
Module 3: Understanding privacy in your agency

20 minutes

Learning objectives

So far, we have looked at specific practices that you should adopt to handle personal information in accordance with the Privacy Act. These practices fit into the broader framework that your agency uses to manage personal information.

This module will cover some of the ways that your agency manages privacy issues, including the role of the Privacy Officer, Privacy Impact Assessments, and responding to data breaches.

At the end of this topic, you should be able to:

  • describe the ways in which personal information may be handled by your agency
  • explain the requirements of the Australian Government Agencies Privacy Code
  • explain the role of the Privacy Officer in your agency
  • understand what a Privacy Impact Assessment (PIA) is and when a PIA may need to be conducted.


Video transcript

Modules 1 and 2 looked at practices your agency should adopt to handle personal information lawfully and ethically. Those practices should fit into the broader privacy framework that your agency uses to handle personal information.

Every agency will have a different privacy framework in place, depending on the nature of the agency’s work and its size, as well as the amount and type of personal information that it holds. This framework will inform how you handle personal information in your day-to-day work.

For example, your agency will have its own unique:

  • Privacy Management Plan — to set out what it is doing or will do to meet its privacy obligations
  • Privacy Policy — to provide transparency to the public about how it handles personal information
  • Complaints handling process — which sets out how complaints and concerns from members of the public will be resolved, and
  • Data breach response strategy — so staff know what to do and who to tell if a data breach is suspected.

Some agencies will also have other legislative obligations governing what they can and cannot do with personal information, such as secrecy provisions.

Your Privacy Officer is the primary point of contact for advice on privacy issues, and will be able to tell you about any agency-specific legislation, policies and procedures that relate to privacy.

This module covers some practical privacy management steps — including having a Privacy Officer, conducting Privacy Impact Assessments, and preparing a data breach response plan.

Direct YouTube link: https://youtu.be/k-TjwhYMPK4.

General privacy responsibilities for Australian Government agency staff

Everyone working in an Australian Government agency has responsibilities relating to privacy.

All staff must:

  • handle personal information in accordance with the APPs and any other relevant legislation
  • familiarise themselves with their agency’s privacy policy
  • know who their agency’s Privacy Officer is
  • ensure that they understand when it is appropriate to collect, use and disclose personal information in the course of their employment
  • keep the personal information they handle secure.

Your work may intersect with privacy if you are, for example:

  • collecting personal information in order to deliver a service or benefit to a client, or to make a decision about whether to provide a service or benefit
  • developing new government initiatives with an impact on the privacy of individuals
  • working on a project or proposal that involves insights obtained from personal information
  • working in Human Resources and managing the personal information of employees
  • implementing new technologies or on-boarding new supplier relationships which may have an impact on privacy
  • managing risk, driving compliance and best practice, and responding to breaches in a legal, risk, compliance or ICT/cyber security role.

Key people in your agency

Privacy Officers

The Australian Government Agencies Privacy Code requires every agency covered by the Privacy Act to have at least one Privacy Officer.

Your agency’s Privacy Officer is the primary point of contact for advice on privacy issues. You can get in touch with the Privacy Officer if you have questions or concerns about how your agency handles personal information.

Your agency must ensure that a number of Privacy Officer functions are carried out. These functions include:

  • coordinating the handling of privacy enquiries and requests from the public for access and correction
  • keeping a record of the personal information held by the agency
  • coordinating the handling of complaints
  • assisting with PIAs and keeping a register of those assessments
  • keeping a record of the agency’s annual performance against its Privacy Management Plan.

Privacy Champions

Agencies must also have a Privacy Champion, who is a senior officer responsible for promoting a culture of privacy in the agency. Your Privacy Champion also reports to the agency’s executive about privacy issues within the agency, and is accountable for the agency’s Privacy Management Plan.

Your agency’s important privacy documents

Your agency’s Privacy Management Plan

All Australian Government agencies must have a Privacy Management Plan — a document that identifies specific, measurable privacy goals and targets and sets out how an agency will meet its privacy compliance obligations.

If you have questions about your Privacy Management Plan, including where you can find it, you should contact your Privacy Officer.

Your agency’s privacy policy

The privacy policy is an important document — it’s how your agency communicates with the public about how it is handling their personal information.

Privacy policies outline the types of personal information your agency collects, how it collects it, what it does with it, whether it sends it overseas and how individuals can access and correct their information or make a complaint. In many cases, the privacy policy can help answer questions from the public about how your agency deals with privacy. It can also help you to understand how you should be handling personal information in your day-to-day work.

You should familiarise yourself with your agency’s privacy policy and know where to find it. If you have questions about privacy policy good practice, you should contact your Privacy Officer.

