Understanding What Is Personal Information
All staff are responsible for understanding what “personal information” is.
Personal information is information or an opinion (including information or an opinion forming part of a database):
- whether true or not,
- whether recorded digitally, on paper or any other way,
- about a living individual whose identity is obvious from that information, or
- about a living individual whose identity can reasonably be identified from the information or opinion by itself or combined with other information.
Examples of personal information are:
- name and address
- bank account details and credit card information
- credit worthiness information
- information about a person’s preferences, qualifications or experience
- tax file numbers
Some personal information is considered sensitive and requires greater protection. All staff must monitor the collection of personal information to ensure that we DO NOT collect this kind of information, and if we do, that it is carefully managed and protected. Sensitive information includes:
- criminal record
- genetic information
- health or medical information
- membership of a political association, professional or trade association or trade union
- political opinion
- racial or ethnic origin
- religious beliefs or affiliations
- sexual preferences or practices
What Is Not Personal Information
Confidential Information –
Information exchanged between people in a relationship that has inherent requirements of confidentiality, e.g. doctor and patient or lawyer and client, may be confidential. This does not apply to our business.
Parties may also enter into an agreement to keep information private and confidential. That is a contractual agreement and does not affect the privacy of personal information as required under privacy legislation. Information exchanged under a non-disclosure agreement or deed of confidentiality is not necessarily personal information, although it may contain personal information.
Freedom of Information (FOI) or Right to Information (RTI) –
Only government agencies or related entities are required to answer requests made under FOI or RTI legislation. FOI or RTI requests do not apply to our business.
How We Collect Personal Information
All staff are responsible for monitoring how we collect information, consistent with the following:
- through sign in and contact forms on our website
- by collecting business cards
- by reviewing applications and referrals
- through forms completed as part of Service Delivery
- through phone calls, emails, or other forms of communication
- through social networking services
- by reviewing complaints or feedback submitted
- through demographic information collected via website browser cookies, if used
Secure Storage of Personal Information
Management must ensure that business information systems and local recordkeeping systems have access-control protocols and procedures so that:
- records are stored with an appropriate level of security (e.g. records containing personal information must be kept locked or password protected).
- records can only be accessed by staff for legitimate work purposes.
- record and archival integrity is maintained.
- staff who access records are aware of their responsibilities for protecting privacy and confidentiality where relevant.
- the business understands the data storage terms and conditions of our data host providers, and any relevant local government laws that apply to our data host providers.
Information that is collected electronically must only be stored in the business's customer relationship management (CRM) system. Personal information should not be stored on employees' local computer drives.
Where information is collected in hard copy, we transfer it into our electronic CRM system and then securely destroy the hard copy.
Why We Collect Personal Information
Management is responsible for monitoring the collection of personal information to ensure that it is not collected for any purpose not stated in this procedure.
We collect personal information for the purposes of:
- delivering products and services to our customers
- marketing our products and services to customers and prospective customers
- marketing related products and services to our customers
- building business relationships
Use and Disclosure of Personal Information
All staff are responsible for monitoring how we use the personal information we collect, so that its use supports the purpose for which it was collected.
We do not make collated personal information available to others, unless they are providing a service that supports what we do, for example, mail delivery companies or telemarketers employed by us.
Spam is electronic junk mail sent via email, mobile devices or social media accounts. Management is responsible for monitoring the transmission of messages so that we do not send 'junk' and we do not send electronic mail unless:
- We have express or implied consent from the person we are sending it to.
- We identify our business and how we can be contacted in the body of the message.
- We provide an 'unsubscribe' option so that recipients can opt out of receiving our messages.
Disclosure to Government Agencies
Only the company Privacy Officer is authorised to respond to requests from government agencies or legal requests. Please forward all requests to email@example.com.
Information requested by government agencies or legal requests must:
- be in writing on appropriate letterhead
- state the relevant law authorising the request for information
- provide specific detail of the information requested
- provide sufficient information to assist staff to determine whether or not the request is reasonably necessary
Managing Requests for Access to Personal Information
If a person requests a copy of the personal information held about them, the request must be referred to the Privacy Officer. An acknowledgement of receipt of the request for information must be sent to the applicant within 10 business days of receipt.
A request for access to information must be received in writing. The purpose of the request is not relevant. There can be no charge for making the request.
The Privacy Officer may ask for more detail regarding the information requested.
The Privacy Officer may choose to provide access to the information in the following ways:
- via inspection in person by the applicant
- via hard copy delivered by ordinary post
- via electronic copy delivered to the confirmed personal email address of the applicant
A reasonable charge may be levied for provision of information to cover the administrative costs incurred in providing that information.
The response to a request for access must be delivered to the applicant within 30 days of the request being received.
Integrity of Personal Information
Where staff are aware that personal information is incorrect, they must correct that information as soon as possible.
If a person advises that their personal information is incorrect, and the Privacy Officer does not agree with their assertion, any request that person makes to amend their personal information must be stored with the personal information already held.
Records Management Procedures
All personal information should be securely destroyed after it is no longer required.
Personal information will be retained for a period of 7 years after last use for the purpose of meeting legal, accounting and auditing requirements, unless a longer period of retention is legally required.
Managing Privacy Complaints and Breaches
When a complaint about the handling of personal information, or a suspected privacy breach, is received, we must:
- acknowledge receipt of the complaint as soon as possible
- obtain evidence relevant to the breach
- investigate the breach
- make sure that there are no further breaches regarding the person in question, or the type of information disclosed
- assess the cause (e.g. a lack of training or awareness of privacy requirements)
- assess the potential harm from the breach (harm to the individual whose personal information has been disclosed and harm to the company)
- implement any actions necessary to reduce potential harm or prevent it happening again
- decide what to tell the affected person (whether or not there was a breach; if so, how it happened; what has been done to control or reduce potential harm; what has been done or will be done to prevent it happening again)
- decide whether anyone else needs to be notified, e.g. the Privacy Commissioner (this depends on the level of perceived harm, for example if credit card details have been disclosed), and
- keep a record of the complaint, the investigation and the response to the complainant.
The complainant must be notified of the ability to make a complaint to the office of the Privacy Commissioner if they are not satisfied with the way the complaint was handled.
Powers of the Privacy Commissioner
The Privacy Commissioner has the power to investigate complaints made by individuals who are concerned about the use or disclosure of their personal information. The Privacy Commissioner has the power to:
- accept an enforceable undertaking from the business, which usually has a financial penalty for non-compliance
- start a court action to require an enforceable undertaking
- make a determination about how personal information was handled and whether compensation should be paid to the “victim”
- bring a court action to enforce a determination
- seek an injunction from the court to stop our business doing something, or require our business to do something
- apply to the court for fines to be paid by our business
The possible consequences of an investigation by the Privacy Commissioner should be considered when managing privacy complaints.