An agency may wish to survey clients for a number of purposes e.g. to test acceptance of proposed information products, to follow'up on the impact of new initiatives, to assess client satisfaction with services, or for longitudinal research.

Is it possible under the Information Privacy Principles (IPPs) in the Privacy Act 1988 (Cth) to conduct these types of activities with current clients? What is the best, most privacy enhancing way of going about it?

What does the legislation allow?

The Plain English Guidelines to the IPPs provide clear direction on when and how it is possible to use personal information for purposes other than that for which it was originally collected, and in what circumstances it can be disclosed to third parties e.g. if a project is outsourced to a market research company or call centre.

The most relevant IPPs for the purposes of conducting these types of projects are IPPs 2, 10, and 11.

IPP 2 requires the person from whom information is being collected to be notified of the purpose, the authority for collection, and to whom it may usually be disclosed.

IPP 10 prohibits agencies from using personal information for any other purpose than that for which it was collected, unless a prescribed exception applies. One of those exceptions is IPP 10.1(e) which states that Commonwealth agencies may use personal information for a purpose that is directly related to the purpose for which it was collected. See Guideline 44 which provides examples of uses of personal information which may be considered as directly related to the purpose of collection, including:

• Uses for the purposes of monitoring, evaluation or managing a specific program, and
• Uses for the purpose of conducting follow-up surveys.

IPP 11 covers the limits of disclosures of personal information.

Invitation to clients to participate

An important first step, when designing this type of project is to consider the range of information you are required to give potential participants about the project, and what extra privacy assurances they might need to encourage them to participate. People can only make informed decisions when they are given adequate information. It is best practice to contact clients first to invite them to participate in a project, and to gain consent to their involvement.

It is best to seek express consent (in writing), from clients to participate in the project. Guidelines 15 and 16 discuss options for obtaining consent.

Even where provisions such as those described in Guideline 44 are in place to allow agencies to conduct research, it would be advisable to notify clients when their information is collected in the first instance, that such uses and disclosures may occur in the future. If it is likely that agencies are planning to use the personal information they hold for such purposes as conducting research or surveys, then this should also be included on the IPP 2 notice.

Guidelines 12 and 13 provide information on how to construct an IPP2 Notice. Keep in mind that it may be some time since clients first contacted an agency, or filled in any forms and read the IPP 2 Notice, so you cannot necessarily rely on your clients remembering everything that was in the Notice.

What to include in the invitation
Once the project target group has been identified it is best practice to write to each person inviting them to participate. The letter should describe such things as:

• the purpose of the project,
• whether it's a pilot, one-off survey or longitudinal project,
• that there are no penalties for not participating (and that participation won't affect the service received),
• what will happen to the information at the completion of the project,
• that if the client chooses to participate and then changes their mind, they can opt-out at any time, without penalty, and
• contact details for more information about the specific project.

Other considerations
It is also important to outline in this letter of invitation that if any third party organisations (such as a market research company or call centre) will have access to the client's information, they will be covered by contractual arrangements that require them to comply with the same privacy obligations as the agency.

If this is the case, advising clients that the agency will only be using de-identified, aggregated data may also serve to allay fears that clients may have that adverse administrative action may be a result of information they divulge. This will probably result in better quality data, as they will be assured of confidentiality and that there will be no repercussions as a result of their involvement.

The invitation letter could also ask them to advise whether or not they would be interested in receiving feedback on the results of the project (e.g. 'If you choose to participate in the project please advise us whether you wish to receive feedback at the completion of the project'). This may save people getting extra information from agencies that they don't want.

It would also be beneficial for a dedicated telephone line (rather than the usual customer telephone enquiry number) to be established within the area of the agency that is running the project, for clients to be able to call to get more details, and therefore further assist them to make an informed decision about participation.

If all this information is contained in the letter of invitation it can be crucial to the success of the project, particularly by enhancing the client participation rate.

The client's file
Consideration also needs to be given as to what information is recorded on a client's file. not re-contacted and asked again.

Coordinating projects
You should also coordinate projects or share information about projects with other sections of the agency, so that they are aware that the project is taking place, and also so that clients aren't bombarded with requests to participate in multiple projects, from different parts of the organisation.

Disclosure of information to third party organisations

(n.b. some references in this section to Commonwealth agencies and their interactions with third parties may not be relevant to the ACT).

Information should not generally be disclosed to a third party without first gaining the consent of the client.  If the project is to be conducted by an organisation other than the agency, the letter inviting participation should be sent by the agency, and only the details of the clients who agree to participate in such an activity should be passed to the third party. 

IPP 11.1(a) allows disclosure without consent if certain conditions apply.  See Guidelines 18-24 if you are relying on this exception.

When agencies contract a third party to undertake market research/survey activity for them, the contract should specify that the third party agrees to handle the personal information in a manner consistent with the IPPs and NPPs 7-10.  For further information about contractors please see Information Sheet 14 - Privacy Obligations for Commonwealth Contractors on our website.

The Australian Government Solicitor has prepared a Legal Briefing (No 63) on privacy and Commonwealth agency outsourcing which is called Outsourcing: Agency Obligations under the Privacy Act.  The briefing includes a model clause to assist Commonwealth agencies to discharge their responsibilities under section 95B of the Privacy Act 1988 (Cth) when drafting Commonwealth contracts. 

Agencies must ensure that when a third party organisation is involved in conducting a project, the staff of that organisation know that they are required to comply with privacy obligations under the Privacy Act.  One way to ensure this is to have third party staff dealing with agencies client's personal information sign a confidentiality agreement setting out the limits of use and disclosure consistent with IPPs 10 and 11.

Where third parties are involved, agencies may also consider training the organisation's staff about their privacy obligations, or providing a checklist or information sheet.  Some organisations contracted to carry out this work on your agency's behalf will not have detailed knowledge of their privacy obligations under the IPPs, and if there are any complaints it will be the agency's responsibility to explain how they made the contractor aware of the privacy requirements, and how they sought to ensure that there were no breaches of privacy.

Completion of the project

Retrieving, destroying data
Agencies need to give consideration to what will happen to client's personal information at the completion of the project.  If a third party organisation has been contracted to carry out the research, agencies need to consider the arrangements for retrieving all the data at the completion of the project. 

That all information is to be returned from, or destroyed by, the third party to the agency can usually be specified in the contract, and made a condition of final payment.  Third parties should not be allowed to keep copies of customer lists, or other personal information at the completion of the project, and the contract should specify that once the project is complete, the third party must return or destroy all the survey material.  Agencies should ensure that they follow up with the third parties that the return or destruction of all data has occurred. 

Feedback
At completion of the project participants may appreciate receiving feedback on the outcome of the project (understanding that on occasion some results may be confidential).  It is common courtesy to advise and thank participants at the completion of the project.

Evaluation
It can be useful to conduct an evaluation of all privacy aspects of the project at completion, to review the methodology, and identify any problems which arose.  Design of the evaluation tool should be part of the original project plan so that evaluative data can be collected during the exercise.  For example if you are planning to make follow-up calls to a random sample of clients, then they will need to be asked, at first contact, to participate in both the survey and evaluation stages.  The information gained during an evaluation exercise can be used to better design the next project.

Office of the Privacy Commissioner
March 2003