Understanding privacy - PowerPoint PPT Presentation

1 / 55

About This Presentation

Title:

Understanding privacy

Description:

Management of personal information. Access and correction. Responding to privacy complaints ... or can be reasonably ascertained. TIP. This is a broad definition. ... – PowerPoint PPT presentation

Number of Views:73

Avg rating:3.0/5.0

Slides: 56

Provided by: davidphil

Category:

more less

Transcript and Presenter's Notes

Title: Understanding privacy

1
Understanding privacy

An overview of the
Information Privacy Act 2000

2
Session outline

What is information privacy?
The 10 Information Privacy Principles
Collection
Use and disclosure
Management of personal information
Access and correction
Responding to privacy complaints

3
Why do you need to knowabout privacy?

Its the law All Victorian public sector
organisations must comply. People have a right to
challenge how their personal information is
handled.
Breaches can be costly in and reputation
Privacy is a basic human right enshrined in the
Universal Declaration of Human Rights and the
Victorian Charter of Human Rights and
Responsibilities.
We all expect our privacy to be protected.
Privacy matters to people.

4
Why do you need to knowabout privacy? (cont.)

Its makes good business sense research
indicates that the public is more likely to trust
an organisation that values and protects privacy.
Complying with privacy laws can lead to improved
information management and customer service.
Good quality information is the basis for good
decision-making.
Government context People often have no choice
but to give their personal information to
government, so it is our responsibility to
protect that information.

5
Context for privacy laws
Technological advances are rapidly changing the
way that information is collected and handled

Huge increase in the volume of information
collected and stored.
Electronic information is more vulnerable and
more fluid. Large amounts of information can be
easily
copied, searched, aggregated and interlinked
stored on small, portable devices
transmitted widely
Collection and use of information can be less
transparent.

6
Activity 2

What is information privacy?

7
Impact of privacy laws

Privacy laws provide people with more control
over how organisations handle their personal
information.
Privacy laws encourage openness and transparency.
The right to privacy has to be balanced against
the necessary flow of information for provision
of services.

8
Privacy protection is a balancing act

Maximising the level of control that individuals
have over their personal information
while ensuring that the right information is
available to the right people at the right time
in the right way to enable necessary govt
operations and services.
9
The privacy protection landscape
Charter of Human Rights ResponsibilitiesAct
(Vic)

Personal information handled by Federal govt
agencies, e.g. Centrelink
Much of the private sector

All health related personal information held in
public and private sectors
Most of the personal info handled by health
service providers

All recorded personal information handled by
State govt agencies and local govt
(other than health related info)

Victorian govt departments agencies must act
compatibly with human rights

10
Victorian Charter of Human Rights
Responsibilities

The public sector has been bound by the charter
since the beginning of 2008.
Includes the right to protection of privacy and
reputation.
All public authorities must act compatibly with
human rights.
All statutory provisions are to be interpreted
compatibly with human rights.
Any new laws will require a statement of
compatibility to advise Parliament on how they
meet the charters standards.

The Victorian
Information Privacy Act 2000

12
Relationship to other laws

If there is an inconsistency between a provision
of the Information Privacy Act and another Act,
the other Acts provision prevails to the extent
of the inconsistency.
(Information Privacy Act section 6)

13
Activity 3

What laws guide information handling in your
workplace?

14
What is personal information?

Recorded information or opinion
whether true or not
about an individual
whose identity is apparent
or can be reasonably ascertained

TIP This is a broad definition. For example, in
some contexts information about a property or
business can be personal information.
15
Exemptions

The Act provides for some limited exemptions
Publicly available information
generally available publications
information kept in a library, art gallery or
museum for reference, study or exhibition and
public record under the control of Keeper of
Public Recordsthat is available for public
inspection
Courts and tribunals (partial exemption)
Law enforcement (partial exemption)

16
Law enforcement exemption(partial exemption)
It is not necessary for a law enforcement agency
to comply with certain IPPs if it believes on
reasonable grounds that non-compliance is
necessary for

Law enforcement functions or activities
Enforcing laws relating to confiscation of
proceeds of crime
Conduct of proceedings in court or tribunal
Polices community policing functions

This is a partial exemption so, for example,
there is no exemption for the IPPs relating to
data quality and data security.
17
Public registers

The Information Privacy Act recognises that
public registers may need different rules, but
requires that they comply with the Information
Privacy Principles (IPPs) as far as is reasonably
practicable.
Consider
the purpose of the register
what information has to be put on the register
how the register should be made available to the
public

18
Activity 4

What information is covered under the Act?

