Privacy Principles Tested - How does your organisation measure up?
Privacy eBulletin - 8 July 2014
Since the introduction of the new Australian Privacy Principles (APPs), there has been speculation as to which sector might be the first to have their privacy practices assessed by the Privacy Commissioner. Industries such as sport, health, and the banking industry were each considered likely suspects for a test-case of the new requirements.
Last week, the Office of the Australian Information Commissioner (OAIC) answered that question when it published a report of its assessment into the privacy practices of a health services provider.
The report provides a helpful guide for organisations in a wide variety of industries to understand their privacy requirements, and how the OAIC will look to apply the new Australian Privacy Principles. The report's recommendations provide a useful yardstick for organisations to measure against when reviewing their own privacy practices.
- Which APPs were assessed?
- OAIC's Guidelines
- What are the take home lessons?
- Further information
Calvary Hospital, a private sector organisation which provides health, aged and community care, was considered an ideal candidate for assessment by the OAIC and the Department of Health. In particular, the assessment was designed to review Calvary's privacy policies to ensure compliance with the requirements of APP 1 and APP 5.
- APP 1 requires organisations to handle personal information in an open and transparent manner.
- APP 5 sets out matters that an organisation has to inform individuals about at the time of, or as soon as practicable after, the collection of their personal information.
APP 1 and APP 5 are two principles relevant to all organisations that handle personal information.
The OAIC has released a set of guidelines for organisations to consider when drafting their privacy policies. In assessing Calvary, the OAIC evaluated Calvary's policies, including draft collection notices, privacy brochures, and online privacy resources available on its website, using these guidelines as the measure.
The message for business is that those organisations which adopt practices in line with the OAIC guidelines will, for the most part, be compliant with their privacy requirements. The tricky part is that the OAIC has indicated that relying on the guidelines alone may not ensure total compliance. All businesses are different, and organisations need to apply the guidelines to their specific situation.
- whether the organisation’s policy is easy to understand;
- whether it is specific and tailored to its business;
- whether it covers the types of information collected; and
- how the information is held and disclosed.
The OAIC's guideline in relation to APP 1 is available here.
- the type of personal information collected and held by the organisation;
- how the organisation collects and holds personal information;
- the purposes for which personal information is collected, held, used and disclosed;
- how an individual may access their personal information and seek its correction;
- how an individual may complain if the entity breaches privacy requirements; and
- whether the entity is likely to disclose personal information to overseas recipients.
APP 1: Tips from Calvary
As to lessons learnt from the OAIC's review into Calvary's compliance with APP 1, the following tips should be noted:
- Where an organisation is part of a group or structure, the policy must indicate whether it applies to the whole group, or individual businesses within the group. By way of example, if there are differences in the way in which different parts of the group handle personal information, separate policies should be used. Where a central policy is used, the organisation needs to be mindful of how the APPs apply to each business in the group, and other jurisdictional or legislative issues;
- The OAIC is keen to ensure that privacy policies are easily accessible to the public, and a link at the bottom of a website home page is a commonly used and acceptable practice.
APP 5 compliance
APP 5 requires an organisation that collects personal information about an individual to take reasonable steps either to notify the individual of certain matters, or to ensure the individual is aware of those matters, either at the time of collection or as soon as practicable thereafter.
The OAIC's guideline in relation to APP 5 is available here.
The OAIC has indicated that what counts as "reasonable steps" is tied to the sensitivity of the personal information. In short, the more sensitive the information, the more onerous the steps the organisation will need to take to notify individuals of the matters in APP 5. For organisations in the health services industry, it is likely that much of the information they collect will be considered 'sensitive information'.
APP 5: Tips from Calvary
As to lessons learnt from the OAIC's review into Calvary's compliance with APP 5, the following tips should be noted:
- Organisations in a group structure must clearly and consistently specify which business is collecting the personal information;
- Organisations should identify the differences between how the personal information collected will be used, and how it may be disclosed;
- Ideally, methods of contact (phone, email) should be fixed, such that they will not change with staff turnover;
- If information is to be disclosed overseas, this must be indicated, as well as how and why such disclosures occur.
Although the APPs represent a 'principles-based approach' to privacy regulation in Australia, the clear indication from the OAIC is that businesses are obliged to comply with certain mandatory matters. Should things go awry, organisations that can demonstrate that the OAIC's requirements have been implemented in their business practices will be viewed more favourably than those that have not yet turned their minds to privacy matters.
The OAIC has not yet flexed its muscles and tested its expanded powers to ensure privacy compliance in most industries, and certainly no business wants to be that test case.