Understanding privacy - PowerPoint PPT Presentation


PPT – Understanding privacy PowerPoint presentation | free to view - id: 129bf9-OWMyZ


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation

Understanding privacy


Management of personal information. Access and correction. Responding to privacy complaints ... or can be reasonably ascertained. TIP. This is a broad definition. ... – PowerPoint PPT presentation

Number of Views:45
Avg rating:3.0/5.0
Slides: 56
Provided by: davidphil


Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Understanding privacy

Understanding privacy
  • An overview of the
  • Information Privacy Act 2000

Session outline
  • What is information privacy?
  • The 10 Information Privacy Principles
  • Collection
  • Use and disclosure
  • Management of personal information
  • Access and correction
  • Responding to privacy complaints

Why do you need to know about privacy?
  • Its the law All Victorian public sector
    organisations must comply. People have a right to
    challenge how their personal information is
  • Breaches can be costly in and reputation
  • Privacy is a basic human right enshrined in the
    Universal Declaration of Human Rights and the
    Victorian Charter of Human Rights and
  • We all expect our privacy to be protected.
  • Privacy matters to people.

Why do you need to know about privacy? (cont.)
  • Its makes good business sense research
    indicates that the public is more likely to trust
    an organisation that values and protects privacy.
  • Complying with privacy laws can lead to improved
    information management and customer service.
    Good quality information is the basis for good
  • Government context People often have no choice
    but to give their personal information to
    government, so it is our responsibility to
    protect that information.

Context for privacy laws
Technological advances are rapidly changing the
way that information is collected and handled
  • Huge increase in the volume of information
    collected and stored.
  • Electronic information is more vulnerable and
    more fluid. Large amounts of information can be
  • copied, searched, aggregated and interlinked
  • stored on small, portable devices
  • transmitted widely
  • Collection and use of information can be less

Activity 2
  • What is information privacy?

Impact of privacy laws
  • Privacy laws provide people with more control
    over how organisations handle their personal
  • Privacy laws encourage openness and transparency.
  • The right to privacy has to be balanced against
    the necessary flow of information for provision
    of services.

Privacy protection is a balancing act

Maximising the level of control that individuals
have over their personal information
while ensuring that the right information is
available to the right people at the right time
in the right way to enable necessary govt
operations and services.
The privacy protection landscape
Charter of Human Rights Responsibilities Act
  • Personal information handled by Federal govt
    agencies, e.g. Centrelink
  • Much of the private sector
  • All health related personal information held in
    public and private sectors
  • Most of the personal info handled by health
    service providers
  • All recorded personal information handled by
    State govt agencies and local govt
  • (other than health related info)
  • Victorian govt departments agencies must act
    compatibly with human rights

Victorian Charter of Human Rights
  • The public sector has been bound by the charter
    since the beginning of 2008.
  • Includes the right to protection of privacy and
  • All public authorities must act compatibly with
    human rights.
  • All statutory provisions are to be interpreted
    compatibly with human rights.
  • Any new laws will require a statement of
    compatibility to advise Parliament on how they
    meet the charters standards.

  • The Victorian
  • Information Privacy Act 2000

Relationship to other laws
  • If there is an inconsistency between a provision
    of the Information Privacy Act and another Act,
    the other Acts provision prevails to the extent
    of the inconsistency.
  • (Information Privacy Act section 6)

Activity 3
  • What laws guide information handling in your

What is personal information?
  • Recorded information or opinion
  • whether true or not
  • about an individual
  • whose identity is apparent
  • or can be reasonably ascertained

TIP This is a broad definition. For example, in
some contexts information about a property or
business can be personal information.
  • The Act provides for some limited exemptions
  • Publicly available information
  • generally available publications
  • information kept in a library, art gallery or
    museum for reference, study or exhibition and
  • public record under the control of Keeper of
    Public Records that is available for public
  • Courts and tribunals (partial exemption)
  • Law enforcement (partial exemption)

Law enforcement exemption (partial exemption)
It is not necessary for a law enforcement agency
to comply with certain IPPs if it believes on
reasonable grounds that non-compliance is
necessary for
  • Law enforcement functions or activities
  • Enforcing laws relating to confiscation of
    proceeds of crime
  • Conduct of proceedings in court or tribunal
  • Polices community policing functions

This is a partial exemption so, for example,
there is no exemption for the IPPs relating to
data quality and data security.
Public registers
  • The Information Privacy Act recognises that
    public registers may need different rules, but
    requires that they comply with the Information
    Privacy Principles (IPPs) as far as is reasonably
  • Consider
  • the purpose of the register
  • what information has to be put on the register
  • how the register should be made available to the

Activity 4
  • What information is covered under the Act?