19
Information Privacy Principles

10 Information Privacy Principles (IPPs) form the
core of the Information Privacy Act.
IPPs are connected and set minimum standards for
how personal information should be handled
Collection (IPPs 8, 1, and 10)
Use and disclosure (IPPs 2 and 9)
Management of personal information (IPPs 3, 4, 5
7)
Access and correction (IPP 6 and Freedom of
Information Act)

20
Collection
21
Collection

IPP 1 Collection and IPP 8 Anonymity
Dont over collect Collect only personal
information that is necessary for the performance
of functions
Anonymity People should have the option of not
identifying themselves when entering
transactions, if that is lawful and feasible
Collect for a pre-determined purpose
Collect lawfully, fairly and not unreasonably
intrusively
Collect information only from the person
themselves, where practicable

22
Collection

When collecting personal information, take
reasonable
steps to tell the person
who is collecting the information
what it will be used for
whether the collection is required by law
how the person can get access to the information
who else usually has access to the information
what the main consequences, if any, are for the
person if they do not provide the information.

TIP Unsolicited personal information is also
subject to the IPPs.
23
Collection

IPP 10 Sensitive information
Collection of sensitive information is tightly
restricted and usually will
require consent.
This includes information or opinion about an
individuals
political views
religious beliefs
sexual preferences
membership of groups (e.g. unions, political
groups)
racial or ethnic origin or
criminal record.

24
Activity 5

Applying the collection principles

25
Points to consider collection

Do you really need all of the personal
information you collect?
Do you have collection notices on all forms
requesting personal information?
Are customers who provide information over the
telephone/internet/in person given clear notice
about howthe information will be used and
disclosed?
Do you collect any sensitive information? Is
this collection justified?

26
Use and disclosure
Remember the basic rule Purpose governs use
27
Use and disclosure

Step 1 - What purpose was the information
collected for?
Step 2 Consider IPP2
Use and disclose personal information for the
primary purposefor which it was collected
Or for a related purpose a person would
reasonably expect
Or for one of the other reasons in IPP 2
Otherwise, use and disclosure can only occur with
consent.

TIP Disclosure includes confirming information
and providing information that is also available
from other sources.
28
Consent

Individual has the capacity to consent
Voluntary
Informed
Specific
Current

TIP The Act does not require that consent be in
writing.However, as a general rule, seek express
consent in writing.
29
Use and disclosure (IPP2)
Permitted disclosures ? personal information may
also be used or disclosed for a secondary
purpose, without consent, for the following
reasons

Required or authorised by another law
Research or statistical analysis
Serious and imminent threat to individuals life,
health, safety or welfare
Serious but not imminent threat to public
health, safety or welfare
To investigate or report concerns re unlawful
activity or
To assist a law enforcement agency.

TIP Organisations are not required to disclose
information under IPP2, but may choose to.
However obligations under other laws remain.
30
Use and disclosure for research

The research must be in the public interest
Publication of the research must be
non-identifying
It must be impracticable for the organisation to
seek the persons consent and
In the case of disclosure, the organisation must
reasonably believe that the recipient will not
disclose.

31
Use and disclosure

IPP 9 Transborder data flows
Personal information can only be transferred
interstate or overseas if certain conditions are
met.
Consent is one condition.

32
Activity 7

A Victorian case study

33
Points to consider Use and disclosure

When does your organisation use or disclose
personal information for a purpose other than the
primary purpose it was collected for?
Which of the use and disclosure provisions
authorise this?
Is there a practical commonsense way that this
purpose can be met without a disclosure, for
example, releasing non-identifying data or acting
as a go-between to pass on information without
disclosing personal details?
Dont feel pressured to respond hastily to
requests for disclosure. If uncertain, check
before disclosing.

