The Privacy Act amendments make numerous changes to the way agencies collect, hold, use and disclose personal information. Agencies already have systems and procedures to comply with current privacy obligations. What needs to happen now is to identify what the new obligations are and how to adapt existing practices and procedures to achieve compliance. A high-level approach to becoming compliant has these phases:
One of the key steps in the toolkit is designing and conducting the privacy audit. The audit identifies the agency's current privacy practices and procedures and compares them against the new obligations to determine areas of non-compliance.
A privacy audit is designed to identify:
- types of personal information you currently collect, hold, use and disclose
- types of personal information you may collect, hold, use and disclose in the future
- how you collect, hold, use and disclose that information
- what legislation, policies and procedures currently govern your agency's collection, holding, use and disclosure of personal information
- where these activities take place, and
- what may be "reasonable steps" in the context of your agency and in relation to individual information collection processes.
The audit project team should involve senior management from the legal, FOI, IT, media relations and HR areas in your agency.
Assess current privacy compliance
To collect privacy compliance information, each area within the agency will need to be investigated. As an initial step, a questionnaire is useful to identify current practices and to get managers thinking about how those practices may need to change.
The best questionnaires contain appropriate guidance to assist line areas to understand relevant concepts, for example, the collection, use and disclosure of sensitive information.
At a minimum, the questionnaire should ask each area to identify their current practices around the key stages of the information lifecycle. To help you we have included a list of items your questionnaire should cover below.
Validation and clarification
After the questionnaires have been completed and analysed, the audit team should meet with line areas to confirm they understood the questions, validate the responses, identify any areas of risk and non-compliance, and discuss appropriate compliance strategies.
Prepare audit report
The audit report will present the audit team's findings and identify:
- key privacy issues and risks facing the agency
- the level of privacy compliance within the agency, and
- recommendations to ensure compliance with privacy obligations.
Privacy compliance survey topic suggestions
- The systems, policies and procedures in place to ensure compliance with the area's privacy obligations
- The privacy training and guidance material used by the area in carrying out their functions
- The results of any privacy compliance audits that have been undertaken
- Any complaints handling process in place regarding the collection, holding, use and disclosure of personal information
- Any complaints or enquiries received in the past
- Any specific legislation that governs their current privacy practices
- The types of personal information that it collects
- Any personal information that it collects that is "sensitive information"
- Any government identifiers attached to the personal information
- Whether it's lawful/practical for people to remain anonymous when dealing with the area
- Why that personal information is required for its functions
- Any legal requirement or authorisation to collect the personal information
- How the personal information is collected
- How the area informs the person of its policies and procedures for collection of the personal information
- What the area informs the person about the collection of the information
- The terms of any consent that a person gives to the collection
- Any unsolicited personal information that is received
- How the area uses the information collected
- Why the information is required to be used for the area to exercise its function
- Any legal requirement or authorisation to use the information
- How the individual is informed of that use
- The terms of any consent to that use
- The policies and procedures the area follows that govern use of personal information
- Any personal information disclosed
- Any personal information disclosed overseas and, if so, where and under what conditions
- How the individual is made aware of the disclosures
- Terms governing any disclosure to third parties and terms of any consent to disclosure
- Any legal requirement or authorisation to disclose the information
- Policies and procedures the area follows that govern disclosure of personal information
Storage and security
- How the personal information is stored
- What security measures are in place to protect the information against loss and unauthorised access, use, modification or disclosure
- What security policies and procedures governing the handling and storage of personal information apply to the area
- What protocols and procedures govern adding, amending or deleting personal information
- What legal requirements or authorisations apply to storing and destroying personal information
Information integrity
- How an individual can access their personal information
- How individuals are made aware that the area holds their personal information
- How individuals are made aware of their ability to access their personal information
- Any legal requirement or authorisation governing refusal of access to the information
- The policies and procedures the area follows that govern a person's access to personal information
- How the area ensures that the personal information is accurate, relevant, up-to-date, complete and not misleading
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.