In the first part of this blog we looked in general terms at the framework of procedures, practices and systems that organisations must implement to ensure compliance with each of the 13 Australian Privacy Principles (APPs).
Whilst the integration with some other governance programs such as Complaints Handling and Compliance is obvious, it is the integration with the Human Resources and Workplace Health and Safety functions that might not be so obvious at first sight.
Given that it is employees who handle personal information, the best way for an organisation to embed privacy compliance in its culture is to ensure that it has HR and WHS systems in place that highlight to its staff their obligations in ensuring compliance with the new Privacy laws.
So what do these HR and WHS procedures, practices and systems look like? Here is a suggested, and by no means comprehensive, list of potential candidates:
Dealing with privacy questions and complaints
All staff must be trained to recognise when an enquiry or complaint raises privacy issues and how to refer that enquiry or complaint for action internally. In many organisations this will require staff to know who is responsible for managing privacy issues and how best to contact and inform them of the incident.
Dealing with unsolicited information
Under the new privacy laws, if an organisation receives unsolicited information and it is not reasonably necessary for one of its functions or activities then:
- If it is received verbally it should not be recorded (only information that is recorded is caught by the Privacy Act).
- If it is received in a record it should be destroyed or de-identified.
Staff must be trained to understand this basic requirement and the critical importance of not recording and disseminating information that is not relevant to the organisation’s functions or activities.
Social media disclosure
By now, hopefully most organisations will understand the critical importance of having a robust social media policy in place. If you haven’t implemented such a policy, we suggest you download the CompliSpace eBook on managing social media risks in the workplace.
The key social media issue for most organisations is that they should not publish any individual’s personal information (including a photograph) on a public website, or on any social media sites, without the individual’s consent. An organisation could be held vicariously liable in the event that an employee who can be clearly linked back to the organisation and its activities publishes another individual’s personal information on their own personal social media accounts.
Compliance with direct consents/directives
Where an organisation has received clear directives not to use the personal information of an individual, it is critical that the organisation implements procedures, practices and systems that ensure its staff are aware of these directives and that they abide by them. This will often require strong database management protocols to ensure that staff have access to up-to-date information with respect to an individual’s privacy specifications.
Direct marketing opt outs
Organisations must ensure that whenever an individual indicates that they do not want to receive direct marketing material, they are promptly removed from any communications lists that may be used in the future.
Maintaining the quality of personal information
Organisations must also ensure that when they receive information indicating that an individual’s personal details have changed (this may involve something as simple as a change of address, or something as profound as the death of an individual), they promptly update any relevant databases.
Organisations must also destroy or de-identify personal information that is no longer required for the primary purpose for which it was collected.
Whilst the process of updating data may sound simple, the reality is that clear protocols must be developed so that an organisation is able to receive assurance that the quality of any personal information they collect is being properly maintained.
Confidentiality of information
Most organisations will include detailed requirements around maintaining confidentiality of information in their employment contracts and in their general policies and procedures. Many of these policies are targeted at confidential business information, such as trade secrets, which are not covered by the new privacy laws.
Organisations must also ensure that their staff maintain confidentiality of personal information and only disclose personal information (particularly sensitive and health information), internally and externally, on a need to know basis.
Whilst obvious, it is remarkable how many organisations still get caught out disposing of documents containing personal information in unsecured waste paper bins, or dumping archived documents using unsecured waste collection services. Organisations must have clear protocols for securely disposing of any documented personal information. The most common practice is to use secure waste disposal bins.
Decommissioning electronic equipment
Again while it should be obvious, many organisations still have not developed proper procedures, practices and systems with respect to decommissioning electronic equipment such as computers, laptops, tablets and smart phones and removing all information from relevant databases.
Security of Personal Information
The obligation of organisations to ensure security of personal information is a central requirement of the new Privacy laws.
Security means physical security (from building entry to lockable filing cabinets) as well as electronic information security. There are a range of procedures, practices and systems that organisations may implement to ensure adequate security including but not limited to:
- Physical security protocols – Has your organisation undertaken a risk assessment of your current systems for managing physical security?
- Security access policy – How does your organisation manage keys, swipe cards etc?
- IT information security policies – The complexity of IT information security will vary based on the size, nature and complexity of an organisation and the types of personal information it collects and stores. Your policies may cover everything from software installation and network access from home computers through to more technical specifications around the use of firewalls and data encryption.
- Password protection policy – Does your organisation have clear written protocols with respect to the maintenance and management of the security of individuals’ passwords?
- BYOD policy – With staff in many organisations being able to access personal information through their own personal devices, the lines between work and personal lives are becoming increasingly blurred. A Bring Your Own Device (BYOD) Staff Usage Policy is primarily designed to ensure that any mobile devices used for work purposes are appropriately secured.
- External Document/Data Security – In most organisations employees take documents that may contain personal information home with them or have this information available on a laptop computer or personal device. Think of a teacher marking student assignments, a HR Manager reviewing job applications or an executive reviewing a personal loan application.
Organisations must ensure that they clearly communicate expectations with respect to external document/data security to all of their staff. What are your protocols for viewing documents that contain personal information in public places, such as on a bus or a train, where the information could potentially be viewed by others?
As the world moves further into an age where personal information is communicated through advanced technologies (think wearable devices such as Google Glass), the list of potential procedures, practices and systems that touch on the security of personal information is potentially endless. As the world changes, so must your organisation’s procedures, practices and systems for managing personal information.
How can CompliSpace help?
CompliSpace’s comprehensive range of cost-effective human resources and workplace health and safety policies, procedures, training and testing modules ensures that managers and staff know what is expected of them and have key tools and information at their fingertips at all times. This enables a business to meet its workplace relations obligations while building a positive corporate culture, capturing knowledge and saving time. CompliSpace has also recently released its new Privacy Module, which links with key workplace relations policies. For more information, contact us on the details below:
P: 1300 132 090
This blog is a guide to keep readers updated with the latest information. It is not intended as legal advice or as advice that should be relied on by readers. The information contained in this blog may have been updated since its posting, or it may not apply in all circumstances. If you require specific or legal advice, please contact us on 1300 132 090 and we will be happy to assist.