Information Management – Privacy and Personal Information Protection Guideline Page 1 of 43 NSW Department of Commerce Government ChiefInformationOffice Information Management – Privacy and Personal Information Protection Guideline Issue No: 2.0 First Published: July 2002 Current Version: Mar 2005 TABLE OF CONTENTS 1. Introduction...............................................................................................................................................2 2. Purpose and Scope..................................................................................................................................3 3. What is privacy & personal data protection...............................................................................................4 3.1 Background.................................................................................................. 4 3.3 Privacy regulation in the private sector........................................................ 5 3.4 Privacy regulation in NSW public sector...................................................... 6 Figure 2. Privacy Legislation affecting NSW Public Sector Agencies................ 12 4. Managing personal information...............................................................................................................13 4.1 Collection...................................................................................................... 13 4.2 Storage......................................................................................................... 14 4.3 Access and disclosure................................................................................. 15 4.4 Use............................................................................................................... 17 4.5 Disposal........................................................................................................ 17 5. Other Issues ..........................................................................................................................................18 5.1 Tax file numbers (TFNs).............................................................................. 18 5.2 Credit information......................................................................................... 18 5.3 Transfer of personal information.................................................................. 19 5.4 Data matching.............................................................................................. 21 5.5 Research...................................................................................................... 21 5.6 Privacy in the workplace.............................................................................. 22 5.7 Video surveillance in public places.............................................................. 26 5.8 Electronic technology requirements............................................................. 27 5.9 Criminal misuse of personal information...................................................... 27 5.10 Privacy statements and the web............................................................. 28 6. Responsibilities for managing privacy.....................................................................................................30 6.1 Privacy Contact Officer (PCO)..................................................................... 30 6.2 Chief Information Officer (CIO).................................................................... 30 6.3 Custodians................................................................................................... 31 6.4 Librarians...................................................................................................... 31 6.5 Record managers......................................................................................... 31 6.6 FOI officers................................................................................................... 31 6.7 Web managers............................................................................................. 31 6.8 HR managers /workplace managers........................................................... 32 APPENDIX 1 -Privacy Management Plan (PMP) development checklist.........................................33 APPENDIX 2 -Human readable web privacy statement...................................................................36 APPENDIX 3 -Privacy references.....................................................................................................41 Table of Figures Figure 1: Information Management Framework............................................................................................2 1. Introduction Information, and the individuals assigned to handle it, are vital ingredients in the management of NSW Government business. Effective Information Management (IM) ensures that the true value of information is identified, understood and exploited to its best effect. The Government’s Information Management Memorandum requires each agency to develop and implement policies and plans that address all of the measures required for the effective collection, storage, access, use and disposal of information, to support agency business processes. Further, it requires that this be done within a whole-of-Government approach. To assist agencies and individuals, this Guideline on Privacy and Personal Information Protection has been developed. It represents one of a series of Guidelines on Information, Communications and Technology (ICT) for Government agencies. A full list of Policies and Guidelines relating to Information Management and other ICT issues is available at the Government Chief Information Office web site and should be researched as part of any review in this area. Within the information lifecycle of collection, storage, access, use and disposal, there exist a number of management responsibilities (based on the characteristics of information -definition, ownership, sensitivity, accessibility and quality) which need to be managed by an agency during each stage of the lifecycle. Each of these management responsibilities is supported by operational guidelines. Figure 1 (below) identifies this framework for IM. Figure 1: Information Management Framework Information Management – Privacy and Personal Information Protection Guideline Page 2 of 43 2. Purpose and Scope This Guideline is intended to assist NSW Government agencies develop policies and procedures to manage their obligations in relation to privacy and personal information protection. It provides a conceptual understanding of, and a practical guide to, the rights and responsibilities of agencies and individuals, stemming from the NSW Privacy and Personal Information Protection Act 1998. NSW Government agencies manage a range of private and personal information. This Guideline is provided to assist in the appropriate management of this information. The Guideline is targeted primarily at individuals with direct responsibilities in this area, however, the issues discussed are applicable to a much wider agency-related group. This group could include: • Permanent, temporary and casual staff; • Consultants, volunteers and work experience students; • Third parties such as contractors or outsourced organisations. The following points of reference are made for the reader: • The authors of this Guideline relied on various legislation, journal articles, Government reports and other secondary information sources; • Information sources were principally Australian; • The authors of this Guideline believe the information on which this Guideline is based, to be reliable and accurate; • This Guideline does not purport to be a definitive reference and should not be used as the sole reference point regarding privacy issues; • If any doubt exists regarding current or intended agency practice, written legal advice from a registered legal practitioner should be sought on the matter(s); • This Guideline is specifically for use in New South Wales. A variety of additional information regarding privacy is freely available from various sources. Whenever possible, readers should refer to the original references provided within this Guideline. Additionally, Privacy NSW provides detailed information and user guides to assist in interpreting legislation and implementing Privacy Management Plans and Privacy Codes of Practice (detailed further in this Guideline). Finally, it should be noted that this Guideline does not attempt to interpret the meaning of legislation or provide any legal guidance. It does not replace existing agency Codes of Practice, policies or legislation which address specific privacy issues such as in health management and law enforcement. Information Management – Privacy and Personal Information Protection Guideline Page 3 of 43 3. What is privacy & personal data protection 3.1 Background The importance of privacy is enshrined in both the United Nations Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights, 1966 to which Australia is a signatory. Article 17 of the Covenant provides that: • "no one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour or reputation”; • “…everyone has the right to the protection of the law against such interference or attacks". The Organisation for Economic Co-operation and Development (OECD) of which Australia is a member, developed guidelines on the Protection of Privacy and Transborder Flows of Personal Data in 1980. These guidelines were developed to help protect personal data whose nature, context, intended use or process poses a danger to privacy and individual liberties regardless of whether this occurs in the public or private sector. For example, the approach of the OECD guidelines and subsequent legislation has been to define personal information very broadly, as all information relating to identifiable individuals. However, later legislation has tended to modify the definition by including biometric data such as fingerprints, genetic characteristics etc and by singling out more sensitive classes of personal information (health, ethnicity etc) for greater protection. The OECD guidelines provide eight basic principles of national application and four basic principles of international application. These principles are designed to facilitate the free flow of data between member states and limit the restrictions member states may impose. Members are encouraged to adopt appropriate domestic legislation, to encourage and support self-regulation and to provide adequate sanctions and remedies for non-compliance with the guideline principles. OECD’s group of experts on security and privacy affirmed the guidelines in May 1998. Although the concept of privacy is very broad and varies across countries and cultures, the OECD guidelines are constrained to the protection of individuals' privacy in relation to the information held about them. Privacy, as legislated in Australia, has a similar focus on the protection of information held about individuals. Therefore, this Guideline also focuses on information, more specifically personal information, which is defined as: • “information or an opinion… about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.” (Privacy and Personal Information Protection Act 1998, Section 4 (1)). This definition includes such things as an individual’s fingerprints, retina prints, body samples or genetic characteristics. It does not include information about an Information Management – Privacy and Personal Information Protection Guideline Page 4 of 43 individual who has been dead for more than 30 years or information about an individual that is contained in a publicly available publication. It is important to note that personal information may be held in any medium, such as: • Paper; • Video or sound recording; • Computer systems; • CD-ROM, DVD. The OECD guidelines refer to protecting ‘data’, privacy legislation in Australia refers to protection of 'information'. Although the terms 'information' and 'data' are not equivalent in technical terms, they are used interchangeably for the purposes of this Guideline. 3.2 Privacy regulation in the Commonwealth public sector The Commonwealth Government adopted the OECD Guidelines in 1983, recommending that the States conform to them. In 1988 the Commonwealth Privacy Act 1988 (hereafter called the Federal Privacy Act) was enacted and contains Information Privacy Principles derived from the OECD guidelines. The Federal Act established the position of Privacy Commissioner and requires Commonwealth and Australian Capital Territory Government agencies to comply with eleven Information Privacy Principles (IPPs). It also applies to all States in both the public and private sectors for two specific categories of information: Tax File Number information and consumer credit information (unless there is relevant state legislation in place which provides for the privacy of these types of information). 