Information Confidentiality and Privacy Policy

Purpose
This policy defines the guidelines for collecting, managing and storing
Department of . . . (“the Department”) information and protecting it
against improper or inappropriate use.
Replaces: <Previous Policy Document>
Commences: <date>
File: <file reference or policy number>
Scope
This policy covers all Department information, including information
stored on computer hardware, in software programs, conveyed via
telecommunications, and data retained within Department information
systems, devices and paper files.
Public information, such as the Department’s Internet site and Annual
Report, is exempt from this policy.
Principle
Department information must be protected.
Personal information may only be collected for business purposes and
may only be accessed for the business purposes for which it was
collected.
State legislation, regulations and policy restrict the use and disclosure of
information.
Responsibility
This policy document applies to all employees, contractors, consultants
and authorised users of Department Facilities (hereinafter “staff”).
Custodian: Director, Information Services. Date:
Endorser: Executive Director, Corporate Services. Date:
Approver: Director General or Commissioner or CEO. Date:
© State of Western Australia
106739204
Aug 2011
1 of 25
Department of . . .
Information Confidentiality and Privacy Policy
Table of Contents
1. POLICIES .... 3
1.1. Department Information .... 3
1.2. Collecting Information .... 5
1.3. Storing Information .... 5
1.4. Access to Information .... 5
1.5. Requests for Information .... 6
1.6. Disclosing Information .... 7
1.7. Transmitting Information .... 7
1.8. Breaches of This Policy .... 8
2. ACCOUNTABILITIES AND RESPONSIBILITIES .... 9
2.1. Staff .... 9
2.2. Managers .... 9
2.3. Manager, Audit .... 9
2.4. Manager, Information Security .... 9
2.5. Directors and Divisional Heads .... 9
2.6. Director, Information Services .... 9
3. POLICY ADMINISTRATION .... 10
3.1. Promulgation .... 10
3.2. Policy Review .... 10
3.3. Contact .... 10
4. ATTACHMENTS – LEGISLATION .... 11
4.1. Add Other Agency specific Information Legislation as needed .... 11
4.2. Corruption and Crime Commission Act 2003 [as at 17 September 2009] .... 11
4.3. Criminal Code Act Compilation Act 1913 [as at 27 June 2009] .... 12
4.4. Freedom of Information Act 1992 [as at 27 February 2009] .... 14
4.5. Public Sector Management Act 1994 [as at 10 Jun 2009] .... 15
4.6. Public Service Regulations 1988 [as at 25 Nov 2005] .... 15
4.7. State Records Act 2000 [as at 01 February 2007] .... 16
4.8. Privacy Act 1988 (Cth) [as at 05 August 2009] .... 17
SCHEDULE 3—NATIONAL PRIVACY PRINCIPLES .... 18
1. Policies
1.1. Department Information
Policy 1: The Department will exercise due care in the treatment of its information.
Interpretation: The Department and its staff are subject to the laws of the land, including:
a. Freedom of Information Act 1992
b. Health Services (Conciliation and Review) Act 1995
c. State Records Act 2000
d. Spent Convictions Act 1988
e. Surveillance Devices Act 1998
f. Telecommunications (Interception) Western Australia Act 1996
g. Magistrates Court Act 2004
Implementation: Staff must conduct themselves in the spirit of and without contravening:
h. Public Sector Management Act 1994
i. Criminal Code
j. Codes of Conduct
k. Premier’s Circulars
l. Public Sector Commissioner’s Circulars
Interpretation: ‘Department information’ includes
m. all official information, government record or personal information
n. which is created or obtained by the Department, stored by the
Department or on Department facilities
including information:
o. stored on a computer
p. transmitted across networks
q. printed out or written on paper
r. sent by facsimile
s. stored on tapes or discs
t. spoken in conversations (including by telephone or radio) or overheard
u. incidentally seen or witnessed
v. sent via email
w. stored on databases
x. held on films or microfiche
y. sent via any other method used to convey knowledge or ideas.
Interpretation: ‘Official information’ is defined in the Criminal Code as:
z. information, whether in a record or not
aa. that comes to the knowledge of, or into the possession of a person
bb. because the person is a public servant or government contractor
Interpretation: A ‘Government record’ is defined in the State Records Act 2000 as a
record created or received by:
cc. a government organization
dd. a government organization employee in the course of the
employee’s work for the organization, but does not include an exempt
record.
Interpretation: A record is defined in the State Records Act 2000 as any record of
information however recorded and includes:
ee. any thing on which there is writing or Braille
ff. a map, plan, diagram or graph
gg. a drawing, pictorial or graphic work or photograph
hh. any thing on which there are figures, marks, perforations or symbols,
having a meaning for persons qualified to interpret them
ii. anything from which images, sounds or writings can be reproduced
with or without the aid of anything else
jj. any thing on which information has been stored or recorded, either
mechanically, magnetically or electronically.
Interpretation: An ‘exempt record’ is defined in the State Records Act 2000 as a record:
kk. control of which is given by a State organization to another person in
the course of the organization’s operations
ll. that is part of publicly available library material held by a State
organization for reference purposes
mm. that was not created by a State organization and that is part of the
collection of a State collecting institution.
