The Privacy Act 1988 (Cth) (Privacy Act) contains 13 Australian Privacy Principles (APPs) that Government agencies and most private sector organisations must follow when they handle personal information. Regardless of whether or not your organisation is an “APP entity”, it is always good business practice to ensure you protect customers’ personal information.
Personal information is information or an opinion that identifies, or could identify, an individual. Applying caution when handling personal information is therefore very important. These tips will help you improve business practice, customer trust and satisfaction, and simultaneously comply with the APPs.
Following these internal policies will help you manage and mitigate privacy risks, including the risks posed by human error.
Additionally, ensure that you provide privacy notices and collection statements to customers when collecting new information. Make sure you handle customer information in the way you say you will.
Elect a Privacy Officer
There should be a senior member of staff tasked with the role of a Privacy Officer who understands your entity’s responsibilities under the Privacy Act.
This employee will be tasked with managing privacy accountability and handling requests, complaints and enquiries about your information handling practices.
Prioritise Privacy During Project Planning
When developing a new project or a business initiative that involves new or changed information handling practices, always consider doing a privacy impact assessment (PIA). A PIA identifies how a project may impact on individuals’ privacy and establishes steps for managing, minimising or eliminating these impacts.
We can provide you with short or long form PIA templates and guide you through the process of conducting a PIA.
Only collect the information you need
You must only collect the personal information you actually need. Avoid collecting information that is not necessary. Further to this, only use or disclose the information for the primary purpose for which it was collected and according to what the individual has consented to.
Access personal information on a need-to-know basis
Generally, you should only have access to the personal information that you need for your role or function. By limiting the information you and your staff can access, you help to protect it from unauthorised access, use or disclosure.
Keep personal information secure
Establish systems to protect personal information from unauthorised access, modification or disclosure. Using secure servers and requiring strong passwords are good ways to protect the information.
Establish a data breach response plan
All entities should have a data breach response plan. Make sure you are familiar with your data breach response plan, as this will help you respond quickly and appropriately in the case of a data breach. A quick response can substantially decrease the impact on the affected individuals. It is also best practice to notify the OAIC when you have a data breach and there is risk of serious harm to the affected individuals.