Privacy Impact Assessments

A PIA is a systematic assessment of a project that:

  • identifies the impact that the project might have on the privacy of individuals, and
  • sets out recommendations for managing, minimising or eliminating that impact.

The term ‘project’ is used loosely and is intended to cover the full range of activities and initiatives that may have privacy implications, including:

  • policy proposals
  • new or amended legislation
  • new or amended programs, activities, systems or databases
  • new methods or procedures for service delivery or information handling
  • changes to how information is stored.

Why conduct a PIA?

The Australian Government Agencies Privacy Code requires agencies to complete PIAs for all high privacy risk projects. According to the Code, high privacy risk projects involve any new or changed ways of handling personal information which are likely to have a significant impact on the privacy of individuals.

There are many other reasons that your agency might want to conduct a PIA. It’s an opportunity to not only make sure a project complies with privacy laws, but also to go beyond compliance to consider the project’s broader privacy implications and risks. It can help to identify whether the community is likely to accept the planned uses of personal or sensitive information in the project.

Your agency’s Privacy Officer can give you advice on PIAs, including whether your project requires a PIA and who can help you do one.

The OAIC also has some training on how to conduct PIAs. You can learn more on the OAIC website.

Activity: Risk or benefit?

Categorise the following statements as either a benefit of doing a PIA or a risk of not doing a PIA.

Risks of not doing a PIA

  • An organisation’s reputation could be damaged if the project fails to meet expectations about how personal information will be protected
  • Non-compliance with the letter or the spirit of the Privacy Act.
  • There may be an increased risk of a privacy breach.
  • Privacy risks could be identified too late in the project development to do anything about them.
  • An agency’s credibility could be damaged through lack of transparency in response to public concern.

Benefits of doing a PIA

  • The project is more likely to be compliant with privacy laws.
  • Community values and expectations around privacy will be reflected in the project design.
  • Stakeholders will know that the project has been designed with privacy in mind.

Data breaches

A data breach occurs when personal information an agency or organisation holds is lost or subjected to unauthorised access or disclosure.

Data breaches may be caused by malicious action (by an external or internal party), human error or a failure in information handling or security systems.


  • Unauthorised access

    Unauthorised access occurs when personal information that an entity holds is accessed by someone who is not permitted to access it. This includes an employee browsing customer records without any legitimate purpose, or a computer network being compromised by an external attacker resulting in personal information being accessed without authority.

  • Unauthorised disclosure

    Unauthorised disclosure occurs where an entity makes personal information accessible or visible to others outside the entity, and loses effective control of that information in a way that is not permitted by the Privacy Act. This includes inadvertent disclosure of personal information due to ‘human error’, for example an email sent to the wrong person, or disclosure of an individual’s personal information to a scammer, as a result of inadequate identity verification procedures.

  • Loss

    Loss refers to the accidental or inadvertent loss of personal information. For example, where an employee leaves personal information on public transport, such as hard copy documents, a laptop or a storage device.

Harms caused by a data breach

Data breaches can cause harm in multiple ways. Individuals whose personal information is involved in a data breach may be at risk of serious harm, including harm to their physical or mental well-being, financial loss or damage to their reputation. Examples of harm include:

  • identity theft causing financial loss or emotional and psychological harm
  • financial fraud including unauthorised credit card transactions or credit fraud
  • threats to physical safety, including family violence
  • loss of business or employment opportunities
  • humiliation
  • damage to reputation or relationships
  • harassment or bullying.

The Notifiable Data Breaches scheme

There are certain data breaches that must be reported to affected individuals and the OAIC.

When a data breach occurs that is likely to result in serious harm to an individual whose personal information is involved, your agency must notify affected individuals and the OAIC, in accordance with the Notifiable Data Breaches scheme (NDB scheme) in the Privacy Act.

This is known as an ‘eligible data breach’.

An eligible data breach occurs when the following criteria are met:

  • There is unauthorised access to, or disclosure of personal information held by an entity (or information is lost in circumstances where unauthorised access or disclosure is likely to occur).
  • This is likely to result in serious harm to any of the individuals to whom the information relates.
  • The entity has been unable to prevent the likely risk of serious harm with remedial action.

It may not always be clear if a suspected data breach meets the criteria for an ‘eligible data breach’. Your agency must conduct an assessment to determine whether the breach is an ‘eligible data breach’ which triggers the notification obligations.

It is important to let the right person in your agency know if you suspect that a data breach has occurred, as they will need to consider the obligations under the NDB scheme.

There is an important practical function to this requirement to notify affected individuals. It allows individuals to take steps to reduce their risk of harm, such as by changing their password and being alert to identity fraud or scams.

The NDB scheme also serves the broader purpose of enhancing agencies’ accountability for privacy protection. By demonstrating that breaches of privacy are taken seriously, the NDB scheme works to build trust in personal information handling practices across the government.

