Understanding privacy

1
Understanding privacy

• An overview of the
• Information Privacy Act

2
Session outline

• What is information privacy?
• The 10 Information Privacy Principles
• Collection
• Use and disclosure
• Management of personal information
• Access and correction
• Responding to privacy complaints

3
Why do you need to know about privacy?

• Its the law All Victorian public sector
  organisations must comply. People have a right
  to challenge how your organisation handles their
  personal information.
• Its makes good business sense - Research
  indicates that the public is more likely to trust
  an organisation that values and protects privacy.
• Privacy is a basic human right We all expect
  our privacy to be protected.

4
Context for privacy laws

• Technological advances are rapidly changing the
  way that information is collected and handled.
• For example
• Increase in CCTV cameras
• RFIDs in brochures to allow targeted advertising
  as person walks around waiting room
• Tracking traffic flow using drivers mobile
  phones
• GPS enabled school uniforms

5
Privacy matters to people

• Census 2001 46 of people said No to their
  identifying information being released in 99
  years
• Australia Post study only 8 enjoyed
  unsolicited personalised mail
• Study of Australians perceptions of privacy
• 60 said they are more inclined to trust an
  organisation that gives them control over use of
  their information
• More than 40 had refused to deal with
  organisations because of privacy concerns

6
Privacy is

• Exercising some control over who knows what about
  us.
• Privacy has several dimensions -
• Privacy of the body
• Privacy of the home
• Freedom from surveillance
• Freedom from eavesdropping
• Information privacy

7
Privacy protection is a balancing act

Maximising the level of control that individuals
have over their personal information
while ensuring that the right information is
available to the right people at the right time
in the right way to enable necessary govt
operations and services.
8
Privacy is not

• The same as secrecy-
• Privacy cannot be used to justify secrecy
  regarding an organisations operations
• The same as confidentiality-
• Confidentiality relates to the handling of
  particular categories of information

9
Privacy is

• Openness and transparency in the handling of
  personal information
• Maximising the control that a person has over how
  their personal information is handled
• Privacy laws, properly interpreted,
  facilitate legitimate flows of information.
• Paul Chadwick, Victorian Privacy Commissioner

10
The privacy protection landscape

Health Records Act (Vic)
Information Privacy Act (Vic)
Privacy Act (Cth)

• Covers
• All health related personal information held in
  public and private sectors
• Most of the personal info handled by health
  service providers

• Covers
• Federal government agencies, e.g. Centrelink
• Much of the private sector

• Covers
• All personal info handled by State government
  agencies and local government
• (other than health related info)

11

• The Victorian
• Information Privacy Act

12
Relationship to other laws

• If there is an inconsistency between a provision
  of the Information Privacy Act and another Act,
  the other Acts provision prevails to the extent
  of the inconsistency.
• (Information Privacy Act section 6)

13
Personal information

• Recorded information or opinion,
• whether true or not,
• about an identifiable individual.

(Information Privacy Act section 3)
14
Exemptions

• The Act provides for some limited exemptions
• Courts and tribunals (partial exemption)
• Publicly available information
• generally available publications
• information kept in a library, art gallery or
  museum for reference, study or exhibition and
• public record under the control of Keeper of
  Public Records that is available for public
  inspection
• Law enforcement (partial exemption)

15
Information Privacy Principles

• 10 Information Privacy Principles (IPPs) form the
  core of the Information Privacy Act.
• IPPs are connected and guide how personal
  information should be handled
• Collection (IPPs 8, 1, and 10)
• Use and Disclosure (IPPs 2 and 9)
• Management of personal information (IPPs 3, 4, 5
  7)
• Access and Correction (IPP 6 and Freedom of
  Information)

16
Collection
17
Collection

• IPP 8 - Anonymity
• Agencies must give individuals the option of not
  identifying themselves when entering
  transactions, if that is lawful and feasible

18
Collection

• IPP 1 - Collection
• Collect only personal information that is
  necessary for the performance of functions
• Collect for a pre-determined purpose
• Collect lawfully, fairly and not unreasonably
  intrusively
• Collect information only from the person
  themselves, where practicable

19
When collecting personal information, tell the
person

• who is collecting the information
• what it will be used for
• whether the collection is required by law
• how the person can get access to the information
• who else usually has access to the information
• what the main consequences, if any, are for the
  person if they do not provide the information.
• (Information Privacy Act IPP 1.3)

20
Collection

• IPP 10 - Sensitive information
• Collection of sensitive information is tightly
  restricted. This includes information or opinion
  about an individuals
• political views
• religious beliefs
• sexual preferences
• membership of groups (e.g. unions, political
  groups)
• racial or ethnic origin or
• criminal record.

