Privacy & the Privacy Act
The type of privacy covered by the Privacy Act 1988 (Commonwealth) is the protection of people’s personal information. In basic terms, personal information is information that identifies you or that could identify you.
The Privacy Act’s definition of personal information, as quoted here in its wording before the 12 March 2014 amendments, is:
“… information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.”
The current definition is shorter but has the same effect: information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not it is true and whether or not it is recorded in a material form.
Identifying and known information
Information does not have to include your name to be personal information. For example, in some cases your date of birth and postcode may be enough to identify you.
The mere fact that personal information may already be known to members of the public does not mean that it is not personal information, or that it is not entitled to protection under the Privacy Act.
What is confidentiality?
Confidentiality is a concept that is related to, but different from, privacy.
Confidential information is information of a confidential nature that is provided in circumstances giving rise to an obligation of confidence.
Often, people in the public sector are bound by duties of confidence, whether through relationships, through legislation or under a contract.
Confidentiality is about controlling the disclosure of information, and often deals with a broader range of information than just personal information.
Obligations of confidentiality can apply to things like:
- trade secrets
- business strategies and ideas
- technical information, and
- intellectual property.
Privacy and confidentiality
- While confidentiality can arise out of a relationship, privacy relates to the right of an individual to have their personal details protected, to be left alone and/or to be left anonymous.
- If you receive information of a confidential nature in circumstances giving rise to an obligation of confidence, you may owe an obligation of confidence to the provider of that information.
- Privacy, however, is the right of the subject of the information, no matter who provided or who received the information.
- For example, if Bill tells Tom in confidence that David has a drinking problem, the relationship of confidence is between Bill and Tom, but it is David’s privacy that is involved because it is his personal information being disclosed.
What is secrecy?
- Secrecy is about preventing information coming to the knowledge of others.
- Governments and corporations may have secrets, but not privacy rights. Privacy is a condition for individual human beings.
How secrecy is used
Secrecy may assist a person to maintain privacy and a company to maintain confidentiality.
Governments may use secrecy to serve other public interests, such as:
- the protection of national security
- the integrity of law enforcement investigations, and
- the facilitation of ‘frank and fearless’ advice.
But secrecy can also be used to avoid detection of misdeeds or to avoid public accountability.
The Privacy Act should not be used to avoid legitimate scrutiny and accountability or to impede the free flow of information.
About the Privacy Act
The Privacy Act regulates how personal information is handled.
- how personal information is collected
- how it is then used and disclosed
- its accuracy
- how securely it is kept, and
- the individual’s general right to access that information.
The Privacy Act also covers more specific matters, such as:
- the use of tax file numbers, and
- how creditworthiness information is handled by credit reporting agencies and credit providers.
The purpose of the Privacy Act
The key purposes of the Privacy Act are to:
- ensure that organisations that hold information about people handle that information responsibly, and
- give people some control over the way information about them is handled.
Who must comply with the Privacy Act?
The Privacy Act covers all federal and Australian Capital Territory (ACT) government agencies and some private sector organisations.
- If your business is a private sector organisation (including a non-government organisation or not-for-profit organisation) you are likely to be covered by the Privacy Act, unless you are a small business (annual turnover of $3 million or less).
- All private sector health service providers are covered by the Privacy Act, regardless of whether they are small businesses or not.
Why do we need a Privacy Act?
The importance of responsible information practices has been increasing over recent years.
We need privacy laws because:
- the volume of information collected and stored has increased dramatically in recent years
- electronic information is more vulnerable and more fluid
- large amounts of information can be easily copied, searched, aggregated and interlinked, stored on small portable devices, and transmitted widely, and
- the collection and use of information is often less transparent.
Privacy laws provide people with more control over how organisations handle their personal information.
What are the IPPs?
The Information Privacy Principles (IPPs) were the baseline privacy standards that federal and ACT government agencies had to comply with in relation to the personal information kept in their records, until the Australian Privacy Principles replaced them on 12 March 2014.
There were eleven IPPs in the Privacy Act, and most federal government agencies that handle information about people had to follow them. The IPPs:
- regulate the way government agencies collect, store, use and disclose information about people
- allow people access to information agencies keep about them, and
- allow people to request changes to this information.
