privacy act 1988
TRANSCRIPT
PRIVACY ACT 1988
SECTION 27(1)(h)
PUBLIC TRUSTEE FOR THE AUSTRALIAN CAPITAL
TERRITORY
FINAL AUDIT REPORT
INFORMATION PRIVACY PRINCIPLES AUDIT
AUDIT UNDERTAKEN: NOVEMBER 2008 DRAFT REPORT ISSUED: APRIL 2009 FINAL REPORT ISSUED: MAY 2009
1
TABLE OF CONTENTS
1 INTRODUCTION
1.1 Background 2
2 DESCRIPTION OF AUDIT
2.1 Purpose 3 2.2 Scope 3 2.3 Timing and Location 3 2.4 Description of Auditee 3 2.5 Information sought prior to the audit 4 2.6 Audit Opinion 5 2.7 Follow up review 5 2.8 Reporting 5
3. AUDIT ISSUES
3.1 IPPs 1–3 Issues – Collection of personal information 6 3.2 IPP 4 Issues – Storage and security of personal information 7 3.3 IPP 5 Issues – Information relating to records kept by record keeper 10 3.4 IPP 6 Issues – Access to records containing personal information 11 3.5 IPP 7 Issues – Alteration of records containing personal information 11 3.6 IPP 8 Issues – Record-keeper to check accuracy etc of personal
information before use 12 3.7 IPP 9 Issues – Personal information to be used only for relevant purposes 12 3.8 IPPs 10-11 Issues – Limits on use and disclosure of personal information 12 3.9 Other Privacy Issues 14
4. SUMMARY OF RECOMMENDATIONS 15
APPENDIX A
Information Privacy Principles 18
2
1. INTRODUCTION 1.1 Background A Memorandum of Understanding (MoU) exists between the Commonwealth of Australia and the Australian Capital Territory (ACT) Government for the Provision of privacy services in relation to ACT Government Agencies. Under the terms of the MoU, the Office of the Privacy Commissioner (the Office) conducted an audit of the Public Trustee for the Australian Capital Territory (PTACT) under section 27(1)(h) of the Privacy Act 1988 (Cth) (the Act).
3
2. DESCRIPTION OF AUDIT 2.1 Purpose The purpose of the audit was to ascertain PTACT’s compliance with the Information Privacy Principles (IPPs) contained in section 14 of the Act, specifically in relation to:
• Wills; • Deceased estate files; • Trusts and court appointed trusts; • Safe custody facility; • Management and external management orders; • Enduring powers of attorney; • Unclaimed monies; and • Personnel records.
2.2 Scope
The audit involved a review of PTACT’s practices, policies and procedures for the collection, storage, use and disclosure of personal information. Enquiries were also made regarding information technology matters and staff training procedures. 2.3 Timing and Location The audit was conducted on 28 November 2008, at PTACT’s office, Ground Floor, ActewAGL House, 221 London Circuit, Canberra ACT. 2.4 Description of Auditee
PTACT is a Territory Authority, established on 8 March 1985 under section 5 of the Public Trustee Act 1985. Under the Fianncial Management Act 1996, the Public Trustee has responsbility as Chief Executive Officer.
PTACT is administratively responsible to the Chief Executive, ACT Department of Justice and Community Safety through a Deputy Chief Executive.
PTACT’s services include:
• will-making (where the Public Trustee is appointed executor); • administering deceased estates under will or intestacy; • asset services under Enduring Power of Attorney; • trustee for trusts created in Wills, Deeds and Court Orders for families, infants
and people with disabilities; • acting as agent for the Territory to receive, manage and dispose of assets
forfeited under the Confiscation of Criminal Assets Act 2003;
4
• administration of moneys declared unclaimed under the Unclaimed Moneys Act 1950, Legal Practitioners Act 1970 and Agents Act 2003, including receiving moneys, processing claims and investing funds;
• investing moneys held in specified government trust funds; • acting for people with disabilities where ordered by a Court; and • providing an annual examination of the accounts maintained by external
managers on behalf of people with impaired decision-making ability.
