Privacy: protecting not preventing Privacy quiz for Victorian Public Sector staff The Office of the - PowerPoint PPT Presentation

Slides: 34
Provided by: davidt57
Transcript and Presenter's Notes


1
Privacy: protecting not preventing
Privacy quiz for Victorian Public Sector staff
The Office of the Victorian Privacy Commissioner thanks the
Department of Justice for their permission to use
this quiz.
2
Welcome to the Privacy Quiz
  • This quiz
  • aims to help you understand the rules about
    privacy
  • is meant to complement face-to-face privacy
    training
  • consists of 20 introductory slides (as a
    refresher) and then 12 multiple choice questions
    and
  • should take about 10-15 minutes.

3
Privacy Laws & You
  • As a government employee, you need to comply with
    privacy laws.
  • How you must handle personal information is
    stated in the 10 Information Privacy Principles
    (IPPs) in the Information Privacy Act 2000 (Vic).
  • Personal information means recorded information
    that identifies a person or could be used to
    identify a person.
  • For example: A person's name and address is
    personal information.
  • A person's postcode and age (without his or her
    name) would be personal information if that
    person were the only elderly person living in
    a remote area in Victoria. This is because
    you could use that information to work out the
    person's identity.
  • Tip: Ask yourself: Could anyone work out the
    individual's identity from this information?
  • If the answer is yes, then it's personal
    information.
  • If the answer's no, then it's not personal
    information.

4
Information Privacy Principles (IPPs)
  • This quiz is about the main concepts covered by
    the IPPs. These are:
  • Collection of personal information
  • Use & Disclosure of personal information
  • Management of personal information
  • Access & Correction regarding personal information

5
Collection
  • Collection means gathering, or getting access to,
    personal information.
  • Don't collect what you don't need.
  • When dealing with individuals, you must give them
    the option of being anonymous, where this is
    feasible and lawful.
  • For example: When you receive general phone
    inquiries or completed evaluation forms, let the
    individual choose whether or not to identify
    him/herself.
  • You must not collect personal information unless
    you need to for your work.
  • Tip: Always work out why you collect, or might
    collect, people's personal information.

6
Collection continued
  • Collect in a lawful and fair way.
  • You must only collect personal information
    lawfully and fairly.
  • For example: Don't mislead or deceive people
    about the purpose for collecting their personal
    information.
  • Don't tell people it's mandatory to provide
    personal information if it's really optional.

7
Collection continued
  • Collect from the individual, rather than someone
    else.
  • You must not collect personal information about
    an individual from someone else, unless it is
    unreasonable and impracticable to collect from
    the individual (i.e. unless you need to).
  • For example: In an emergency, if a person is
    unconscious, you may collect necessary
    information about that person from a friend or
    relative.

8
Collection continued
  • Inform people when you collect their personal
    information.
  • When collecting people's personal information you
    must take reasonable steps to tell them:
  • Why you are collecting their information
  • Who you expect to disclose their information to
  • The name and contact details of your
    organisation
  • They have a right to ask for access to their
    personal information
  • What happens if they don't give you their
    information and
  • Any law that requires their information to be
    collected
  • Tips: Put this information in a recorded phone
    message, in your standard forms or
    correspondence, on signs or on your website.
  • Be specific about why you are collecting
    personal information.

9
Use & Disclosure
  • Use means what you do with personal information
    (without disclosing it to another person).
  • Disclosure means enabling another person to
    access the personal information.
  • For example: You use the job application to
    assess whether the applicant should get the
    job; you disclose the job applicant's details
    to the police (with consent) for a criminal
    record check.

10
Use & Disclosure continued
  • Generally, only use and disclose personal
    information for the reason you collected it.
  • This is the general rule (or starting point) for
    use and disclosure of personal information.
  • Tips: Always work out why you disclose, or might
    disclose, people's personal information.
  • Always work out why you are using, or might use,
    people's personal information in a particular
    way.

11
Use & Disclosure continued
  • Use and disclosure is allowed for some other
    purposes.
  • If you need to use or disclose personal
    information for a reason that's different to the
    reason you collected it, check IPP 2.1 to see if
    you can.
  • IPP 2.1 gives a list of other reasons for which
    you can use and disclose personal information,
    such as:
  • with the person's consent
  • where authorised by law
  • for health and safety reasons
  • for law enforcement reasons

12
Use & Disclosure continued
  • If there's a legitimate reason for using or
    disclosing personal information, privacy laws
    generally will allow that use or disclosure.
  • For example: You are not allowed to look up your
    neighbour's details because you are curious.
  • Tip: When you give access to people's
    information, make sure there's a record of
    that access and the reason for it.

13
Use & Disclosure continued
  • Protect personal information when you send it out
    of Victoria.
  • If you send personal information outside of
    Victoria, make sure it is protected by privacy
    obligations.

14
Management
  • Management covers security, accuracy and
    destruction of personal information, as well as
    openness about privacy practices.
  • Keep personal information secure.
  • You must do what's reasonable to ensure personal
    information is protected from loss, misuse,
    unauthorised access, unauthorised disclosure and
    unauthorised modification.