The IPPs (x11)
- Principle 1 Manner and purpose of collection
- Principle 2 Solicitation of personal information from individual concerned
- Principle 3 Solicitation of personal information generally
- Principle 4 Storage and security of personal information
- Principle 5 Information relating to records kept by record-keeper
- Principle 6 Access to records containing personal information
- Principle 7 Alteration of records containing personal information
- Principle 8 Record-keeper to check accuracy of personal information before use
- Principle 9 Personal information to be used only for relevant purposes
- Principle 10 Limits on use of personal information, and
- Principle 11 Limits on disclosure of personal information.
What are the APPs?
- The Australian Privacy Principles (APPs) are the baseline privacy standards in the Privacy Act. Since 12 March 2014 there have been thirteen APPs, and they apply to federal and ACT government agencies as well as to the private sector organisations covered by the Act, replacing both the IPPs and the former National Privacy Principles (NPPs). All health service providers in the private sector need to comply with these principles.
- The APPs regulate how personal information is managed. They cover the collection, use, disclosure, storage and management of personal information. They also allow individuals, in certain circumstances, to access that information and have it corrected if it is wrong.
- The ten principles listed below are the former NPPs, which applied to private sector organisations before 12 March 2014. The APPs cover the same ground (with additional principles on unsolicited personal information, notification of collection and direct marketing), so the list remains a useful summary of what the principles deal with.
The former NPPs (x10)
- Principle 1 Collection
- Principle 2 Use and disclosure
- Principle 3 Data quality
- Principle 4 Data security
- Principle 5 Openness
- Principle 6 Access and correction
- Principle 7 Identifiers
- Principle 8 Anonymity
- Principle 9 Transborder data flows, and
- Principle 10 Sensitive information.
Exemptions from the Privacy Act
There are several exemptions from the Privacy Act, which relate to:
- small businesses, with some exceptions
- political activities
- journalism activities of media organisations, and
- employee records.
Role of the Privacy Officer
As a matter of good practice, all organisations should have at least one member of staff who:
- is dedicated to knowing the requirements of relevant privacy law, and
- can convey that knowledge across the organisation.
The Privacy Officer is concerned with:
- encouraging and assisting compliance with the Privacy Act
- developing policies concerning the management of personal information, and
- establishing an internal complaints process.
At Bowhill Engineering the Privacy Officer is Jodie Hawkes – firstname.lastname@example.org
A complaint may relate to any of the privacy principles. The OAIC (Office of the Australian Information Commissioner) can investigate interferences with the privacy of an individual.
- Handling complaints internally: complaints are handled through our Grievance Procedure. The OAIC encourages individuals to try to resolve their privacy concerns directly with the organisation on an informal basis first.
- Preliminary enquiries: sometimes the OAIC needs more information before it can decide whether to investigate further.
- Investigating the complaint: the OAIC writes to the respondent to tell them about the complaint and ask for their side of the story. In some cases it may decide not to investigate the complaint further. If it does investigate, it may try to resolve the complaint through conciliation, in which the complainant and the respondent are helped to reach an agreement that resolves the complaint in a fair way. If they cannot agree, the OAIC may close the complaint or make a determination.
- Making a determination: if the OAIC thinks that the respondent has offered a reasonable outcome but the complainant does not accept it, it can close the complaint on the grounds that the respondent has adequately dealt with the matter, even if the complainant does not agree. If the OAIC does not think that the respondent has offered a reasonable outcome, it can make a formal decision about what the respondent needs to do. This is called a determination.
The OAIC tries to resolve complaints on a case-by-case basis through conciliation. Depending on the particular complaint, some possible resolutions could include:
- an apology
- a change to the respondent’s practices or procedures
- staff counselling
- taking steps to address the matter, for example, providing access to personal information, or amending records
- compensation for financial or non-financial loss, or
- other non-financial options, for example, a complimentary subscription to a service.
Notifiable Data Breach (NDB)
We are aware of our obligations under the Notifiable Data Breaches scheme, which has been mandatory since 22 February 2018. Once we become aware of reasonable grounds to suspect that an eligible data breach may have occurred, we have 30 days to complete an assessment of whether it has. If an eligible data breach has occurred, we will notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals as soon as practicable, and comply with the scheme’s notification requirements.
Eligible Data Breach
An eligible data breach occurs when:
- there is unauthorised access to, or unauthorised disclosure of, personal information, or a loss of personal information, that an organisation holds; and
- the access, disclosure or loss is likely to result in serious harm to one or more individuals.
Note: if the organisation takes remedial action in time that prevents the likelihood of serious harm, then the breach is not an eligible data breach.