Most of PTACT’s human resource functions are now managed off site through the ACT Government’s centralised Shared Services Centre, in collaboration with the Department of Justice and Community Safety. Most processing, advertising and administration functions are dealt with by the Shared Services Centre, which also operates as the custodian of all PTACT’s personnel records. Most of the PTACT’s IT services are now managed off site through InTACT. InTACT provides centralised information technology services to the ACT Government agencies including infrastructure, applications support and development, ICT policy, ICT project services, publishing and records management. The main computer programs which PTACT staff access include:
• MYOB Premier – used by PTACT for the business accounts of the organisation and includes client information;
• TACT – is the PTACT trust accounting package and includes all client information and financials; and
• COMMBIZ – is used by PTACT to send client funds and pay accounts for the office and clients.
2.5 Information sought prior to the audit The following documentation was provided by PTACT prior to the commencement of the audit:
• PTACT’s current organisation chart;
• a copy of PTACT’s latest annual report; • an outline of personal information data flows within PTACT and to any other
external third parties, including other ACT or Commonwealth government agencies or other organisations;
• copies of all forms, or a representative sample of forms, used to collect
personal information for inclusion in PTACT’s records; • copies of relevant computer systems documentation and specifications
including systems security and a copy of any IT Security Policy;
• PTACT’s Privacy Policy;
5
• copies of staff instructions/memorandums addressing the Act and/or information security;
• details of staff training concerning the Act, including a copy of any training
material presented to participants.
2.6 Audit Opinion The recommendations arising from this audit are outlined in Section 4 of this report. The audit revealed that PTACT generally manages the personal information contained in the records audited in accordance with the IPPs in the Act. Consequently, the opinion of the audit team was that PTACT was generally compliant in meeting its obligations under the Act. The auditors noted that while PTACT is generally aware of its privacy obligations, it could introduce certain practices in order to reduce the risk of possible future breaches of the IPPs. The auditors further noted a relatively low level of privacy training was provided to staff generally. Areas of concern were discussed with PTACT’s senior staff at the audit closing conference and are identified in Section 3 of this report. It is the view of the auditors that addressing each of these recommendations will assist PTACT to minimise the risk of future possible breaches of the IPPs. 2.7 Follow up review A follow up review may be undertaken after six months has elapsed from the date of the final report or as indicated by the Director, Compliance. 2.8 Reporting Completed audit reports of ACT and Australian government agencies commenced after 1 July 2002 are generally published on the Office of the Privacy Commissioner’s web site (available at http://www.privacy.gov.au/act/audits/index.html ). Findings and recommendations from IPP audits that are considered relevant to good privacy practice across the public sector generally are also discussed in the Office of the Privacy Commissioner’s Annual Report.
6
3. AUDIT ISSUES A copy of the IPPs is provided at Appendix A. 3.1 IPPs 1–3 Issues – Collection of personal information
IPP 1 provides that personal information shall not be collected unless the collection is for a lawful purpose directly related to the collector’s functions and activities and necessary or directly related to that purpose.
IPP 2 provides that, where a collector solicits and collects personal information directly from an individual, it must inform the individual of the purpose of collection, any legal authorisation or requirement for the collection, and any person, body or agency to which it usually discloses that information.
IPP 3 provides that, where a collector solicits and collects personal information generally it must take steps reasonable in the circumstances to ensure that, having regard to the purpose for which the information is collected, the information is relevant to that purpose, up to date and complete, and that the collection does not intrude to an unreasonable extent on the individuals’ personal affairs.
Observations 3.1.1 The auditors noted that in most cases PTACT collects information directly from its
clients or as authorised or required by the court in PTACT’s role as a court appointed trustee.
3.1.2 In cases where personal information is collected from third parties (such as the personal information of beneficiaries under wills), the auditors noted that the solicitation of information is conducted via court orders or with consent of the third party, and does not intrude to an unreasonable extent on the privacy of those individuals.
3.1.3 The auditors also noted that the information collected by PTACT is used to provide services to its clients and therefore the information is necessary for and directly related to PTACT’s functions and activities. It is noted that in many of its activities, the Public Trustee acts on behalf of its clients in a fiduciary capacity. This is in a similar manner to a legal practitioner.
