Changes to Commonwealth legislation in 2012 mean that it is important for organisations to update their privacy policies and processes to ensure compliance.

This material provides general information which is current at the time of first publication. The contents do not constitute legal advice and should not be relied upon as such. Formal legal or other professional advice should be sought where required.


Introduction

Privacy legislation is nothing new for organisations in the health, community services and education sectors. Privacy laws have been operating in Australia for over 25 years, and the majority of organisations have the basics covered.

However, recent changes to Commonwealth legislation have altered the detail of privacy compliance requirements.

Increasing awareness of the security risks surrounding electronic storage and transmission of data should also prompt review of where data is held, who could access it (legitimately or illegitimately) and how it is protected.

This article notes a few of the more significant changes introduced by the Commonwealth Privacy Amendment (Enhancing Privacy Protection) Act 2012. This legislation introduces a set of Australian Privacy Principles. Although broadly similar to previously legislated principles, there are a number of points of difference. These include:

  • Expanded notification requirements
  • Increased liability for cross-border disclosures
  • Limitation of use and disclosure to relevant information

We then provide a checklist of prompt questions which you may wish to consider in reviewing your privacy policy. Links to resources are at the end of the article.

If you need assistance in reviewing your privacy policy, Lirata Consulting can provide expert advice. Please contact us for more information.

Legislation

The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (“the Act”) came into effect in March 2014. It amends the Commonwealth Privacy Act 1988 in a variety of ways. Notably, it replaces the previous National Privacy Principles (NPPs) with a revised set of Australian Privacy Principles (APPs). Although the APPs cover broadly similar territory to the NPPs, they alter the requirements for compliance, making some areas more specific while others are broader. Organisations are now expected to be compliant with the new legislation.

It is important to note that privacy legislation affects personal information pertaining to a range of stakeholders including clients or patients, volunteers, students on placement, contractors, and Board members amongst others. Although client information tends to be the focus, privacy policies should address the full range of personal information held by the organisation.

Commonwealth legislation needs to be read in conjunction with applicable legislation in the States and Territories, with relevant clauses of funding contracts, and with government policy frameworks. Although employee information is specifically excluded from coverage under the Privacy Act 1988, it may fall within scope under other jurisdictional legislation or regulations.

Notification of collection of personal information (APP 5)

Organisations are generally aware of the requirement to notify individuals of the collection of their personal information. APP 5 expands the notification requirements to include:

  • Collection of information from third parties
  • Any information that is/must be collected by law
  • The purposes of collecting the information
  • The main consequences if information is not collected
  • Who the information is usually shared with
  • How information can be accessed and corrected
  • How a complaint about a breach of privacy can be made
  • Whether information is likely to be disclosed to overseas recipients.

You may need to update your procedures and materials to ensure that these required elements are covered.

Cross-border disclosures (APP 8)

Australian organisations which exchange information with overseas recipients now face stricter requirements and an increased scope of liability for privacy breaches. Organisations must take reasonable steps to ensure that overseas recipients do not breach the APPs. In certain circumstances, Australian organisations can now be held responsible for acts or practices of overseas recipients that would breach the APPs. Exceptions may apply where overseas recipients are bound by a code similar to the APPs and the individual whose data is at stake can use this code to manage their privacy in relation to the recipient. Other exceptions include where individuals provide informed consent for the unrestricted release of the information or where specific legal requirements are in place.

Organisations operating internationally or partnering with providers in other countries should closely examine off-shore privacy practices to ensure they meet the APP requirements.

Quality of personal information (APP 10)

The legislation has an overall focus on ensuring that personal information held by organisations is accurate, and on limiting collection to what is necessary for the organisation to undertake its core business. In line with this focus, APP 10 requires that organisations take reasonable steps to ensure that information collected is accurate, up-to-date and complete. In addition, when using or disclosing information, organisations must ensure that the information used or disclosed is relevant to the matter at hand.

Since collection, use and disclosure of client information typically involves many front line staff, you may need to review the adequacy of the tools provided for staff to collect quality data, as well as provision of training to ensure that staff understand the nature of relevance and other data quality requirements.