3.3 Privacy regulation in the private sector In Australia, prior to 2000, the only regulation of the private sector was by voluntary industry codes. There was no specific legislation dealing with privacy issues in the private sector other than that contained in Acts relating to particular industries, for example, telecommunications. In 1997, the Federal Privacy Commissioner issued a Consultation Paper, Information Privacy in Australia: A National Scheme for Fair Information Practices in the Private Sector (August 1997). This was followed by the release of National Principles for Fair Handling of Personal Information (February 1998 revised January 1999). In late 1998, the Commonwealth Government announced its intention to enact ‘default’ legislation to cover the private sector. The Privacy Amendment (Private Sector) Act 2000 was passed by Federal Parliament on 6 December 2000 and took effect as new provisions within the Federal Privacy Act from December 2001. These new provisions introduced National Privacy Principles (NPPs) based upon the National Principles for the Fair Handling of Personal Information. The Information Management – Privacy and Personal Information Protection Guideline Page 5 of 43 Federal Privacy Commissioner’s website has a section called Specific Privacy Information for Business which covers the private sector With some exceptions, small businesses with an annual turnover of less than $3 million are exempt from the legislation. Small business not exempt include those which: • Provide a health service and hold health information; • Disclose or receive personal information for benefit, service or advantage; • Provide a contracted service to a Commonwealth agency. Non-exempt small businesses, other than health service providers were given until 21 December 2001 to ensure compliance with the provisions and have their privacy provisions in place. Organisations which provide a contracted service to a Commonwealth agency are effectively exempted from the NPPs but must comply with contractual terms based on the Information Protection Principles in Part Two of the NSW PPIP Act (introduced in section 3.4 of this Guideline). Contracted service providers to State instrumentalities are permanently exempted in relation to information processed under the contract, as are State agencies to the extent that they are contracted service providers to the Commonwealth. See the Office of the Federal Privacy Commissioner Information Sheet 14-2001 – Privacy Obligations for Commonwealth Contracts for a more detailed discussion of the scope of contracted service providers eg, organisations which provide a service to an agency as distinct from organisations which are funded by the Commonwealth to provide a service to the public. Application of the new provisions to the Media, seeks to strike a balance between the protection of personal information for the public interest, and allowing a free flow of information to the public. Political representatives are also exempt from the provisions in so far as their actions relate to an election, referendum or other participation in the political process. State Owned Corporations (SOCs) are not automatically regulated under either the Federal Privacy Act or the NSW PPIP Act. However individual SOCs can be included under the Federal Act by regulation. To check whether a particular SOC has been included, contact that SOC's Privacy Contact Officer, the Commonwealth Attorney General's Department, or the Office of the Federal Privacy Commissioner. 3.4 Privacy regulation in NSW public sector New South Wales was one of the first States to introduce privacy legislation. In 1975, a New South Wales Privacy Committee was established through the Privacy Committee Act, 1975. In 1991 the Privacy Committee issued voluntary guidelines called the NSW Data Protection Principles. In 1998, the NSW Parliament passed the Privacy & Personal Information Protection Act, 1998 (hereafter called the PPIP Act) to regulate public sector agencies in the matter of safeguarding the privacy of individuals through the protection of personal information collected (Section 4(5)) and held (Section 4(4)) Information Management – Privacy and Personal Information Protection Guideline Page 6 of 43 by them. The PPIP Act does not affect the operation of the NSW Freedom of Information Act 1989 (hereafter called the FOI Act). Public sector agencies include, but are not restricted to, Government departments, statutory bodies representing the Crown, authorities under the Public Sector Management Act 1988, the Police Service, local Government authorities and a person or body that provides data services relating to personal information for a public sector agency. Note that persons or bodies that provide data services are only included as public sector agencies if gazetted. The PPIP Act took effect in stages to allow agencies to meet their compliance requirements and came into full effect on 1 July 2000. 3.4.1 INFORMATION PROTECTION PRINCIPLES (IPPS) The PPIP Act allowed for the creation of 12 Information Protection Principles (IPPs). The IPPs are not specifically numbered in the Act. The IPPs appear in the following order in the Act: PPIP Act Section No. Summary 8Collection of personal information for lawful purposes 9Collection of personal information directly from individual 10Requirements when collecting personal information 11Other requirements relating to collection of personal information 12Retention and security of personal information 13Information about personal information held by agencies 14Access to personal information held by agencies 15Alteration of personal information 16Agency must check accuracy of personal information before use 17Limits on use of personal information 18Limits on disclosure of personal information 19Special restrictions on disclosure of personal information Information Management – Privacy and Personal Information Protection Guideline Page 7 of 43 3.4.2 THE ROLE OF PRIVACY NSW The PPIP Act (Part 4) also allowed for the creation of Privacy NSW. The role of Privacy NSW is to promote and protect the right to privacy by: • Advising individuals, Government agencies and business organisations on what action they can take to protect the right to privacy; • Assisting NSW Government agencies to comply with their obligations under the PPIP Act; • Researching significant development in policy, law and technology which have an impact on privacy and making reports and recommendations to relevant authorities; • Investigating, and where possible conciliating, complaints about breaches of privacy. 3.4.3 THE ROLE OF PRIVACY COMMISSIONER In addition, The PPIP Act also allowed for the appointment of a Privacy Commissioner (Part 4). The executive power formerly exercised by the Privacy Committee in relation to advice, complaints and investigation is now exercised by the Privacy Commissioner and a Privacy Advisory Committee. Functions of the Privacy Commissioner include: • Promoting & monitoring compliance with the requirements of the PPIP Act; • Preparing guidelines; • Receiving and investigating complaints; • Conducting inquiries and investigations into privacy matters. The Commissioner has power (subject to some qualifications) under the PPIP Act to demand documents and summon witnesses in relation to investigations and may request an agency to provide a personal information digest to which an agency must comply. The Privacy Commissioner may also make directions which exempt agencies from complying with IPPs in specified circumstances and has the power to prepare Privacy Codes of Practice (see further in this Guideline) which apply to some or all agencies. 3.4.4 AGENCY COMPLIANCE WITH THE PPIP ACT Agency policies need to be supported by operational implementation of procedures which ensure that an agency’s internal practices are consistent with its stated policies and legal obligations. Agencies need to address how privacy safeguards will be incorporated into their internal processes, and should identify an individual who can take responsibility for the development and implementation of a Privacy Management Plan. 3.4.5 PRIVACY MANAGEMENT PLANS Each agency is required under the PPIP Act, to prepare a Privacy Management Plan detailing: • Policies and practices to ensure compliance to the requirements of the PPIP Act; • Dissemination of those policies and practices to persons within the agency; Information Management – Privacy and Personal Information Protection Guideline Page 8 of 43 • Proposed procedures in relation to internal reviews; • Other matters considered relevant by the agency in relation to privacy and the protection of personal information held by statutory, professional or other legal obligations of privacy. A copy of the agency Privacy Management Plan is to be provided to the Privacy Commissioner as soon as practicable after it is prepared and whenever it is amended. Privacy NSW has created an outline for a Privacy Management Plan which is available from their web site. Appendix 1 of this outline document provides a checklist of considerations in developing a Privacy Management Plan. It is important to note at this stage that privacy is not an all-encompassing concern and that it must be balanced with the requirement for open and accountable Government. Agencies need to establish the policies to create this balance when preparing their Privacy Management Plan. 3.4.6 PRIVACY CODES OF PRACTICE The PPIP Act allows agencies to seek exemptions from the IPPs, but only with the approval of the Attorney General, following consultation with the Privacy Commissioner, and as drafted by Parliamentary Counsel. Notes: • Either the PPIP Act’s Information Protection Principles (IPPs) or a Privacy Code of Practice must be in effect and enforceable for each public sector agency; • Privacy Codes of Practice must not impose on any public sector agency any requirements that are more stringent (or of a higher standard) than the information protection principles (Section 29 (7)(b)). In the case of agency information sharing clusters, individual cluster Privacy Codes of Practice will need to be developed in accordance with Privacy NSW. 3.4.7 INTERNAL A person who is aggrieved by conduct of an agency that constitutes a possible contravention of the PPIP Act, is entitled to an Internal Review (Part 5) to be conducted by the agency concerned. The PPIP Act stipulates certain requirements in the conduct of that Internal Review. Should the person be dissatisfied with the result, they have the right of review by the Administrative Decisions Tribunal (ADT). Agencies are required to ensure that the NSW Privacy Commissioner is kept aware of all stages of the review process. The Tribunal may make binding orders against agencies and may award compensation where an applicant has suffered loss or damage. The PPIP Act also includes offence provisions for disclosures of personal information by public sector officers which are not made in connection with the exercise of their official functions. Information Management – Privacy and Personal Information Protection Guideline Page 9 of 43 The Ombudsman Act 1974 established the position of Ombudsman with powers to investigate complaints against NSW agencies or their employees. However, the Ombudsman does not have jurisdiction to investigate breaches of privacy except when monitoring complaints against Police under the NSW Police Act 1990 (formerly Police Service Act). See also Ombudsman Act 1974 Schedule 1.17 3.4.8 PUBLIC REGISTERS The IPPs relating to disclosure (Sections 18 and 19) are overridden by Section 57 and Section 58 in relation to information disclosed from Public Registers. Section 57 of the PPIP Act requires a public sector agency not to disclose any personal information kept in a Public Register, unless the agency is satisfied about the purpose for disclosure. That purpose for disclosure must relate to the purpose of the Register or the purpose of the Act under which the Register is kept. Persons who apply to inspect personal information contained in Public Registers may be required to give particulars of their request in the form of a statutory declaration. The application of the IPPs or the Public Register provisions to any given agency or function, may be further modified by: • an exemption within the PPIP Act itself (Section 6 and Sections 20-28) • a Regulation made under the PPIP Act; • a Direction made by the Privacy Commissioner under Section 41; • a Privacy Code of Practice made by the Attorney General. Public Registers are subject to the requirements of the law under which the Register was established. Part 6 (Sections 57-59) dictates further specific requirements which relate to the disclosure and suppression of personal information held within a Public Register. Where there are any inconsistencies between the law which established the Register and the PPIP Act, the requirements under the PPIP Act prevail. The Privacy and Personal Information Protection Regulation 2000 exempted several Public Registers from the requirements of the PPIP Act. Disclosure of personal information contained in public registers – Section 57: An agency responsible for keeping a register may not disclose personal information from that register unless it is satisfied that the information will be used for a purpose related to the purpose of the register. The agency may request from the applicant, a statutory declaration as to the intended use of the information. Suppression of personal information – Section 58: A person may request that their personal information not be made publicly available or disclosed to the public. In deciding whether or not to comply with the request, it is for the agency responsible for keeping that register to be satisfied that the safety or well-being of that person would be affected by not suppressing the Information Management – Privacy and Personal Information Protection Guideline Page 10 of 43 information and whether the public interest in maintaining access outweighs the individual interest. In the same way that an agency may create a Privacy Code of Practice which modifies the Principles (IPPs) within the PPIP Act, a Code of Practice may also cover the treatment of Public Registers in a way which modifies the requirements under the Act. Agencies responsible for keeping a register are then bound by the law which established the register and either the PPIP Act or the Agency's Code of Practice. Contraventions of either the Code of Practice or PPIP Act requirements relating to Public Registers, are subject to the same internal review procedures as the Principles (IPPs) in the Act 3.4.9 EXEMPTIONS For a range of exemptions from individual IPPs, refer to Part 2 Division 3 of the PPIP Act. The Independent Commission Against Corruption (ICAC), the NSW Police, the Police Integrity Commission (PIC) and the New South Wales Crime Commission are exempt from compliance with the Principles except in connection with the exercise of their administrative and educative functions. Other exemptions relating primarily to law enforcement and investigative agencies, apply to IPPs within the PPIP Act. Under Section 25 of the PPIP Act, an agency does not have to comply with a number of important Sections when its actions are governed by other laws. This would include legislative powers or requirements, court orders or other powers exercised under the common law. The NSW Privacy & Personal Information Protection Regulation 2000 commenced on 30th June 2000 and introduced: • An exemption from the requirement to create a separate Privacy Management Plan where an agency or its staff are included in another agency and have adopted that agency's Privacy Management Plan; • Exemptions for specific Public Registers under the Real Property Act 1900, Conveyancing Act 1919 and Valuation of Land Act 1916; • A general exemption from the provisions of the PPIP Act for the Council of the Law Society and the Council of the Bar Association. Agencies which hold Tax File Number or Consumer Credit Information are also bound by certain sections of the relevant Acts the Privacy Act 1988 and the Taxation Administration Act 1955. 