34
Management of personal information

35
Management of personal information

IPP 3 Data quality
Make sure personal information is
accurate
complete
up-to-date

TIP Check the spelling of common names, such as
John/Jon. Many privacy breaches occur by mixing
client records.
36
Recording personal information

Be specific vagueness and ambiguity make it
difficult for others to use the information
Distinguish fact from opinion
Check the information, particularly if it is old
or not provided by the person themselves
Inaccurate spelling of names and addresses lead
to privacy breaches

37
Management of personal information

IPP 4 Data security
Take reasonable steps to protect personal
information from misuse, loss, unauthorised
access, modification or disclosure.
Personal information should be destroyed or
de-identified when it is no longer needed.
Destruction should be in accordance with disposal
schedules of the Public Records Act 1973.

38
Management of personal information

Physical security might include precautions like
locking filing cabinets
restricting access to certain areas
positioning computer terminals so they cannot be
seen by unauthorised personnel
questioning unaccompanied or unrecognised
visitors and
disposing of paper records effectively.

39
Management of personal information

Operational security might include
rules on levels of access
audit trails to detect unauthorised access
changing of passwords at frequent intervals
avoiding collecting information in public waiting
rooms where possible
procedures for verifying identity for telephone
transactions
using fictitious information for training and
procedures for dealing with employees who leave.

40
Security of transmission

Fax
programming fax machines to avoid risk of
misdialling
retaining fax activity history reports
controlling the type of information sent
telephoning intended recipient prior to
transmission
E-mail
guidelines for use of e-mail
encrypting files
blind carbon copying address details
e-mail privacy notices
Post
take care not to display contents of letters
through window envelope

41
Management of personal information

IPP 7 Unique identifiers
Limits the
assignment
adoption
sharing of unique identifiers
Intended to minimise cross-matching of data
across government agencies

42
Management of personal information

IPP 5 Openness
Document clearly expressed policies on management
of personal information and provide the policies
to anyone who asks
Know where to find the policy
Know who your privacy contact person is
Make sure the policy is reviewed to reflect
current practice

43
Points to consider management of personal
information

Once privacy is lost, it cant easily be
retrieved regularly review the security
arrangements for both paper-based and electronic
data.
One simple effective way to monitor data quality
is to ask people, in any correspondence with
them, to check the information and advise of
updates or corrections.

44
Access and correction
45
Access and correction (IPP6)

Individuals have a right to seek access to their
personal information and request corrections.
Access and correction are mostly handled under
the Freedom of Information (FoI) Act.

46
Points to consider access and correction

Is your organisation subject to FoI legislation?
If yes, applications for access and correction of
personal information are handled under FoI
If no, access and correction are handled under
the Information Privacy Act
If appropriate, requests can also be handled
informally through administrative processes

47
Activity 8

What could have been done differently?

48
Functions of Privacy Victoria
49
Privacy Victorias activities

Privacy awareness and education for the Victorian
public sector and general public
Receive and conciliate complaints
Advise government on legislation and policy
Respond to enquiries from VPS and general public
Audits
Compliance notices
Monitor developments in technology

50
Complaints procedure

A complaint may relate to any of the 10 IPPs
Emphasis on individual attempting to resolve
their privacy concerns directly with the
organisation
Commissioner considers whether or not to
entertain the complaint
Conciliation through Privacy Victoria
Commissioner makes a decision when conciliation
is not possible or fails
Referral to Victorian Civil and Administrative
Tribunal (VCAT)

51
Remedies

If VCAT upholds a complaint, potential remedies
include
restraint orders
ordering action to redress the damage suffered
compensation orders of up to 100,000
reimbursement of expenses incurred in makingthe
complaint

52
Complaint handling tips

Respond promptly.
Keep complaint handling procedures simple and
flexible.
If there has been a breach, take action quickly
and tell the complainant what you have done.
If a problem has occurred, what can you do to
prevent it happening again?
Explain things in plain language.
What has really prompted the complaint?
Can you deal with the complaint independently?
Be prepared to say sorry, quickly and sincerely.

53
Key points

Privacy laws do not prevent the legitimate flows
of information necessary for the operation of
government.
Become familiar with the 10 IPPs and apply them
to the way you handle personal information
Collect only the information you need
Advise people why you need the information and
how it will be used and disclosed
Use and disclose only for the primary purpose of
collection unless the person consents or another
IPP2 provision applies
Take steps to ensure the quality of the
information
Secure the information

54
More information