A short guide to privacy law: Part 2

06.08.2015
In the first article in this series, I looked at the general requirements of the Privacy Act and provided examples of how your organisation can deal with certain types of breaches.

I will now examine two of your specific obligations under the Australian Privacy Principles (APPs), which affect day to day business. The first to consider is the obligation in APP1 to have a clearly expressed and up-to-date policy which describes how you manage personal information.


This APP provides a list of elements that your policy must contain, which are:

1. the kinds of personal information you collect and hold;
2. how you collect and hold that personal information;
3. the purposes for which you collect, hold, use and disclose personal information;
4. how an individual may access the personal information you hold about them and seek its correction; and
5. how an individual may complain about a breach of the APPs, and how you will deal with such a complaint.

APP1 also requires that you take reasonable steps to make your policy available free of charge and in an appropriate form; posting it on your website is acceptable.

Making sure you understand the ingredients of APP1, and what is involved in complying with it, goes a long way to understanding the nature and intent of the Australian Privacy regime.

Clearly, the immediate goal of APP1 is to ensure your policy includes the required ingredients, but there is a great deal more to it. Taken together, the items it covers highlight all the key precepts of Australian privacy law.

Let's take a closer look.

The first two components require you to look at the data and information you collect in your business, determine which part of it is personal information, categorise the types of personal information involved, and then record how each type is collected and held.

Carried out properly, a review of the data and information you collect will provide insight into how you are conducting your business, the efficiencies involved -- or lack of them -- and potentially how you might improve effectiveness and reduce costs.

This will include reviewing internal systems and processes for data retention and management. Again, if done properly, you might be surprised at what such a review could turn up in terms of inefficiencies and/or wasted resources or costs.


Item 3 of APP1 covers a very wide range of activities, and each should be considered separately as well as part of your overall privacy compliance review. There are four separate actions covered in item 3 (collecting, holding, using and disclosing), but it is not necessarily the case that the second, third and fourth automatically follow from the first.

For example, your organisation may collect and hold personal information, but not in fact use it. Alternatively, you might be using it, but for purposes other than those for which it was collected.

Furthermore, while it is all very well to collect personal information, item 4 of APP1 focuses on how readily you can isolate and retrieve a particular individual's information, and correct it. In particular, how will you facilitate an individual contacting you, obtaining access to their information and having it changed?

Item 5 extends this by requiring a complaint management system. Investigating your organisation's compliance with APP1 is as much about understanding your own business procedures as it is about understanding the requirements of the APPs.

Having some level of comfort that you do comply with the APPs will necessitate investigating your business procedures, and understanding your strengths and weaknesses in data collection and management.


The second APP I want to look at is APP11, which concerns security. The recent assessment of St. Vincent's Hospital by the Privacy Commissioner highlights how an organisation can be aware of its responsibilities and put policies and procedures in place to address them, yet still fall short by not implementing them thoroughly enough and/or not reviewing them regularly.

The Privacy Commissioner has power under section 33C of the Privacy Act to conduct assessments of an organisation's compliance with the APPs. An assessment does not have to be connected to any complaint or formal breach of the Privacy Act.

Assessments are part of the supervisory role of the Office of the Australian Information Commissioner, and complement the guidance the Office publishes.

In the case of St. Vincent's, the assessment reviewed compliance with APP11, which requires organisations to take reasonable steps to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure.

The review focused in particular on the access and security controls for personal information stored in the hospital's electronic health record system.


The upshot of the assessment was a finding that St. Vincent's did not satisfy all the requirements of APP11. Four recommendations were made in the Commissioner's report:

St. Vincent's accepted all of the recommendations, and no doubt is working to address them. There are some valuable general lessons to be drawn from this assessment.

Related organisational policies and procedures, such as the privacy policy and the security management procedures that support it, should be consolidated into one manual or source rather than scattered across documents.

Induction and topic training should be supported by written materials, and refresher courses for that training should be provided at regular intervals. The supporting written materials ought to be reviewed and updated regularly as well.

Security and access management systems and protocols, like training materials, need to be reviewed regularly and, where appropriate, updated and/or expanded. Systems and controls need to be in place that let you see clearly how personal information is being accessed and used, and by whom, so that inappropriate access can be detected and followed up.

A regular review of your privacy compliance will not only ensure compliance with Australian privacy law, it can in fact give you a much needed, refreshed perspective on your IT and security systems, as well as your internal policies and procedures.

Guy Betar is a corporate/IT lawyer with more than 20 years' experience. He is currently special counsel at Salvos Legal and can be contacted by email at guy.betar@salvoslegal.com.au.

(www.cio.com.au)
