Privacy Bites Newsletter
Privacy It's Everybody's Business
Welcome
Welcome to the fourth edition of Privacy Bites, the newsletter of the Right to Information and Privacy Office. This edition will look closely at the requirements for the disclosure of personal information.
Disclosure of Personal Information
Information Privacy Principle (IPP) 11 - Limits on disclosure requires the University not to disclose personal information to another entity, other than the individual to whom the information relates, unless -
- the individual has expressly consented to the disclosure;
- the individual had been made aware, under a privacy statement, that it is the University's normal practice to disclose that type of personal information;
- the disclosure is authorised or required by law;
- the disclosure falls within a number of other exemptions, for example, for law enforcement purposes.
The University's Privacy Management Policy and Procedures provides further guidance on the circumstances under which personal information can be disclosed to a person or entity other than the individual to whom the personal information relates. Staff are reminded that any disclosure of personal information that is not permitted under IPP11 may be a breach of the Information Privacy Act 2009 and may give rise to a privacy complaint. If in doubt, please refer matters to the Right to Information and Privacy Coordinator for advice.
Request from law firms or insurance agencies
It is quite common for the University to receive requests from law firms or insurance agencies for access to staff or student information. Quite often, these requests are made under the Motor Accident Insurance Act 1994, the Personal Injuries Proceedings Act 2002, a subpoena issued by a court or other similar authority. These requests are to be referred to the Right to Information and Privacy Office, where they will be accessed against the requirements of IPP 11.
Sony cleared of any beach of the Privacy Act
The federal Privacy Commissioner has concluded his investigation into the potential disclosure of private details of 77 million Sony PlayStation customers as a result of a cyber-attack. The Commissioner found that Sony complied with the Privacy Act and the principles that require organisations to take reasonable steps to protect personal information and prevent unauthorised disclosure of the personal information.
However, the Commissioner was critical of the delay between when Sony became aware of the incident and notifying customers. The Commissioner said,
I would have liked to have seen Sony act more swiftly to let its customers known about the incident. Immediate or early notification of a data breach can allow individuals to take steps to mitigate the risks that arise from their information being compromised.
While it is not mandatory to notify data breaches, it is highly recommended in certain circumstances. The commissioner's comments highlight the importance of organisational units informing the Right to Information and Privacy Office of potential breaches so that a proper assessment can be carried to determine whether or not the University should notify individuals affected by a breach.
Handy tips
In dealing with personal information, staff are advised:
- to request to sight student cards to confirm proof of identity of students before disclosing any personal information;
- to be aware of their surrounds when discussing matters with students; the University can inadvertently disclose personal information as a result of discussing personal information about a student where the information can be overheard by others;
- to refer any requests from other individuals to the Right to Information and Privacy Office for consideration;
- to contact the Right to Information and Privacy Office if concerned about a particular practice or request to disclose personal information.
Remember, if you feel nervous about a particular act or disclosure of personal information; contact the Right to Information and Privacy Coordinator for specific information/advice.
Complaint Snapshot...
The University has received a number of privacy complaints concerning the inadvertent disclosure of personal information. The common element in recent complaints centres around mistakes in compiling or scanning documents containing personal information. Staff are reminded to check that any information sent electronically:
- only contains the personal information of the person/student receiving the information; and
- is sent to the correct email address.
The time taken to check that information is correct and being sent to the proper person or student is quicker than having to investigate a possible privacy breach.
Online Privacy Training
All University staff are reminded that the University has developed an online privacy training module. It is a requirement for all staff to complete the module and do so very two years. This module has been developed to give staff a better understanding of what privacy of information is, the issues surrounding personal and sensitive information, and how information can be managed to avoid breach of privacy legislation and ensure confidentiality in the workplace.
More specifically, it will outline the legal and ethical responsibilities of both employers and employees to ensure the privacy of personal or potentially sensitive information. Staff can access the online module from: elearn.com.au
Disclaimer
The information contained in this newsletter is of a general nature only and is not legal advice. Specific legal advice should be sought rather than relying on this newsletter.
Anthony Zgrajewski,
Right to Information and Privacy Coordinator
E-mail: a.zgrajewski@uq.edu.au
Ph: (07) 3365 2571 Fax: (07) 3365 1058
|