Information Privacy Principles
  • 10 Information Privacy Principles (IPPs) form the
    core of the Information Privacy Act.
  • IPPs are connected and set minimum standards for
    how personal information should be handled
  • Collection (IPPs 8, 1, and 10)
  • Use and disclosure (IPPs 2 and 9)
  • Management of personal information (IPPs 3, 4, 5
  • Access and correction (IPP 6 and Freedom of
    Information Act)

  • IPP 1 Collection and IPP 8 Anonymity
  • Dont over collect Collect only personal
    information that is necessary for the performance
    of functions
  • Anonymity People should have the option of not
    identifying themselves when entering
    transactions, if that is lawful and feasible
  • Collect for a pre-determined purpose
  • Collect lawfully, fairly and not unreasonably
  • Collect information only from the person
    themselves, where practicable

  • When collecting personal information, take
  • steps to tell the person
  • who is collecting the information
  • what it will be used for
  • whether the collection is required by law
  • how the person can get access to the information
  • who else usually has access to the information
  • what the main consequences, if any, are for the
    person if they do not provide the information.

TIP Unsolicited personal information is also
subject to the IPPs.
  • IPP 10 Sensitive information
  • Collection of sensitive information is tightly
    restricted and usually will
  • require consent.
  • This includes information or opinion about an
  • political views
  • religious beliefs
  • sexual preferences
  • membership of groups (e.g. unions, political
  • racial or ethnic origin or
  • criminal record.

Activity 5
  • Applying the collection principles

Points to consider collection
  • Do you really need all of the personal
    information you collect?
  • Do you have collection notices on all forms
    requesting personal information?
  • Are customers who provide information over the
    telephone/internet/in person given clear notice
    about how the information will be used and
  • Do you collect any sensitive information? Is
    this collection justified?

Use and disclosure
Remember the basic rule Purpose governs use
Use and disclosure
  • Step 1 - What purpose was the information
    collected for?
  • Step 2 Consider IPP2
  • Use and disclose personal information for the
    primary purpose for which it was collected
  • Or for a related purpose a person would
    reasonably expect
  • Or for one of the other reasons in IPP 2
  • Otherwise, use and disclosure can only occur with

TIP Disclosure includes confirming information
and providing information that is also available
from other sources.
  • Individual has the capacity to consent
  • Voluntary
  • Informed
  • Specific
  • Current

TIP The Act does not require that consent be in
writing. However, as a general rule, seek express
consent in writing.
Use and disclosure (IPP2)
Permitted disclosures ? personal information may
also be used or disclosed for a secondary
purpose, without consent, for the following
  • Required or authorised by another law
  • Research or statistical analysis
  • Serious and imminent threat to individuals life,
    health, safety or welfare
  • Serious but not imminent threat to public
    health, safety or welfare
  • To investigate or report concerns re unlawful
    activity or
  • To assist a law enforcement agency.

TIP Organisations are not required to disclose
information under IPP2, but may choose to.
However obligations under other laws remain.
Use and disclosure for research
  • The research must be in the public interest
  • Publication of the research must be
  • It must be impracticable for the organisation to
    seek the persons consent and
  • In the case of disclosure, the organisation must
    reasonably believe that the recipient will not

Use and disclosure
  • IPP 9 Transborder data flows
  • Personal information can only be transferred
    interstate or overseas if certain conditions are
  • Consent is one condition.

Activity 7
  • A Victorian case study

Points to consider Use and disclosure
  • When does your organisation use or disclose
    personal information for a purpose other than the
    primary purpose it was collected for?
  • Which of the use and disclosure provisions
    authorise this?
  • Is there a practical commonsense way that this
    purpose can be met without a disclosure, for
    example, releasing non-identifying data or acting
    as a go-between to pass on information without
    disclosing personal details?
  • Dont feel pressured to respond hastily to
    requests for disclosure. If uncertain, check
    before disclosing.

Management of personal information

Management of personal information
  • IPP 3 Data quality
  • Make sure personal information is
  • accurate
  • complete
  • up-to-date

TIP Check the spelling of common names, such as
John/Jon. Many privacy breaches occur by mixing
client records.
Recording personal information
  • Be specific vagueness and ambiguity make it
    difficult for others to use the information
  • Distinguish fact from opinion
  • Check the information, particularly if it is old
    or not provided by the person themselves
  • Inaccurate spelling of names and addresses lead
    to privacy breaches

Management of personal information
  • IPP 4 Data security
  • Take reasonable steps to protect personal
    information from misuse, loss, unauthorised
    access, modification or disclosure.
  • Personal information should be destroyed or
    de-identified when it is no longer needed.
  • Destruction should be in accordance with disposal
    schedules of the Public Records Act 1973.