3.4.10 STATE-OWNED CORPORATIONS State-owned corporations are not covered the PPIP Act. However, some state-owned corporations are voluntarily aiming at compliance with the PPIP Act. Privacy NSW encourages others to adopt the same practice. 3.4.11 SUMMARY OF PRIVACY LEGISLATION AFFECTING NSW PUBLIC SECTOR Figure 2 indicates the various Acts affecting NSW public sector agencies, as regards privacy matters. This figure is meant to be illustrative only, and not definitive. Its purpose is solely to summarise the preceding discussion of the Information Management – Privacy and Personal Information Protection Guideline Page 11 of 43 privacy provisions of different legislation which affects the different types of agencies and topic areas. Note that the definition of public sector agency differs between the PPIP Act and NSW FOI Act. The definition provided in the PPIP Act is more detailed than can be described here. Readers should refer to the definition of 'public sector agency' in Section 3 of the PPIP Act and Section 6 of the FOI Act, for more complete definitions. Also, note that there are various exemptions in force for each of the Acts described here. For more information about these exemptions, please refer to the Acts directly. NSW FOI Act 1989 NSW Privacy & PersonalInformation Protection Act 1998Federal Privacy Act 1988Public Sector Agency Government departments Statutory Authorities Authority under Public Sector Management Act 1988 Local Government Authority Providers of Data Services to NSW Public Sector Agencies Credit Providers/Credit Reporting Agencies Tax File Number recipients Figure 2. Privacy Legislation affecting NSW Public Sector Agencies Information Management – Privacy and Personal Information Protection Guideline Page 12 of 434. Managing personal information The Information Protection Principles (IPPs) in the NSW PPIP Act outline requirements in relation to the collection, storage, access, use and disposal of personal information. These Principles are further described here with links to the relevant sections of the PPIP Act. Some rewording of the Principles has taken place so they must be read in conjunction with the Act itself. Information taken from sources other than the Act has been included where relevant. The Principles apply to all forms of personal information held by an agency and managed by information custodians. The different forms of information, including electronic information, are described in the GCIO Information Management – Inventory Guideline. Information custodianship is described in the GCIO Information Management – Custodianship Guideline. In this section of the Guideline, the term ‘information ‘ is deemed (for brevity) to mean ‘personal information’. 4.1 Collection Unsolicited information, that is information which has not been collected but rather given freely, would appear to be exempt from the Principles relating to collection (refer Section 4(5)). However, note that agencies are still obliged to protect the privacy of all unsolicited information and information collected before 1 July 2000, throughout the remainder of its lifecycle, by applying the other Principles relating to storage, access /disclosure, use and disposal. The following IPPs apply to information collected by an agency since 1 July 2000: • Section 8: Agencies must not collect personal information unless: − it is for a lawful purpose directly related to a function or activity of the agency; − the collection of the information is reasonably necessary for that purpose. The means of collection must be lawful. • Section 9: Agencies must collect information from the individual about whom that information relates unless: − that individual authorises collection from someone else; − the individual is under the age of 16 years old -in which case the information must be provided by a parent or guardian; − collection from a third party is authorised under a relevant exemption. • Section 10: Agencies must take such steps as are reasonable in the circumstances, to ensure that, before the information is collected or as soon as practicable after collection, the individual to whom the information relates is made aware of the following: − the fact that information is being collected; − the purpose for that collection; − the intended recipients of the information; − whether the individual is required by law to supply the information or whether supply is voluntary, and any consequences for not supplying the information; − what rights of access and correction to the information exist; − the name and address of the agency collecting and the agency holding the information. The individual must be advised of the Information Management – Privacy and Personal Information Protection Guideline Page 13 of 43 above details either at the time of collection of the information or as soon as practicable afterwards. • Section 11: Agencies must take reasonable steps to ensure that, with regard to the purpose for collecting information: − the information collected is relevant, is not excessive, and is accurate, up-to-date and complete; − the collection of that information does not unreasonably intrude on the personal affairs of the individual about whom the information relates. 4.2 Storage It is important to note that, in addition to the PPIP Act, other Australian or international standards may also be applicable to the storage of specific kinds of records eg, health records. The following principles apply to the storage of all personal information held by an agency: • Section 12(a): Agencies must not keep information for longer than necessary for the purposes for which the information may lawfully be used. • Section 12(c): Agencies must ensure that information is protected by reasonable security safeguards against loss, unauthorised access, use, modification or disclosure and all other misuse. In this regard, GCIO has published Information Security Guidelines for NSW Government agencies in three companion documents: − Part 1 – Information Security Risk Management provides an overview of the information security risk management process; − Part 2 – Examples of Threats and Vulnerabilities provides examples of threats and vulnerabilities which an agency may face; − Part 3 – Information Security Baseline Controls provides guidance for selecting controls and establishing a minimum set of controls to protect all or some of an agency's information. • Section 13: Agencies must take reasonable steps to enable any person to ascertain: − Whether the agency holds personal information. For example, in some circumstances it may be appropriate for an agency to pro-actively notify cases where it has acquired information from third parties; − Whether the agency holds personal information relating to the individual concerned; − If the agency does hold personal information relating to them: − the nature of that information; − the main purposes for which that information is used; − the person's entitlement to access that information. • Section 15: At the request of the individual concerned ie, the person to whom the subject information relates, an agency must make appropriate amendments (corrections, deletions or additions) to ensure that the information is accurate, relevant, up to date, complete and not misleading with regard to the purpose for which the information was collected or is to be used. If an agency is not prepared to make the amendments, the agency must, if requested by the individual concerned, take reasonable Information Management – Privacy and Personal Information Protection Guideline Page 14 of 43 steps to attach a statement provided by the individual concerned to the information, in such a way that it is capable of being read with the information. If amendments are made, the individual concerned is entitled, if reasonably practicable, to have the recipients of that information notified of the amendments made. In general terms, the requirements of Section 15 of the PPIP Act override Section 21 of the State Records Act 1998, which deals with protection of State Records. 4.3 Access and disclosure 4.3.1 ACCESS The term ‘access’ refers to allowing the person who is the subject of the information (the individual concerned) to inspect and /or be provided with a copy of their personal information. The requirements with respect to first party access are contained in Section 14 of the PPIP Act. The following Principle applies to the access of all personal information held by an agency: • Section 14: An agency must, at the request of an individual, provide that individual with access to their personal information without excessive delay or expense. 4.3.2 DISCLOSURE Disclosure usually involves third parties. This can be deemed to include disclosures to people within an agency, who have no reason to receive the information eg, gratuitous disclosure of personnel information to other employees. Disclosure requirements are mainly covered in Sections 12, 18 & 19 of the PPIP Act, but disclosures from Public Registers are regulated by Section 57. The following Principles apply to the disclosure of personal information held by an agency: • Section 18(1): Agencies must not disclose personal information to anyone except the individual concerned, unless: − the disclosure directly relates to the purpose for collecting that information and the agency has no reason to believe that the individual concerned would object to that disclosure; − the individual concerned is reasonably likely to be aware or have been made aware that their information may be disclosed to that person or body; − the agency has reasonable grounds to believe that the disclosure of that information is necessary to prevent or lessen a serious and imminent threat to the life or health of any person. • Section 18(2): Where personal information is given to another person or body that is a public sector agency, the agency receiving the information may not use or disclose it for a purpose other than that for which the information was given to it. (Note that disclosure may be far more selective eg, it may involve revealing one piece of information from a file held on an individual. A disclosure may also be at the initiative of an officer of the agency, rather than in response to a request from an individual or third party). • Section 12 (d): If it is necessary for an agency to give personal information to a person in connection with the provision of a service to the agency, the agency is to do everything reasonable within its power to prevent unauthorised use or disclosure of the information. Information Management – Privacy and Personal Information Protection Guideline Page 15 of 43 • Section 19(1): There are special restrictions on the disclosure of some information, specifically, agencies must not disclose personal information relating to a person's ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership, health or sexual activities, unless the disclosure is necessary to prevent a serious or imminent threat to the life or health of any person. • Section 19(2): Disclosures to individuals or organisations in a jurisdiction outside NSW may be further regulated by a specific Privacy Code of Practice on Inter-Jurisdictional Transfers. No such Code has yet been made. Disclosures outside NSW are therefore currently subject to the normal rules about disclosure, that is, Section18 and /or Section 19 for most information and Section 57 for disclosures from public registers. Exemptions, such as those discussed in Section 23(5) with respect to disclosures for law enforcement purposes, do not mean the agency concerned is compelled to so disclose. Exemptions merely provide further discretion for the agency. This can be seen by Section 23(6) which compels agencies to disclose by virtue of a subpoena, warrant or other lawful requirement. 