PRIVACY COMPLIANCE An Introduction to Privacy Privacy Training

Page 1

PRIVACY COMPLIANCE

An Introduction to Privacy
Privacy Training

Page 2

INTRODUCTION

This training course aims to:
• Introduce participants to the topic of privacy.
• Provide an overview of the Australian Privacy Principles.
• Assist participants in applying the principles to the handling of personal information.
• Help team members understand the obligations of the Club under the Privacy Act and Australian Privacy Principles; and
• Inform participants what to do if there is a breach of privacy.

Page 3

OBJECTS OF THE PRIVACY ACT

The objects of the Privacy Act are to:
• Promote the protection of the privacy of individuals.
• Recognise that the protection of the privacy of individuals is balanced with the interests of entities in carrying out their functions or activities.
• Provide the basis for nationally consistent regulation of privacy and the handling of personal information.
• Promote responsible and transparent handling of personal information by entities.
• Facilitate an efficient credit reporting system while ensuring that the privacy of individuals is respected.
• Facilitate the free flow of information across national borders while ensuring that the privacy of individuals is respected.
• Provide a means for individuals to complain about an alleged interference with their privacy; and
• Implement Australia’s international obligation in relation to privacy.

Page 4

WHO REGULATES PRIVACY?

The Office of the Australian Information Commissioner (OAIC) regulates privacy and is responsible for:
• Conducting investigations.
• Reviewing decisions made under the FOI Act.
• Handling complaints.
• Monitoring agency administration.
• Providing advice to the public, government agencies and businesses.

Individuals can make complaints to the Office of the Australian Information Commissioner if they feel that there has been a privacy breach. Privacy breaches will have a financial impact on the Club and will damage its reputation and brand.

Page 5

WHY DO YOU NEED TO KNOW ABOUT PRIVACY?

Privacy is important to you and it is important to others; it is a basic human right. People expect that their personal information will be handled appropriately, and the Club is obligated under privacy legislation to do so.

There are many examples of new technologies which have greatly changed the way that information can be collected and handled.

Privacy laws provide people with more control over how organisations handle their personal information.

Venues that are required to comply with the AUSTRALIAN PRIVACY PRINCIPLES (APPs) will need to understand the set of 13 legal standards that regulate the handling of personal information by APP entities.

Page 6

PENALTIES – CONSEQUENCES OF NON-COMPLIANCE

Where a ‘civil penalty provision’ breach occurs, the Office of the Australian Information Commissioner (OAIC) can make an application to the courts for an order to make the entity pay a civil penalty. Penalties can apply if an entity does an act, or engages in a practice, that is a serious interference with the privacy of an individual, or repeatedly does an act or engages in a practice that interferes with the privacy of one or more individuals.

The Information Commissioner may apply for an order to restrain a person from engaging in conduct that would amount to a breach of the Privacy Act. The Commissioner can make a formal decision or determination where a privacy complaint has been made against the Club; this may be an order for the Club to apologise, pay compensation or change its practices.

Page 7

PENALTIES – CONSEQUENCES OF NON-COMPLIANCE

The Commissioner can carry out investigations in response to a complaint, or on the Commissioner’s own initiative. Civil penalties of up to $340,000 for individuals and $1.7 million for corporations can be imposed.

An offence under the Privacy Act is dealt with under the Criminal Code. Chapter 2 of the Criminal Code (except Part 2.5) sets out the general principles of criminal responsibility that apply.

Page 8

PERSONAL INFORMATION

Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
• Whether the information or opinion is true or not; and
• Whether the information or opinion is recorded in a material form or not.

Put simply, personal information is information that identifies you or could reasonably identify you.

Some things to think about:
• Information may still be identifying even if it does not include a person’s name.
• A person’s work details can be personal information.
• Information can change into personal information depending on context.
• Anything can be personal information when linked to an individual who can be identified.

Page 9

PERSONAL INFORMATION

Think about the types of personal information that are collected in your department.

Sensitive information is a subset of personal information and includes, but is not limited to, information about an individual’s membership of a professional or trade association, membership of a trade union, criminal record, or health information about an individual.

There are higher standards for collection of sensitive information. Some exceptions apply.

Page 11

BREACH OF PRIVACY

A privacy breach occurs when personal information held by the Club is lost or subjected to unauthorised access, use, modification, disclosure, or other misuse. Data breaches can occur from:
• Lost or stolen laptops, mobile phones, removable storage devices, or paper records containing personal information.
• Hard disk drives and other digital storage media (integrated in other devices, for example multifunction printers, or otherwise) being disposed of or returned to equipment lessors without the contents first being erased.
• Databases containing personal information being ‘hacked’ into or otherwise illegally accessed by individuals outside of the agency or organisation.
• Employees accessing or disclosing personal information outside the requirements or authorisation of their employment.
• Paper records stolen from insecure recycling or garbage bins.
• An agency or organisation mistakenly providing personal information to the wrong person, for example by sending details out to the wrong address; and
• An individual deceiving an agency or organisation into improperly releasing the personal information of another person.

Page 12

BREACH OF PRIVACY

If you think that there has been a breach of privacy, the following steps must be taken:
• Contain the breach and do a preliminary assessment.
• Evaluate the risks associated with the breach.
• Notify the privacy officer immediately.
• Prevent future breaches.

If something goes wrong, don’t just hope that no one will notice: the breach may escalate!