Interpretation: ‘Personal Information’ is defined in the Freedom of Information Act 1992
as:
nn. ‘information or an opinion
oo. whether true or not
pp. whether recorded in a material form or not
qq. about an individual, whether living or dead:
rr. whose identity is apparent, or can reasonably be ascertained, from the
information or opinion; or
ss. who can be identified by reference to an identification number or
other identifying particular such as a fingerprint, retina print or body
sample’.
Policy 2: Personal information is managed, where practicable, in accordance with
the National Privacy Principles.
Interpretation: The National Privacy Principles are defined in section 6 [and Schedule 3]
of the Privacy Act 1988 (Cth).
Implementation: Personal information may only be collected:
a. by lawful means for lawful and clearly defined purposes that are linked
directly to Department business
b. where individuals are made aware of:
• the collection of their personal information
• the purposes of the collection
• whether the collection is required under law.
Implementation: Staff must familiarise themselves with the policies relevant to their
business area and work function.
Implementation: Personal information:
c. must be used in accordance with Department policies
d. may be shared within the Department as required for business
purposes
e. must be disclosed to other parties where required by law.
1.2. Collecting Information
Policy 3: Information must only be collected where directly needed for business
purposes.
Interpretation: Only collect as much information as is needed for business purposes.
Implementation: The purpose for collecting information should be indicated at the time of
collection.
1.3. Storing Information
Policy 4: All Department information must be stored in a manner which accords
with the State Records Act 2000.
Implementation: Refer to the relevant Record Keeping Plan and associated policies.
1.4. Access to Information
Policy 5: Staff must only access Department information required to perform their
duties.
Interpretation: Where the Department authorises access to information it is only an
authorisation to access that information when it is needed for business
purposes.
Implementation: It may be an offence under the Corruption and Crime Commission Act
2003 to access information that is not directly required to perform a duty.
Interpretation: The scrupulous use of official information, equipment and facilities
excludes access to information:
a. that is not directly required to perform an official duty
b. that relates to yourself, a relative or associate.
Implementation: It may be a breach of discipline under the Public Sector Management Act
1994 to access information that is not directly required to perform a duty.
Interpretation: ‘Access’ to information includes all:
c. viewing
d. use
e. transmission
f. modification
g. disclosure.
1.5. Requests for Information
Policy 6: Requests for Department information must be formal requests.
Interpretation: A formal request must be a written request.
Implementation: A written request may take the form of:
a. an appropriately authorised letter
b. a Memorandum of Understanding
c. an existing written agreement
d. a third Party Access application
e. an act of parliament
f. an order of a Court.
Interpretation: Staff must verify the identity and authority of any person requesting
access to Department information.
Interpretation: The purpose of the request must be:
g. for the same purposes for which the information was collected
h. otherwise provided for in legislation
Policy 7: Staff must only approve requests for information in accordance with the
procedures relevant to their business area.
Interpretation: Staff may only disclose information that:
a. they have the delegation to disclose
b. they are authorised to disclose
Implementation: Staff must:
c. familiarise themselves with the legislation and policies relevant to the
disclosure of information for their business area
d. follow the correct procedures for processing requests for information.
Policy 8: Staff must refuse any request for information that would constitute a
breach of law or Department policy.
Interpretation: ‘law’ or ‘policy’ means ‘written law’ or ‘written policy’.
Implementation: If it is determined that requested information cannot be disclosed, staff
must follow the procedures for advising the other party their request has
been declined, as outlined in the relevant legislation and policies for their
business area.
1.6. Disclosing Information
Policy 9: Department information must not be disclosed except where required or
authorised by law to do so.
Implementation: Disclosure includes:
a. casual conversation or discussion
b. internet sites, such as social media sites
c. email.
Implementation: Staff must not disclose the personal information of a Department client or
staff member to a third party unless:
d. the individual about whom the personal information relates has
consented to the disclosure, or has been made aware that information
of that kind is usually passed on to the person or agency requesting it
e. it is believed the disclosure is necessary to prevent or lessen a serious
and imminent threat to the life or health of the individual concerned or
of another person
f. the disclosure is required by law.
Interpretation: Department policies relating to the release of personal information
include:
g. Personal Files Policy – Human Resources
h. Freedom of Information Policies and Procedures – Records and
Compliance
i. <>
1.7. Transmitting Information
Policy 10: Staff must exercise care when transmitting information.
Interpretation: The method of transmission must be appropriate to the confidentiality or
privacy of the content of the transmission.
Implementation: Staff must select suitable methods of physical or electronic transmission:
a. the Department does not use default encryption to protect information
sent via the Internet
b. staff must not record or use information received via the Department
website for any other purpose other than as defined in the website
privacy statement.
Policy 11: Information sharing arrangements between government agencies must
follow the Policy Framework and Standards for Information Sharing
Between Government Agencies.
Interpretation: The Policy Framework and Standards for Information Sharing Between
Government Agencies is mandated by the Public Sector Commissioner’s
Circular 2009-29 which states that:
a. Agencies must act within the limits of relevant legislation
b. Open and accountable processes and procedures are required for
information sharing
c. Information sharing should be consistent with appropriate minimum
privacy standards such as the National Privacy Principles
d. Procedures need to provide for security of confidential information
e. Agencies sharing information do so within the context of information
policies, procedures and practices, relevant legislation and privacy
principles.