4.3.3 FREEDOM OF INFORMATION (FOI) The NSW FOI Act was created to allow individuals access to, and disclosure of, the documents of Government as well as the right of the individual to modify their personal information held by Government agencies. Therefore, there is a significant overlap with the PPIP Act. Section 5 specifically addresses the relationship between the PPIP Act and the FOI Act. Fundamentally, the obligations and exemptions existing under the FOI Act remain in force. The FOI Act details exempt documents which an agency has the right to refuse to disclose. One such category of exempt documents are documents whose release "…would involve the unreasonable disclosure of information concerning the personal affairs of any person (whether living or deceased)" (Schedule 1). The term 'personal affairs' could be taken to encompass 'personal information'. An agency can refuse to release a document that contains information about the personal affairs of another person. In this regard, both the FOI Act and the PPIP Act protect the privacy of individuals and overlap. There are other exemptions within the FOI Act which could be applied in refusing access to personal information requested under the PPIP Act. For more information see Guidelines for using Freedom of Information in NSW (pdf) from the NSW Premier's Department and FOI Policies and Guidelines, (pdf) from the NSW Ombudsman's Office. For example, the Premier of NSW, as the Minister responsible for FOI, has the right to issue a Ministerial Certificate stating that a specific document is exempt and restricted. However, an individual may be denied right of access to information only where, for example, there is a legitimate need for confidentiality or where another person’s privacy may be invaded. Information Management – Privacy and Personal Information Protection Guideline Page 16 of 43 4.4 Use Use normally relates to communication within an agency or where the agency maintains control over the subsequent use or disclosure. The following Principles apply to the use of all personal information held by an agency: • Section 16: Agencies must not use the personal information it holds, without taking reasonable steps to ensure that the information is relevant, accurate, up-to-date, complete and not misleading with regard to the purpose for which the information is to be used. • Section 17: An agency must not use personal information for any other purpose than that for which the information was collected unless: − the individual concerned has consented to the use for the other purpose; − the other purpose is directly related to the purpose for which the information was collected; − the use of the information for the other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of an individual. • Section 4(4) of the PPIP Act states that when personal information is being used by a contractor, such as an auditor or consultant, it is still considered to be “held” by the original agency. Therefore the agency remains accountable for the use of that information by the contractor. 4.5 Disposal The following Principle applies to the disposal of all personal information held by an agency: • Section 12(b): Agencies must ensure that information is disposed of securely and in accordance with any requirements relating to the retention and disposal of personal information. In this regard, Part 3 -Information Security Baseline Controls of GCIO's Information Security Guidelines for NSW Government highlights the need for security measures for the secure disposal or reuse of equipment and media. Information Management – Privacy and Personal Information Protection Guideline Page 17 of 43 5. Other Issues 5.1 Tax file numbers (TFNs) Tax file numbers are unique identifiers for individuals and other entities such as corporations. The protection of tax file number information of individuals receives specific attention within the Federal Privacy Act. The protection of tax file number information for individuals as well as corporations etc is addressed in the Taxation Administration Act 1953. Tax File Number Annotated Guidelines issued by the Federal Privacy Commissioner are legally binding on all file number recipients, regardless of how that information was collected. The Federal Privacy Commissioner has compiled classes of lawful tax file number recipients which includes employers and Government bodies or authorities of the Commonwealth, State or Territories in their capacity as investment bodies. The guidelines state that tax file numbers must not be used as a national identification system except by the Commissioner of Taxation for taxation law purposes. This effectively prevents the use of tax file numbers as an ‘identifier’ in an information system. Other requirements relate to the collection, storage, access /disclosure, use and disposal of individuals' tax file information as well as obligations of the Commissioner of Taxation (ATO), Australian Securities and Investments Commission (ASIC), Australian Prudential Regulation Authority (APRA) and assistance agencies. Specific mention is made that tax file numbers are not to be used or disclosed to match personal information (see Section 5.4 Data Matching further in this Guideline). Tax file number recipients also have a responsibility under the Federal Privacy Commissioner’s guidelines to ensure that all staff are aware of the need to protect the privacy of individuals in relation to their tax file number information. Where staff members' duties require the handling of tax file number information, staff need to be adequately trained to protect the privacy of individuals' tax file number information. Any breach of the Federal Privacy Act 2001 may become the subject of a complaint to the Federal Privacy Commissioner. However, a breach of privacy relating to tax file number information may also be an offence under the Taxation Administration Act 1953. Tax file number rules are also partly contained in the Income Tax Assessment Act 1936. The Federal Privacy Commissioner has powers under the Act to conduct investigations, undertake audits and demand information digests from any tax file number recipient. 5.2 Credit information The Federal Privacy Commissioner has issued various Credit Reporting Codes of Conduct concerning the management of personal information contained within consumer credit information files and the handling of disputes relating to credit reporting. All credit reporting agencies and credit providers must abide by this Code. Under the Federal Privacy Act, the Federal Privacy Commissioner is also empowered to issue determinations which allow for acts or practices which would otherwise be in breach of the Act, for reasons of the greater public interest. For Information Management – Privacy and Personal Information Protection Guideline Page 18 of 43 further information, refer to the Government section of the Federal Privacy Commissioner's website. Breaches of privacy relating to consumer credit information may be the subject of a complaint under the Federal Privacy Act. The Federal Privacy Commissioner has powers to conduct investigations, undertake audits and demand information digests from any credit provider or credit reporting agency. 5.3 Transfer of personal information Transferring personal information is governed under the same regulations as disclosing information. This section should be read in conjunction with section 4.3.2 Disclosure of this Guideline. Transferring or disclosing personal information from one agency to another places information at the risk of privacy violations which may arise from the lack of adequate privacy protection’s governing the receiver of that information. The following types of data transfers are considered in this section: • Transfer of information to other NSW Government agencies; • Transfer of information to organisations outside the NSW jurisdiction; • Transfer of information to the private sector as part of a contract between a NSW agency and a service provider. 5.3.1 TRANSFER TO OTHER NSW GOVERNMENT AGENCIES The NSW Privacy Commissioner has issued a Direction on Information Transfers Between Public Sector Agencies. This Direction is effective until the date stated, or until the making of a Privacy Code which substantially covers one or more provisions of this Direction. The Direction allows for the transfer of information from one agency to another for the purposes of: • Exchanges of information for the purpose of responding to or dealing with Ministerial or other correspondence; • Exchanges of information for the purpose of referring inquiries between agencies; • Exchanges of information for audit purposes; • Exchanges of information for law enforcement purposes; • Other exchanges of personal information which were subject to agreements (whether formal or informal) and operated in the 12 month period prior to 1 July 2000 and which have continued to operate since 1 July 2000 under the directions referred to in Paragraph 4 of this Direction. For up-to-date information on the status of Privacy NSW Directions please refer to Privacy NSW Section 41 directions The PPIP Act also permits transfers of information between agencies under the administration of the same Minister (including the Premier) in order to inform the Minister of administrative matters The second Draft Code for Inter-Agency Transfers of Information was issued by the Privacy Commissioner pursuant to Section 31 of the Act. The Draft Information Management – Privacy and Personal Information Protection Guideline Page 19 of 43 Code outlines permitted departures from certain sections of the PPIP Act dealing with the disclosure of personal information in response to unsolicited correspondence from the public, information audits and obligations of agencies disclosing and receiving law enforcement information. However, unlike Directions, Draft Privacy Codes of Practice have no legislative authority. They only become legally binding when they have been made by the Attorney-General. Because of this, agencies must continue to comply with the Act as modified by the current Section 41. 5.3.2 TRANSFER TO ORGANISATIONS OUTSIDE NSW JURISDICTION The PPIP Act does not permit transfer or disclosure of personal information by any public sector agency to any person or body outside the jurisdiction of NSW, unless a relevant privacy law is in place in the jurisdiction to which that information is being transferred Section 19(2). Whether or not the receiving jurisdiction's privacy laws are adequate is determined by the Privacy Commissioner and communicated to Government bodies by notice published in the NSW Government Gazette. The existence of an agency-based draft Privacy Code of Practice does not change an agency’s obligations with respect to disclosures to organisations outside NSW. Agencies must continue to comply with the IPPs in Sections 18 and 19(1) until advised otherwise. The Privacy Commissioner has issued a Draft code for disclosures of personal information outside NSW. The draft code provides guidance in certain circumstances in which disclosures of information may be made by identifying permissible: • Disclosing agencies; • Classes of information to be disclosed; • Receiving organisations; • Purposes of disclosure. The Draft Code however, is not legally binding. Agencies should review Privacy NSW’s Section 41 webpage for updated Directions which deal with this matter. 5.3.3 TRANSFER TO THE PRIVATE SECTOR Agencies should be aware that if personal information is transferred or disclosed to the private sector because of a contractual or service agreement the agency is still considered to be holding that personal information and is therefore liable for the actions of the contractor. There is therefore a strong need for contracts with the public sector to include adequate provisions regarding their obligations under the PPIP Act. The definition of 'public sector agency' in Section 3 includes a person or body that provides data services for a Government department, local Government or other statutory authority. The provisions in Section 3 dealing with data service providers only apply where these are prescribed by the regulations. Data service providers are indirectly covered by Section 12. This has the effect of binding that data service provider under the requirements of the PPIP Act or an agency's Code of Practice (if in place). Information Management – Privacy and Personal Information Protection Guideline Page 20 of 43 However, contracted data service providers to State instrumentalities are exempted (as far as the information used in relation to a State contract is concerned) from the scope of the private sector amendments to the Federal Privacy Act. 5.4 Data matching Data Matching is the large scale comparison of records or files of personal information, collected or held for different purposes, with a view to identifying matters of interest. Data Matching of personal information is governed by the Principles or by an agency's Code of Practice, where they relate to collection and use. The use of Tax File Numbers for Data Matching may only be performed by the Australian Taxation Office and its ‘assistance agencies’ such as Centrelink and the Department of Veteran's Affairs. No NSW Agency is an assistance agency for the purposes of the relevant legislation (see Data-Matching Program (Assistance And Tax) Act 1990). The Federal Privacy Commissioner has issued voluntary Guidelines for Data Matching programs conducted by Commonwealth agencies. These guidelines encourage a higher compliance for privacy than is required by the National Privacy Principles (NPP) in the Federal Privacy Act. Any adoption of all or part of these guidelines by a State agency would need to ensure that the Principles under the PPIP Act or the agency Code of Practice, are observed. There is the potential in a Data Matching exercise to change the nature of the original information. Information, which in its nature was not 'personal' prior to the exercise, may have become personal information by the end of the process. In this way, Data Matching may be used to derive personal information. Care must be taken to recognise this potential for incremental breach of the Principles. 