THE OFFICE OF THE PRIVACY COMMISSIONER

Privacy Impact Assessment Guide

August 2006

MODULE E
IPP Compliance Checklist

This IPP Compliance Checklist aims to assist employees proposing change to investigate whether the personal information aspects of their project comply principally with the IPPs in section 14 of the Privacy Act.

Module E has been designed to be deployed as a template on desktops, portable computers (provided they are secure) or internal websites for use by any employee proposing change.  Where so adopted by agencies, the module may need to be modified to add agency-specific details.  For example, some agencies have processes that need to be completed where changes to computer software and/or hardware are contemplated.  It would be more user-friendly if the PIA and such agency-specific processes were linked electronically.  It would also usually assist the PIA process if a summary or copy of the documentation for those linked processes were attached to the PIA documentation, where relevant.  

It should be noted that many terms used in the IPPs and NPPs have specific meanings, and it would be prudent to refer to the Privacy Act's definition for those terms.  Another useful source for guidance in this regard is the Privacy Commissioner's IPP/NPP Guidelines (published on the Privacy Commissioner's website at www.privacy.gov.au). This module provides web addresses for the relevant Guidelines at the foot of the boxed text that summarises each IPP/NPP.  Users are encouraged to refer to the Guidelines before responding to the questions asked in this module, and if necessary to seek further guidance from sources such as the agency's Privacy Contact Officer, legal unit or external guidance.

A) Information Privacy Principles (IPPs)

1) IPP 1 – Manner and purpose of collection

Personal information shall not be collected for inclusion in a record, or in a generally available publication, unless:

Personal information shall not be collected by a collector by "unlawful" or "unfair" means.

(NB This is a summary of the IPP only. Please refer to section 14 of the Privacy Act for the full text. For the Privacy Commissioner's Guidelines in relation to this IPP see www.privacy.gov.au/publications/HRC_PRIVACY_PUBLICATION.pdf_file.p6_4_14.4.pdf.)

1) Is the information to be collected for a lawful purpose directly related to a function or activity of the collector?

Yes tick box No tick box

(If yes, please specify the "purpose" of collection and the relevant "function" or "activity" to which it is directly related. In particular, if the collection is "authorised" or "required" by, or under, a specific Act, regulation or determination, please specify details of the nature of this authority (n.b. this information will also be relevant to Question 3 under IPP 2 below). If no, please indicate what alternatives are proposed.)

 
 
 

2) Will the information collected be "necessary for" or "directly related to" that purpose?

Yes tick box No tick box

(If yes, please indicate how it is "necessary for" or "directly related" to the relevant purpose. If no, please indicate what alternatives are proposed.)

 
 
 

3) Will the information be collected by "lawful" and "fair" means?

Yes tick box No tick box

(If yes, please specify the "lawful" and "fair" means proposed. If no, please indicate what alternatives are proposed.)

 
 
 

If you answered "No" to any of the questions above, your agency may not have authority under the Privacy Act to collect the personal information in question. You may need to seek further advice (e.g. from your agency's Privacy Contact Officer; other agency expert; legal advice) regarding compliance with this IPP.

2) IPP 2 – Solicitation of personal information from the individual concerned

Where a collector collects personal information for inclusion in a record or in a generally available publication, and the information is solicited by the collector from the individual concerned, the collector shall take such steps (if any) as are, in the circumstances, "reasonable" to ensure that, before the information is collected or, if that is not practicable, as soon as practicable after the information is collected, the individual concerned is generally aware:

(NB This is a summary of the IPP only. Please refer to section 14 of the Privacy Act for the full text. For the Privacy Commissioner's Guidelines in relation to this IPP see www.privacy.gov.au/publications/HRC_PRIVACY_PUBLICATION.pdf_file.p6_4_14.4.pdf.)

1) Is the personal information to be solicited by the collector from the individual concerned?

Yes tick box No tick box

(If yes, please detail how the information is to be solicited. If no, please detail why it will not be collected from the individual concerned, including the authority for not doing so, if relevant.)