Please note: Refer to Law Compass > The Department Home >
Services to Government > Policy Directorate
(http://www.department.dotag.wa.gov.au/P/policy_directorate.aspx?uid=168)
1.8. Breaches of This Policy
Policy 12: Suspected breaches of this policy will be investigated and disciplinary or
legal action may be taken.
Interpretation: Investigations of suspected breaches may be conducted:
a. internally, by Management Assurance Governance and Improvement
or any person appointed by the Director General
b. by the Crime and Corruption Commission
c. externally by the Western Australian Police Service or the Australian
Federal Police.
Implementation: Internal investigations will be conducted:
d. according to the principles of natural justice, transparency of process
and accountability
e. according to relevant policy and procedure.
Implementation: Disciplinary matters will be dealt with in accordance with the relevant
legislation, including:
f. the Public Sector Management Act 1994
2. Accountabilities and Responsibilities
This section identifies personnel and summarises their responsibilities under this policy.
2.1. Staff
Staff are responsible for:
a. complying with this policy
b. understanding the applicable law, policies and procedures relevant to
their business area
c. communicating any suspected breach of this policy to their Manager.
2.2. Managers
Managers are responsible for:
a. staff awareness of this policy
b. monitoring staff compliance with this policy
c. reporting any suspected breaches of this policy to their Director
d. ensuring staff are aware of and have access to the applicable
legislation, policies and procedures.
2.3. Manager, Audit
The Manager, Audit is responsible for:
a. the investigation of all suspected breaches arising from Department
Divisions
b. investigations as directed by the Director General.
2.4. Manager, Information Security
The Manager, Information Security is responsible for:
a. monitoring and reviewing compliance with this policy
b. reviewing currency of this policy.
2.5. Directors and Divisional Heads
Directors and Divisional Heads are responsible for:
a. delegating responsibility for investigations into suspected breaches
where appropriate
b. authorising disciplinary action.
2.6. Director, Information Services
The Director, Information Services is responsible for:
a. the retention of reports and information relating to security violations
b. referring suspected breaches to Directors, Divisional Heads, and the
Director General.
3. Policy Administration
3.1. Promulgation
Commencement date
Communication process
3.2. Policy Review
The Department reviews and updates this policy as needed.
3.3. Contact
Questions related to this policy document may be directed to the Director, Information
Services on (08) 9999-9999.
4. Attachments – Legislation
For the most recent legislation, please refer to the website of the State Law
Publisher, http://www.slp.wa.gov.au/legislation/statutes.nsf/default.html
4.1. Add Other Agency specific Information Legislation as needed
4.2. Corruption and Crime Commission Act 2003 [as at 17 September 2009]
Term “misconduct”
Misconduct occurs if —
(a) a public officer corruptly acts or corruptly fails to act in the performance of
the functions of the public officer’s office or employment;
(b) a public officer corruptly takes advantage of the public officer’s office or
employment as a public officer to obtain a benefit for himself or herself or for
another person or to cause a detriment to any person;
(c) a public officer whilst acting or purporting to act in his or her official capacity,
commits an offence punishable by 2 or more years’ imprisonment; or
(d) a public officer engages in conduct that —
(i) adversely affects, or could adversely affect, directly or indirectly, the
honest or impartial performance of the functions of a public authority
or public officer whether or not the public officer was acting in their
public officer capacity at the time of engaging in the conduct;
(ii) constitutes or involves the performance of his or her functions in a
manner that is not honest or impartial;
(iii) constitutes or involves a breach of the trust placed in the public officer
by reason of his or her office or employment as a public officer; or
(iv) involves the misuse of information or material that the public officer
has acquired in connection with his or her functions as a public officer,
whether the misuse is for the benefit of the public officer or the benefit
or detriment of another person,
and constitutes or could constitute —
(v) an offence against the Statutory Corporations (Liability of Directors)
Act 1996 or any other written law; or
(vi) a disciplinary offence providing reasonable grounds for the termination
of a person’s office or employment as a public service officer under
the Public Sector Management Act 1994 (whether or not the public
officer to whom the allegation relates is a public service officer or is a
person whose office or employment could be terminated on the
grounds of such conduct).
[Section 4 inserted by No. 78 of 2003 s. 6.]
4.3. Criminal Code Act Compilation Act 1913 [as at 27 June 2009]
81. Disclosing official secrets
(1) In this section —
disclosure includes —
(a) any publication or communication; and
(b) in relation to information in a record, parting with possession of the record;
government contractor means a person who is not employed in the Public Service
but who provides, or is employed in the provision of, goods or services for the
purposes of —
(a) the State of Western Australia;
(b) the Public Service; or
(c) the Police Force of Western Australia;
information includes false information, opinions and reports of conversations;
official information means information, whether in a record or not, that comes to the
knowledge of, or into the possession of, a person because the person is a public
servant or government contractor;
public servant means a person employed in the Public Service;
unauthorised disclosure means —
(a) the disclosure by a person who is a public servant or government contractor
of official information in circumstances where the person is under a duty
not to make the disclosure; or
(b) the disclosure by a person who has been a public servant or government
contractor of official information in circumstances where, were the person
still a public servant or government contractor, the person would be under a
duty not to make the disclosure.