5.5 Research Research only raises privacy compliance problems where it involves the use or disclosure for a secondary purpose or involves access to records deposited with an agency and unrelated to its normal functions. An agency’s use of its own records to assess its performance or client base would usually be permitted as a use directly related to the function for which the records are created. The NSW Privacy Commissioner has issued a Direction on Collection and Disclosure for Research which had effect until 31 October 2002 or until such time as a Privacy Code of Practice for Research is written. The Direction is not compulsory and agencies may prefer instead to comply with the Principles under the Act. The Direction permits the disclosure of personal information, provided the agency follows any existing agency guidelines or policies covering the disclosure of personal information for research purposes. Sometimes, an agency will hold deposited records (records which were created by another organisation which is not a public sector agency and inadvertently acquired by the agency) for the purposes of research. In this case, the agency is exempt from the Principles Information Management – Privacy and Personal Information Protection Guideline Page 21 of 43 provided it takes reasonable steps to protect the privacy of any person whose personal information is contained in those deposited records. The NSW Privacy Commissioner has also issued a Draft Code of Practice for the Use of Public Sector Agency Records for Research Purposes. The Draft Code permits agencies to: • Acquire and hold deposited records; • Disclose personal information to approved research projects (approved by a research ethics committee); • Support research in other circumstances through modifications to the Principles and requirements of the Act. Because draft Privacy Codes of Practice have no legislative authority and only become legally binding when they have been made by the Attorney-General, agencies must continue to comply with the Act as modified by Section 41 until advised otherwise. Where research does not require the ability to identify individuals, agencies could aggregate information to a level where personal information cannot be identified. Agencies should also be aware that organisations they deal with in relation to research, may be bound by research guidelines under the Federal Privacy Act, or ethical guidelines applicable to academic research eg, The National Statement on Ethical Conduct in Research Involving Humans. 5.6 Privacy in the workplace 5.6.1 PERSONNEL RECORDS Employee records by their very nature contain personal information. Therefore, the management of these records is subject to the Principles in the PPIP Act. This fact, and the implications for the maintenance of employee records, are reflected in the NSW Government Personnel Handbook. The application of the Principles to personnel records needs to be viewed in the light of the Administrative Decisions Tribunal (ADT) in the case of “Y v Department of Education and Training, [2001] NSW ADT 149” in relation to Section 4(3)(j) of the PPIP Act This Section excludes information or an opinion about an individual’s suitability for appointment or employment as a public sector official, from the definition of personal information. The exemption was inserted into the PPIP Act to allow agencies to gain and give references where the person has applied for a position as a public sector official. The ADT found that this exemption need not be limited to selection, promotion, disciplinary or involuntary retirement processes, and that it could include management reviews of work practices, work arrangements, and performance [paras 34-35]. The approach which the ADT adopted shifts the focus from the function of records to their content. Therefore, in one sense, the approach could be seen to narrow the Section 4(3)(j) exemption in the PPIP Act. However, the practices prescribed in the Personnel Handbook would still apply. Information Management – Privacy and Personal Information Protection Guideline Page 22 of 43 The following chapters of the Personnel Handbook are of particular relevance: 5.6.1.1 EMPLOYMENT SCREENING FOR CHILD RELATED WORK Chapter 2-14 relates to the screening of new employees or existing employees who are transferring to child-related employment. Such screening is permitted only upon applicants who are being considered for employment. The Commission for Children and Young People has published guidelines for employment screening -Working with Children Check Guidelines –to assist employers with their responsibilities for employing staff who have direct contact with children. 5.6.1.2 CRIMINAL RECORDS CHECKS Chapter 2-15 relates to criminal records checks on applicants for employment. In considering applicants for 'sensitive' positions, an agency may authorise the checking of applicants' criminal records with the Criminal Records Section of the Police Service. The sensitivity of a position is to be determined by the department head. This chapter of the Handbook outlines procedures for performing such checks and the considerations to be made where an applicant's name is not cleared from the check. Convictions for certain offences become 'spent' after a crime-free period of time, usually 10 years. This means that an individual is not obliged to disclose information about that conviction, nor is it lawful for an employer to request or use information about those spent convictions. However, there are exceptions to this latter restriction, in the cases of applications for employment relating to various occupations eg, judge, magistrate. In addition, certain convictions may never be spent including sexual offences. The use of information about a person's convictions is legislated in the Criminal Records Act 1991. 5.6.1.3 RETAINING DOCUMENTATION Chapter 2 -16.7 relates to the period of retention of application forms for both successful and unsuccessful applicants considered for employment. 5.6.1.4 EMPLOYEE RECORDS Chapter 5 -3.2.1 outlines what information should be maintained in an employee record. 5.6.1.5 PERSONAL INFORMATION & PRIVACY Chapters 5 -3.3 & 5 -3.4 outline the legislative obligations upon agencies for managing employee records, as well as practical considerations in the application of the Principles to employee records. Reference is made to the “NSW Public Sector Workforce Profile” which is an initiative of the NSW Government's Corporate Services Reform strategy. The Profile is a regular collection of anonymous data on public sector employees for the purposes of policy development and workforce planning for the sector. The management of employee data is governed by The Privacy Code of Practice for the NSW Public Sector Workforce Information Management – Privacy and Personal Information Protection Guideline Page 23 of 43 Profile (pdf). Individual employee serial numbers rather than individuals' names are collected, so that individuals cannot be identified and all reports are based on aggregate data to protect the privacy of the employees about whom the information relates. 5.6.1.6 ADMINISTERING EMPLOYEE RECORDS Chapter 5 -3 provides information on procedures where a subpoena has been received regarding personal information. 5.6.1.7 PERFORMANCE MANAGEMENT SYSTEM DOCUMENT Chapter 5 -3.7 provides guidance on the management of documents arising from the performance management system. 5.6.1.8 CONFIDENTIALITY OF ILLNESS Chapter 6 -18.12 states that an employee wishing the nature of an illness to remain confidential, need not record the nature of illness on the sick leave application form. 5.6.1.9 DISCIPLINE Chapter 9 outlines the principles and procedures for discipline in the NSW Public Service. Disciplinary action may be taken where a breach of discipline is deemed to have occurred. Breaches of discipline include cases of misconduct such as the contravention of established policies. Potentially, actions which endanger the privacy of personal information may be subject to disciplinary action. More extreme actions may be a criminal offence under the PPIP Act and subject to legal proceedings, further details are contained in Section 5.9 of this Guideline. 5.6.2 VIDEO SURVEILLANCE IN THE WORK PLACE Video surveillance is often described as being either overt or covert in nature. In general terms, overt surveillance is conducted with the prior knowledge of individuals, with clearly visible cameras and signs indicating that surveillance may be taking place. Covert surveillance is the opposite of overt surveillance in that individuals may not be aware of the existence of the cameras nor of the possibility that surveillance may be taking place. The Workforce Video Surveillance Act 1998 reinforces the distinction between overt and covert surveillance and regulates the use of covert surveillance in the workplace. A guide to this Act is available through the Privacy NSW website. 5.6.2.1 OVERT VIDEO SURVEILLANCE The NSW Office of Industrial Relations and the Attorney General have developed a Code of Practice for the Use of Overt Video Surveillance in the Workplace (pdf). The Code details procedures associated with the implementation and ongoing use of overt video surveillance in the workplace. Special attention is drawn to: • Restrictions on areas for surveillance areas; • Notification of employees before conducting surveillance; • Consultation with employees prior to surveillance; • Appropriate signage; ethical operation of surveillance camera; • Restricted access to tape recordings; • Period of retention of tape recordings; • Employee access to tape recordings. Information Management – Privacy and Personal Information Protection Guideline Page 24 of 43 The Code is not enforceable, although Privacy NSW may conciliate complaints against employers who contravene the Code. Creators of agency policy and practice might also wish to become familiar with Invisible Eyes: Report on Video Surveillance in the Workplace, also administered by Privacy NSW. The document examines, amongst other things, the justification, nature, extent and purposes of both overt and covert video surveillance in workplaces in NSW. The NSW Law Reform Commission in its recent Report 98 (2001) Surevillance: an Interim report on various aspects of surveillance recommends a substantial overhaul of the various pieces of legislation in this area. 5.6.2.2 COVERT VIDEO SURVEILLANCE Under Section 4 of the Workplace Video Surveillance Act 1998, employers must apply to a Magistrate for the issue of an authority, which authorises covert video surveillance, to establish whether one or more employees are involved in unlawful activity in the workplace. If an authority is issued, the surveillance must be conducted by a security operator holding a Class 1 Licence issued under the Security Industry Act 1997. Surveillance will only be permitted for a finite period as specified in the authority, and the licensed operator may only supply the employer with those portions of the video recording which are relevant to establishing unlawful activity by an employee. Further, the operator must erase or destroy all parts of the video recording which are not required as evidence within 3 months of expiry of the authority. Employers are required to submit a report to the Magistrate who issued the authority, within 30 days of expiry of the authority. 5.6.3 LISTENING DEVICES IN THE WORKPLACE Listening devices are defined as "any instrument, apparatus, equipment or device capable of being used to record or listen to a private conversation simultaneously with it taking place" in Section 3 of the NSW Listening Devices Act 1984. According to the Privacy NSW publication Privacy and your telephone calls, there is some doubt as to whether this legislation covers equipment to monitor private telephone conversations. Further discussion concerning this topic can be gained in Participant Monitoring of Voice Communications, first published by the Australian Communications Industry Forum in July 1998 and updated in 2004 (ACIF G516:2004). The Listening Devices Act 1984 details lawful and unlawful use of listening devices, information disposal requirements and consequences for non-observance of the law for individuals and corporations. 5.6.4 PRIVACY AND CONTACT CENTRES 5.6.4.1 RESPONSIBILITIES Contact centres have an added level of complexity with regard privacy. In the normal course of business for example, the active monitoring of telephone conversations is not generally undertaken. However, monitoring may routinely take place for training and quality control purposes within contact centres. Agencies should therefore ensure that Information Management – Privacy and Personal Information Protection Guideline Page 25 of 43 both staff and clients are aware that this occurs and that recruitment and training practices reflect this situation. Relevant staff must have a clear working knowledge of both the agency’s Privacy Policy and the Privacy Management Plan and ensure that they are relevant and applicable to the operations of the contact centre, its staff and clients. 