 
 
 

If information is not to be solicited from the individual concerned, you may not need to address all of the following three questions. It is however prudent to err on the side of caution and answer them in any case, as there may be privacy risks, including potential inaccuracy, when personal information is not collected directly from the individual (see 1. Collection in Module C).

2) Will "reasonable steps" be taken to inform the individual of the purpose of the collection?

Yes tick box No tick box

(If yes, please specify what "reasonable steps" will be taken. If no, please indicate why not.)

 
 
 

3) If the collection is to be "authorised" or "required" by law, will the individual be so advised?

Yes tick box No tick box

(If yes, please specify which law and how the individual will be advised. If not, please indicate why not.)

 
 
 

4) Will the individual be advised about the "usual disclosures"?

Yes tick box No tick box

(If yes, please list the proposed "usual" disclosures and specify how the individual will be advised. If no, please indicate why not.)

 
 
 

If you have answered "No" to questions 2, 3 or 4 above, your agency may not be able to collect, use or disclose the personal information in question. You may need to seek further advice (e.g. from your agency's Privacy Contact Officer; other agency expert; legal advice) regarding compliance with this IPP.

3) IPP 3 – Nature and method of personal information solicited

Agencies must take "reasonable steps" to ensure that solicited personal information collected is relevant to the purpose of collection, up to date and complete, and is not collected in an "unreasonably intrusive way".

(NB This is a summary of the IPP only. Please refer to section 14 of the Privacy Act for the full text. For the Privacy Commissioner's Guidelines in relation to this IPP see www.privacy.gov.au/publications/HRC_PRIVACY_PUBLICATION.pdf_file.p6_4_14.4.pdf.)

1) Will "reasonable steps" be taken to ensure that any solicited personal information collected is "relevant", "up to date" and "complete"?

Yes tick box No tick box

(If yes, please specify what the steps will be. If no, please indicate why not.)

 
 
 

2) Will reasonable steps be taken to ensure that the information will be collected in a way that does not "unreasonably intrude" on the individual?

Yes tick box No tick box

(If yes, please specify what the steps will be. If no, please indicate why not.)

 
 
 

If you have answered "No" to either of the questions above, you may need to seek further advice (e.g. from your agency's Privacy Contact Officer; other agency expert; legal advice) regarding compliance with this IPP.

4) IPP 4 – Storage and security of personal information

A record-keeper who has possession or control of a record shall ensure:

(NB This is a summary of the IPP only. Please refer to section 14 of the Privacy Act for the full text. For the Privacy Commissioner's Guidelines in relation to this IPP see www.privacy.gov.au/publications/HRC_PRIVACY_PUBLICATION.pdf_file.p6_4_15.7.pdf.)

If your proposed changes involve modifications to information or computer technology, you may have to complete other agency-specific processes. If so, it may be useful to attach a summary or a copy of the documentation from that process to this PIA as relevant, and particularly where information flows are to be modified.

Note: For assessments related to new or existing Information or Computer Technology (ICT) systems, this section should be completed by the unit in the agency responsible for systems maintenance and security and signed off by the unit's manager.

a) Security safeguards[14]

1) Will there be "reasonable technical security" in place to protect against loss, unauthorised access, use, modification or disclosure, and against other misuse?

Yes tick box No tick box

(If yes, please specify what they will be and how they will prevent loss, unauthorised access, use, modification or disclosure, or other misuse. If no, please indicate why not.)

 
 
 

2) Will there be "reasonable physical security" in place to protect against loss, unauthorised access, use, modification or disclosure, and against other misuse?

Yes tick box No tick box

(If yes, please specify what they will be and how they will prevent loss, unauthorised access, use, modification or disclosure, or other misuse. If no, please indicate why not.)

 
 
 

3) Will there be work unit policies and procedures in place for the security of personal information during the handling (routine and ad hoc) of the information?

Yes tick box No tick box

(If yes, please specify what those policies and procedures will be and how they will protect information during handling. If no, please indicate why not.)

 
 
 

4) Will controls and procedures be created for the authority to add, change or delete personal information?

Yes tick box No tick box

(If yes, please specify what they will be. If no, please indicate why not.)