(2) A person who, without lawful authority, makes an unauthorised disclosure is guilty of
a crime and is liable to imprisonment for 3 years.
Summary conviction penalty: imprisonment for 12 months and a fine of $12 000.
[Section 81 inserted by No. 4 of 2004 s. 59; amended by No. 70 of 2004 s. 35(1).]
83. Corruption
Any public officer who, without lawful authority or a reasonable excuse —
(a) acts upon any knowledge or information obtained by reason of his office or
employment;
(b) acts in any matter, in the performance or discharge of the functions of his
office or employment, in relation to which he has, directly or indirectly, any
pecuniary interest; or
(c) acts corruptly in the performance or discharge of the functions of his office or
employment,
so as to gain a benefit, whether pecuniary or otherwise, for any person, or so as to
cause a detriment, whether pecuniary or otherwise, to any person, is guilty of a crime
and is liable to imprisonment for 7 years.
[Section 83 inserted by No. 70 of 1988 s. 16; amended by No. 8 of 2002 s. 4.]
84. Application of s. 121 to judicial corruption not affected
In sections 82 and 83 public officer does not include the holder of a judicial office
within the meaning of section 121.
[Section 84 inserted by No. 70 of 1988 s. 16.]
85. Falsification of records by public officer
Any public officer who, in the performance or discharge of the functions of his office
or employment, corruptly —
(a) makes any false entry in any record;
(b) omits to make any entry in any record;
(c) gives any certificate or information which is false in a material particular;
(d) by act or omission falsifies, destroys, alters or damages any record;
(e) furnishes a return relating to any property or remuneration which is false in a
material particular; or
(f) omits to furnish any return relating to any property or remuneration, or to give
any other information which he is required by law to give,
is guilty of a crime and is liable to imprisonment for 7 years.
[Section 85 inserted by No. 70 of 1988 s. 16; amended by No. 8 of 2002 s. 5; No. 70
of 2004 s. 8.]
440A. Unlawful use of computers
(1) In this section —
computer system includes —
(a) a part of a computer system;
(b) an application of a computer system;
password includes a code, or set of codes, of electronic impulses;
restricted-access computer system means a computer system in respect of which —
(a) the use of a password is necessary in order to obtain access to information
stored in the system or to operate the system in some other way; and
(b) the person who is entitled to control the use of the system —
(i) has withheld knowledge of the password, or the means of producing it,
from all other persons; or
(ii) has taken steps to restrict knowledge of the password, or the means of
producing it, to a particular authorised person or class of authorised
person;
use a computer system means —
(a) to gain access to information stored in the system; or
(b) to operate the system in some other way.
(2) For the purposes of this section a person unlawfully uses a restricted-access computer
system —
(a) if the person uses it when he or she is not properly authorised to do so; or
(b) if the person, being authorised to use it, uses it other than in accordance with
his or her authorisation.
(3) A person who unlawfully uses a restricted-access computer system is guilty of a crime
and is liable —
(a) if by doing so the person —
(i) gains a benefit, pecuniary or otherwise, for any person; or
(ii) causes a detriment, pecuniary or otherwise, to any person,
of a value of more than $5 000, to imprisonment for 10 years;
(b) if by doing so the person —
(i) gains or intends to gain a benefit, pecuniary or otherwise, for any
person; or
(ii) causes or intends to cause a detriment, pecuniary or otherwise, to any
person,
to imprisonment for 5 years;
(c) in any other case, to imprisonment for 2 years.
Summary conviction penalty in a case to which paragraph (c) applies: imprisonment
for 12 months and a fine of $12 000.
[Section 440A inserted by No. 70 of 2004 s. 30.]
4.4. Freedom of Information Act 1992 [as at 27 February 2009]
109. Offence of unlawful access
A person who, in order to gain access to a document containing —
(a) personal information about another person; or
(b) information about the business, professional, commercial or financial affairs
of another person,
knowingly deceives or misleads a person performing functions under this Act
commits an offence.
Penalty:
(a) for an individual — $6 000;
(b) for a body corporate — $10 000.
[Section 109 amended by No. 50 of 2003 s. 64(3).]
110. Destruction of documents
A person who conceals, destroys or disposes of a document or part of a document or
is knowingly involved in such an act for the purpose (sole or otherwise) of preventing
an agency being able to give access to that document or part of it, whether or not an
application for access has been made, commits an offence.
Penalty: $6 000.
[Section 110 amended by No. 50 of 2003 s. 64(4).]
4.5. Public Sector Management Act 1994 [as at 10 Jun 2009]
9. General principles of official conduct
The principles of conduct that are to be observed by all public sector bodies and
employees are that they —
(a) are to comply with the provisions of —
(i) this Act and any other Act governing their conduct;
(ii) public sector standards and codes of ethics; and
(iii) any code of conduct applicable to the public sector body or employee
concerned;
(b) are to act with integrity in the performance of official duties and are to be
scrupulous in the use of official information, equipment and facilities; and
(c) are to exercise proper courtesy, consideration and sensitivity in their dealings
with members of the public and employees.