5.6.4.2 OTHER POINTS OF REFERENCE Additional information on privacy issues can be found in the following documents: • The ACIF Industry Guideline: Participant Monitoring of Voice Communications 2004; • Telecommunications (Interception) Act 1979 (Commonwealth); • The Listening Devices Act 1984 (NSW); • Privacy Act 1988 (Cth). 5.6.5 USE OF EMPLOYER-PROVIDED COMMUNICATION DEVICES It is commonly accepted that employees will, on occasion, have a need to use facilities provided by their employer for personal reasons. In a public sector context, such usage needs to be balanced against the management of public resources in an efficient, economical and ethical manner. However, employees should be made aware that they have no absolute right of privacy with regard their use of employer provided communication devices. Employers have the right to monitor files, e-mails etc. which are stored, processed or transmitted using agency equipment and services. The NSW Premier's Department has developed relevant policy and guidelines on this subject, entitled Policy and Guidelines for the Use by Staff of Employer Communication Devices. The guideline provides a framework for the development of individual agency policy for the use of employer-provided communication devices, such as telephones and the Internet, for both business and personal use. Within this document the guidelines for "Personal Use of Communication Devices" mention specific uses of communication devices which are not permitted under any circumstance such as gambling and transmitting inappropriate jokes. Appended to this document is a Protocol for Acceptable Use of the Internet and Electronic Mail which outlines the rights and responsibilities for both employees and agencies in relation to the use of the Internet and e-mail in the workplace. Together, these two documents place a responsibility upon public sector agencies to develop a suitable policy and ensure that employees are notified of this policy. Privacy NSW in Privacy and Private Mail, E-mail, Lockers, Drawers recommends that private mail be marked ‘Private and Confidential’. If an agency has a policy of opening all mail including any marked ‘Private and Confidential’, the recipient of that mail should be present when it is opened. Privacy and your telephone calls discusses privacy concerns related to the monitoring of telephone calls in the workplace. 5.7 Video surveillance in public places Any agency considering the introduction of video surveillance in public areas is encouraged to refer to the NSW Government Policy Statement and Guidelines Information Management – Privacy and Personal Information Protection Guideline Page 26 of 43 for the Establishment and Implementation of Closed Circuit Television (CCTV) in Public Places. The guidelines are aimed principally at local councils and transport authorities as the most appropriate and relevant owners of CCTV schemes in public places. Private organisations which operate, or are considering operating CCTV schemes in privately owned spaces, will also find the guidelines useful. The guidelines outline nine principles to underpin the operation of CCTV schemes and provides consideration of the issues relating to privacy and liability. The definition of personal information in the PPIP Act would apply to the handling of recorded video material made under a CCTV scheme, because recorded video may contain film of individuals. 5.8 Electronic technology requirements The definition of personal information within the PPIP Act is technology neutral. That is, it may be held in any medium including paper and electronic. It is important to be aware of this fact in developing agency policies and procedures, so that all forms of personal information are protected by the Principles or agency's Code of Practice. However, the speed and ease with which electronic technology allows individuals to transmit information does warrant specific precautions in relation to privacy. Staff must be aware that the sending of material into the public domain via telephone or e-mail, is deemed as much to be granting access as sending a printed letter in the mail. In this regard, the NSW Premier's Department has suggested the use of Disclaimers (Circular No. 2001–29) to provide a level of protection in cases where litigation may occur resulting from faxes and e-mails sent by employees which do not reflect the views of the agency. There are also limitations to the level of security which can be expected of particular communications devices. For example, mobile telephone calls, e-mail and Internet transactions can all be intercepted, potentially placing transmissions of personal information via these mediums at risk. Part 3 – Information Security Baseline Controls of GCIO's Information Security Guidelines for NSW Government provides more detailed information on security controls which may mitigate these risks. Agencies should always consider which electronic technologies are appropriate for collecting, storing and accessing /disclosing sensitive personal information. 5.9 Criminal misuse of personal information The use of information for any other purpose than that for which it was collected, may be the subject of complaint under the PPIP Act. However, certain types of misuse may be subject to fines and possible imprisonment. Public sector officials may be fined or imprisoned for the corrupt disclosure or use of personal information to which they have or had access to in their official position. Officials include anyone currently or formerly employed in or engaged by the public service or local Government authority. Information Management – Privacy and Personal Information Protection Guideline Page 27 of 43 There are also penalties for the corrupt disclosure, use and unlawful supply of personal information which may be levied at any individual whether or not a public sector official. Other relevant laws include: • The Independent Commission Against Corruption Act 1988 defines the nature of corrupt conduct by serving or former public sector officials. This conduct includes "the misuse of information which he or she acquires in the course of his/her official functions". The definition also extends to the conduct of any person whether or not a public official which adversely affects the honest or impartial exercise of any official functions by any public official or authority. • The Defamation Act 1974 provides for proceedings and damages to be taken against a person who publishes any document defaming another person. The Act outlines various defences which may be taken in civil proceedings. • The Anti-Discrimination Act 1977 renders unlawful racial, sex and other types of discrimination with the aim to promote equal opportunity. The use of information pertaining to a person's sex, age, race etc. to discriminate against that person, is an offence under the Act (note the PPIP Act makes specific reference to certain types of information which are relevant in this context -refer Special Restrictions). Under the Anti-Discrimination Act, public sector employment authorities are required to prepare and implement an equal opportunity management plan which shall include provisions relating to "the collection and recording of appropriate information" • The Criminal Records Act 1991 acts to limit the effect of a person's conviction for various offences where that person has completed a period of crime free behaviour. Unlawful disclosure and improper obtaining of information concerning spent convictions attract penalties and possible imprisonment under the Act • Part 6 of the Crimes Act 1900 details various computer offences relating to unauthorised access, modification or impairment of data or electronic communication and the penalties and possible imprisonment if convicted • It is an offence under the Workplace Video Surveillance Act 1998 to use video recordings obtained by an authority issued by a Magistrate for an irrelevant purpose, that is, a purpose not related to establishing or prosecuting unlawful activity by an employee. Licensed security operators are bound by the conditions of the covert surveillance authority and commit an offence by contravening any part of those conditions. This list is by no means conclusive. There may be other legislation in place which may be applied for various types of misuse of information. For more information on liabilities, please refer to the GCIO Information Management -Liability Guideline. 5.10 Privacy statements and the web It is recommended that agencies place information on their websites, as to how they manage personal information collected via the site. Agencies should definitely use a ‘human-readable’ Privacy Statement on the site, with a link to the Information Management – Privacy and Personal Information Protection Guideline Page 28 of 43 agencies Privacy Management Plan but may also wish to consider using a ‘machine-readable’ Privacy Preference which is technology currently under development. 5.10.1 HUMAN-READABLE PRIVACY STATEMENT The human-readable privacy statement should be a reflection of the agency Privacy Policy and Privacy Management Plan, relating to web-based personal information. Agencies collect and use personal information in different ways and for different purposes. It is therefore not possible to give a single form of wording which would be appropriate in all cases. Appendix 2 of this Guideline contains detailed information provided by Privacy NSW regarding the content of a human-readable Privacy Statement. It suggests that the Privacy Statement should include the following information: In all cases: • The fact that the agency is covered by the PPIP Act; • The Act’s definition of personal information; • How unsolicited personal information (automatically derived) is managed eg, IP address, pages visited, use of cookies; • How solicited personal information (provided by the user when doing business via the site) is managed eg, the right to seek access and correction; • How the agency deals with e-mail messages from users eg, retention periods; • A warning that the security of e-mail communications cannot be guaranteed during its transmission to the agency; • Steps taken to protect user’s privacy via the agency Privacy Management Plan; • Where additional information about the Act can be found eg, from the agency Privacy Contact Officer or Privacy NSW. Where relevant: • The fact that there are legal issues affecting the agency’s privacy obligations eg, exemptions; • The fact that users have the right to seek suppression of their personal details in an agency Public Register. 5.10.2 MACHINE-READABLE PRIVACY PREFERENCE The Platform for Privacy Preferences (P3P) is an emerging technical standard developed by the World Wide Web Consortium (W3C). At its most basic, P3P delivers a standardised set of automated multiple-choice questions and answers that allow P3P-enabled browsers to match an end-user’s privacy preference with those generated by any P3P-enabled website. The P3P project is not a privacy policy, nor does it deal with the content of an agency’s Privacy Policy. Agencies should make themselves aware of the P3P project by visiting the W3C/P3P web site. Information Management – Privacy and Personal Information Protection Guideline Page 29 of 43 6 Responsibilities for managing privacy Responsibilities for the management of personal information are the domain of any individual within an agency with access to, or responsibilities for, such information. In restricting the following discussion to specific roles, the aim is to ensure that certain individuals are aware of the issues relating to privacy. Those individuals will then be in a position to ensure that all staff are suitably instructed either through training or the introduction of policies and procedures, as to their obligations in relation to the protection of personal information in their handling. 6.1 Privacy Contact Officer (PCO) As a matter of good practice, each agency should have a designated officer to whom members of the public can direct any queries or complaints in the first instance. Privacy Contact Officers are also the primary point of contact for liaison with Privacy NSW. Privacy NSW sends bi-annual newsletters to Privacy Contact Officers, and more frequent e-mail updates. To notify Privacy NSW of a new Privacy Contact Officer for your agency, e-mail privacy_nsw@agd.nsw.gov.au. The PCO News Alerts are available on the Privacy NSW website. 