In the first article in this series, I looked at the general requirements of the Privacy Act and provided examples of how your organisation can deal with certain types of breaches.
I will now examine two of your specific obligations under the Australian Privacy Principles (APPs), which affect day to day business. The first to consider is the obligation in APP1 to have a clearly expressed and up-to-date policy which describes how you manage personal information.
This APP provides a list of elements that your policy must contain, which are:
- The kinds of personal information you collect and hold.
- How you collect and hold personal information.
- The purposes for which you collect, hold, use and disclose personal information.
- How someone can access the personal information about them that you hold, and get it corrected.
- How someone can complain about a breach of an APP and how that complaint will be dealt with.
- Whether you are likely to disclose personal information to overseas recipients, and if so, the countries involved.
APP1 also requires that you take reasonable steps to make your policy available – posting it on your website is acceptable.
Making sure you understand the ingredients of APP1, and what is involved in complying with it, goes a long way to understanding the nature and intent of the Australian Privacy regime.
Clearly, the primary goal of APP1 is to ensure your policy includes the required ingredients – but there is a great deal more. When you look at the items covered, they highlight all the key precepts of Privacy law.
Let’s take a closer look.
The first two components necessitate looking at the data and information you collect in your business, determining what part of that is personal information, and then categorising the types of personal information that are involved.
Carried out properly, a review of the data and information you collect will provide insight into how you are conducting your business, the efficiencies involved – or lack of them – and potentially how you might improve effectiveness and reduce costs.
This will include reviewing internal systems and processes for data retention and management. Again, if done properly, you might be surprised at what such a review could turn up in terms of inefficiencies and/or wasted resources or costs.
Item 3 of APP1 covers a very wide range of activities and each should be considered separately, as well as part of your privacy compliance review. There are four separate actions covered in item 3, but it is not necessarily the case that parts 2, 3 and 4 automatically occur.
For example, your organisation may collect and hold personal information, but not in fact use it. Alternatively, you might be using it, but for purposes other than those for which it was collected.
Furthermore, while it is all very well to collect personal information, item 4 of APP1 focuses on how readily you can isolate and retrieve a particular individual’s information, and correct it. In particular, how will you facilitate an individual contacting you and wanting access to it and to change it?
Item 5 is an extension of the above in terms of providing a complaint management system. Investigating your organisation’s compliance with APP1 is about understanding your business procedures as much as it is about understanding the requirements of the APPs.
Having some level of comfort that you do comply with the APPs will necessitate investigating your business procedures, and understanding your strengths and weaknesses in data collection and management.
The second APP I want to look at is APP11. The recent assessment of St. Vincent’s Hospital by the Privacy Commissioner highlights how organisations can be aware of responsibilities and put procedures and policies in place to address them, but fall down in not taking them to a high enough level, and/or not reviewing them regularly. This is directly relevant to APP11, which concerns security.
The Privacy Commissioner has power under section 33 of the Privacy Act to conduct assessments of an organisation’s compliance with the APPs. This does not have to be connected to any complaint or formal breach of the Privacy Act.
It is part of the supervisory and interactive aspect of the Office of the Australian Information Commissioner, and is seen as a supplement to the published guidelines.
In the case of St. Vincent’s, the assessment was to review compliance with APP11, which requires organisations to take reasonable steps to protect the personal information they collect from misuse or interference, and from unauthorised access or modification.
The review focused in particular on the access and security controls pertaining to the storage of information on its electronic health record system.
The upshot of the assessment was a finding that St. Vincent’s did not satisfy all the requirements of APP11. Four recommendations were made in the Commissioner’s report:
- The hospital’s security and access policies needed updating. The policy relating to the eHealth system did not contain information about the hospital’s Privacy Act obligations, nor did it contain any guidance on security measures staff should take when using the eHealth system.
- The hospital did provide induction training for new staff, but the Commissioner found it was inadequate in that it was not supported by written materials, nor were there any follow up courses.
- The access rights and procedures were out of date and needed review and upgrading. The hospital did not have any clear process for reviewing access rights.
- The eHealth user access logging system was not adequate. In particular, viewing of the metadata was not tracked.
St. Vincent’s accepted all of the assessments, and no doubt is working to address them. There are some valuable general guidelines to be drawn from this assessment.
Related organisational policy or procedural topics, like privacy and security management pertaining to it, should be consolidated into one manual or source.
Induction and topic training should be supported by written materials, and refresher courses for that training should be provided at regular intervals. The supporting written materials ought to be reviewed and updated regularly as well.
As with training materials, so security and access management systems and protocols need to be regularly reviewed and, where appropriate, updated and/or expanded. Systems and controls need to be in place to be able to monitor clearly how personal information is being accessed and used, and by whom.
A regular review of your privacy compliance will not only ensure compliance with Australian privacy law, it can in fact give you a much needed, refreshed perspective on your IT and security systems, as well as your internal policies and procedures.
Guy Betar is a corporate/IT lawyer with more than 20 years’ experience. He is currently special counsel at Salvos Legal and can be contacted by email at email@example.com.