 
 
 

5) Will your system security include an ongoing audit process that can track use of the system, including for back-up materials (e.g. when and who accessed, and if those processes collect personal information will they themselves have privacy protections built in)?

Yes tick box No tick box

(If yes, please specify what the process will be and how they will protect privacy. If no, please indicate why not.)

 
 
 

6) Will audit mechanisms identify inappropriate accesses to the system?

Yes tick box No tick box

(If yes, please specify how and what the consequences will be. If no, please indicate why not.)

 
 
 

b) Safeguarding information provided to external parties

An agency must do everything it "reasonably" can to prevent unauthorised use or disclosure of information it provides to external parties providing a service to the agency, whether private sector contractors or overseas agencies or organisations.

1) Will the contractual obligation imposed by the agency on the external party comply with section 95B of the Privacy Act?[13]

Yes tick box No tick box

(If yes, please specify the relevant provisions in the proposed contract. If no, please indicate why not.)

 
 
 

2) Will the contract include requirements inconsistent with NPPs 7-10?

Yes tick box No tick box

(If yes, please specify the proposed inconsistencies and the reasons for them.)

 
 
 

3) Will the agreement with a State/Territory government or agency/body or the arrangement with a foreign government, agency, body or organisation include explicit undertakings that the recipient will afford the same privacy restrictions and protections as the information receives in the hands of the Commonwealth agency, including against different third party uses and disclosures?

(N.B. It may be helpful to also consider IPP 11.3 obligations (see below) at this point.)

Yes tick box No tick box

(If yes, please specify the proposed undertakings; indicate which Privacy Act protections they exclude, if any; and how adherence will be monitored. If no, please indicate why not.)

 
 
 

If you have answered "No" to any of the questions above, you may need to seek further advice (e.g. from your agency's Privacy Contact Officer; other agency expert; legal advice) regarding compliance with this IPP.

5) IPP 5 – Information related to records

A "record-keeper" in "possession" or "control" of personal information shall:

(NB This is a summary of the IPP only. Please refer to section 14 of the Privacy Act for the full text. For the Privacy Commissioner's Guidelines in relation to this IPP see www.privacy.gov.au/publications/HRC_PRIVACY_PUBLICATION.pdf_file.p6_4_15.7.pdf.)

1) Will the "record-keeper" be "authorised by law" to refuse to inform any person of the records in the record-keeper's possession or control?

Yes tick box No tick box

(If yes, please indicate which law will be relied upon and how the discretion will be exercised.)

 
 
 

2) Will processes be put in place to satisfy the above requirements?

Yes tick box No tick box

(If yes, please specify how each of these criteria will be satisfied. If no, please indicate why not.)

 
 
 

If you have answered "No" to question 2 above, you may need to seek further advice (e.g. from your agency's Privacy Contact Officer; other agency expert; legal advice) regarding compliance with this IPP.

6) IPP 6 – Access

Individuals shall be entitled to have "access to records", except to the extent the record-keeper is "required" or "authorised" to refuse access under any law of the Commonwealth that provides access by persons to documents.

(NB This is a summary of the IPP only. Please refer to section 14 of the Privacy Act for the full text. The qualification in this IPP effectively grants access to information on the basis of the rights available under the Freedom of Information Act 1982. For the Privacy Commissioner's Guidelines in relation to this IPP see www.privacy.gov.au/publications/HRC_PRIVACY_PUBLICATION.pdf_file.p6_4_15.7.pdf.)

1) Will processes be put in place to provide access to records under the relevant Commonwealth law (e.g. Freedom of Information Act 1982; Archives Act 1901)?

Yes tick box No tick box

(If yes, please specify the proposed processes. If no, please indicate why not.)

 
 
 

If you have answered "No" to the question above, you may need to seek further advice (e.g. from your agency's Privacy Contact Officer; other agency expert; legal advice) regarding compliance with this IPP.

7) IPP 7 – Alteration of records

A "record-keeper" shall take "reasonable steps", subject to any Commonwealth law that provides a right to require correction or amendment of documents, to ensure that the record is accurate and, having regard to the purpose of collection or use, that the record is relevant, up to date, complete and not misleading.

