State and local government organisations collect, handle and store personal information from clients as part of their regular business activities.
What is personal information?
Personal information is defined in the Glossary to the Freedom of Information Act 1992 (WA), as:
“information or an opinion, whether true or not, and whether recorded in a material form or not, about an individual, whether living or dead -
(a) whose identity is apparent or can reasonably be ascertained from the information or opinion; or
(b) who can be identified by reference to an identification number or other identifying particular such as a fingerprint, retina print or body sample.”
Some examples of personal information can include:
- name
- contact details (address, telephone number or email)
- medical information; or
- financial information.
How do I manage personal information?
Western Australian State and local government organisations are not regulated by privacy legislation; however, some controls for personal information are provided for in the Freedom of Information Act 1992 and the State Records Act 2000.
The Commonwealth’s Privacy Act 1988 lists 13 Australian Privacy Principles (APPs) which, whilst not legally binding on Western Australian State and local government organisations, provide a sound framework for managing personal information. APP 11 (security of personal information) requires that organisations ‘must take reasonable steps to protect the information from misuse, interference and loss, as well as unauthorised access, modification or disclosure’. Following these principles makes good business sense.
Organisations that are obliged to collect and handle personal information for business purposes should consider the risks involved in keeping details of, or copies of, personal information and must take the necessary steps to manage that information appropriately.
There are several factors to consider:
Does the information need to be held, or will sighting it be sufficient?
Organisations should not collect personal information unless it is absolutely necessary for business purposes. In most cases simply noting and recording that a person has the relevant qualifications, licences etc. is sufficient.
Who will have access to the personal information?
Policies and procedures must be in place within the organisation to limit access to only those roles / individuals who need to access personal information for business purposes. This could be as simple as locking hardcopy files in an area where only appropriate staff have access, or by having access permissions embedded in systems which manage records.
How will the information be used?
Organisations should have a privacy statement on their website which states how the organisation will use personal information and the conditions upon which it may be disclosed to third parties.
As an example, upon phoning many organisations you may hear a message saying, “this call may be used for quality and training purposes”. If there is a possibility that this recording could be used for purposes other than those stated, the organisation must advise customers of this in advance. This can be achieved by extending the initial message to include more detail, or by referring customers to the privacy statement on the organisation’s website.
How will the information be destroyed?
All records must be retained and disposed of in accordance with an approved Retention and Disposal Authority. When destroying any records, especially those containing personal and sensitive information, organisations must ensure it is done completely so that no information is retrievable.
Acknowledgement:
Office of the Australian Information Commissioner.
Australian Law Reform Commission.
Office of the Information Commissioner.