How does the Privacy Act connect with Information Management?
The six steps previously identified as needing to be taken by an organisation to implement the processes needed to comply with the Privacy Act are:
2. Review, amend and document processes identified in Step 1
4. Communicate and train personnel in the new Privacy processes
6. Monitor and improve privacy processes and procedures
Step 1 Know what personal information your organisation collects.
An information audit will identify what information your organisation collects about people, how it is collected, why it is collected, where it is stored, how it is used, who has access to it and when it is destroyed. The currency of the information must be considered, particularly with regard to consent for collection, use and disclosure.
An additional level of complexity comes into the information audit when we ask the question: what is personal information? There is a chicken-and-egg issue here, because whether a piece of information is considered personal may depend upon what your organisation is doing with the information it collects. Let me explain:
The Act defines personal information as
information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not (s 6(1)).
So the common ones we all think of include name, date of birth, address, signature, employment details and bank details. Some may not think that a telephone number, an IP address or a cookie ID (collected by your website system) would be deemed personal; however, if your organisation uses data-linking methods, then this type of information, brought together, could reasonably identify a person.
To quote Leif Gamertsfelder from his publication Corporate Information and the Law:
‘The accretion issue’ is one that is extremely important in the context of the information economy and the increasing use of ‘big data’. Corporations need to ensure that they do not inadvertently breach the Act due to a mistaken belief that individual data sets do not constitute ‘personal information’ when, in aggregate, they actually do have such status. (para 9.15)
This then requires that consideration be given to what technology is being used by your organisation and whether that technology is collecting information that could be personal, e.g. websites and smartphone apps. In addition, consideration needs to be given to the processes within the organisation that may be collecting personal information as an adjunct to other processes; e.g. a vocational reference is likely to contain personal information about the author of the reference (name, position, opinion) as well as about its subject.
Remember, this phase is not just about finding out what personal information is collected; it is also necessary to workflow the processes associated with the information. This identifies exactly how the information enters the organisation (collection), how it is used and who has access to it (use or disclosure), and how it is maintained and disposed of (integrity, access and control).
This step should be established as a project with a project team made up of people with expertise in:
- Records/information management
- Information technology (system & website administration)
- Subject expertise (marketing, membership, shareholder register)
People with expertise in information management will be vital to this step as they will be able to apply their skills in conducting information inventories and workflow analysis.
Step 2 Review, amend and document processes identified in Step 1
On completing the information audit, every process associated with personal information must be reviewed to ensure the protection of the information and that there are no current actions in breach of the APPs (for example, direct marketing to individuals who may have opted out, or who had not been given the opportunity to opt out because of previous practices). As the information being collected is reviewed, the following questions should be asked:
- Did the individual consent to the collection of this information?
- Is this information necessary for one or more of the organisation’s functions or activities?
Remember, if you can’t answer yes to both those questions you may not be able to legally collect or hold that information.
An approach to be applied at this phase, and in the future as new systems and processes are adopted, is that of privacy impact assessments (PIAs). Step 1 contains a component of the PIA, in that the flow of the personal information is being documented as part of the information audit. The PIA provides a structured process to not only consider the flow of the personal information but also:
- analyse the possible impacts on individuals’ privacy
- identify and recommend options for avoiding, minimising or mitigating negative privacy impacts
- build privacy considerations into the design of a project
- achieve the project’s goals while minimising the negative and enhancing the positive privacy impacts.
At this stage you should also be thinking about documenting the method of communication to, and training of, personnel who are responsible for the processes and procedures. (Again, a governance issue that involves information.)
(a) the kinds of personal information that the entity collects and holds;
(b) how the entity collects and holds personal information;
(c) the purposes for which the entity collects, holds, uses and discloses personal information;
(d) how an individual may access personal information about the individual that is held by the entity and seek the correction of such information;
(e) how an individual may complain about a breach of the Australian Privacy Principles, or a registered APP code (if any) that binds the entity, and how the entity will deal with such a complaint;
(f) whether the entity is likely to disclose personal information to overseas recipients;
(g) if the entity is likely to disclose personal information to overseas recipients: the countries in which such recipients are likely to be located, if it is practicable to specify those countries in the policy.
- be as specific as possible;
- summarise where possible; and
- provide information in layers.
The guide goes on to provide some headings that should be considered for the policy:
- Collection of personal information
- Disclosure (sharing)
- Rights and choices
- How to make a complaint
- Contact details
In developing the policy, the processes and procedures are also being developed. These all need to be documented and managed, as they are the record of compliance (a governance issue being supported by IM practices).
Step 4 Putting it into action
Step 5 Monitor and improve
It is all very well to implement processes to comply with legislative requirements, but part of the compliance requirement is to ensure that the organisation continually adheres to the processes. APP 1.2 requires that an organisation must take reasonable steps to implement practices, procedures and systems relating to [its] functions or activities that will:
- ensure [it] complies with the APPs and any binding registered APP code, and
- enable [it] to deal with inquiries or complaints from individuals about [its] compliance with the APPs or such a code.
The concept of continuous review and adherence is emphasised in the practice of Privacy Impact Assessments (PIAs) suggested by the Office of the Australian Information Commissioner and referred to earlier in this paper as part of step 2.
Using the PIA approach during any stage of development or improvement of systems will demonstrate that the organisation has built privacy into its systems and culture and that privacy forms part of the design procedure.
Documented evidence of monitoring activities is also an important part of proving compliance, and as such an audit process and schedule will need to be developed and implemented. This demonstrates a commitment by the organisation to ongoing adherence. The audit process and its outcomes need to be captured in the organisation’s information management system, as do the actions taken to correct any non-compliances found during the audit process.
As a final pointer in this brief guide, the organisation also needs to identify when there are changes to the legislation itself and amend the existing processes to adhere to the changes in the Privacy Act. The changes could be significant and require considerable work to ensure compliance, just as the recent changes did.
The significant changes to the Privacy Act which came into effect in March 2014 required every organisation to review the legislation and determine firstly if it impacted on the organisation and secondly, if it did, what was required to meet compliance.
An essential part of compliance is being able to prove compliance. Implementing effective policy and procedures, as suggested here; using the existing information management systems to determine current practices; and capturing all documentation of activities, policy and procedures into the information management system will provide significant protection for the organisation.
L Gamertsfelder, Corporate Information and the Law, LexisNexis Butterworths, 2013
Guide to undertaking privacy impact assessments, Office of the Australian Information Commissioner, May 2014
Guide to undertaking privacy impact assessments, Office of the Australian Information Commissioner, May 2014, pp. 1-2
Guide to undertaking privacy impact assessments, Office of the Australian Information Commissioner, May 2014, p. 1
Privacy Fact Sheet 17: Australian Privacy Principles, Office of the Australian Information Commissioner, Jan. 2014, p. 1
APP guidelines, Chapter 1: APP 1 Open and transparent management of personal information, Version 1.0, Office of the Australian Information Commissioner, February 2014, p. 3
Guide to undertaking privacy impact assessments, Office of the Australian Information Commissioner, May 2014