Policy review checklist

The following checklist is oriented towards organisations working in the health, community services and education sectors. The questions may provide useful prompts in reviewing your organisational privacy policy, procedures and forms against the Australian Privacy Principles.

Part 1: Consideration of information privacy

  • APP 1: Open and transparent management of personal information
    Are the relevant policy and procedure documents up to date and available to stakeholders in accessible formats?
  • APP 2: Anonymity and pseudonymity
    What are the legal requirements and practicalities of dealing with anonymous individuals or individuals using pseudonyms?

Part 2: Collection of personal information

  • APP 3: Collection of solicited personal information
    Are the organisation’s client consent processes and forms compliant with the APPs? Do they cover the following areas: data collection, service provision, exchange of information, research and evaluation? How is consent recorded? How does consent apply to staff, volunteers and students on placement?
  • APP 4: Dealing with unsolicited personal information
    Can the organisation distinguish between solicited and unsolicited information? Does the organisation have appropriate measures in place for managing unsolicited information?
  • APP 5: Notification of the collection of personal information
    Are all of the notification topics required by the APP covered by the organisation’s privacy policy? Do brochures, consent forms or other documents given to stakeholders (including clients, staff and volunteers) cover the required topics? Do staff cover these topics in verbal briefings to clients?

Part 3: Dealing with personal information

  • APP 6: Use and disclosure of personal information
    Do staff responsible for determining whether or not information should be disclosed to outsiders understand their responsibilities in relation to the APP? Has the organisation clearly defined the circumstances in which information will be disclosed (including those allowed or required by law)?
  • APP 7: Direct marketing
    Is any direct marketing by the organisation compliant with the APPs? For example, is it easy for people to opt out of these communications?
  • APP 8: Cross-border disclosures
    Do staff responsible for determining whether or not information should be disclosed to overseas recipients understand their responsibilities in relation to the APP? Has the organisation assessed the compliance of all overseas partners with the APPs?
  • APP 9: Adoption, use or disclosure of government related identifiers
    Does the organisation only collect, use and disclose government related identifiers (for example, Centrelink CRNs, Tax File Numbers) in defined circumstances in compliance with the law?

Part 4: Integrity of personal information

  • APP 10: Quality of personal information
    Is the personal information used by the organisation relevant, accurate, up-to-date and complete? How is relevance determined?
  • APP 11: Security of personal information
    Are robust and effective systems in place for securing, protecting, and destroying or de-identifying personal information? Has the organisation clearly defined criteria for archiving and destruction of records no longer needed for any authorised purpose?
  • APP 12: Access to personal information
    What policies and procedures facilitate access by the individual to their information? How is the appropriate access determined and how would refusal be communicated? Are access processes consistent with time and cost requirements?
  • APP 13: Correction of personal information
    What policies and procedures facilitate corrections to personal information? How are the appropriate corrections identified and how would refusal be communicated? Where corrections are made, how does the organisation communicate these to other organisations with whom it has shared the affected information?

Conclusion

Every health, education or community services organisation operating in Australia is required to operate in compliance with the amended privacy legislation. While this legislation is essential for protecting our rights, it also creates a significant compliance workload. Organisations need to consider the effects of these changes on a range of policy areas including privacy, consent, complaints, records administration, service delivery, reception, and human resource management.

If you have not done so already, you should take the following steps to ensure compliance with the APPs:

  1. Familiarise yourself with the amended legislation
  2. Update relevant policies, procedures and forms
  3. Train staff in relation to their obligations
  4. Audit practice and systems to check that the policy is being implemented as intended.

Assistance with compliance

Lirata Consulting assists organisations to review their processes and policies to ensure that they are compliant with Privacy legislation. We can provide expert advice on:

  • Development and review of privacy policies and procedures
  • Consent processes
  • Compliant records management and storage procedures
  • Auditing compliance with privacy legislation

For further information or assistance, please contact Mark Planigale at Lirata Consulting.

Mobile: 0429 136 596
Landline: 03 9457 2547

Download

In brief: Updates to Australian privacy legislation (PDF 419 KB)

External resources

A useful set of resources for understanding the legislative changes and requirements can be found at website of the Office of the Australian Information Commissioner: