Privacy Management Plan
- 1. Introduction
- 2. Personal Information
- 3. Main Classes of information collected, held and disseminated by the Department
- 4. Information Protection Principles
- 5. Privacy Codes of Practice
- 6. Current Policies and Law Relating to Information
- 7. Other considerations
- 8. Public Registers
- 9. Internal and External Review Processes
- 10. Dissemination of Policies and Training
- 11. External Service Providers
- 12. Strategies for Compliance
- 13. Appendices
1. Introduction
1.1. This Privacy Management Plan is a plan for the Department’s compliance with the principles and requirements of the Privacy and Personal Information Protection Act 1998 (“the Act”). The Act requires each “public sector agency” to prepare and implement a Privacy Management Plan by 30 June 2000.
1.2. This plan is drafted in a way which takes account of the diverse range of functions of the Department’s various cost centres. It aims to give officers in Department cost centres dealing with personal information guidance on the requirements of the Act and strategies for compliance with those requirements, and to set down some procedures which can be adopted by the Department to eliminate or reduce the risk of non-compliance.
2. Personal Information
2.1. The Act is concerned with “personal information”. This is defined in the Act as being “any information or opinion about a person whose identity is apparent or can be reasonably ascertained from the information or opinion”. The information does not have to clearly identify a person. It need only provide sufficient information to lead to the identification of a person. It is not limited to confidential or sensitive personal details. It covers information held in paper or electronic records and may even extend to body samples or biometric data.
2.2. While the definition of “personal information” is very broad, there are some important exceptions to the definition. The exceptions which are most relevant to the Department are:
- Information arising out of a Royal Commission or Special Commission of Inquiry;
- Information contained in Cabinet documents;
- Information about individuals who have been dead for more than 30 years;
- Information about an individual’s suitability for appointment or employment as a public sector official;
- Information arising from the exercise of specific statutory law enforcement powers such as telephone interception, controlled operations and witness protection;
- Information contained in a publicly available publication;
- The exercise of judicial functions by a court or tribunal.
2.3. These exceptions do not interfere with the confidentiality or sensitivity of these types of information and exemption from the requirements of the Act does not mean that other policy or statutory requirements, such as the confidentiality of Cabinet documents, should be disregarded.
3. Main Classes of information collected, held and disseminated by the Department
3.1. Given the diversity of functions within the Department, the range of holdings of personal information is wide. A list of cost centres and program functions within the Department is contained in Appendix A. A list of types of information held by the Department together with some notes on particular issues relevant to types of holdings is found at Appendix B. Although not a Department cost centre, the Minister’s Office deals with a large range of information which will, to varying degrees, be covered by the Act.
4. Information Protection Principles
4.1. The protections provided by the Act are based on 12 Information Protection Principles set out in the Act. They cover collection, storage, use and disclosure of personal information. Many of the principles only require that “reasonable” steps be taken having regard to the circumstances. Factors which will determine the “reasonableness” of steps to be taken will include the sensitivity of the information, the possible uses of the information, the context in which it was obtained and the financial and practical effects of strategies for compliance on the continued ability of the cost centre to perform its legitimate functions.
4.2. The Act also contains a number of exceptions to the operation of the principles. A summary of the Information Protection Principles together with a summary of the exceptions to the principles which are relevant to the Department is set out at Appendix C. Officers are alerted to the need to consult the full text of the principles as they appear in the Act or in the Privacy NSW publication “A Guide to the Information Protection Principles”. A copy of that publication has been provided to each cost centre in the Department.
5. Privacy Codes of Practice
5.1. Privacy Codes of Practice as provided for in the Act are statements of how a public sector agency proposes to depart from the Information Protection Principles or public register provisions of the Act.
5.2. Currently the only proposal for the Department to make a Privacy Code of Practice is in relation to the Bureau of Crime Statistics and Research. However, cost centre managers are directed to monitor their cost centre’s capacity to comply with the principles and to alert senior management to any possible need for a Code of Practice.
6. Current Policies and Law Relating to Information
6.1. A range of other legislation affects the way the Department processes personal information. Some applies to the Department as a whole and some applies to individual cost centres. In many cases such legislation prohibits disclosure of certain kinds of information except in specified circumstances. On the other hand, some legislation authorises the collection of information in a particular way or the sharing of information with other agencies. A list of such legislation appears at Appendix D. The most wide reaching and comprehensive legislation of this type is the Freedom of Information Act. The Act makes it clear, however, that it is not intended to affect the operation of the Freedom of Information Act.
6.2. There is also a range of departmental and whole of government policies which affect the way in which personal information is dealt with by cost centres. A list of such policies is at Appendix E.