Management of personal information
  • Physical security might include precautions like
  • locking filing cabinets
  • restricting access to certain areas
  • positioning computer terminals so they cannot be
    seen by unauthorised personnel
  • questioning unaccompanied or unrecognised
    visitors and
  • disposing of paper records effectively.

Management of personal information
  • Operational security might include
  • rules on levels of access
  • audit trails to detect unauthorised access
  • changing of passwords at frequent intervals
  • avoiding collecting information in public waiting
    rooms where possible
  • procedures for verifying identity for telephone
  • using fictitious information for training and
  • procedures for dealing with employees who leave.

Security of transmission
  • Fax
  • programming fax machines to avoid risk of
  • retaining fax activity history reports
  • controlling the type of information sent
  • telephoning intended recipient prior to
  • E-mail
  • guidelines for use of e-mail
  • encrypting files
  • blind carbon copying address details
  • e-mail privacy notices
  • Post
  • take care not to display contents of letters
    through window envelope

Management of personal information
  • IPP 7 Unique identifiers
  • Limits the
  • assignment
  • adoption
  • sharing of unique identifiers
  • Intended to minimise cross-matching of data
    across government agencies

Management of personal information
  • IPP 5 Openness
  • Document clearly expressed policies on management
    of personal information and provide the policies
    to anyone who asks
  • Know where to find the policy
  • Know who your privacy contact person is
  • Make sure the policy is reviewed to reflect
    current practice

Points to consider management of personal
  • Once privacy is lost, it cant easily be
    retrieved regularly review the security
    arrangements for both paper-based and electronic
  • One simple effective way to monitor data quality
    is to ask people, in any correspondence with
    them, to check the information and advise of
    updates or corrections.

Access and correction
Access and correction (IPP6)
  • Individuals have a right to seek access to their
    personal information and request corrections.
  • Access and correction are mostly handled under
    the Freedom of Information (FoI) Act.

Points to consider access and correction
  • Is your organisation subject to FoI legislation?
  • If yes, applications for access and correction of
    personal information are handled under FoI
  • If no, access and correction are handled under
    the Information Privacy Act
  • If appropriate, requests can also be handled
    informally through administrative processes

Activity 8
  • What could have been done differently?

Functions of Privacy Victoria
Privacy Victorias activities
  • Privacy awareness and education for the Victorian
    public sector and general public
  • Receive and conciliate complaints
  • Advise government on legislation and policy
  • Respond to enquiries from VPS and general public
  • Audits
  • Compliance notices
  • Monitor developments in technology

Complaints procedure
  • A complaint may relate to any of the 10 IPPs
  • Emphasis on individual attempting to resolve
    their privacy concerns directly with the
  • Commissioner considers whether or not to
    entertain the complaint
  • Conciliation through Privacy Victoria
  • Commissioner makes a decision when conciliation
    is not possible or fails
  • Referral to Victorian Civil and Administrative
    Tribunal (VCAT)

  • If VCAT upholds a complaint, potential remedies
  • restraint orders
  • ordering action to redress the damage suffered
  • compensation orders of up to 100,000
  • reimbursement of expenses incurred in making the

Complaint handling tips
  • Respond promptly.
  • Keep complaint handling procedures simple and
  • If there has been a breach, take action quickly
    and tell the complainant what you have done.
  • If a problem has occurred, what can you do to
    prevent it happening again?
  • Explain things in plain language.
  • What has really prompted the complaint?
  • Can you deal with the complaint independently?
  • Be prepared to say sorry, quickly and sincerely.

Key points
  • Privacy laws do not prevent the legitimate flows
    of information necessary for the operation of
  • Become familiar with the 10 IPPs and apply them
    to the way you handle personal information
  • Collect only the information you need
  • Advise people why you need the information and
    how it will be used and disclosed
  • Use and disclose only for the primary purpose of
    collection unless the person consents or another
    IPP2 provision applies
  • Take steps to ensure the quality of the
  • Secure the information

More information
  • Privacy Victoria
  • www.privacy.vic.gov.au
  • 1300 666 444
  • Federal Privacy Commissioner
  • www.privacy.gov.au
  • 1300 363 992
  • Victorian Health Services Commissioner
  • www.health.vic.gov.au/hsc
  • 8601 5200
  • Victorian Equal Opportunity Human Rights
  • www.humanrightscommission.vic.gov.au
  • 9281 7111 or 1800 134 142

Activities 9 and 10
  • Revision quiz
  • What do you need to do now?
About PowerShow.com