In the first article in this series, I looked at the general requirements of the Privacy Act and provided examples of how your organisation can deal with certain types of breaches.
I will now examine two of your specific obligations under the Australian Privacy Principles (APPs), both of which affect day-to-day business. The first to consider is the obligation in APP1 to have a clearly expressed and up-to-date policy describing how you manage personal information.
This APP provides a list of elements that your policy must contain, which are:
- The kinds of personal information you collect and hold
- How you collect and hold personal information
- The purposes for which you collect, hold, use and disclose personal information
- How someone can access the personal information about them that you hold, and get it corrected
- How someone can complain about a breach of an APP and how that complaint will be dealt with
- Whether you are likely to disclose personal information to overseas recipients and, if so, the countries in which those recipients are likely to be located (where it is practicable to specify them).
APP1 also requires that you take reasonable steps to make your policy available -- posting it on your website is acceptable.
Making sure you understand the ingredients of APP1, and what is involved in complying with it, goes a long way to understanding the nature and intent of the Australian Privacy regime.
Clearly, the primary goal of APP1 is to ensure your policy includes the required ingredients -- but there is a great deal more. When you look at the items covered, they highlight all the key precepts of Privacy law.
Let's take a closer look.
The first two components necessitate looking at the data and information you collect in your business, determining what part of that is personal information, and then categorising the types of personal information that are involved.
Carried out properly, a review of the data and information you collect will provide insight into how you are conducting your business, the efficiencies involved -- or lack of them -- and potentially how you might improve effectiveness and reduce costs.
This will include reviewing internal systems and processes for data retention and management. Again, if done properly, you might be surprised at what such a review could turn up in terms of inefficiencies and/or wasted resources or costs.
Item 3 of APP1 covers a very wide range of activities, and each should be considered separately as well as part of your overall privacy compliance review. It names four distinct actions (collect, hold, use and disclose), but collecting personal information does not mean that holding, using and disclosing it automatically follow.
For example, your organisation may collect and hold personal information but never actually use it. Alternatively, you might be using it, but for purposes other than those for which it was collected, which is itself a question your compliance review needs to answer.