3.1.4 In relation to the making of wills, the auditors reviewed PTACT’s standard will-making form and noted that PTACT advises clients in this form that information collected will be disclosed to the other party when creating mirror wills.
Privacy issues 3.1.3 There is a risk that where PTACT collects personal information about an individual
for inclusion in a record or in a generally available publication, it fails to provide the individual with appropriate notice as required by IPP 2. In such instances, individuals may be unaware of the reason PTACT is collecting their personal information or to whom PTACT usually discloses the information to.
7
3.1.4 Specifically, there is a risk where PTACT is collecting information for multiple
purposes that the individual is not provided with notice of what information is going to be used for what purpose. In particular, when PTACT collects information to be included in the will, it is also collecting information to be used in its role as executor once the individual has passed away.
Recommendation 3.1.5 That PTACT strengthen its IPP 2 notices provided when it is collecting information
from its clients in order to ensure that if information is collected for multiple purposes, that the individual is aware of those specific purposes and any bodies to which it is PTACT’s usual practice to disclose the information to.
3.2 IPP 4 Issues - Storage and security of personal information
IPP 4(a) requires a record keeper who has possession or control of a record that contains personal information to ensure that the record is protected by security safeguards reasonable in the circumstances against loss, unauthorised access, use, modification, disclosure and other misuse.
IPP 4(b) requires that, if it is necessary for the record to be given to a person in connection with the provision of a service to the record keeper, everything reasonably within the record keeper’s power be done to prevent unauthorised use or disclosure of information contained in the record.
Observations 3.2.1 The auditors obverved that the PTACT office is located in a secured building, which
requires staff to use security swipe passes to access the office space.
3.2.2 During the audit, the auditors noted that staff did not keep personal information or files unattended, and made appropriate use of lockable filing cabinets to store active files after hours.
3.2.3 PTACT also advised that it had a safe custody facility and access to the safe and cabinet was restricted. A log of access was also kept and required two staff present in order for the safe custody facility to be accessed.
3.2.4 The auditors noted that while located in a secure section of the building, a work area in the PTACT Office held staff flex and leave absence forms, containing personal information, that were not secured within locked filing cabinets at the close of business. The auditors noted however that most personnel and recruitment information was kept separately in a lockable cabinet.
3.2.5 The auditors noted that PTACT uses a database named TACT as its trust accounting
package. All client information and financials are stored on this product. The auditors noted that security levels in this package can be set for every line item on each menu. Difference staff hold different levels of access depending on position,
8
experience and duties. The auditors noted that access to the TACT database is appropriately protected by an assigned individual password, and that unattended computer screens were protected by the use of an automatic lock-out feature.
3.2.6 The auditors reviewed the general ICT usage policies that applied to ACT government departments and agencies including: • Acceptable Use of ICT Resources Policy version 1.2; • Acceptable Use Policy for VPN/OWA version 1.4; • Access & Use of ICT Guidelines Guide version 1.1; • Access & Use of ICT Resources Policy vervsion 1.1; and • ICT Security Policy version 1.1
3.2.7 PTACT advised that service providers were required to adhere to a Code of Conduct for Service Providers. The auditors noted that under the Code of Conduct, service providers must “protect the dignity, privacy and confidentiality of the Public Trustee’s clients and disclose any limitations on their ability to guarantee full confidentiality”. PTACT also confirmed that the Code of Conduct is in addition to a standard explicit clause within individual contracts specifying that service providers must uphold the ACT Government’s personal information handling practices.
3.2.8 The auditors noted that security bins and shredders were located within the office and
PTACT’s staff destroyed personal information securely.
3.2.9 PTACT advised that records which it no longer needed but which it was required to keep were archived in a secured storage facility in Mitchell, ACT. PTACT confirmed that all records are taken to the storage facility by PTACT employees and no outside agency is involved in the transport or storage of these records. If PTACT is not required to keep the record, PTACT destroys personal information if it is no longer needed.
3.2.10 The auditors noted that some of the finalised records which were to be transported to
the secure storage facility were left unsecured in the Finance/Administration area.