6.2 Chief Information Officer (CIO) The role of the CIO is to ensure that agency ICT resources support the business needs of the agency and reflect the Government’s strategic priorities. In respect to managing privacy policy within the agency, the CIO is responsible for ensuring that policies and procedures are developed and implemented consistently. These are to be in accordance of the requirements of the PPIP Act, other related legislation and relevant codes of practice and procedures. A CIO is required to ensure that each agency has: • A Privacy Management Plan which prescribes how the Principles or the Privacy Code of Practice are to be implemented; • The required practices to ensure that the Privacy Management Plan is implemented. This will include the introduction of relevant technology to support privacy management and the required training to ensure that employees are aware of, and implement, the Privacy Management Plan; • Developed procedures for the Internal Review requirements under the PPIP Act; • A Privacy Code of Practice if it is deemed to be necessary for that agency to modify the Principles and/or other requirements under the Act. This Code is to be developed in consultation with the NSW Privacy Commissioner and must be approved by the Minister. The CIO may also be required to provide a personal information digest at the request of the Privacy Commissioner. The digests are reports on the “..nature and source of personal information held by public sector agencies.” For more information regarding the role and responsibilities for a CIO, refer to the GCIO Chief Information Officer Guideline. Information Management – Privacy and Personal Information Protection Guideline Page 30 of 43 6.3 Custodians Information Custodians are responsible for the maintenance and effective use of specific information holdings within an agency. Therefore, some Custodians will be directly responsible for personal information within their agency. The PPIP Act adds another level of responsibility to those already held by the Custodians. Custodians must be familiar with the Agency’s Privacy Management Plan and, working closely with the CIO, ensure that any personal information in their charge is managed according to the Plan. For more information regarding Custodianship, refer to the GCIO IM -Custodianship Guideline. 6.4 Librarians Librarians sometimes hold and curate data on behalf of Custodians. Their particular responsibility therefore will be in managing the storage, security, access to and possible disposal of the personal information in their charge according to the Agency’s Privacy Management Plan. 6.5 Record managers Records are defined in the NSW State Records Act 1998 as “… any document or other source of information compiled, recorded or stored in written form or on film, or by electronic process, or in any other manner or by any other means.” Record Managers are responsible for managing State records held by the agency, and are required by the State Records Act, 1998 and, more specifically, State Records’ Standard on Full and Accurate Records to collect and maintain these records according to the requirements of the Act and the regulations. It is inevitable that these records will include personal information. Such personal information can include the identity of the person creating the document, the people involved in the transaction of business or the conduct of affairs, or other people involved in some way. 6.6 FOI officers Nothing in the PPIP Act affects the operation of the FOI (Freedom of Information) Act. Agencies will need to recognise this in their Privacy Management Plan and in the personal details required to be stored in their records. FOI Officers have always had to deal with issues of privacy in considering the release of documents under FOI. FOI Officers need to be fully aware of the provisions of the PPIP Act, as there are different appeal criteria depending upon which Act – FOI or PPIP an applicant makes a request. 6.7 Web managers Web managers need to recognise that consideration of privacy issues will effect web content in a number of ways: • Personal information of staff presented to the public or other staff; • Personal information of members of the public included in web documents; Information Management – Privacy and Personal Information Protection Guideline Page 31 of 43 • Obtaining personal information from the public through their visit to the website. The agency's Privacy Management Plan should canvass the concerns associated with these issues and establish transparent procedures and standards in dealing with personal information in these situations. A Privacy Statement should also be published on the agency's web site. 6.8 HR managers /workplace managers Personal information also applies to information relating to staff and employees of agencies. Human resource (HR) and workplace managers are responsible for: • Ensuring training practices are in place for employee training in privacy requirements; • Protecting staff and employee privacy in the workplace. 6.9 Outsourced data providers The PPIP Act includes any “person or body that provides data services….. For or on behalf of [a public sector Agency] or that receives funding from any such body in connection with providing data services…” (Section 3) Thus, any information managed for, or on behalf of, a public sector agency (including collecting, storing, gaining access, using or disposing of personal information) is also covered by the PPIP Act. This means that any agent managing public sector-related personal information is required to abide by any relevant Privacy Codes of Practice and the agency's Privacy Management Plan. The agency purchasing the outsourcing data management services will require proof of the agent’s policies and procedures confirming compliance with the Codes and Privacy Management Plan. Section 4(4) of the PPIP Act provides that when personal information is being used by a contractor, such as an auditor or consultant, it is still considered to be “held” by the original agency. Therefore the agency remains accountable for all dealings with that information by the contractor. As agencies will be liable for anything the contractor does with the personal information, it is best to write compliance with the IPPs into all contracts. Information Management – Privacy and Personal Information Protection Guideline Page 32 of 43 Information Management – Privacy and Personal Information Protection Guideline – Appendix 2 Page 33 of 43 NSW Department of Commerce Government ChiefInformationOfficeAPPENDIX 1 -Privacy Management Plan (PMP) development checklist Review Identify what legislation, Codes of Practice, Privacy Management Plans or other documents or guidelines are in effect for the agency. Considerations include: • NSW Privacy & Personal Information Protection Act 1998 (PPIP Act); • NSW Privacy Regulation 2000; • Commonwealth Privacy Act 1988 (in relation to tax file numbers and consumer credit information); • Freedom of Information Act; • Other legislation with requirements relating to the handling of personal information; • Any relevant Privacy Code of Practice (made by the Attorney General); • Existing agency or whole-of-Government policies; • Any applicable exemptions. Identify classes of personal information held by the agency and the information contained within them. A class of information will be a set of logically related records collected for the same or similar purpose eg, personnel records. See the GCIO IM – Inventory Guideline. For each class of personal information, determine: • The purpose for collecting and holding the information; • Who is /are the custodian(s) of the information; • Who handles the information (internal staff, contractors, other agencies /organisations etc.); • Whether the information is disclosed outside the agency and if so, if it is disclosed outside the NSW jurisdiction. Develop Policies & Procedures For each class of information, develop procedures for compliance with the Principles in the PPIP Act (or as amended by another other requirement identified above). Considerations include: • How to authenticate the individual concerned; • The level of sensitivity of the information; • The introduction of relevant clauses in contracts with service providers /other agencies to ensure the protection of personal information transferred outside the agency's control; • Developing criteria by which to assess requests to alter personal information (including FOI exemptions); • Introducing a Privacy Contact Officer for each class of information to handle requests to be informed of, gain access to, or alter information contained in Information Management – Privacy and Personal Information Protection Guideline – Appendix 2 Page 34 of 43 that class of information (alternatively, the agency Privacy Contact Officer may perform this function for all classes). For each class of information, develop procedures for internal reviews required under the PPIP Act. For this purpose, Privacy NSW has published a hardcopy document “A Guide to Internal Reviews”. Copies have been supplied to all agencies and additional copies may be purchased from Privacy NSW. Consideration will need to be given to: • Who will conduct the reviews (potentially an individual or group which may differ for different classes of information etc.); • How the complainant will be kept informed of the progress of the review; • How the NSW Privacy Commissioner will be kept informed of the progress of the review; • What outcomes might arise from the review. Develop a policy for the use by staff, of employer-provided communication devices. Implementation Privacy NSW has published a hardcopy document “A Guide to Making Privacy Management Plans”. Copies have been supplied to all agencies and additional copies may be purchased from Privacy NSW. The following points should be considered: • Produce an agency-wide Privacy Management Plan; • Appoint Custodians for all classes of information held; • Establish responsibilities for data custodians and other staff with responsibilities for handling personal information; • For each class of information, develop an awareness plan to inform custodians and staff who handle personal information, of their responsibilities in relation to privacy. Consideration will need to be given to: − the training of new staff in the general requirement to protect the privacy of individuals in relation to their personal information; − more specific training of new staff whose job functions will involve the handling of personal information; − the continuing awareness of staff of both general and specific requirements (if any) in relation to privacy; − including reference to privacy requirements and the Privacy Management Plan, in position descriptions; − placing the agency's Privacy Management Plan on the agency's Intranet. • Establish responsibilities for external agencies, organisations etc. in relation to personal information held by the agency but disclosed to that organisation for a specific purpose. Education • Advise /train custodians of their responsibilities in relation to privacy; • Advise /train staff of their responsibilities in relation to privacy; • Implement a general awareness campaign for all staff in relation to privacy issues; • Ensure that the agency's Privacy Management Plan is available to all staff. Information Management – Privacy and Personal Information Protection Guideline – Appendix 2 Page 35 of 43 Monitoring • Review the inventory of personal information collections on a regular basis; • Review legislative and other requirements for the maintenance of personal information, on a regular basis; • Review the agency's Privacy Management Plan on a regular basis; • Review staff training and awareness of privacy issues on a regular basis. Information Management – Privacy and Personal Information Protection Guideline – Appendix 2 Page 36 of 43 APPENDIX 2 -Human readable web privacy statement The following text on the content of a privacy statement for public sector agency websites, is provided without prejudice by Privacy NSW. A Introduction All public sector agencies should have a website privacy statement which is easily accessible from their home page and from any page where the agency solicits information from clients, customers or members of the public. The privacy statement needs to strike a balance between providing sufficient information to make users aware of privacy issues without going into so much detail that it becomes confusing. We recommend that this be done by creating a hyperlink to a separate privacy statement page or pages rather than trying to cram the whole statement on an introductory page. As agencies collect and use personal information in different ways and for different purposes, it is not possible to give a single form of wording which would be appropriate in all cases. However, a Web statement should include the following information: B Include in all cases Covered by the Act The fact that the agency is covered by the NSW Privacy and Personal Information Protection Act 1998 which gives people the right to know how their personal information will be used and some control over the information they provide to the agency Personal information defined The fact that the Act defines personal information as any information or opinion about an individual whose identity is apparent or can be readily identified from the information or opinion Unsolicited information (automatically derived) The fact that the agency records data as part of any Internet browsing transaction which in some circumstances will involve the collection of personal information, together with an explanation of how this information is used and the circumstances in which individual users may be identified, for example: “When you visit our website to read pages or download information, we automatically collect and store the following non-identifying information: − the Internet protocol (IP address) from which you access our website − the type of browser and operating system you are using − the date and time of access − the pages visited − the last site you visited if that site contains a link to our website. Information Management – Privacy and Personal Information Protection Guideline – Appendix 2 Page 37 of 43 We store this data in system logs and use it to monitor demand and improve access to our