Where the "record-keeper" is unwilling to amend a record in accordance with a request by the individual concerned and no decision or recommendation to the effect that the record should be amended is made under the provisions of a law of the Commonwealth, the "record-keeper" shall on request attach any statement by the individual concerned correcting, deleting or adding to the record.

(NB This is a summary of the IPP only. Please refer to section 14 of the Privacy Act for the full text. For the Privacy Commissioner's Guidelines in relation to this IPP see www.privacy.gov.au/publications/HRC_PRIVACY_PUBLICATION.pdf_file.p6_4_15.7.pdf.)

1) Will reasonable steps be taken to ensure accuracy, relevance, currency, completeness of records and that they are not misleading?

Yes tick box No tick box

(If yes, please describe the reasonable steps. If no, please indicate why not.)

 
 
 

2) Will provision be made for attaching corrections?

Yes tick box No tick box

(If yes, please specify the provisions. If no, please indicate why not.)

 
 
 

8) IPP 8 – Record-keeper's obligation to check accuracy etc

"Record-keepers" shall not use personal information without taking "reasonable steps" to ensure the accuracy, currency and completeness of the information.

(NB This is a summary of the IPP only. Please refer to section 14 of the Privacy Act for the full text. For the Privacy Commissioner's Guidelines in relation to this IPP see www.privacy.gov.au/publications/ipp8_11.pdf.)

1) Will processes be put in place to ensure accuracy, currency and completeness before information is used?

Yes tick box No tick box

(If yes, please specify the proposed processes. If no, please indicate why not.)

 
 
 

If you have answered "No" to the question above, you may need to seek further advice (e.g. from your agency's Privacy Contact Officer; other agency expert; legal advice) regarding compliance with this IPP.

9) IPP 9 – Use only for relevant purposes

A "record-keeper" shall not use information except for a purpose to which the information is relevant.

(NB This is a summary of the IPP only. Please refer to section 14 of the Privacy Act for the full text. For the Privacy Commissioner's Guidelines in relation to this IPP see www.privacy.gov.au/publications/ipp8_11.pdf.)

1) Will relevance be tested before use?

Yes tick box No tick box

(If yes, please specify how it is proposed that relevance will be tested. If no, please indicate why not.)

 
 
 

If you have answered "No" to the question above, you may need to seek further advice (e.g. from your agency's Privacy Contact Officer; other agency expert; legal advice) regarding compliance with this IPP.

10) IPP 10 – Limits on use for other purposes

"Use" in relation to information, does not include mere disclosure of the information, but does include the inclusion of the information in a publication.

By way of guidance, "use" refers to what may happen to the personal information in the hands of the collector/record-keeper. "Disclosure" refers to the process of releasing personal information from the control of the record-keeper.

"Consent" means express consent or implied consent.

1A) Will the individual the personal information is about be asked to consent to the proposed use for other purpose(s)?

Yes tick box No tick box

(If yes, please specify how consent will be sought and describe the other purpose(s). If no, please indicate why consent will not be relied upon and describe the other purposes.)

 
 
 

1B) Will a record be kept of whether the consent was "express" or "implied"?

Yes tick box No tick box

(This is not strictly an IPP requirement, but it is nonetheless an important matter to consider. If no record will be kept, please indicate why. If proposing to rely upon implied consent, please specify basis for so doing.)

 
 
 

2) Will there be processes or guidance in place to assist the record-keeper determine what constitutes "necessary to prevent or lessen a serious and imminent threat to the life or health" of a person, before invoking this exemption?

Yes tick box No tick box

(If yes, please specify the proposed processes or guidance. If no, please indicate why not.)

 
 
 

3) Will there be processes or guidance in place to assist the record-keeper determine whether a proposed other purpose is either "required" or "authorised" by or under law, before invoking this exemption?

Yes tick box No tick box

(If yes, please specify the proposed processes or guidance. If no, please indicate why there will be no processes or guidance.)

 
 
 

4) Will there be processes or guidance in place to assist the record-keeper determine what is "reasonably necessary" for enforcement of a "criminal law", "pecuniary penalty" or "protection of the public revenue", before invoking this exemption?