80. Breaches of discipline
An employee who —
(a) disobeys or disregards a lawful order;
(b) contravenes —
(i) any provision of this Act applicable to that employee; or
(ii) any public sector standard or code of ethics;
(c) commits an act of misconduct;
(d) is negligent or careless in the performance of his or her functions; or
(e) commits an act of victimisation within the meaning of section 15 of the Public
Interest Disclosure Act 2003,
commits a breach of discipline.
[Section 80 amended by No. 29 of 2003 s. 28.]
4.6. Public Service Regulations 1988 [as at 25 Nov 2005]
8. Public comment
An officer shall not —
(a) publicly comment, either orally or in writing, on any administrative action, or
upon the administration of any Department or organization; or
(b) use for any purpose, other than for the discharge of official duties as an
officer, information gained by or conveyed to that officer through employment
in the Public Service.
4.7. State Records Act 2000 [as at 01 February 2007]
3. Interpretation
(1) In this Act —
government organization employee means —
(a) a person who, whether or not an employee, alone or with others governs,
controls or manages a government organization;
(b) a person who, under the Public Sector Management Act 1994, is a public
service officer of a government organization; or
(c) a person who is engaged by a government organization, whether under a
contract for services or otherwise,
and includes, in the case of a government organization referred to in item 5 or 6 of
Schedule 1, a ministerial officer (as defined in the Public Sector Management Act
1994) assisting the organization;
government record means a record created or received by —
(a) a government organization; or
(b) a government organization employee in the course of the employee’s work
for the organization,
but does not include an exempt record;
record means any record of information however recorded and includes —
(a) any thing on which there is writing or Braille;
(b) a map, plan, diagram or graph;
(c) a drawing, pictorial or graphic work, or photograph;
(d) any thing on which there are figures, marks, perforations, or symbols,
having a meaning for persons qualified to interpret them;
(e) anything from which images, sounds or writings can be reproduced with or
without the aid of anything else; and
(f) any thing on which information has been stored or recorded, either
mechanically, magnetically, or electronically;
record keeping plan means —
(a) in relation to a parliamentary department, the record keeping plan approved
in respect of the department under Part 2, as the plan is amended from time
to time under that Part;
(b) in relation to a government organization, the record keeping plan approved
in respect of the organization under Part 3, as the plan is amended from
time to time under that Part;
reproduce, in relation to a record, has the meaning affected by subsection (3);
State record means —
(a) a parliamentary record; or
(b) a government record;
unauthorized possession, in relation to a government record, means possession that
is not authorized by any of the following —
(a) the record keeping plan of the government organization that last had
possession of, or that has the control of, the record;
(b) the government organization that last had possession of, or that has the
control of, the record;
(c) the archives keeping plan;
(d) the Director;
(e) a written law;
(f) an order or determination of a court or tribunal.
[Section 3 amended by No. 77 of 2006 s. 17.]
78.
Offences
(1)
A government organization employee who does not keep a government record in
accordance with the record keeping plan of the organization, commits an offence.
(2)
A government organization employee who, without lawful authority, transfers, or who
offers to transfer, the possession of a government record to a person who is not
entitled to possession of the record, commits an offence.
(3)
A government organization employee who destroys a government record commits an
offence unless the destruction is authorized by the record keeping plan of the
organization.
(4)
A person who destroys a government record while the record is the subject of a notice
under section 52 or an application made, or order or warrant issued, under section 53,
commits an offence.
(5)
A person who has unauthorized possession of a government record and who destroys
that record, commits an offence unless the person owns the record.
(6)
It is a defence to a charge of an offence under subsection (2), (3), (4) or (5) to prove
that the alleged act was done pursuant to —
(a) a written law; or
(b) an order or determination of a court or tribunal.
(7)
It is a defence to a charge of an offence under subsection (5) to prove that the person
had no reasonable cause to suspect that the record was a government record.
Penalty: $10 000.
4.8.
Privacy Act 1988 (Cth) [as at 05 August 2009]
[The Privacy Act 1988 (Cth) applies to Commonwealth Agencies and the private sector.
The National Privacy Principles within the Act are adopted by the Department as a guide.]
6 Interpretation
(1) In this Act, unless the contrary intention appears:
National Privacy Principle means a clause of Schedule 3. A reference in this Act to a
National Privacy Principle by number is a reference to the clause of Schedule 3 with that
number.
Schedule 3—National Privacy Principles
Note:
See section 6.
1 Collection
1.1 An organisation must not collect personal information unless the information is necessary
for one or more of its functions or activities.
1.2 An organisation must collect personal information only by lawful and fair means and not
in an unreasonably intrusive way.
1.3 At or before the time (or, if that is not practicable, as soon as practicable after) an
organisation collects personal information about an individual from the individual, the
organisation must take reasonable steps to ensure that the individual is aware of:
(a) the identity of the organisation and how to contact it; and
(b) the fact that he or she is able to gain access to the information; and
(c) the purposes for which the information is collected; and
(d) the organisations (or the types of organisations) to which the organisation usually
discloses information of that kind; and
(e) any law that requires the particular information to be collected; and
(f) the main consequences (if any) for the individual if all or part of the information is
not provided.
1.4 If it is reasonable and practicable to do so, an organisation must collect personal
information about an individual only from that individual.
1.5 If an organisation collects personal information about an individual from someone else, it
must take reasonable steps to ensure that the individual is or has been made aware of the
matters listed in subclause 1.3 except to the extent that making the individual aware of the
matters would pose a serious threat to the life or health of any individual.
2 Use and disclosure
2.1 An organisation must not use or disclose personal information about an individual for a
purpose (the secondary purpose) other than the primary purpose of collection unless:
(a) both of the following apply:
(i) the secondary purpose is related to the primary purpose of collection and, if the
personal information is sensitive information, directly related to the primary
purpose of collection;
(ii) the individual would reasonably expect the organisation to use or disclose the
information for the secondary purpose; or
(b) the individual has consented to the use or disclosure; or
(c) if the information is not sensitive information and the use of the information is for
the secondary purpose of direct marketing:
(i) it is impracticable for the organisation to seek the individual’s consent before
that particular use; and
(ii) the organisation will not charge the individual for giving effect to a request by
the individual to the organisation not to receive direct marketing
communications; and
(iii) the individual has not made a request to the organisation not to receive direct
marketing communications; and
(iv) in each direct marketing communication with the individual, the organisation
draws to the individual’s attention, or prominently displays a notice, that he or
she may express a wish not to receive any further direct marketing
communications; and
(v) each written direct marketing communication by the organisation with the
individual (up to and including the communication that involves the use) sets
out the organisation’s business address and telephone number and, if the
communication with the individual is made by fax, telex or other electronic
means, a number or address at which the organisation can be directly contacted
electronically; or
(d) if the information is health information and the use or disclosure is necessary for
research, or the compilation or analysis of statistics, relevant to public health or
public safety:
(i) it is impracticable for the organisation to seek the individual’s consent before
the use or disclosure; and
(ii) the use or disclosure is conducted in accordance with guidelines approved by
the Commissioner under section 95A for the purposes of this subparagraph; and
(iii) in the case of disclosure—the organisation reasonably believes that the recipient
of the health information will not disclose the health information, or personal
information derived from the health information; or
(e) the organisation reasonably believes that the use or disclosure is necessary to lessen
or prevent:
(i) a serious and imminent threat to an individual’s life, health or safety; or
(ii) a serious threat to public health or public safety; or
(ea) if the information is genetic information and the organisation has obtained the
genetic information in the course of providing a health service to the individual:
(i) the organisation reasonably believes that the use or disclosure is necessary to
lessen or prevent a serious threat to the life, health or safety (whether or not the
threat is imminent) of an individual who is a genetic relative of the individual to
whom the genetic information relates; and
(ii) the use or disclosure is conducted in accordance with guidelines approved by
the Commissioner under section 95AA for the purposes of this subparagraph;
and
(iii) in the case of disclosure—the recipient of the genetic information is a genetic
relative of the individual; or
(f) the organisation has reason to suspect that unlawful activity has been, is being or
may be engaged in, and uses or discloses the personal information as a necessary part
of its investigation of the matter or in reporting its concerns to relevant persons or
authorities; or
(g) the use or disclosure is required or authorised by or under law; or
(h) the organisation reasonably believes that the use or disclosure is reasonably
necessary for one or more of the following by or on behalf of an enforcement body:
(i) the prevention, detection, investigation, prosecution or punishment of criminal
offences, breaches of a law imposing a penalty or sanction or breaches of a
prescribed law;
(ii) the enforcement of laws relating to the confiscation of the proceeds of crime;
(iii) the protection of the public revenue;
(iv) the prevention, detection, investigation or remedying of seriously improper
conduct or prescribed conduct;
(v) the preparation for, or conduct of, proceedings before any court or tribunal, or
implementation of the orders of a court or tribunal.
Note 1:
It is not intended to deter organisations from lawfully co-operating with agencies performing law
enforcement functions in the performance of their functions.
Note 2:
Subclause 2.1 does not override any existing legal obligations not to disclose personal information.
Nothing in subclause 2.1 requires an organisation to disclose personal information; an organisation
is always entitled not to disclose personal information in the absence of a legal obligation to
disclose it.
Note 3:
An organisation is also subject to the requirements of National Privacy Principle 9 if it transfers
personal information to a person in a foreign country.
2.2 If an organisation uses or discloses personal information under paragraph 2.1(h), it must
make a written note of the use or disclosure.
2.3 Subclause 2.1 operates in relation to personal information that an organisation that is a
body corporate has collected from a related body corporate as if the organisation’s primary
purpose of collection of the information were the primary purpose for which the related
body corporate collected the information.
2.4 Despite subclause 2.1, an organisation that provides a health service to an individual may
disclose health information about the individual to a person who is responsible for the
individual if:
(a) the individual:
(i) is physically or legally incapable of giving consent to the disclosure; or
(ii) physically cannot communicate consent to the disclosure; and
(b) a natural person (the carer) providing the health service for the organisation is
satisfied that either:
(i) the disclosure is necessary to provide appropriate care or treatment of the
individual; or
(ii) the disclosure is made for compassionate reasons; and
(c) the disclosure is not contrary to any wish:
(i) expressed by the individual before the individual became unable to give or
communicate consent; and
(ii) of which the carer is aware, or of which the carer could reasonably be expected
to be aware; and
(d) the disclosure is limited to the extent reasonable and necessary for a purpose
mentioned in paragraph (b).