7. Other considerations
7.1. A number of other considerations, apart from expressed policy and statutory requirements, play a role in the way cost centres deal with personal information. It should be remembered by cost centres that compliance with or exemption from the requirements in the Act will not affect obligations arising under other legislation or under general law principles. Some matters for cost centres to continue to consider are obligations arising under principles of confidentiality, legal professional privilege, privilege for confidential professional communications and public interest immunity.
8. Public Registers
8.1. Public Registers are defined in the Act as registers containing personal information that are made publicly available or open to public inspection. Some registers are in effect, at least in part, exempted from the requirements in the Act relating to public registers because the information contained in the register falls within one of the exceptions to the definition of “personal information”.
8.2. For example, a register which has, and is authorised to have, its entire contents published in a publicly available publication would not be a public register within the meaning of the Act. See paragraph 2.2 above for a list of the main exceptions to the definition of “personal information”. In addition, if access to a register is given only to specific categories of people rather than to the public at large, then it may be that it is not a public register within the meaning of the Act because it is not “publicly available or open to public inspection”.
8.3. The Department maintains the following registers of information:
- Register of Births, Deaths and Marriages
- Roll of Legal Practitioners
- Roll of Public Notaries
- Register of Schemes under the Charitable Trusts Act
8.4. The cost centres which administer each of these registers will analyse the public register provisions of the Act and, to the extent to which those provisions apply to those registers, will adopt strategies for compliance with the Act’s requirements in relation to public registers. In summary, those requirements are that:
- Before disclosing any personal information from a public register, the responsible agency must be sure that the information is to be used for a purpose which is legitimate by reason of its relationship to the purpose of the register or of the legislation under which the register is kept; and
- Where the agency suppresses, on request, a person’s information from a public register the agency must be satisfied that the safety or well-being of the person will be adversely affected by not suppressing the information and that the suppression is not against the public interest.
8.5. It should be remembered that registers which do not fall within the public register requirements of the Act are still subject to the Information Protection Principles in the Act.
9. Internal and External Review Processes
9.1. People who have complaints about how the Department has dealt with personal information may apply to the Department for “internal review”. Applications for internal review may concern conduct by a cost centre which a person believes:
- breaches an information protection principle;
- breaches a code that applies to the department or one of its cost centres; or
- is an inappropriate disclosure by the Department or one of its cost centres of personal information kept in a public register.
9.2. The Act sets out a number of requirements for the processing of applications for review including time frames, reporting requirements and requirements for advice to people about their rights to internal and external review.
9.3. The Department has developed a procedure for the conduct of internal reviews. A copy of the procedure, which also canvasses external review by the Administrative Decisions Tribunal, is attached at Appendix F.
10. Dissemination of Policies and Training
10.1. The Corporate Development and Training Unit of the Department offers a variety of courses for staff of the Department which provide opportunities for disseminating policies and practices relating to the Department’s privacy obligations. All new staff complete a one day induction course in workplace ethics and privacy obligations. Relevant policies and practices are canvassed in this context. The Corporate Development and Training Unit also runs specialised courses for individual cost centres.
10.2. The Department’s Code of Conduct, issued to all staff, deals with the use and disclosure of information obtained in the course of employment and with the confidentiality obligations of staff who have left the Department.
10.3. All staff have a copy of, or access to, this Privacy Management Plan. Information sessions are to be held on the Plan in each cost centre.
10.4. Training for staff is also supplemented by resources to be accessed when more complex decisions or assessments have to be made. Currently available resources include:
- Department circulars;
- Department guidelines and other publications including the Code of Conduct, Policy for Use of Electronic Mail and the Internet, Security of Information Systems Policy, Security of Electronic Information Policy, Draft Information Technology Strategic Plan;
- Publications from the Privacy Commissioner’s Office, including:
  - the Guide to the Privacy and Personal Information Protection Act;
  - the Guide to the Information Protection Principles;
  - the Guide to Making Privacy Codes of Practice;
  - the Guide to Public Registers.
11. External Service Providers
11.1. The Department has contractual arrangements with a range of service providers. These contracts are ongoing and in some cases span a number of years. Some were in existence prior to the commencement of the Act.
11.2. Existing contracts are being reviewed and updated to reflect the obligations of the Department under the Act. New contracts will include appropriate clauses covering compliance issues.
12. Strategies for Compliance
12.1. Assessment of Current Practices
12.1.1. The first step in compliance with the Act and its principles is to assess current practice and procedure. Individual cost centres can do this by:
- determining which types of information are held, by reference to Appendix B, and identifying the personal information contained in those holdings;
- determining the functions and purposes of the cost centre by reference to relevant Department program functions and the Business Plan of the cost centre;
- ascertaining the coverage of the Information Protection Principles and relevant exceptions to the personal information held, initially by reference to Appendix C and paragraph 2.2 above;
- referring to the current law and policies which already govern the way in which information is processed and ascertaining the policies and procedures adopted in compliance with those laws and policies; and
- identifying any remaining areas of risk or exposure under applicable Information Protection Principles.