Yes tick box No tick box

(If yes, please specify the proposed processes or guidance related to satisfying the "reasonably necessary" test, and determining the law(s) that will be relied upon. If no, please indicate how the record-keeper will satisfy the "reasonably necessary" test and determine the relevant law(s).)

 
 
 

5) Will there be processes or guidance in place to assist the record-keeper determine what "directly related purposes" are?

Yes tick box No tick box

(If yes, please specify the proposed processes or guidance related to satisfying the "directly related purpose" test. If no, please indicate how the record-keeper will satisfy the "directly related purpose" test.)

 
 
 

6) Will there be processes in place to allow the record-keeper to record that a use under IPP 10(d) has occurred?

Yes tick box No tick box

(If yes, please specify the proposed processes. If no, please indicate why not.)

 
 
 

If you have answered "No" to any of the questions above, you may need to seek further advice (e.g. from your agency's Privacy Contact Officer; other agency expert; legal advice) regarding compliance with this IPP.

11) IPP 11 – Disclosure

  1. A "record-keeper" shall not "disclose" information to a person, body or agency (other than the individual concerned) unless:
    a) the individual concerned is "reasonably likely to have been aware", or made aware under IPP 2, that information of this kind is usually passed to that person, body or agency; or
    b) the individual has "consented" to the disclosure; or
    c) the record-keeper believes on "reasonable grounds" that the disclosure is "necessary" to "prevent or lessen a serious and imminent threat to life or health"; or
    d) disclosure is "required or authorised by or under law"; or
    e) disclosure is "reasonably necessary" for "enforcement of criminal law" or a "law imposing a pecuniary penalty", or to "protect public revenue".
  2. Where disclosed for e) above the "record-keeper" shall record that use in the record of the information concerned.
  3. A person, body or agency to whom such personal information is disclosed shall not use or disclose the information for a purpose other than the purpose for which it was disclosed to it.

(NB This is a summary of the IPP only. Please refer to section 14 of the Privacy Act for the full text. For the Privacy Commissioner's Guidelines in relation to this IPP see www.privacy.gov.au/publications/ipp8_11.pdf.)

1) Will processes be put in place to make individuals aware of the usual disclosures and to assist the record-keeper determine whether the individual was "reasonably likely to have been aware" of such disclosures?

(NB The responses to the IPP 2 questions will be relevant.)

Yes tick box No tick box

(If yes, please specify the proposed processes. If no, please indicate why not.)

 
 
 

2A) Will the individual whose personal information is to be disclosed have consented to the disclosure(s)?

Yes tick box No tick box

(If yes, please specify how consent will be sought and describe the proposed disclosure(s). If no, please indicate why consent will not be relied upon and describe the proposed disclosure(s).)

 
 
 

2B) Will a record be kept of whether the consent was "express" or "implied"?

Yes tick box No tick box

(This is not strictly an IPP requirement, but it is nonetheless an important matter to consider. If no record will be kept, please indicate why. If proposing to rely upon implied consent, please specify basis for so doing.)

 
 
 

3) Will there be processes or guidance in place to assist the record-keeper determine what constitutes "necessary to prevent or lessen a serious and imminent threat to the life or health" of a person, before invoking this exemption?

Yes tick box No tick box

(If yes, please specify the proposed processes or guidance. If no, please indicate why not.)

 
 
 

4) Will there be processes or guidance put in place to assist the record-keeper determine whether a proposed disclosure is either "required" or "authorised" by or under law, before invoking this exemption?

Yes tick box No tick box

(If yes, please specify the proposed processes or guidance. If no, please indicate why there will be no processes or guidance.)

 
 
 

5) Will there be processes or guidance in place to assist the record-keeper determine what is "reasonably necessary" for enforcement of a "criminal law", "pecuniary penalty" or "protection of the public revenue", before invoking this exemption?

Yes tick box No tick box

(If yes, please specify the proposed processes or guidance related to satisfying the "reasonably necessary" test, and determining the relevant law(s) that will be relied upon. If no, please indicate how the record-keeper will satisfy the "reasonably necessary" test and determine the relevant law(s).)

