This content is currently in Alpha


Keeping user data safe

The collection, use, disclosure and storage of personal information by most Australian Government agencies and some private sector organisations is tightly regulated.

Failing to address privacy properly can damage the community’s trust in the Australian Government and undermine the success of your digital service. It may also put your agency in breach of the Privacy Act 1988 (Privacy Act).

The Office of the Australian Information Commissioner (OAIC) is responsible for privacy functions under the Privacy Act and other laws. It has a number of privacy regulatory powers, including the power to investigate complaints made by individuals about alleged breaches of the Privacy Act.

The OAIC’s APP guidelines outline the mandatory requirements of the Australian Privacy Principles (APPs), how the OAIC will interpret the APPs, and matters it may take into account when exercising functions and powers under the Privacy Act.

Why must I?

Legislative requirement: the Privacy Act regulates the handling of personal information about individuals. The Privacy Act contains 13 APPs that set out standards and obligations that apply to most Australian Government agencies when they handle personal information.

How do I?

Identify personal information

Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable. What constitutes personal information can be dynamic and will vary, depending on whether an individual can be identified or is reasonably identifiable in the particular circumstances. It can be a lot more than a name and address.

Understand what you are collecting and what you are going to do with it

When gathering data you should understand what personal information you are collecting, why you are collecting it, and what will happen to it. The APPs, in particular APP 3, APP 4 and APP 6, regulate the purposes for which agencies may collect, use and disclose personal information. Stricter obligations apply to the collection, use and disclosure of sensitive information.

When developing your digital service, it is important that you consider how you will handle personal information at the beginning and then across the entire personal information life cycle, including how you will protect the information at each stage. The life cycle may include passing information to a third party for storage, processing or destruction. You may still be responsible for the security of the information in those circumstances.

Protect the information you handle

Under the Privacy Act, agencies must take reasonable steps to protect the personal information they hold from misuse, interference, loss, and from unauthorised access, modification or disclosure (APP 11). Agencies must also take reasonable steps to destroy or de-identify personal information that they hold once it is no longer needed (unless an exception applies).
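The obligation above has two halves: keep identifiable records only for as long as they are needed, and then destroy or de-identify them. The following is an added example, not code from the original page or from the OAIC, of a retention sweep that applies a per-purpose retention period and either destroys an expired record or reduces it to a keyed pseudonym. The record fields, the retention periods, the purposes that may keep de-identified data, and the HMAC-SHA256 pseudonymisation are all assumptions made for the example; the sample records are constructed.

```python
"""Added example (not from the original page): an APP 11-style retention sweep.
All field names, retention periods and the pseudonymisation scheme are assumed."""
import hashlib
import hmac
from datetime import date, timedelta

# Assumed retention policy: how many days identifiable records may be kept,
# keyed by the purpose the information was collected for.
RETENTION_DAYS = {
    "service_delivery": 365,
    "analytics": 30,
}

# Assumed: purposes for which a de-identified record is still needed after
# expiry (e.g. aggregate statistics). Everything else is destroyed outright.
KEEP_DEIDENTIFIED = ("analytics",)

# Assumed direct identifiers to strip when de-identifying a record.
DIRECT_IDENTIFIERS = ("name", "email", "phone", "address")

# Assumed pseudonymisation key. It is held separately from the data so that a
# copy of the de-identified records alone cannot be linked back to people.
KEY = b"example-key-store-this-in-a-kms-not-in-code"
TODAY = date(2015, 8, 18)

# Constructed sample records for the example.
SAMPLE_RECORDS = [
    {"name": "A Citizen", "email": "a@example.gov.au", "purpose": "service_delivery",
     "collected_at": date(2015, 6, 1), "case_status": "open"},
    {"name": "B Citizen", "email": "b@example.gov.au", "purpose": "service_delivery",
     "collected_at": date(2014, 1, 10), "case_status": "closed"},
    {"name": "C Citizen", "email": "c@example.gov.au", "purpose": "analytics",
     "collected_at": date(2015, 5, 1), "pages_viewed": 7},
    {"name": "D Citizen", "email": "d@example.gov.au", "purpose": "analytics",
     "collected_at": date(2015, 8, 10), "pages_viewed": 2},
]


def pseudonym(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of an identifier, truncated to 16 hex characters.

    A plain hash would let anyone recover identities by hashing guessed
    names or e-mail addresses; the key prevents that while still letting
    records about the same person be counted together."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def expired(record: dict, today: date) -> bool:
    """True once the record has outlived the retention period for its purpose."""
    limit = timedelta(days=RETENTION_DAYS[record["purpose"]])
    return record["collected_at"] + limit < today


def deidentify(record: dict, key: bytes) -> dict:
    """Drop direct identifiers and replace them with a keyed pseudonym."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject"] = pseudonym(record["email"], key)
    return out


def sweep(records: list, today: date, key: bytes) -> tuple:
    """Partition records into (retained, de-identified, destroyed_count).

    Records still within their retention period are kept unchanged; expired
    records are de-identified only where the purpose still needs aggregate
    data, and destroyed (not returned) otherwise."""
    retained, deidentified, destroyed = [], [], 0
    for record in records:
        if not expired(record, today):
            retained.append(record)
        elif record["purpose"] in KEEP_DEIDENTIFIED:
            deidentified.append(deidentify(record, key))
        else:
            destroyed += 1
    return retained, deidentified, destroyed


def run_example() -> tuple:
    """Run the sweep over the constructed sample records as at TODAY."""
    return sweep(SAMPLE_RECORDS, TODAY, KEY)


if __name__ == "__main__":
    retained, deidentified, destroyed = run_example()
    print(f"retained={len(retained)} deidentified={len(deidentified)} destroyed={destroyed}")
    for rec in deidentified:
        print(rec)
```

Two caveats a practitioner should keep in mind. First, de-identification is only as good as the re-identification risk in context: under the definition of personal information used above, a pseudonymised record is still personal information if the individual remains reasonably identifiable from the remaining fields or from the key, so the key must be protected (and destroyed when the pseudonyms are no longer needed) and the remaining fields reviewed for uniqueness. Second, `destroyed` here is only a count; in a real service the sweep must actually delete the record from every copy, including backups and any third-party processor, because responsibility for the information does not end when it is handed to someone else.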

Digital services should be designed to:

The OAIC’s Guide to securing personal information is an important reference tool to help you meet your obligations under APP 11. It contains further information about personal information security, including steps and strategies to protect personal information.

Consider a privacy impact assessment, privacy by design, and other tools

When designing a digital service, it is important you describe and map the personal information flows associated with the service at the outset. The OAIC strongly recommends that you conduct a privacy impact assessment (PIA) — it can help you meet your obligations under the Privacy Act. A PIA is a systematic assessment that identifies the impact a project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact. You should also use the results from your PIA to help design your security controls.

You should also consider adopting privacy by design (PbD). This is an approach to privacy management that ensures privacy protections are built into practices, procedures and systems from the start. PbD aims to ensure privacy is considered at the beginning, and then across the entire information life cycle and in all business processes, planning, projects and priorities. PbD is an important strategy for both minimising and managing privacy risks. The OAIC’s Guide to undertaking privacy impact assessments has been developed to assist Australian Government agencies (and other entities) conduct PIAs and to build in PbD. The OAIC also has a PIA training resource that you can download for use.

The APP guidelines are a key resource to help you comply with the APPs. The OAIC also has a number of privacy resources that deal with specific issues or topics, such as securing personal information, developing mobile apps or sending personal information overseas. You should refer to these tools to help you meet your obligations under the Privacy Act.

Confirm compliance with all the APPs

The following questions may help you consider other APP obligations, in addition to those mentioned in this guide, when you are designing a digital service:

Engage with key privacy officers

All Australian Government agencies should have staff responsible for managing privacy, including a key privacy officer. These staff are responsible for handling internal and external privacy enquiries, complaints, and access and correction requests. They should also have access to a senior member of staff with overall accountability for privacy. The OAIC’s Privacy management framework provides guidance to help agencies ensure they have the right privacy governance and accountability in place.

Your privacy officer should be engaged in the development of your digital services to ensure they comply with the Privacy Act and the APPs.

Last updated: 18 August 2015