Information Overload

Insights from practitioners in Information Management

Information Overload - August 2014 - How does the Privacy Act connect with Information Management?


How does the Privacy Act connect with Information Management?


Shirley Cowcher


Introduction

In the July 2014 edition of Information Overload I wrote about Directors’ responsibilities to meet legislative obligations and gave a quick example of how information management can support those responsibilities.  In giving this example, I used the implementation or amendment of the Privacy Act compliance requirements.  

The example listed six steps for the implementation and used them to indicate how information management would support those steps.  This edition will take that a little further and outline what each step entails and how information management is there every step of the way.
The six steps previously identified as needing to be taken by an organisation to implement the processes need to comply with the Privacy Act are:

1. Know what personal information your organisation collects.
2. Review, amend and document processes identified in Step 1 
3. Develop and Document the Privacy Policy
4. Communicate and train personnel in the new Privacy processes
5. Communicate the new Privacy Policy to customers
6. Monitor and improve privacy processes and procedures

Here steps four and five have been merged in to one step called: Putting it in to Action.

Step 1 – Know what personal information your organisation collects.

An information audit will identify what information your organisation collects about people, how it is collected, why it is collected, where it is stored, how it is used, who has access to it and when is it destroyed.  The currency of the information must be considered, particularly with regard to consent for collection, use and disclosure.

An additional level of complexity comes into the information audit when we ask the question what is personal information?  There is a chicken and egg issue here because it may depend upon what your organisation is doing with the information it collects as to whether a piece of information is considered personal.  Let me explain:

The Act basically says the personal information is

information or an opinion about an identified individual, or an individual who is reasonably identifiable:

    • whether the information or opinion is true or not; and
    • whether the information or opinion is recorded in a material form or not (s 6(1)).

So the common ones we all think of include name, date of birth, address, signature, employment details, bank details.  Some may not think that a telephone number, an IP address or a Cookie ID (collected by your website system) would be deemed to be personal however, if your organisation uses data linking methods then this type of information brought together could reasonably identify a person.

To quote Leif Gamertsfelder from his publication Corporate Information and the Law[1]

The ‘accretion issue’ is one that is extremely important in the context of the information economy and the increasing use of ‘big data’. Corporations need to ensure that they do not inadvertently breach the Act due to a mistaken belief that individual data sets do not constitute ‘personal information’ when, in aggregate, they actually do have such status. (para 9.15)

This then requires that consideration must be given to what technology is being used by your organisation and is that technology collecting information that could be personal, e.g websites, smartphone Apps.  In addition, consideration needs to be given to  the  processes within the organisation that may be collecting personnel information as an adjunct to other processes, e.g. a vocational reference is likely to contain personal information about the author(name, position, opinion) of the reference as well as the subject of the reference.

Remember this phase is not just about finding out what personal information is collected but it is also necessary to workflow the processes associated with the information.  This identifies exactly how the information enters the organisation (collection), how it is used and who has access to it (use or disclosure) and how it is maintained and disposed of (Integrity, access and control)

This step should be established as a project with a project team made up of people with expertise in:

        • Records/information management
      • Information technology (system & website administration)
      • Risk/compliance/governance/legal
      • Subject expert – Marketing/membership/shareholder register

People with expertise in information management will be vital to this step as they will be able to apply their skills in conducting information inventories and workflow analysis.

The completion of Step 1 is essential, without the information obtained from this step it will not be possible to write an compliant Privacy Policy.

Step 2 – Review, amend and document processes identified in Step 1

On completing the information audit every process associated with  personal information must be reviewed to ensure the protection of the information and that there are no current actions that are in breach of the APPs (for example direct-marketing to individuals who may have opted-out or had not been given the opportunity to opt-out because of previous practices). As the information being collected is reviewed the following questions should be asked:

    • Did the individual consent to the collection of this information?
    • Is this information necessary for one or more of the organisation’s functions or activities?

Remember, if you can’t answer yes to both those questions you may not be able to legally collect or hold that information.

An approach to be applied at this phase and for the future, as new systems and processes are adopted, is that of privacy impact assessments (PIA).[2]  Step 1 contains a component of the PIA in that the flow of the personal information[3]is being documented as part of the information audit.  The PIA provides a structured process to not only consider the flow of the personal information but also:

    • analyse the possible impacts on individuals’ privacy
    • identify and recommend options for avoiding, minimising or mitigating negative privacy impacts
    • build privacy considerations into the design of a project
    • achieve the project’s goals while minimising the negative and enhancing the positive privacy impacts. [4]


This step will provide clarity for the development of the Privacy Policy and the documentation of processes and procedures associated with the collection and use of personal information as well as the complaints handling procedures.

