- What is Personal Information?
Personal information is very broadly defined as any information about an identifiable individual.
- How can Personal Information be collected and used?
Personal information should only be collected for a lawful purpose connected with a function or activity of your organisation. It should generally be collected directly from the individual concerned, and not in a manner that is unlawful, unfair or unreasonably intrusive. When personal information is being collected, individuals should also be notified of the purpose for which the information is collected, who will hold it, who it may be shared with, whether it is required by law, whether it is mandatory to provide it and what the consequences are if it is not provided. They also need to be told they can access and correct their personal information.
- Who can Personal Information be shared with?
Personal information should generally not be disclosed to anyone unless it is in connection with the purpose for which it was collected, or as authorised by the individual concerned.
- Security obligations
You have obligations to maintain security of the personal information you hold and make sure that there is no unauthorised use, modification or disclosure.
- Rights of access and correction
Individuals have the right to request access to personal information you hold about them.
Five key initiatives to assist you to comply
Taking the following five key steps will help your organisation comply with its privacy obligations and effectively deal with any non-compliance.
- Perform a health check
Assess how well your organisation is doing right now. Review policies and security practices and see if these align with your organisation’s obligations under the Privacy Act. Things to think about include: What personal information is being collected and why? How is it being used? Who is it shared with? Who has access and how is this controlled? Where is it located? How is accuracy checked and confirmed, and how long is it retained for?
- Conduct a Privacy Impact Assessment (PIA) for any proposed new initiative
New initiatives for which it is appropriate to conduct a PIA can be wide ranging. Generally, a PIA should be considered when it is anticipated that there will be significant collection of personal information or there will be changes in operations that will affect databases of personal information. If any risks are identified during a PIA, consider how to effectively mitigate those risks.
- Take a leadership role in privacy compliance
Embed a culture of privacy within your organisation that encourages and promotes compliance. Compliance should not just be a concern held by the legal department or with the privacy officer – promote an awareness of privacy obligations for all staff.
- Create an Emergency Data Breach Plan
A plan is essential to help you respond quickly and appropriately to a data breach. It can help you effectively mitigate the fallout caused by a breach, and in particular, reputational damage. The action checklist in your Emergency Data Breach Plan will include items like containment, investigation, communication (both internally and any external notifications), a media plan, and prevention.
- Train your employees
Make sure staff know about your organisation’s obligations under the Privacy Act and what they need to do to ensure compliance. Educate staff about your organisation’s policies around personal information. Importantly, create an atmosphere where staff feel it is safe to promptly escalate mistakes and privacy breaches, and ensure staff know when privacy issues should be escalated and to whom. Bear in mind that we expect the ongoing review of the Privacy Act will result in mandatory reporting of serious privacy breaches, so you will need to know when breaches occur.
Five simple tips to roll out to staff
Here are the five tips you can roll out to your staff as part of your compliance programmes.
- Promptly escalate any disclosure
If you are aware of any breach of privacy, let your supervisor or Privacy Officer know about it as soon as possible. The sooner we know about the breach, the faster we can act to mitigate the fallout. We expect that in the near future the Privacy Act will require mandatory reporting of privacy breaches. So, if you don’t tell us about the breach, we won’t be able to comply with our obligations.
- Be wary of autocomplete when sending emails
Autocomplete conveniently suggests recipients when you are addressing your emails. But before you hit “send”, take a moment to check that your email is addressed to the intended recipient. It is very difficult to effectively recall an email once it has been sent.
- Make sure you use effective passwords on all devices
This is a good time to remember that you need strong passwords not only on your PC here at work but also on your other devices, particularly those that you use for work purposes. Make sure you don’t use the same password at work as you do for other purposes, and that you change your passwords on a regular basis.
- Exercise discretion in public or at social gatherings
It is amazing the information you can overhear in a lift, or see on someone else’s device if you happen to glance in the “right” direction. If you have to talk shop out of the office, take steps to make sure you will not be overheard and ensure your screens cannot be viewed by someone else. If you are taking files out of the office, make sure these are secure and covered.
- Be professional in internal communications
Internal communications can often be dashed off quickly without much thought to who else might see them. If a communication contains personal information about an identifiable individual, then that communication might need to be disclosed following a Privacy Act request. It is therefore important to keep in mind that communications containing personal information should be professional and shouldn’t contain derogatory statements about others.
Credit to Simpson Grierson