2.5 For the purposes of subclause 2.4, a person is responsible for an individual if the person is:
(a) a parent of the individual; or
(b) a child or sibling of the individual and at least 18 years old; or
(c) a spouse or de facto partner of the individual; or
(d) a relative of the individual, at least 18 years old and a member of the individual’s
household; or
(e) a guardian of the individual; or
(f) exercising an enduring power of attorney granted by the individual that is exercisable
in relation to decisions about the individual’s health; or
(g) a person who has an intimate personal relationship with the individual; or
(h) a person nominated by the individual to be contacted in case of emergency.
2.6 In subclause 2.5:
child: without limiting who is a child of an individual for the purposes of this clause, each
of the following is the child of an individual:
(a) an adopted child, stepchild, exnuptial child or foster child of the individual; and
(b) someone who is a child of the individual within the meaning of the Family Law Act
1975.
de facto partner has the meaning given by the Acts Interpretation Act 1901.
parent: without limiting who is a parent of an individual for the purposes of this clause,
someone is the parent of an individual if the individual is his or her child because of the
definition of child in this subclause.
relative of an individual means a grandparent, grandchild, uncle, aunt, nephew or niece, of
the individual.
sibling of an individual includes a half-brother, half-sister, adoptive brother, adoptive
sister, step-brother, step-sister, foster-brother and foster-sister, of the individual.
stepchild: without limiting who is a stepchild of an individual for the purposes of this
clause, someone is the stepchild of an individual if he or she would be the individual’s
stepchild except that the individual is not legally married to the individual’s de facto
partner.
2.7 For the purposes of the definition of relative in subclause 2.6, relationships to an individual
may also be traced to or through another individual who is:
(a) a de facto partner of the first individual; or
(b) the child of the first individual because of the definition of child in that subclause.
2.8 For the purposes of the definition of sibling in subclause 2.6, an individual is also a sibling
of another individual if a relationship referred to in that definition can be traced through a
parent of either or both of them.
3 Data quality
An organisation must take reasonable steps to make sure that the personal information it
collects, uses or discloses is accurate, complete and up-to-date.
4 Data security
4.1 An organisation must take reasonable steps to protect the personal information it holds
from misuse and loss and from unauthorised access, modification or disclosure.
4.2 An organisation must take reasonable steps to destroy or permanently de-identify personal
information if it is no longer needed for any purpose for which the information may be
used or disclosed under National Privacy Principle 2.
5 Openness
5.1 An organisation must set out in a document clearly expressed policies on its management
of personal information. The organisation must make the document available to anyone
who asks for it.
5.2 On request by a person, an organisation must take reasonable steps to let the person know,
generally, what sort of personal information it holds, for what purposes, and how it
collects, holds, uses and discloses that information.
6 Access and correction
6.1 If an organisation holds personal information about an individual, it must provide the
individual with access to the information on request by the individual, except to the extent
that:
(a) in the case of personal information other than health information—providing access
would pose a serious and imminent threat to the life or health of any individual; or
(b) in the case of health information—providing access would pose a serious threat to
the life or health of any individual; or
(c) providing access would have an unreasonable impact upon the privacy of other
individuals; or
(d) the request for access is frivolous or vexatious; or
(e) the information relates to existing or anticipated legal proceedings between the
organisation and the individual, and the information would not be accessible by the
process of discovery in those proceedings; or
(f) providing access would reveal the intentions of the organisation in relation to
negotiations with the individual in such a way as to prejudice those negotiations; or
(g) providing access would be unlawful; or
(h) denying access is required or authorised by or under law; or
(i) providing access would be likely to prejudice an investigation of possible unlawful
activity; or
(j) providing access would be likely to prejudice:
(i) the prevention, detection, investigation, prosecution or punishment of criminal
offences, breaches of a law imposing a penalty or sanction or breaches of a
prescribed law; or
(ii) the enforcement of laws relating to the confiscation of the proceeds of crime; or
(iii) the protection of the public revenue; or
(iv) the prevention, detection, investigation or remedying of seriously improper
conduct or prescribed conduct; or
(v) the preparation for, or conduct of, proceedings before any court or tribunal, or
implementation of its orders;
by or on behalf of an enforcement body; or
(k) an enforcement body performing a lawful security function asks the organisation not
to provide access to the information on the basis that providing access would be
likely to cause damage to the security of Australia.
6.2 However, where providing access would reveal evaluative information generated within
the organisation in connection with a commercially sensitive decision-making process, the
organisation may give the individual an explanation for the commercially sensitive
decision rather than direct access to the information.
Note:
An organisation breaches subclause 6.1 if it relies on subclause 6.2 to give an individual an
explanation for a commercially sensitive decision in circumstances where subclause 6.2 does not
apply.
6.3 If the organisation is not required to provide the individual with access to the information
because of one or more of paragraphs 6.1(a) to (k) (inclusive), the organisation must, if
reasonable, consider whether the use of mutually agreed intermediaries would allow
sufficient access to meet the needs of both parties.
6.4 If an organisation charges for providing access to personal information, those charges:
(a) must not be excessive; and
(b) must not apply to lodging a request for access.
6.5 If an organisation holds personal information about an individual and the individual is able
to establish that the information is not accurate, complete and up-to-date, the organisation
must take reasonable steps to correct the information so that it is accurate, complete and
up-to-date.
