The digital transformation of all organisations has made it easier to inadvertently disclose personal information and all the more important for organisations to review internal processes for collecting and storing information and their processes for sharing information when requested.
Privacy Act, Australian Privacy Principles, FOI Act and GDPR govern behaviours
The key legislation and guidelines for Australians to understand are the Privacy Act (including related state and territory legislation), the Australian Privacy Principles (APP) and the Freedom of Information (FOI) Act, which work together as a guiding framework, along with the European Union's General Data Protection Regulation. The Privacy Act covers Australian Government agencies and organisations with an annual turnover of more than $3 million, and some other organisations, but excludes intelligence organisations for good reason. The Privacy Principles are guidelines outlining the mandatory requirements of the Privacy Act and the matters stakeholders must take into account when implementing it. Although the framework can be intimidating to understand, it really just applies common sense to the respectful use of private information, and its guidelines are deemed fair for all citizens, businesses and government organisations.
In 2018, the European Union implemented the General Data Protection Regulation (GDPR) to consolidate all privacy and data protection laws and regulations within the EU for the protection of individuals in an increasingly digital world. While it overlaps with the Privacy Act, it enforces serious penalties and applies more stringent definitions of "consent" to the sharing of information. It affects all Australian organisations with entities in the European Union or conducting trade with entities in the EU, and requires organisations to implement privacy "by design" in all processes, to be able to demonstrate compliance and to adopt transparent information handling practices.
GDPR simply enforces what individuals would expect from respectful organisations: not to share personal information; not to process personal information unless consented to in advance; to minimise the processing of personal data full stop; and to provide a formal process for redress if privacy is violated. Implementation of GDPR has had a substantial impact on the way organisations acquire personal data, profile individuals and use digital means to market their services.
The Privacy Act regulates the way individuals' personal information is handled: why it is being collected; how it will be used; and who it will be disclosed to. It gives individuals the right to access their personal information, to stop receiving unwanted direct marketing and to rectify incorrect information or disclosure.
The APP guides organisations on how to implement and interpret the Privacy Act by detailing rights, setting minimum access requirements and defining personal information as 'information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not'. Importantly, the guidelines also list ten grounds on which an organisation can refuse to give access to personal information, including insufficient resources.
Redaction Software enables organisations to manage both disclosure and privacy
While most organisations are not going to refuse reasonable requests, they should review all documents before release to ensure that information regarding other persons is redacted. Beyond preventing disclosure of the personal information of others, redaction is also used to remove information that could threaten public health or safety, or interfere with legal proceedings or the actions of enforcement agencies.
The FOI Act provides individuals with a right of access to documents held by most Australian Government agencies, apart from those exempt on grounds of secrecy, public interest or other statutory provisions.
In summary, the Privacy Act is the foundational Australian legislation for protecting individual privacy, the Australian Privacy Principles help organisations implement the Act's measures, and the FOI Act gives government entities broader clarity on how to provide access to all information, personal and otherwise. The GDPR is complementary in that, by protecting individuals in the European Union from privacy violations relating primarily to the processing of personal information by organisations, it raises standards of behaviour for global organisations. Digital transformation of business processes is bringing privacy concerns to the forefront as we leverage the benefits of an online world and simultaneously learn to protect people from its adverse impacts on their personal lives.
Information, IT and risk managers need to be across this legislation and ensure that all business processes protect the privacy of individuals. This involves reviewing exactly how personal information is processed and stored, and developing efficient and safe means of providing the public with access to information. The FOI Act makes this particularly relevant for the public sector, which must respond to reactive requests for general and personal information from individuals and entities alongside the proactive disclosure of public information.
Growth in digital data is driving the need for efficiency and Redaction Software
Disclosure processes can require considerable effort to manage within the recommended guidelines unless dedicated workflow solutions and automated redaction software are used. With the regular doubling of digital data and heightened sensitivity to privacy breaches, automated redaction software is the only effective and efficient way to balance the need to respond to disclosure requests, or to safely archive documents, with the need to ensure sensitive content is not revealed.
If you need assistance with your disclosure process feel free to contact one of our account managers or download a free trial of Objective Redact from our website.
Objective Redact, Redaction Software for Security Conscious Organisations, like yours.