21
Use and disclosure
22
Use and disclosure (IPP 2)

• Use and disclose personal information for the
  primary purpose for which it was collected
• Or a related purpose a person would reasonably
  expect
• Or for one of the other reasons in IPP 2
• Otherwise, use and disclosure can only occur with
  consent.

23
Consent

• Individual has the capacity to consent
• Voluntary
• Informed
• Specific
• Current

24
Use and disclosure

• IPP 2 - Exceptions
• Specified categories of use or disclosure
  include
• Required or authorised by another law
• Research or statistical analysis
• Serious and imminent threat to individuals life,
  health, safety or welfare
• Serious but not imminent threat to public
  health, safety or welfare
• Eg bushfires and
• Law enforcement and security.

25
Use and disclosure

• IPP 9 Transborder data flows
• Personal information can only be transferred
  interstate or overseas if certain conditions are
  met.
• Consent is one condition.

26
Management of personal information

27
Management of personal information

• IPP 3 Data quality
• Make sure personal information is
• accurate
• complete
• up-to-date

28
Management of Personal information

• IPP 4 Data Security
• Take reasonable steps to protect personal
  information from misuse, loss, unauthorised
  access, modification or disclosure.
• Personal information should be destroyed or
  de-identified when it is no longer needed.

• Destruction should be in accordance with disposal
  schedules of the Public Records Act 1973.

29
Management of Personal Information

• Physical security might include precautions like
• locking filing cabinets
• restricting access to certain areas
• positioning computer terminals so they cannot be
  seen by unauthorised personnel
• questioning unaccompanied or unrecognised
  visitors and
• disposing of paper records effectively.

30
Management of Personal Information

• Operational Security might include
• rules on levels of access
• audit trails to detect unauthorised access
• changing of passwords at frequent intervals
• avoiding collecting information in public waiting
  rooms where possible
• procedures for verifying identity for telephone
  transactions
• using fictitious information for training and
• procedures for dealing with employees who leave.

31
Management of Personal Information

• Security of transmission
• Fax
• programming fax machines to avoid risk of
  misdialling
• retaining fax activity history reports
• controlling the type of information sent and
• telephoning intended recipient prior to
  transmission.

32
Management of Personal Information

• E-mail
• guidelines for use of e-mail
• encrypting files
• blind carbon copying address details and
• e-mail privacy notices.
• Post
• take care not to display contents of letters
  through window envelopes.

33
Management of Personal Information

• IPP 7 Unique identifiers
• Limits the
• assignment
• adoption and
• sharing of unique identifiers.
• Intended to minimise cross-matching of data
  across government agencies.

34
Management of Personal Information

• IPP 5 - Openness
• Document clearly expressed policies on management
  of personal information and provide the policies
  to anyone who asks.
• Know where to find the policy.
• Know who your privacy contact person is.
• Make sure the policy is reviewed to reflect
  current practice.

35
Access and correction
36
IPP 6 Access and Correction

• Individuals have a right to seek access to their
  personal information and make corrections.
• Access and correction are mostly handled under
  the Freedom of Information Act.

37
The five privacy rights

• The IPPs can be summarised as
• The right information
• to the right people
• for the right reason
• in the right way
• at the right time.

38
Privacy Victorias compliance activities

• Responding to complaints
• Audits
• Compliance notices

39
What can a privacy complaint relate to?

• A person may complain about a perceived breach of
  any of the 10 IPPs which interferes with their
  privacy.
• The breach must have occurred after 1 September
  2002.

40
Complaints procedure

• Emphasis on individual attempting to resolve
  their privacy concerns directly with the
  organisation
• Commissioner considers whether or not to
  entertain the complaint
• Conciliation through Privacy Victoria
• Privacy Commissioner makes a decision when
  conciliation is not possible or fails
• Referral to VCAT

41
Remedies

• If VCAT upholds a complaint, potential remedies
  include
• restraint orders
• ordering action to redress the damage suffered
• compensation orders of up to 100,000 and
• reimbursement of expenses incurred in making the
  complaint.

42
Key points

• Privacy laws do not prevent the legitimate flows
  of information necessary for the operation of
  government.
• Become familiar with the 10 IPPs and apply them
  to the way you handle personal information
• Collect only the information you need.
• Advise people why you need the information and
  how it will be used and disclosed.
• Use and disclose for the primary purpose of
  collection unless the person consents or an
  exemption applies.
• Take steps to ensure the quality of the
  information.
• Secure the information.

43
More information

• Privacy Victoria
• www.privacy.vic.gov.au
• 1300 666 444
• Federal Privacy Commissioner
• www.privacy.gov.au
• 1300 363 992
• Victorian Health Services Commissioner
• www.health.vic.gov.au/hsc
• 8601 5200