IT Advocate: The privacy minefield

There are significant differences between state and federal privacy legislation. CIOs who deal with government agencies or other public sector organisations must determine the privacy laws applicable to them – and how best to accommodate them.

It is clear to most businesses that handle personal information that the Privacy Act 1988 (Cth) (Privacy Act) and the National Privacy Principles (NPPs) affect them in some way in terms of their rights and obligations under the Act. Conversely, consumers dealing with private sector organisations can be relatively certain of the procedures by which they can access personal information held by those organisations, or make a complaint about their information handling practices.

However, if consumers or service provider businesses find themselves dealing with government-owned corporations, universities, local governments, state governments or a raft of other state-based public sector bodies, they will need to undertake a significant amount of research to determine the privacy laws applicable to them, and how to best deal with those privacy laws.

At least one thing is clear -- all jurisdictions recognise a definition of personal information that is roughly the same and that such information must be protected, and used only in certain ways.

Commonwealth and Australian Capital Territory government agencies

Commonwealth and ACT government agencies are required to comply with the provisions of the Privacy Act in so far as they relate to Commonwealth and ACT government agencies. In general, this means complying with the requirements of the 11 Information Privacy Principles (IPPs).

Interestingly, the ACT also has the Health Records (Privacy and Access) Act 1997 which covers health records held in the public sector in the ACT and also seeks to apply to acts or practices in the private sector not covered by the Privacy Act. There is no such legislation dealing separately with the handling of health information at the Commonwealth level.

The Privacy Act requires that an agency entering into a contract with a service provider (whether private sector or otherwise) must take contractual measures to ensure that a contracted service provider does not do an act, or engage in a practice, that would breach an IPP if done or engaged in by the agency. If an individual considers that the contractor has breached their obligations in the handling of personal information about them, they may make a complaint to the Privacy Commissioner who has jurisdiction to directly investigate the actions of the contractor.

Individuals may apply for access to personal information held about them by a Commonwealth or ACT Government Agency either under the Privacy Act or the Freedom of Information Act 1982 (Cth), but the Privacy Commissioner has accepted that most agencies will deal with such requests in accordance with the procedures under the Freedom of Information Act, and has not initiated a separate regime for dealing with access requests under the Privacy Act.

Queensland Government Agencies

Until 1 July 2009, Queensland government agencies were bound by the requirements of ‘information standards’ which essentially did not have the force of law. As of 1 July 2009, Queensland government agencies are bound to comply with the Information Privacy Act 2009 (Qld) which sets out obligations similar to the IPPs mentioned above for most agencies, and obligations similar to the NPPs for the Queensland Department of Health.

Interestingly, and despite this new regime, Queensland does not have separate privacy legislation to regulate private sector health providers.

Under the Information Privacy Act if a service provider is contracted to provide services to a government agency, and the provider is bound to comply with the provisions of the act under the contract, then it becomes a ‘bound service provider’ for the purposes of the legislation, and it is answerable to the Privacy Commissioner under that legislation, regardless of the fact that it is not originally bound to comply with the requirements of that legislation.

Access to information held about individuals by the Queensland government is now facilitated under the Information Privacy Act. However, if an individual incorrectly makes an application for access under the Right to Information Act 2009 (Qld) (the new freedom of information legislation), then the relevant government agency must notify the individual of their error, and ask the individual whether they would like to amend their application so that it is made under the correct legislation.

Tags: IT advocate, legal, McCullough Robertson