.
Appoint a privacy officer
- promoting the plan to all relevant parties.
Become familiar with the NPPs
The next step is for relevant members of the organisation to familiarise themselves with the NPPs. The NPPs are legally binding rules set out in Schedule 3 of the Privacy Act. They regulate the way private sector organisations must collect, use, keep secure and disclose personal information. For more information, refer to the Guidelines to the National Privacy Principles, or if you provide health services, the Guidelines on Privacy in the Private Health Sector.
Conduct a privacy audit
A privacy audit is a useful way of working out what sort of personal information the organisation collects, holds, uses and discloses. A privacy audit is a key feature in any privacy plan.
Audit questions could include:
- What personal information does the organisation collect? Is any of the information sensitive information? (Refer to section 6 of the Privacy Act.)
- How does the organisation collect this information? (Common ways in which organisations collect personal information include standard forms, customer surveys, loyalty programs or online interaction.)
- Where and how does the organisation store this information? (Organisations may keep personal information stored in a single database or it may be spread across the organisation in a number of sites.)
- Who has access to the personal information held by the organisation and who actually needs to have that access?
- Does the organisation have measures to protect the personal information it holds from unauthorised access?
- Why does the organisation collect the personal information? Does the organisation need it for a function or activity?
- Are individuals likely to be aware that the organisation is collecting this information?
- How does the organisation use the information?
- Does the organisation disclose the information to anyone outside the organisation?
- Does the organisation contract out any functions or activities involving personal information? o Does the organisation take any privacy measures to protect this information?
- Does the organisation make individuals aware of the intended uses and disclosures of that information?
- Is the information accurate, complete and up-to-date?
- Does the organisation transfer information overseas?
If the organisation is small it may be able to conduct its own audit. If the organisation is large, has complex information handling practices or holds large amounts of sensitive information, it may need to consider getting expert help with the audit.
Compare practices with requirements in the NPPs
The next step could be to run through each of the NPPs and think about how the organisation's information handling practices measure up against them. A plan can then be developed to address any areas that do not comply with the NPPs.
Consult relevant people to develop the plan
Good privacy practice often depends on the context in which personal information is handled and the expectations of the individuals dealing with an organisation. Talking with staff and individuals who deal with the organisation about their privacy expectations and thinking about ways to address their concerns will give an organisation a sound basis for a privacy plan.
Many organisations could consider getting outside help or advice on privacy matters such as special legal advice or help with a privacy audit. External advice could be a way of objectively testing whether the organisation meets the requirements of the privacy legislation.
Joining the Privacy Connections Network would also be helpful. The Network is a group of people from across all sectors of the Australian community and business connected through the Office of the Privacy Commissioner. The purpose of this network is to exchange, discuss and develop good privacy practices and solutions. Organisations can access: http://www.privacy.gov.au/business/privacyconnections/ for more information on the Privacy Connections Network.
Have an effective complaints handling process
A privacy plan could include a process for handling privacy complaints. It is always better if an organisation can resolve complaints directly than to have an outside regulator get involved. Having an effective complaints handling process is an important part of managing privacy risks within an organisation. It helps an organisation to:
- identify (and address) any systemic or ongoing compliance problems;
- increase consumer confidence in the organisation's privacy procedures;
- build the good reputation of the organisation; and
- address complaints quickly and effectively.
The way an organisation's staff handle personal information is just as important as the technology the organisation has in place to manage and secure the information. A privacy plan could include a program to train staff on privacy procedures and the organisation's privacy policies.
About Information Sheets
Information sheets are advisory only and are not legally binding. (The NPPs in Schedule 3 of the Privacy Act 1988 (Cth) (the Privacy Act) do legally bind organisations.)
Information sheets are based on the Office's understanding of how the Privacy Act works. They provide explanations of some of the terms used in the NPPs and good practice or compliance tips. They are intended to help organisations apply the NPPs in ordinary circumstances. Organisations may need to seek separate legal advice on the application of the Privacy Act to their particular situation.
Nothing in an information sheet limits the Privacy Commissioner's freedom to investigate complaints under the Privacy Act or to apply the NPPs in the way that seems most appropriate to the facts of the case being dealt with.
Organisations may also wish to consult the Commissioner's guidelines and other information sheets.
Office of the Privacy Commissioner ISBN 1 - 877079 - 23 - 5 Privacy Hotline 1300 363 992 (local call charge)