Responding to a data breach

Not all data breaches will be ‘eligible data breaches’ for the purposes of the NDB scheme. However, your agency should have a data breach response plan in place, setting out how it will respond to actual or suspected data breaches, including eligible data breaches under the NDB scheme. You should familiarise yourself with this data breach response plan.

If you think that your agency may have experienced a data breach, you should follow the steps in your data breach response plan or contact your Privacy Officer or other relevant staff.

Generally, the actions taken following a data breach should follow four key steps:

Step 1: Contain the data breach to prevent any further compromise of personal information.

Step 2: Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, taking action to remediate any risk of harm.

Step 3: Notify individuals affected and the OAIC if required. If the breach is an ‘eligible data breach’ under the NDB scheme, it may be mandatory for the agency to notify.

Step 4: Review the incident and consider what action can be taken to prevent future breaches.

Scenario: Which of these is a data breach?

A letter is sent

A letter or email containing personal information is sent to the wrong address. Is this a data breach?

This is an unauthorised disclosure of personal information, so it is a data breach. It will be an ‘eligible data breach’ under the NDB scheme if it is likely to result in serious harm to the individual or individuals whose personal information was contained in the letter or email, and the entity has been unable to prevent the likely risk of serious harm with remedial action.

Stolen laptop

A staff member has their laptop stolen. They have written their username and password on the bottom of the laptop. Is this a data breach?

Since the thief can access personal information on the laptop, or use it to access agency systems, this is a data breach. It will be an ‘eligible data breach’ under the NDB scheme if it is likely to result in serious harm to the individual or individuals whose personal information is stored on the laptop, and the entity has been unable to prevent the likely risk of serious harm with remedial action.

Folder on public transport

A staff member leaves a folder of documents on public transport, including names and contact details of individuals. Is this a data breach?

This is an unauthorised disclosure and a data breach. It will be an ‘eligible data breach’ under the NDB scheme if it is likely to result in serious harm to individuals whose personal information was contained in the folder, and the entity has been unable to prevent the likely risk of serious harm with remedial action.

Forgotten security pass

A staff member leaves their security pass at home. Is this a data breach?


There has been no unauthorised access, disclosure or loss of personal information.

Viewing personal records

A staff member uses their access to agency systems to look at the records of their ex-partner to see if they can find out their phone number. Is this a data breach?

This would be unauthorised access as it is outside the scope of the staff member’s work. It will be an ‘eligible data breach’ under the NDB scheme if it is likely to result in serious harm to the ex-partner, and the entity has been unable to prevent the likely risk of serious harm with remedial action.

False information

A fraudster impersonates someone using their stolen personal details and tricks a staff member into releasing their personal information. Is this a data breach?

This would be unauthorised disclosure and a data breach. It will be an ‘eligible data breach’ under the NDB scheme if it is likely to result in serious harm to the individual or individuals whose personal information was released, and the entity has been unable to prevent the likely risk of serious harm with remedial action.

Hacked system

Hackers break into your agency’s systems and extract personal information and other data. Is this a data breach?

This would be unauthorised access and a data breach. It will be an ‘eligible data breach’ under the NDB scheme if it is likely to result in serious harm to the individual or individuals whose personal information was stolen, and the entity has been unable to prevent the likely risk of serious harm with remedial action.

Forgotten password

A staff member forgets their password and cannot log into agency systems. Is this a data breach?


There has been no unauthorised access, modification or loss of personal information so it is not a data breach.

Case study

What a morning. As you arrive for work at your agency this morning, you run into Alex.

‘Hey Claire,’ says Alex. ‘Did you hear what happened to Dan the other day? He accidentally left a work file on the train.’

‘Uh oh!’

‘Yeah… he felt so embarrassed about it that he decided to ignore it and hope for the best.’

‘Yikes!’

‘One week later, the person who found the file on the train had photocopied the documents and sent them to a journalist, who published them online.’

‘Gosh, that’s much more embarrassing than telling a manager in the first place! They might have been able to do something to recover the file, or at least manage the consequences.’

You make your way to your desk, where there is a message for you: Jill has asked you to come by and chat to her about something…

This is an exploratory activity — don’t worry about getting it right or wrong, just explore the options and have fun!


Knowledge check

You are now ready for the final Module 3 knowledge check. Answer the five questions.

Question 1

When does the Australian Government Agencies Privacy Code require an agency to undertake a Privacy Impact Assessment?

Question 2

Which of these is not a data breach?

Question 3

The Privacy Officer is the primary point of contact for advice on privacy issues in your agency. Which of these is not a Privacy Officer function?

Question 4

True or false: an agency’s privacy policy should be published on its website.

Question 5

If you think your agency may have experienced a data breach, there are several steps you could take. Which of the following is not an appropriate step?
