Ok, so this article is a bit drier than usual. I go by the motto ‘compliance is fun’ because life is what you make it and sometimes it's nice to put a tick in that box, but this topic is serious and technical.
I am not going to go into a heap of detail: the OAIC (Office of the Australian Information Commissioner) has a great website that is easy to read and covers all the gory details. I will, however, try to convince you that you NEED to have a look at this stuff, especially if you are collecting and keeping customer information.
Being aware of what is personal and sensitive information and having a plan to manage privacy within your business is the first step to not being a news headline due to a data breach.
So let’s jump in …
What is the Privacy Act?
The Privacy Act 1998 (the Act) regulates how individual people’s information is handled in Australia.
The Act creates a privacy protection framework that is underpinned by the Australian Privacy Principles or APPs.
Australian Privacy Principles
The 13 Australian Privacy Principles govern standards, rights and obligations around:
the collection, use and disclosure of personal information
an organisation or agency’s governance and accountability
integrity and correction of personal information
the rights of individuals to access their personal information.
Who is covered by the Privacy Act
In general (with exceptions, of course), any organisation with an annual turnover of $3m or more, and all Australian Government agencies, are considered an APP Entity and have responsibilities and obligations under the Act.
An APP Entity is any type of entity operating a business, including sole traders, a body corporate, a partnership, any other incorporated association or a trust. Organisations that turn over less than $3m, such as health services, may still be included as an APP Entity.
APP Entities are obliged to ensure personal and sensitive information is properly managed and protected.
What is Personal Information?
Personal information includes a broad range of information, or an opinion, that could identify an individual. What is personal information will vary, depending on whether a person can be identified or is reasonably identifiable in the circumstances.
For example, personal information may include:
an individual’s name, signature, address, phone number or date of birth
sensitive information
credit information
employee record information
photographs
internet protocol (IP) addresses
voice print and facial recognition biometrics (because they collect characteristics that make an individual’s voice or face unique)
location information from a mobile device (because it can reveal user activity patterns and habits).
What is sensitive information?
Sensitive information is personal information that includes information or an opinion about an individual’s:
racial or ethnic origin
political opinions or associations
religious or philosophical beliefs
trade union membership or associations
sexual orientation or practices
criminal record
health or genetic information
some aspects of biometric information.
Generally, sensitive information has a higher level of privacy protection than other personal information.
Keeping information secure
Security of personal information is covered under APP 11, which requires an APP Entity to take reasonable steps to protect personal information. Usually when we think of information protection we think of cyber security and keeping our systems secure to protect the information held within them. But, under the Act, we also need to protect information from misuse, interference and loss, as well as unauthorised access, modification or disclosure.
So on top of keeping information safe from hackers, this could also mean ensuring only certain people have access to certain records, physically locking away information, laptops or other devices, and having the ability to monitor systems and track changes to information.
Further, removing information once it is no longer necessary for the purpose it was collected is also important. What protocols do you have in place for removing the personal information on your system that you no longer need?
Notifiable Data Breach
When personal information is lost, or accessed or disclosed without authorisation, it becomes a data breach. When that breach is likely to result in serious harm to an individual, that breach is notifiable under the Act and must be reported to the individual(s) the information belongs to and to the OAIC.
As an APP Entity, you need to ensure your staff understand what a data breach is and are able to identify when a breach occurs and whether it is an eligible breach that requires reporting.
For more information, see the OAIC.
Key Takeaways
Understand whether you are an APP Entity and, if you are, make sure you take steps to understand your obligations. Regardless of whether you are an APP Entity, understand what personal and sensitive information is, and have a plan for managing and protecting that information within your business.
If you are responsible for an organisation or business and you don’t have a privacy management plan, check out this free template.
Need some help?
If you need help with business planning, governance, risk or compliance, or to get your business organised, Elouise from Ellevate Solutions is here to help you.