 
 
 

6) Will there be processes put in place to allow the record-keeper to record that disclosure under IPP 11(e) has occurred?

Yes tick box No tick box

(If yes, please specify the proposed processes. If no, please indicate why not.)

 
 
 

7) Will there be processes put in place to ensure that the person, body or agency to whom disclosure has been made will only use or disclose such information for the purposes for which the disclosure was made to that person, body or agency?

(N.B. The responses to some of the IPP 4 questions will be relevant.)

Yes tick box No tick box

(If yes, please specify the proposed processes and how compliance will be monitored. If no, please specify why processes will not be put in place and how this requirement will be satisfied.)

 
 
 

If you have answered "No" to any of the questions above, you may need to seek further advice (e.g. from your agency's Privacy Contact Officer; other agency expert; legal advice) regarding compliance with this IPP.

B) Commonwealth Contracts

Under section 95B of the Act, agencies are required to ensure that a "contracted service provider" under a Commonwealth contract does not do any act that would breach the IPPs. "Contracted service providers" are also required to comply with the NPPs, unless the contract provides otherwise. There are four NPPs which have no IPP equivalents, and these are listed below. Agencies should include provisions relating to these when contracting services.

Agencies should also ensure, pursuant to section 16F of the Act, that any personal information collected under a Commonwealth contract is not used or disclosed for direct marketing unless the contract so requires.

"Contracted service provider", for a government contract, is defined as: "...an organisation that is or was a party to the government contract and that is or was responsible for the provision of services to an agency or a State or Territory authority under the government contract; or a subcontractor for the government contract".

1) NPP 7 – Identifiers

An "organisation", other than a prescribed organisation, must not adopt as its own "identifier" of an individual an identifier assigned by an agency, and must not use or disclose an identifier assigned by an agency unless necessary to fulfil an agency obligation, or for "law enforcement and similar purposes".

(NB This is a summary of the NPP only. Please refer to Schedule 3 of the Privacy Act for the full text. For the Privacy Commissioner's Guidelines in relation to this NPP see www.privacy.gov.au/publications/nppgl_01.pdf.)

"Identifier" is defined as including: "...a number assigned by an organisation to an individual to identify uniquely the individual for the purposes of the organisation's operations. However, an individual's name or ABN (as defined in the A New Tax System (Australian Business Number) Act 1999) is not an identifier."

"Organisation" means:

  1. an individual; or
  2. a body corporate; or
  3. a partnership; or
  4. any other unincorporated association; or
  5. a trust;

that is not a small business operator, a registered political party, an agency, a State or Territory authority or a prescribed instrumentality of a State or Territory.

1) Is the organisation a "prescribed organisation" for the purposes of NPP 7?

Yes tick box No tick box

(If yes, please specify the prescribing instrument and its relevance to any proposed disclosures. If no, please answer questions 2 to 4 below.)

 
 
 

2) Will the agency disclose any "assigned identifiers" to an organisation for any purpose?

Yes tick box No tick box

(If yes, please specify any intended organisations and purposes. If no, please proceed to NPP 8 questions below.)

 
 
 

3) Will steps be taken to ensure that the organisation does not adopt a Commonwealth identifier as its own?

Yes tick box No tick box

(If yes, please specify what steps will be taken and how compliance will be monitored. If no, please specify why it will be appropriate to have an organisation adopt a Commonwealth identifier as its own, and how it is proposed to comply with the Privacy Act.)

 
 
 

4) Will steps be taken to ensure that the organisation does not use or disclose Commonwealth identifiers, beyond its obligations to the agency?

Yes tick box No tick box

(If yes, please specify what steps will be taken and how compliance will be monitored. If no, please specify why not; why it will be necessary for the organisation to use or disclose Commonwealth identifiers; and how it is proposed to comply with the Privacy Act.)

 
 
 

If you have answered "No" to questions 2, 3 or 4 above, you may need to seek further advice (e.g. from your agency's Privacy Contact Officer; other agency expert; legal advice) regarding compliance with this NPP.

2) NPP 8 – Anonymity

Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.