15
Management tips 1
  • Clear the printer tray at the end of each day.
  • Don't discuss personal information in the lift,
    foyer or corridor.
  • Use encryption and password protection where
    appropriate.
  • Restrict access to electronic records and conduct
    regular audits of database access.
  • Don't have loose papers on files as they may fall
    out.
  • Keep files in locked filing cabinets when not
    being used.

16
Management tips 2
  • Place computer screens where they can't be seen
    by clients or members of the public.
  • Pre-program fax numbers to avoid mis-dialling.
  • Use the secure printing function on printers.
  • Don't take personal information away from work
    unless you need to. Find out about and comply
    with local security policies for out-of-office
    information.
  • Ask yourself: Am I doing all that's reasonable
    to keep people's information secure?

17
Management continued
  • Keep personal information accurate.
  • You must do what's reasonable to make sure the
    personal information you collect, use or disclose
    is accurate, complete and up to date.
  • Tips: Pay particular attention to individuals'
    contact details. Sending personal information to
    the wrong place can have serious consequences.
  • If you take down someone's details over the
    phone or in person, repeat back the details to
    check they're right.
  • When you send out correspondence, remind
    addressees to update their contact details if
    they change.
  • When speaking with people before you send them
    something, check that their address details are
    up to date.
  • Ask yourself: Am I doing all that's reasonable
    to keep people's information accurate?

18
Management continued
  • Don't keep personal information you don't need
    anymore.
  • You must do what's reasonable to destroy or
    permanently de-identify personal information if
    it's not needed any more for any reason.
  • Tips: You should periodically destroy records, in
    accordance with the requirements of the Public
    Records Act 1973 (Vic). Get advice about this
    from records management specialists.
  • When you destroy records, do it properly:
    destroy them completely and confidentially;
    don't just put them in an ordinary bin. Use a
    shredder.

19
Management continued
  • Be open about your privacy practices.
  • You must have a written privacy policy and make
    it available to clients, staff and the general
    public.
  • Large organisations will need different privacy
    policies to cover their different functions and
    practices.
  • Tip: Put your privacy policy/policies on your
    website and have hard copies available at your
    workplace.
  • Review your privacy policies regularly.

20
Access & Correction
  • Individuals have a right to ask for access to
    their personal information.
  • Individuals have a right to ask for correction of
    their personal information if it is inaccurate.
  • For organisations subject to the Freedom of
    Information Act, access and correction is handled
    under that Act.

21
Question 1/12
  • Where it is lawful and practicable, individuals
    must have the option of WHAT when interacting
    with you?
  • Being anonymous
  • Providing their name, address and telephone
    number
  • Providing their family's contact details

22
Question 2/12
  • Which type of information listed below is NOT
    personal information?
  • A person's religious beliefs
  • A person's criminal record
  • A photograph of a person
  • A Medicare number
  • Melbourne's postcode (3000)
  • Personnel records

23
Question 3/12
  • You must only collect personal information
  • Which is necessary for your work
  • By fair and lawful means
  • Preferably from the individual concerned
  • In all these instances

24
Question 4/12
  • You must take reasonable steps to tell people, at
    or before the time personal information is
    collected, why you are collecting it and who you
    expect to disclose it to.
  • True
  • False

25
Question 5/12
  • What are the main privacy concepts in this quiz?
  • Collection
  • Use & Disclosure
  • Management
  • Access & Correction
  • All of the above

26
Question 6/12
  • Once you gather personal information you can use
    or disclose that information for
  • Any reasons
  • The reasons for which you collected it
  • The reasons you can think of at the time you use
    or disclose the information

27
Question 7/12
  • A good test for whether or not to collect, or
    give access to, personal information is
  • The need-to-know test
  • The litmus test
  • The rule-of-thumb test

28
Question 8/12
  • You should ensure contact details are up-to-date
    prior to using them to contact an individual.
  • True
  • False

29
Question 9/12
  • Which of these is NOT a measure to keep personal
    information secure?
  • Locked filing cabinets
  • Using the need-to-know test
  • Password-protecting electronic files
  • Discussing personal information in the hallways
    and foyers of your workplace because we are all
    government employees

30
Question 10/12
  • Government agencies need to have publicly
    available privacy policies (setting out how they
    manage personal information).
  • True
  • False

31
Question 11/12
  • Individuals have the right to seek access to
    their personal information and ask for
    corrections to be made.
  • True
  • False

32
Question 12/12
  • Where do you go to find out when you can destroy
    documents?
  • Public Records Office of Victoria (PROV)
  • Authorities and schedules issued under the Public
    Records Act 1973
  • Your records management staff
  • All of the above

33
Want to know more?
  • For more information about privacy laws go to
    your intranet, your privacy contact officer or
    www.privacy.vic.gov.au.
  • For further information about this quiz please
    contact Privacy Victoria on
  • 1300 666 444 or email training_at_privacy.vic.gov.au.