At this stage you should also be thinking about documenting the method of communication to, and training of personnel who are responsible for the processes and procedures.  (Again a governance issue that involves informationJ)

Step 3 – Develop and Document the Privacy Policy

It is important to remember that the Privacy Policy must be “clearly expressed and up to date”.  As a minimum the Privacy Policy must contain:

(a)  the kinds of personal information that the entity collects and holds;

(b)  how the entity collects and holds personal information;

(c)  the purposes for which the entity collects, holds, uses and discloses personal information;

(d)  how an individual may access personal information about the individual that is held by the entity and seek the correction of such information;

(e)  how an individual may complain about a breach of the Australian Privacy Principles, or a registered APP code (if any) that binds the entity, and how the entity will deal with such a complaint;

(f)  whether the entity is likely to disclose personal information to overseas recipients;

(g)  if the entity is likely to disclose personal information to overseas recipients—the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy.[5]

The Office of the Australian Information Commissioner has developed a Guide to developing a privacy policy[6] and it suggests that the policy should:

    • be as specific as possible;
    • summarise where possible; and
    • provide information in layers.

The guide goes on to provide some headings that should be considered for the policy

    • Scope
    • Collection of personal information
    • Disclosure (sharing)
    • Rights and choices
    • How to make a complaint
    • Contact details

In developing the policy the processes and procedures are also being developed. These all need to be documented and managed as they are the record of compliance (a governance issue being supported by IM practices).


Step 4 - Putting it in to action

Once approved the Privacy Policy and supporting framework of rules, procedures etc. must be communicated to the organisation’s personnel and customers.  Personnel must be trained in the processes and procedures.  A record of actions associated with the training of personnel is necessary to prove compliance. (The organisation’s IM system will support this).

Customers need to be informed of the Privacy Policy.  This is not necessarily a passive activity in terms of posting it on the website may not be sufficient.  It may be necessary for customers to be contacted directly and asked to provide informed consent for the collection and disclosure of their personnel information.  The need for this action would have been identified in Step 2.  In making contact with customers a record of the contact would need to be made and kept to prove compliance. (The organisation’s IM system will support this).

The Privacy Policy must be easily accessible and available.  It must be provided whenever personal information is being collected.  This means that it may have to be published on the company website, included in marketing and other publications.  Referred to during telephone, personal and email communications and provided in different formats upon request.  Each rendition of the policy must be captured and retained as evidence of compliance. (Again, the IM system will support this)

Step 5 – Monitor and Improve.

It is all very well to implement processes to comply with legislative requirements but part of the compliance requirement is to ensure that the organisation continually adheres to the processes. APP1.2 requires that an organisation must “… take reasonable steps to implement practices, procedures and systems relating to [its] functions or activities that will:

    • ensure [it] complies with the APPs and any binding registered APP code, and
    • enable [it] to deal with inquiries or complaints from individuals about [its] compliance with the APPs or such a code.[7]

The concept of continuous review and adherence is emphasised in the practice of Privacy Impact Assessments (PIAs)[8] suggested by the Office of the Australian Information Commissioner and referred to earlier in this paper as part of step 2.

Using the PIA approach during any stage of development or improvement of systems will demonstrate that the organisation has built privacy into its systems and culture and that privacy forms part of the design procedure.

Documented evidence of monitoring activities is also an important part of proving compliance and as such an audit process and schedule will need to be developed and implemented.  This demonstrates a commitment by the organisation to ongoing adherence.  The audit process and the outcomes need to be captured into the organisations information management system, as does the actions taken to correct any non-compliances found during the audit process.

As a final pointer in this brief guide the organisation also needs identify when there are changes to the legislation itself and amend the existing processes to adhere to the changes in the Privacy Act, the changes could be significant and require considerable work to ensure compliance, just as the recent changes.

Conclusion

The significant changes to the Privacy Act which came into effect in March 2014 required every organisation to review the legislation and determine firstly if it impacted on the organisation and secondly, if it did, what was required to meet compliance. 

An essential part of compliance is being able to prove compliance.  Implementing effective policy and procedures, as suggested here; using the existing information management systems to determine current practices; and capturing all documentation of activities, policy and procedures into the information management system will provide significant protection for the organisation.



[1]Corporate Information and the Law, L Gamertsfelder, LexisNexis Butterworths, 2013

[2] Guide to undertaking privacy impact assessments, Officer of the Australian Information Commissioner, May 2014

[3] Guide to undertaking privacy impact assessments, Officer of the Australian Information Commissioner, p.1 & 2, May 2014

[4] Guide to undertaking privacy impact assessments, Officer of the Australian Information Commissioner, p.1, May 2014

[5] Privacy Fact Sheet 17: Australian Privacy Principles, Office of the Australian Information Commissioner, p1, Jan. 2014

[6] Guide to developing an APP privacy policy, Office of the Australian Information Commissioner, May 2014

[7] Chapter 1: APP 1 — Open and transparent management of personal information   Version 1.0, February 2014 Office of the Australian Information Commissioner — APP guidelines  Page 3 

[8]  Guide to undertaking privacy impact assessments, Office of the Australian Information Commissioner, May 2014