3.2.11 In relation to the security of personal information that is taken outside the office, PTACT advised that staff do sometimes need to make house visits and if it is necessary to carry a file containing personal information, the file is stored in a briefcase and locked in the boot of the car.
3.2.12 The auditors were advised that there was no policy or guideline regarding the steps or processes staff should follow when transporting documents from the office to the storage facility or house visits.
3.2.13 The auditors noted that some PTACT staff advised that when calls are placed to them
they rely on voice recognition rather than taking steps to verify the caller. On the other hand, other PTACT staff advised that it is their personal practice to request identifying details prior to speaking to the client.
9
Privacy issues 3.2.13 In terms of PTACT’s IPP 4 obligations, what constitutes “security safeguards …
reasonable in the circumstances” will depend on a number of factors. These factors include the sensitivity of the information and the level of risk of unauthorised access, use, modification or disclosure, or other misuse of the information.
3.2.14 Physical security and access controls to buildings reduce the risk that ‘external’ individuals may access personal information inappropriately. Securing individual files within the work space in locked cabinets at the close of business minimises the risk of inadvertant use and disclosure from both ‘external’ individuals with access to the office such as cleaners as well as ‘internal’ individuals such as staff who may not require access to the information in the performance of their duties.
3.2.15 Where files containing personal information need to be transferred between the office and the storage facility or house visits, there is a risk that the information will be subject to loss, unauthorised access, use, modification or inadvertent disclosure. The absence of a PTACT policy or guideline for staff to follow to ensure the secure transfer of documents increases the risk that PTACT is not protecting these records by security safeguards reasonable in the circumstances when this information is in transit.
3.2.16 Similarly, unclear or inconsistent ID verification practices across PTACT (in relevant circumstances) may increase the possibility that staff may inadvertantly/improperly disclose personal information to a third party.
Recommendations
3.2.17 That PTACT consider referencing the Act in its Code of Conduct for Service
Providers to ensure that service providers are made aware of their obligations under the Act.
3.2.18 That PTACT considers ensuring that all records containing personal information (including personnel information) are securely stored including when they are stored prior to being transported to an off-site secure storage facility.
3.2.19 That PTACT develops and implements a policy or guideline to assist staff identify the minimum security requirements and processes staff should follow when personal information needs to be physically transferred between the office, the storage facility and house visits. The policy or guideline should set out clearly the minimum security safeguards that PTACT expects all staff to follow when the transfer of physical files, documents or other records containing clients’ personal information (e.g. USB drives, laptops) is required.
3.2.20 That PTACT reviews its business activities to identify relevant, higher-risk transactions where a consistent ID verification process may need to be developed to provide guidance to staff discussing personal information with individuals over the telephone.
10
3.3 IPP 5 – Information relating to records kept by record-keeper
IPP 5.1 requires that, where a record keeper has possession or control of records containing personal information, the record keeper will take reasonable steps in the circumstances to enable any person to ascertain the nature of the information held, the main purposes for which the information is used, and the steps a person should take to obtain access to the record.
IPP 5.3 and 5.4 also requires that, where a record keeper has possession or control of records containing personal information, the record keeper will maintain and make available to the public and the Privacy Commissioner a listing of the personal information it holds. The listing will include the nature and purposes of keeping the record, the classes of individuals about whom records are kept, retention periods and access conditions to the records, and steps that should be taken by persons wishing to access the record. This listing is known as the Department of Justice and Community Safety’s Personal Information Digest (PID).
Observations 3.3.1 The auditors noted that PTACT has a Privacy Policy which is available at
www.publictrustee.act.gov.au and also has an internal Privacy Policy.
3.3.2 In addition, PTACT has a Complaints Policy which provides members of the public with guidance and established procedures for making, receiving, handling and resolving complaints about PTACT.
3.3.3 The auditors noted that PTACT should consider including references to the Office of the Privacy Commissioner in its Complaints Policy and its Privacy Policy to ensure that:
• individuals who have a privacy complaint are directed to this Office where appropriate; and
• PTACT staff are aware of the role of this Office in relation to privacy complaints which remain unresolved by PTACT.
