Do you collect or use information about people? If so, you need to think about how you're handling that information.
Here is an easy tool to help you get privacy right in your business or project.
The basics that you need to think about
The first thing you need to think about is purpose: what are you trying to achieve and what personal information do you need to achieve it?
Then you need to consider what responsibilities you have when you are handling personal information.
You also need to think about:
• How you will collect personal information fairly
• Whether your use of personal information is justifiable
• How long you will keep personal information for
• How you will dispose of it appropriately.
Lastly, think about what privacy risks you might face, and how you can reduce these.
Draw a diagram showing what will happen with the information
Whether your project is simple or complex, a good tool to help your thinking is to draw a diagram which shows how personal information will move through your organisation or system, from collection to destruction. If you are going to be disclosing information to others, show this in the diagram too.
Drawing a diagram makes you focus on exactly what information you need and what you need to do with it. The diagram will also help you to easily see possible trouble spots, or other things you need to manage particularly carefully.
Write up your analysis
Usually, it's useful to write up your thinking, to show what privacy issues you have identified, and how you'll deal with them. This written record is called a "privacy impact assessment".
A privacy impact assessment is a tool to help you get things right. Use it when you're making decisions, refer back to it frequently, and revise it if your project changes.
There is no "right" way of writing a privacy impact assessment. For a small project, a simple table or bullet-point notes might do the trick. For more complex projects, we have a guidance handbook available to assist you to prepare your privacy impact assessment. Make your privacy impact assessment as detailed as it needs to be to help you make the right decisions.
Make your analysis available
Whatever format you choose, it is a good idea to make your privacy impact assessment available to the people whose information you're handling (such as your customers or staff). That way, they can see how well you manage their personal information.
Check any specific industry requirements, such as privacy codes of practice
Some industries are regulated by privacy codes of practice as well as the Privacy Act. These codes set out specific requirements about all aspects of privacy, including collection, use and disposal of personal information by the industry.
Other industries may also have specific industry standards (such as security standards) that you need to be aware of.
Make sure you're familiar with any standards that apply to you and work them into your privacy impact assessment.
Current privacy codes of practice include:
• Credit Reporting Privacy Code
• Health Information Privacy Code
• Justice Sector Unique Identifier Code
• Superannuation Schemes Unique Identifier Code
• Telecommunications Information Privacy Code