6.6 If the individual and the organisation disagree about whether the information is accurate,
complete and up-to-date, and the individual asks the organisation to associate with the
information a statement claiming that the information is not accurate, complete or
up-to-date, the organisation must take reasonable steps to do so.
6.7 An organisation must provide reasons for denial of access or a refusal to correct personal
information.
7 Identifiers
7.1 An organisation must not adopt as its own identifier of an individual an identifier of the
individual that has been assigned by:
(a) an agency; or
(b) an agent of an agency acting in its capacity as agent; or
(c) a contracted service provider for a Commonwealth contract acting in its capacity as
contracted service provider for that contract.
7.1A However, subclause 7.1 does not apply to the adoption by a prescribed organisation of a
prescribed identifier in prescribed circumstances.
Note:
There are prerequisites that must be satisfied before those matters are prescribed: see subsection
100(2).
7.2 An organisation must not use or disclose an identifier assigned to an individual by an
agency, or by an agent or contracted service provider mentioned in subclause 7.1, unless:
(a) the use or disclosure is necessary for the organisation to fulfil its obligations to the
agency; or
(b) one or more of paragraphs 2.1(e) to 2.1(h) (inclusive) apply to the use or disclosure;
or
(c) the use or disclosure is by a prescribed organisation of a prescribed identifier in
prescribed circumstances.
Note:
There are prerequisites that must be satisfied before the matters mentioned in paragraph (c) are
prescribed: see subsections 100(2) and (3).
7.3 In this clause:
identifier includes a number assigned by an organisation to an individual to identify
uniquely the individual for the purposes of the organisation’s operations. However, an
individual’s name or ABN (as defined in the A New Tax System (Australian Business
Number) Act 1999) is not an identifier.
8 Anonymity
Wherever it is lawful and practicable, individuals must have the option of not identifying
themselves when entering transactions with an organisation.
9 Transborder data flows
An organisation in Australia or an external Territory may transfer personal information
about an individual to someone (other than the organisation or the individual) who is in a
foreign country only if:
(a) the organisation reasonably believes that the recipient of the information is subject to
a law, binding scheme or contract which effectively upholds principles for fair
handling of the information that are substantially similar to the National Privacy
Principles; or
(b) the individual consents to the transfer; or
(c) the transfer is necessary for the performance of a contract between the individual and
the organisation, or for the implementation of pre-contractual measures taken in
response to the individual’s request; or
(d) the transfer is necessary for the conclusion or performance of a contract concluded in
the interest of the individual between the organisation and a third party; or
(e) all of the following apply:
(i) the transfer is for the benefit of the individual;
(ii) it is impracticable to obtain the consent of the individual to that transfer;
(iii) if it were practicable to obtain such consent, the individual would be likely to
give it; or
(f) the organisation has taken reasonable steps to ensure that the information which it
has transferred will not be held, used or disclosed by the recipient of the information
inconsistently with the National Privacy Principles.
10 Sensitive information
10.1 An organisation must not collect sensitive information about an individual unless:
(a) the individual has consented; or
(b) the collection is required by law; or
(c) the collection is necessary to prevent or lessen a serious and imminent threat to the
life or health of any individual, where the individual whom the information concerns:
(i) is physically or legally incapable of giving consent to the collection; or
(ii) physically cannot communicate consent to the collection; or
(d) if the information is collected in the course of the activities of a non-profit
organisation—the following conditions are satisfied:
(i) the information relates solely to the members of the organisation or to
individuals who have regular contact with it in connection with its activities;
(ii) at or before the time of collecting the information, the organisation undertakes
to the individual whom the information concerns that the organisation will not
disclose the information without the individual’s consent; or
(e) the collection is necessary for the establishment, exercise or defence of a legal or
equitable claim.
10.2 Despite subclause 10.1, an organisation may collect health information about an individual
if:
(a) the information is necessary to provide a health service to the individual; and
(b) the information is collected:
(i) as required or authorised by or under law (other than this Act); or
(ii) in accordance with rules established by competent health or medical bodies that
deal with obligations of professional confidentiality which bind the
organisation.
10.3 Despite subclause 10.1, an organisation may collect health information about an individual
if:
(a) the collection is necessary for any of the following purposes:
(i) research relevant to public health or public safety;
(ii) the compilation or analysis of statistics relevant to public health or public
safety;
(iii) the management, funding or monitoring of a health service; and
(b) that purpose cannot be served by the collection of information that does not identify
the individual or from which the individual’s identity cannot reasonably be
ascertained; and
(c) it is impracticable for the organisation to seek the individual’s consent to the
collection; and
(d) the information is collected:
(i) as required by law (other than this Act); or
(ii) in accordance with rules established by competent health or medical bodies that
deal with obligations of professional confidentiality which bind the
organisation; or
(iii) in accordance with guidelines approved by the Commissioner under
section 95A for the purposes of this subparagraph.
10.4 If an organisation collects health information about an individual in accordance with
subclause 10.3, the organisation must take reasonable steps to permanently de-identify the
information before the organisation discloses it.
10.5 In this clause:
non-profit organisation means a non-profit organisation that has only racial, ethnic,
political, religious, philosophical, professional, trade, or trade union aims.