Privacy obligations

Content Summary

If an organisation needs to comply with the Act, it can choose to:

  • become bound by an approved industry code
  • apply to have its own code under the Act approved by the Australian Information Commissioner
  • be bound by the Australian Privacy Principles (APPs).

The functions of a privacy compliance program are to:

  • develop an organisation's privacy practices
  • assist in defending a complaint made to the Australian Information Commissioner.

This information will help your organisation develop a privacy compliance program.

Privacy policy checklist

Use this checklist to help create your organisation's privacy policy.

Nominate a privacy officer

Consider nominating a staff member to act as a privacy officer, if you feel your organisation is of a size to warrant one. The privacy officer should be given clear authority to:

  • undertake a privacy review of existing systems to determine how the organisation uses personal information
  • direct and implement a privacy strategy
  • establish systems to ensure compliance with the new legislation
  • maintain the privacy compliance system.

Know the APPs

Be familiar with the Australian Privacy Principles (APPs) and their guidelines to understand how they are likely to affect the business practices of your organisation.

Conduct a privacy review

You should carry out a privacy review to assess:

  • the type of information your organisation collects and keeps
  • how your organisation uses such information and who, if anyone, it shares this information with.

We recommend using a comprehensive questionnaire for the review. At a minimum, it should include the following questions.

  • What personal information has been and will be collected, and from whom? This question needs to be answered in two parts, covering personal information and sensitive information separately.
  • How is personal information collected? Any form of data collection should be considered, including standard forms, surveys, mail, emails and call centres.
  • Why is the personal information collected?
  • Do all the reasons for collecting information relate to the functions or activities that your business conducts?
  • Who accesses and uses the personal information, both within your organisation and among any third parties?
  • How is personal information stored and destroyed?
  • How can personal information be accessed?
  • Who has access to what information?
  • What information is disclosed to third parties (for example, mailing houses or business partners)?
  • What consents are in place for your business to use or disclose personal information?
  • Is the information current and accurate? This will involve an assessment of the procedures to update information or delete irrelevant information, and to ensure accurate data recording.
  • How are complaints handled?
  • Do you send information overseas or to related companies? If you are likely to disclose personal information to international recipients, list the countries where those recipients are based.
  • How can individuals access personal information held about them, and how can they correct that information if necessary?
  • How can individuals complain to your business about a breach of the Australian Privacy Principles, and how will you deal with such a complaint?

Implement a privacy compliance program

Prepare a privacy compliance manual to minimise your exposure to privacy compliance risks. Consider the following three-step process.

  1. Identify the privacy compliance issues raised by the review. The privacy officer and senior management, potentially in consultation with lawyers, should take responsibility for this.
  2. Implement the manual and educate staff on their responsibilities for security and information management.
  3. Maintain and update the contents of the manual according to changes in business practices, law, regulation and industry codes and practices. Retrain and refresh staff in relation to their responsibilities. Undertake audits at regular intervals.

Develop a privacy statement and policy

If your organisation is subject to the Act, you must have a privacy policy which clearly sets out how you will manage personal information.

The policy must be publicly available and free of charge. You could publish it on your website, but hard copies should also be available.

A business’ privacy policy must disclose everything as set out in the privacy review section above.

Develop privacy procedures

Your organisation must take reasonable steps to protect the personal information it holds from misuse, unauthorised access, modification or disclosure.

You must also destroy and de-identify information when it’s no longer needed.

Your privacy policy should be supported by specific procedures, including guidelines on:

  • managing mailing lists
  • collecting, managing and using contact lists
  • inclusions in contracts with consultants and suppliers including outsourcing where personal information may be handled
  • managing personal information access requests
  • using sensitive information
  • conducting security reviews of current practices or procedures
  • storing forms used to collect personal information, e.g. not leaving correspondence in trays overnight
  • using paper shredders
  • positioning computer screens at inquiry counters away from the public
  • using password-protected computers and screen savers
  • setting a short time frame for activation of screen savers
  • enforcing regular password changes
  • restricting access to data by key staff only
  • using anti-virus software on computers
  • storing computer backups securely
  • removing access rights for employees who leave the organisation
  • providing all staff with the internet and email usage policy.

You should have procedures in place:

  • to ensure data is removed, destroyed or cleared when no longer required
  • to handle access requests in line with the records handling policy
  • to handle complaints or incidents regarding breaches of privacy.

A key way to ensure you comply with privacy obligations is for your procedures to set out how you’ll manage information handling issues; for example, the security and confidentiality of personal information in service provider contracts. Two key areas identified by the Privacy Commissioner are cleaning and counselling services.

More information about privacy obligations

CPA Australia has made every effort to ensure that, at the date of publication, the information contained on this page is correct.

The information and recommendations on this page are considered to be consistent with the law and applicable guidelines at the time of publication. However, they do not constitute legal advice. This information is not intended to be comprehensive. Members concerned about their legal rights and obligations in relation to federal, state or territory privacy legislation may wish to seek their own independent legal advice.