Keeping user data safe
The collection, use, disclosure and storage of personal information by most Australian Government agencies and some private sector organisations is tightly regulated.
If you do not properly address privacy issues, it can impact on the community’s trust in the Australian Government and undermine the success of your digital service. It may also result in your agency breaching the Privacy Act 1988 (Privacy Act).
The Office of the Australian Information Commissioner (OAIC) is responsible for privacy functions under the Privacy Act and other laws. It has a number of privacy regulatory powers, including the power to investigate complaints made by individuals about alleged breaches of the Privacy Act.
The OAIC’s APP guidelines outline the mandatory requirements of the Australian Privacy Principles (APPs), how the OAIC will interpret the APPs, and matters it may take into account when exercising functions and powers under the Privacy Act.
Why must I?
Legislative requirement: the Privacy Act regulates the handling of personal information about individuals. The Privacy Act contains 13 APPs that set out standards and obligations that apply to most Australian Government agencies when they handle personal information.
How do I?
- Identify personal information
- Understand what you are collecting and what you are going to do with it
- Protect the information you handle
- Consider a privacy impact assessment, privacy by design, and other tools
- Confirm compliance with the APPs
- Engage with key privacy officers
Identify personal information
Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable. What constitutes personal information can be dynamic and will vary, depending on whether an individual can be identified or is reasonably identifiable in the particular circumstances. It can be a lot more than a name and address. For instance, the Privacy Commissioner has determined that metadata may constitute personal information.
Understand what you are collecting and what you are going to do with it
When gathering data you should understand what personal information you are collecting, why you are collecting it, and what will happen to it. The APPs, in particular APP 3, APP 4 and APP 6, regulate the purposes for which agencies may collect, use and disclose personal information. Stricter obligations apply to the collection, use and disclosure of sensitive information.
When developing your digital service, it is important to consider how you will handle personal information at the beginning and then across the entire personal information life cycle, and how you will protect the information at each stage. The personal information life cycle may include the passing of information to a third party for storage, processing or destruction. You may still be responsible for the security of the information in these circumstances.
Protect the information you handle
Under the Privacy Act, agencies must take reasonable steps to protect the personal information they hold from misuse, interference, loss, and from unauthorised access, modification or disclosure (APP 11). Agencies must also take reasonable steps to destroy or de-identify personal information that they hold once it is no longer needed (unless an exception applies).
Digital services should be designed to:
- prevent the misuse, interference, loss or unauthorised access, modification or disclosure of personal information
- detect privacy breaches promptly
- respond to potential privacy breaches in a timely and appropriate manner.
The OAIC’s Guide to securing personal information is an important reference tool to help you meet your obligations under APP 11. It contains further information about personal information security, including steps and strategies to protect personal information.
Consider a privacy impact assessment, privacy by design, and other tools
When designing a digital service, it is important you describe and map the personal information flows associated with the service at the outset. The OAIC strongly recommends that you conduct a privacy impact assessment (PIA) — it can help you meet your obligations under the Privacy Act. A PIA is a systematic assessment that identifies the impact a project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact. You should also use the results from your PIA to help design your security controls.
You should also consider adopting privacy by design (PbD). This is an approach to privacy management that ensures privacy protections are built into practices, procedures and systems from the start. PbD aims to ensure privacy is considered at the beginning, and then across the entire information life cycle and in all business processes, planning, projects and priorities. PbD is an important strategy for both minimising and managing privacy risks. The OAIC’s Guide to undertaking privacy impact assessments has been developed to assist Australian Government agencies (and other entities) to conduct PIAs and to build in PbD. The OAIC also has a PIA training resource that you can download for use.
The APP guidelines are a key resource to help you comply with the APPs. The OAIC also has a number of privacy resources that deal with specific issues or topics, such as securing personal information, developing mobile apps or sending personal information overseas. You should refer to these tools to help you meet your obligations under the Privacy Act.
Confirm compliance with all the APPs
The following questions may help you consider other APP obligations, in addition to those mentioned in this guide, when you are designing a digital service:
- Have you allowed individuals the option to deal with you anonymously or by pseudonym (APP 2)?
- Are you only collecting the personal information you need (APP 3)?
- Have you taken reasonable steps to notify individuals that you will be collecting their personal information, how you will be using it, and ensure the individual is aware of this before you collect it (APP 5)?
- Is personal information only being used for a purpose for which it was collected (known as the ‘primary purpose’), or for a secondary purpose if an exception applies (APP 6)?
- Will you be using the information you collect for direct marketing (APP 7)?
- Is personal information likely to be disclosed to an overseas recipient through the digital service? If so, have you considered your obligations under cross-border disclosure (APP 8)?
- How are you going to ensure that any personal information held by the digital service is accurate, up-to-date and complete (APP 10)?
- Do you need to develop a mechanism for individuals to access or correct their personal information held by the digital service (APP 12 and APP 13)?
Engage with key privacy officers
All Australian Government agencies should have staff responsible for managing privacy, including a key privacy officer. These staff are responsible for handling internal and external privacy enquiries, complaints, and access and correction requests. They should also have access to a senior member of staff with overall accountability for privacy. The OAIC’s Privacy management framework provides guidance to help agencies ensure they’ve got the right privacy governance and accountability in place.
Your privacy officer should be engaged in the development of your digital services to ensure they comply with the Privacy Act and the APPs.
Last updated: 18 August 2015