website. We do not track or record information about identifiable individuals and their visits. We use /do not use cookies, (files or file entries placed on your computer's hard drive by a website which allow monitoring of your use of a site, including repeat visits) for the purpose of (specify generally the function of cookies eg, to speed up access, expedite interactive sessions, monitor navigation). For security purposes we use software programs to monitor network traffic and identify unauthorised attempts to up-load or change information or otherwise cause damage. It is a criminal offence to interfere with computers and data. We may disclose data which provides evidence of such offences to law enforcement agencies.” Solicited information (provided by the user) Notification as required by Section 10 of the Act as to how personal information provided by you when transacting business with us on the website will be stored, used and disclosed, and your right to seek access and correction: in some circumstances this may need to be tailored to the different kinds of use, for example forms or e-mail-if requests are made by e-mail, consider notifying under the e-mail heading below: “By requesting a copy of [insert publication] you have provided us with personal information needed to contact and bill you. This information will be held at our office at [insert office address] and disposed of in accordance with the State Records General Disposal Authority for Administrative Records. Under the NSW Privacy and Personal Information Protection Act and the Freedom of Information Act, you may apply to access the records we hold about you, and to apply to amend or correct information which is inaccurate, irrelevant, out of date, incomplete or misleading. You are legally required to provide a street /business /residential address when registering a [insert registration details]. Failure to provide an address will mean that you cannot be registered” E-mail messages Details of how the agency deals with e-mail messages from members of the public /clients /customers, for example: “Your e-mail messages will be a) retained and stored electronically in accordance with standards and authorities under the State Records Act which fix variable retention periods depending on the transaction which is recorded b) used and disclosed for the purpose of replying to you /filling your order, and subject to the requirements of the Privacy and Personal Information Protection Act.” Information Management – Privacy and Personal Information Protection Guideline – Appendix 2 Page 38 of 43 E-mail security A warning that the security of e-mail communications cannot be guaranteed, for example: “Electronic mail is not a secure form of communication and we cannot guarantee that your message will not be viewed by someone else when being sent to us. We strongly recommend that you write to us if the information you wish to provide is highly confidential.” Steps taken to protect your privacy That the agency has prepared a Privacy Management Plan, describing the steps it has taken to protect privacy and the procedures to be followed when people seek internal review of conduct which they claim breaches an information protection principle, a privacy code of practice or a public register provision: also the address or contact number where people can obtain copies of the plan. Additional information about the Act That more information about the PPIP Act can be obtained from Privacy NSW. For example: “For more information about the NSW privacy legislation call our Privacy Contact Officer on XXXX XXXX, from Privacy NSW, or by visiting the Privacy NSW website at: http://www.lawlink.nsw.gov.au/privacynsw C. Include where relevant Legal issues affecting privacy obligations • Address any legal issues directly relevant to the agency's privacy obligations eg privacy codes or regulatory provisions which exempt the agency from requirement to comply with the IPPs or public register provisions. Some examples would be: “Under the Department's Privacy Code of Practice we may depart from the requirements of the Act to obtain consent when collecting and disclosing information about individuals with certain disabilities, for information see…” OR “Under the Privacy and Personal Information Protection Act, the Commission is defined as an investigative agency and is exempted from some provisions of the Act relating to the collection, use and disclosure of personal information when performing its investigative functions.” OR “Under the Department’s Privacy Code of Practice, the Department may use personal information collected from this website for a secondary purpose where Information Management – Privacy and Personal Information Protection Guideline – Appendix 2 Page 39 of 43 this is considered necessary to promote and maintain a safe and disciplined learning environment in a public school” OR “Clause 5 of the Privacy and Personal Information Protection Regulation 2000 exempts Land and Property Information Services from having to comply with sections 57 and 58 of the Privacy and Personal Information Protection Act in relation to public registers maintained under the Real Property Act 1900 and the Conveyancing Act 1919.” Public registers Notify clients /customers who provide information to the agency through its website for inclusion in a public register operated by the agency that they have the right to seek suppression of personal details, for example: “On request, we may suppress your personal details from the publicly available version of the [named Register] provided that you explain to us how the safety or well-being of any person would be affected if the information is not suppressed.” D. Notes for further consideration What is personal information? Transactions with an agency through its website often raise complex issues about whether the data being collected and stored or used is personal information, that is, information or an opinion about an individual whose identity is apparent or can reasonably be identified. As a general rule, it is safer to recognise that electronic data is dynamic, that the individual user may come to be identified over the course of a transaction or series of transactions, and that their use of your site does therefore involve a collection of personal information. Solicitation Similar considerations apply in determining whether personal information is solicited or unsolicited. Under Section 4(5) of the Privacy and Personal Information Protection Act, IPPs dealing with collection of personal information do not apply to unsolicited information. Information is clearly solicited where a user fills in the data fields on an electronic form. It is less clear whether an agency solicits personal information by allowing people to visit its website or send e-mail messages, although a good case could be made that it does. IP addresses All transactions with an agency's website involve the recording of the IP address of the user's terminal or an IP address allocated by the server from which access is made for a particular session. While this may not automatically constitute personal information, the pattern of usage from a particular IP address may indirectly disclose the identity of the user. In normal circumstances, this will not be an issue. However, where a website downloads cookies to a user's hard drive to maintain continuity of service, or when the agency identifies and seeks to investigate suspected illegal access, there is much greater potential for identifying a user. This potential does not mean that the agency has to launch Information Management – Privacy and Personal Information Protection Guideline – Appendix 2 Page 40 of 43 into a detailed explanation of how the use of the site may give rise to personal information. All that is needed is a brief explanation of the circumstances in which non-identified information may become personal. E-mail addresses A person's e-mail address is more likely to identify personal information about them contained in a message, given that it will be also used by the agency in a variety of personal and business contexts. You should be realistic when giving undertakings about how your agency stores e-mail messages to explain how these undertakings are fulfilled. For example, don't make blanket claims about confidentiality if e-mails are routinely forwarded or printed off within your agency. Information Management – Privacy and Personal Information Protection Guideline – Appendix 3 Page 41 of 43 NSW Department of Commerce Government ChiefInformationOfficeAPPENDIX 3 -Privacy references A International Privacy Legislation /Guidelines • United Nations, Universal Declaration of Human Rights; • Office of the United Nations High Commissioner for Human Rights, International Covenant on Civil and Political Rights; • Organisation for Economic Co-operation and Development, Protection of Privacy and Transborder Flows of Personal Data. B National legislation & related information • Privacy Act 1988 (Cth); • Federal Privacy Commissioner's web site; • Privacy Amendment (Private Sector) Bill 2000 (Cth), Revised Explanatory Memorandum; • Australian Privacy Charter Council, Australian Privacy Charter, 1994; • Privacy Commissioner, “Information Privacy in Australia: a National Scheme for Fair Information Practices in the Private Sector” August 1997. C NSW legislation • Privacy & Personal Information Protection Act, 1998 (NSW); • NSW Privacy & Personal Information Protection Regulation 2000 (NSW); • Privacy NSW; • Freedom of Information Act 1989 (NSW); • NSW Premier's Office, Guidelines for using Freedom of Information in NSW (pdf) • NSW Privacy Committee, NSW Data Protection Principles; • Anti-Discrimination Act 1977 (NSW); • Crimes Act 1900 (NSW); • Criminal Records Act 1991 (NSW); • State Records NSW; • About the State Records Act 1998; • Defamation Act 1974 (NSW); • Independent Commission Against Corruption Act 1988 (NSW); • Ombudsman Act 1974 (NSW); • NSW Ombudsman's; Workplace Video Surveillance Act 1998 (NSW); ICAC on fraud and security; • Cases decided in the Administrative Decisions Tribunal under the PPIP Act; • Privacy Contact Officer News Alerts. D GCIO Guidelines • Information Management -Framework Guideline; • Information Management -Inventory Guideline; Information Management – Privacy and Personal Information Protection Guideline – Appendix 3 Page 42 of 43 Information Security Guideline: • Part 1 -Information Security Risk Management; • Part 2 -Examples of Threats and Vulnerabilities; • Part 3 -Information Security Baseline Controls; • Chief Information Officer (CIO) Guideline; • Information Management -Liability Guideline; • Information Management -Custodianship Guideline. E Tax File Number Information • Privacy Act 1988 (Cth); • Federal Privacy Commissioner's web site; • Federal Privacy Commissioner, Tax File Number Guidelines 1992 (annotated version with all amendments to Mar 2004); • Taxation Administration Act 1953 (Cth); • Income Tax Assessment Act 1936 (Cth). F Credit Information • Privacy Act 1988 (Cth); • Federal Privacy Commissioner's web site. G Data Transfers /Data Matching • Privacy & Personal Information Protection Act, 1998 (NSW); • NSW Privacy Commissioner, Direction On Information Transfers Between Public Sector Agencies; • Data Matching Program (Assistance and Taxation) Act 1990 (Cth); • Federal Privacy Commissioner, The Use of Data Matching in Commonwealth Administration Guidelines (Word doc). H Research • NSW Privacy Commissioner, Direction on Collection and Disclosure for Research. I Privacy in the Workplace • New South Wales Government Personnel Handbook (2004); • Criminal Records Act 1991 (NSW); • NSW Privacy Commissioner, Criminal record checks and public sector employment; • NSW Privacy Commissioner, Criminal Records Act 1991 and Spent Convictions; • Commission for Children and Young People website; • NSW Premier's Department, The Privacy Code of Practice for the NSW Public Sector Workforce Profile, 2004 (pdf); Information Management – Privacy and Personal Information Protection Guideline – Appendix 3 Page 43 of 43 • NSW Premier's Department, Management Arrangements for the NSW Public Sector Workforce Profile; • Workplace Video Surveillance Act 1998 (NSW); • Privacy Committee of NSW, Invisible Eyes: Report on Video Surveillance in the Workplace • Listening Devices Act 1984 (NSW); • NSW Privacy Commissioner, Privacy and your telephone calls; • NSW Premier's Department, Policy & Guidelines for the use by Staff of Employer Communication Devices; • NSW Premier's Department, Memorandum 2002-04 Acceptable Use of the Internet and Electronic Mail; • NSW Premier's Department, Circular No. 99-09 Use of Employer Communication Devices; • NSW Premier's Department, Circular No. 2000-37 Monitoring Of Use Of Communication Devices (Including Internet Access); • NSW Privacy Commissioner, Privacy and Your Private Mail, E-mail, Lockers, Drawers J Video Surveillance in Public Places • Interdepartmental Committee on Closed Circuit Television (CCTV) established under the auspices of the Premier's Council on Crime Prevention, NSW Government Policy Statement and Guidelines for the Establishment and Implementation of Closed Circuit Television (CCTV) in Public Places. K Technology neutral requirements • NSW Premier's Department, Policy & Guidelines for the use by Staff of Employer Communication Devices; • NSW Premier's Department, Circular No. 2000-37 Monitoring Of Use Of Communication Devices (Including Internet Access); • GCIO Information Security Guideline Part 3 -Information Security Baseline Controls.