3.3.4 The auditors observed that PTACT’s PID is found at:
www.jcs.act.gov.au/eLibrary/personal_information_digest_2008.html . 3.3.5 The auditors noted that some information contained in the PID does not appear to be
accurate in relation to the information observed by the auditors during the inspection period. In particular, the auditors noted that whilst the PID states that PTACT collects sensitive religious and ethnicity information about individuals for storage in its safe custody facility, PTACT confirmed that it does not store this type of information in safe custody.
3.3.6 The auditors also noted that the PID states that certain classes of information are kept indefinitely whereas PTACT’s Record Disposal Schedule indicates that there are specific time periods for the destruction of these records. In particular, PTACT confirmed that it retains will documents for one hundred years after execution, rather than ‘indefinitely’.
11
Privacy issues 3.3.7 IPP 5 reflects the fact that, in order to be able to exercise their other rights in relation
to the personal information that agencies hold about them, people must be able easily to find out:
• the existence of personal information systems that affect them; • the nature and extent of those systems; • the main purposes and uses of those systems; and • how to gain access to personal information held in them.
3.3.8 There is a risk that, if PTACT’s PID is inaccurate or incomplete, individuals will not
be able to identify accurately the type of information PTACT may hold on them, and how that information is handled. This may mean that PTACT is not meeting its obligations under IPPs 5.3 and 5.4.
Recommendation
3.3.9 That PTACT reviews the PID and ensures that it accurately reflects the personal
information held by PTACT including the nature and purposes of keeping the record, the classes of individuals about whom records are kept, retention periods and access conditions to the records, and steps that should be taken by persons wishing to access the record.
3.4 IPP 6 Issues – Access to records containing personal information IPP 6 provides that, where a record keeper has possession or control of a record that contains
personal information, the individual concerned shall be entitled to have access to that record except where one or more of certain exceptions under Commonwealth law apply.
Observation 3.4.1 There were no specific issues identified in the audit in relation to individuals’ access
to records containing their personal information held by PTACT. 3.5 IPP 7 Issues - Alteration of records containing personal information
IPP 7 requires a record keeper who has possession or control of a record that contains personal information to take such steps that are reasonable in the circumstances to ensure the record is accurate, and, having regard for the purpose for which the information was collected, relevant, up to date, complete and not misleading.
Where, despite an individual’s request, the record keeper is not willing to correct, delete or amend personal information in the record and no decision or recommendation under an applicable Commonwealth law applies, the record keeper shall, following an individual’s request, take reasonable steps to attach to the record any statement provided by that individual of the correction, deletion or addition sought.
12
Observations 3.5.1 PTACT advised that it takes steps to ensure that the records it holds are accurate by
creating file notes and recording actions taken.
3.5.2 In addition, PTACT advised that while it is not common for individuals to seek to alter records held by the PTACT, PTACT does correct personal information in the record if the information can be shown to be incorrect.
3.5.3 PTACT advised that any changes that need to be made to information on its database (including personal information) requires a written request to its Finance team to minimise the risk that information is inappropriately modified.
3.6 IPP 8 Issues - Record-keeper to check accuracy etc of personal information before use
IPP 8 provides that a record keeper who has possession or control of a record that contains personal information shall not use that information without taking steps that are reasonable in the circumstances to ensure that, having regard for the purpose for which the information is proposed to be used, the information is accurate, up to date, and complete.
Observation 3.6.1 There were no specific issues identified in the audit in relation to how PTACT checks
the accuracy of the personal information before making use of the information.
3.7 IPP 9 – Personal information to be used only for relevant purposes IPP 9 provides that a record keeper who has possession or control of a record that contains personal information shall not use that information except for a relevant purpose.
Observation
3.7.1 There were no specific issues identified in the audit in relation to personal information being used by PTACT for an irrelevant purpose.
3.8 IPPs 10-11 – Limits on use and disclosure of personal information IPP 10.1 provides that a record keeper who has possession or control of a record that contains personal information that was obtained for a particular purpose shall not use the information for any other purpose unless one or more of certain exceptions apply.
IPP 10.2 provides that, where personal information is used under IPP 10.1(d) the record keeper shall include in the record containing that information a note of the use.