For the Privacy Commissioner's Guidelines in relation to this NPP see www.privacy.gov.au/publications/nppgl_01.pdf.

1) Will individuals have the option of not identifying themselves for any specified transactions with the organisations?

Yes tick box No tick box

(If yes, please specify how this will be done. If no, please specify why an anonymous option will not be provided, and describe the relevant transactions.)

 
 
 

If you have answered "No" to the question above, you may need to seek further advice (e.g. from your agency's Privacy Contact Officer; other agency expert; legal advice) regarding compliance with this NPP.

3) NPP 9 – Transborder data flows

An "organisation" in Australia or an external Territory may only transfer personal information to a foreign country if:

(NB This is a summary of the NPP only. Please refer to Schedule 3 of the Privacy Act for the full text. For the Privacy Commissioner's Guidelines in relation to this NPP see www.privacy.gov.au/publications/nppgl_01.pdf.)

1) Is it proposed that personal information, managed under a contract with an organisation, will be transferred to a foreign country?

Yes tick box No tick box

(If yes, please specify which NPP 9 provisions will be relied upon for the proposed transfer; the proposed contractual provisions; which countries or third parties will be involved; and how compliance will be monitored.)

 
 
 

2) If no foreign transfer is contemplated, will the contract with an organisation still provide for NPP 9 protections?

Yes tick box No tick box

(This is not strictly an IPP requirement, but is nonetheless worth considering in case foreign transfers are not originally intended but later become necessary. If yes or no, please specify why.)

 
 
 

If you have answered "Yes" to question 1 above but have not specified how the requirements of NPP 9 will be satisfied, or which countries or third parties will be involved, or if you have answered "No" to question 2, you may need to seek further advice (e.g. from your agency's Privacy Contact Officer; other agency expert; legal advice) regarding compliance with this NPP.

4) NPP 10 – Sensitive information

An "organisation" must not collect "sensitive information" about an individual unless:

(NB This is a summary of the NPP only. Please refer to Schedule 3 of the Privacy Act for the full text. For the Privacy Commissioner's Guidelines in relation to this NPP see www.privacy.gov.au/publications/nppgl_01.pdf.)

An organisation will only be a "non-profit organisation" under this NPP if it has

"...racial, ethnic, political, religious, philosophical, professional trade, or trade union aims."

1) Is it proposed that sensitive information be collected under a Commonwealth contract?

Yes tick box No tick box

(If yes, please specify the reason for collection and the protections proposed to be put in contractual arrangements for that collection. If no, please proceed to the next section.)

 
 
 

2) If sensitive information is to be collected, is it proposed to outsource the collection and management of such information?

Yes tick box No tick box

(If yes, please specify which NPP 10 provisions will be relied upon; how the sensitive information is to be protected; and how compliance will be monitored. If no, please proceed to the next section.)

 
 
 

If you have answered "Yes" to questions 1 or 2 above, you may need to seek further advice (e.g. from your agency's Privacy Contact Officer; other agency expert; legal advice) regarding compliance with this NPP.

IPP COMPLIANCE - CONCLUSIONS

(Please provide a summary of the conclusions that have been reached in relation to this project’s overall compliance with the IPPs. This could include indicating whether some changes or refinements to the project might be warranted. Modules D and F of this Guide will assist when considering what responses might be appropriate to any privacy challenges that arise.)

 

 

(Proponent)

Date: ___ / ___ / ________

 

 

(Privacy Contact Officer)

Date: ___ / ___ / ________

Endnotes

13 Acknowledgment is given to the British Columbia Office of the Information and Privacy Commissioner's Privacy Impact Assessment Template (see www.oipcbc.org/sector_public/resources/pia.htm).

14 In relation to section 95B, see the Privacy Commissioner's Information Sheet 14 - "Privacy Obligations for Commonwealth Contracts" (www.privacy.gov.au/publications/IS14_01.html); the Australian Government Solicitor's Legal Briefing No 63 - "Outsourcing: Agency Obligations under the Privacy Act" (www.privacy.gov.au/publications/LB.pdf) and also IPP 11.3.