Furthermore, while it is all very well to collect personal information, item 4 of APP1 focuses on how readily you can isolate and retrieve a particular individual's information, and correct it. In particular, how will you facilitate an individual contacting you and wanting access to it and to change it?
Item 5 is an extension of the above in terms of providing a complaint management system. Investigating your organisation's compliance with APP1 is about understanding your business procedures as much as it is about understanding the requirements of the APPs.
Having some level of comfort that you do comply with the APPs will necessitate investigating your business procedures, and understanding your strengths and weaknesses in data collection and management.
The second APP I want to look at is APP11. The recent assessment of St. Vincent's Hospital by the Privacy Commissioner highlights how organisations can be aware of their responsibilities and put procedures and policies in place to address them, yet still fall short by not taking those measures far enough and/or not reviewing them regularly. This is directly relevant to APP11, which concerns security.
The Privacy Commissioner has power under section 33 of the Privacy Act to conduct assessments of an organisation's compliance with the APPs. This does not have to be connected to any complaint or formal breach of the Privacy Act.
It is part of the supervisory and interactive aspect of the Office of the Australian Information Commissioner, and is seen as a supplement to the published guidelines.
In the case of St. Vincent's, the assessment was to review compliance with APP11, which requires organisations to take reasonable steps to protect the personal information they collect from misuse or interference, and from unauthorised access or modification.
The review focused in particular on the access and security controls pertaining to the storage of information on its electronic health record system.
The upshot of the assessment was a finding that St. Vincent's did not satisfy all the requirements of APP11. Four recommendations were made in the Commissioner's report:
- The hospital's security and access policies needed updating. The policy relating to the eHealth system did not contain information about the hospital's Privacy Act obligations, nor did it contain any guidance on security measures staff should take when using the eHealth system.
- The hospital did provide induction training for new staff, but the Commissioner found it inadequate, in that it was not supported by written materials and there were no follow-up courses.
- The access rights and procedures were out of date and needed review and upgrading. The hospital did not have any clear process for reviewing access rights.
- The eHealth user access logging system was not adequate. In particular, viewing of the metadata was not tracked.