12.1.2. If such areas of risk or exposure are identified then procedures must be adopted in line with or beyond the following general strategies for compliance. If the need for a Privacy Code of Practice is identified, this must be brought to the attention of Senior Management immediately (see paragraph 5 above).
12.1.3. A number of general strategies for compliance with the Information Protection Principles have been identified for adoption by the Department as a whole and for adaptation where necessary by individual cost centres. These strategies have been grouped together below under the Information Protection Principles’ main areas of coverage.
12.2. Collection
12.2.1. Cost centres will review all application forms used to collect personal information from clients or employees to ensure that notification requirements (as per Principle 3) are met and consent to further disclosures is covered where necessary to the operation of the cost centre. Corresponding notices will be posted on the Lawlink website. Where necessary, interim pamphlets and/or stickers for this purpose will be provided to clients.
12.2.2. All department staff will be notified of programs and policies for monitoring of telephone, e-mail and internet usage.
12.2.3. Staff in cost centres which collect personal information by telephone will be equipped with a form of words to notify clients of matters required by Principle 3 and to obtain consent to further disclosure where necessary. Alternatively, pro forma letters, confirming notification and consent will be forwarded to clients following telephone contact. In addition, where telephone conversations are monitored by recording for quality control and supervision purposes, clients will be advised of this at the outset of the conversation.
12.3. Storage
12.3.1. The Department will further develop and review separate policies for storage of electronic and paper information with reference to the Department’s Security of Information Systems Policy and the Government’s Security of Electronic Information Policy.
12.4. Use
12.4.1. Where information is stored in a computerised database, cost centres will ensure that appropriate descriptions are used to avoid errors or misinterpretation of data and standards are adopted which allow consistent transfer of information between cost centres or agencies within the Department.
12.4.2. Standards will be adopted, with reference to the functions and purposes of the particular cost centre, to ensure personal information is used only for the purposes for which it was collected.
12.4.3. Where information is proposed to be used for research purposes this will be done in accordance with guidelines to be prepared by the Office of the Privacy Commissioner or with a Code of Practice similar to that proposed to be made by the Bureau of Crime Statistics and Research.
12.5. Disclosure
12.5.1. Cost centres will develop written procedures to cover the main kinds of personal information staff can be expected to disclose and the authority for such disclosures. Staff with frequent contact with department clients will be given additional training in the application of the Information Protection Principles to disclosure in the context of their cost centre’s functions.
12.5.2. Information disclosed by the Department or any of its cost centres for research purposes will be anonymised.
12.5.3. The Community Relations Division of the Department will, in consultation with the Attorney General’s Office, develop a protocol for the disclosure of personal information by way of Ministerial correspondence. This protocol will take into account the exception contained in section 28(3) of the Act relating to disclosure for the purpose of informing the Minister or the Premier.
12.6. Internal Review
12.6.1. Staff of each cost centre will be made aware through training and Department circulars of the legal rights people have to internal review, and, in particular, what constitutes an internal review and the time limits for processing of internal reviews.
12.6.2. An internal review officer will be appointed for each cost centre and equipped by training and access to advice from the Privacy Commissioner’s Office to deal with issues arising in any complaint.
12.6.3. An officer in the Community Relations Division of the Department will be designated to be notified of each application for internal review and to be responsible for notifying the Privacy Commissioner and compiling statistics on internal review for the Department’s Annual Report.
12.6.4. Individuals will be told about their rights to internal and external review through the inclusion of statements about these rights on forms and notices completed by people providing personal information. The format of such statements will differ between cost centres and according to the information provided and the purpose for which it is provided. However, the statement will contain advice that:
- people have the right of access to, and correction of personal information about them;
- if they consider that personal information about them is being handled incorrectly, then they may request the Department to undertake an internal review or they may contact the Office of the Privacy Commissioner;
- time limits apply to the making of applications and complaints and to the handling of internal reviews.
12.6.5. Application forms for internal review will be provided to people wishing to apply for internal review. The application form will contain advice about:
- the range of action that may be taken by the department at the conclusion of the review;
- the time limits on the review; and
- the right of appeal to the Administrative Decisions Tribunal.
12.7. Public Registers
12.7.1. The cost centres which administer registers of information will analyse the public register provisions of the Act and, to the extent to which those provisions apply to those registers, will adopt strategies for compliance with the Act’s requirements.