13
IPP 11 provides that a record keeper who has possession or control of a record that contains personal information shall not disclose the information to a person, body or agency (other than the individual concerned) unless one or more of certain exceptions apply.
IPP 11.2 provides that, where personal information is disclosed under IPP 11.1(e) the record keeper shall include in the record containing that information a note of the disclosure.
Observations 3.7.2 There were no specific issues identified in the audit in relation to personal
information being used or disclosed by PTACT in circumstances not consistent with either IPP 10 or IPP 11.
3.8.2 The auditors noted that PTACT usually discloses information to the following:
• Individuals to whom the records relate; • Legal representatives of individuals and beneficiaries; • Other Commonwealth or ACT Government agencies; and • Courts.
3.8.3 The auditors noted that PTACT’s approach to the disclosure of personal information
had a strong privacy focus. For example, PTACT uses certificates of administration as evidence where it is appointed as a trustee by the court. This ensures that the court order is not used when PTACT is required to provide proof of its role. This reduces the risk that unnecessary personal information contained in the court order is disclosed.
3.8.4 The auditors also noted that PTACT requires a court order or a request in writing if individuals or organisations are seeking information about a client of PTACT.
3.8.5 The auditors note that this practice strongly reduces the possibility that PTACT would disclose information improperly under the Act.
14
3.9 Other Privacy Issues Privacy Training Observations 3.9.1 PTACT advised that new starters to PTACT attend the Department of Justice and
Community Safety’s induction program which consists of ACTPS E-Induction, JACS Induction, and Business Unit/Work Area Induction.
3.9.2 The ACTPS E-Induction is an on-line course which provides new starters with essential information about working effectively as an ACT Public Servant and the conditions of service. Topics in the course include Code of Ethics, Freedom of Information, Privacy Act and Record Keeping.
3.9.3 In addition, PTACT’s staff receive on the job training about their privacy obligations and they attend in-house training.
3.9.4 As part of the on the job training, staff are advised of their obligations under the Code of Conduct and Ethics which details the legislative requirements and internal policies which impact staff. The auditors noted that there is reference to the Act as one of the main pieces of legislation which impacts on staff.
3.9.5 PTACT advised that the last in-house staff training on privacy issues was provided by the ACT Government Solicitor’s Office in September 2006.
Privacy issues 3.9.6 There is a risk that, where PTACT's staff are provided limited privacy training by an
external agency and limited internal training in the requirements of the Act, PTACT’s staff will not be familiar with the requirements of the Act.
3.9.7 Whilst this raises the risk of non-compliance with all privacy principles, the auditors
are of the opinion that in practice this would most likely manifest itself in a failure by PTACT’s staff to meet the requirements of IPP 4 to ensure reasonable security safeguards in the circumstances to protect the personal information held against loss, unauthorised access, use, modification, disclosure or other misuse.
Recommendations 3.9.8 That PTACT provides regular and on-going privacy training for all staff around
meeting their obligations in the handling of personal information under the IPPs.
15
4. SUMMARY OF RECOMMENDATIONS 4.1 That PTACT strengthen its IPP 2 notices provided when it is collecting information
from its clients in order to ensure that if information is collected for multiple purposes, that the individual is aware of those specific purposes and any bodies to which it is PTACT’s usual practice to disclose the information to. Auditee Response
The auditee accepted this recommendation and made the following comments: PTACT agrees in general with the auditors’ comments and has prepared a document titled “Our Privacy Commitment” to be provided to all clients attending the office to provide information. A version of the notice will also be made available at the PTACT Reception. PTACT had a Privacy Policy in place at the time of the audit, a copy of which was provided to the auditors.
4.2 That PTACT consider referencing the Act in its Code of Conduct for Service Providers to ensure that service providers are made aware of their obligations under the Act. Auditee Response
The auditee accepted this recommendation and made the following comments: PTACT has amended its Code of Conduct for Service Providers to its clients to include a reference to the Act.
4.3 That PTACT considers ensuring that all records containing personal information (including personnel information) are securely stored including when they are stored prior to being transported to an off-site secure storage facility. Auditee Response
The auditee accepted this recommendation and made the following comments: During fit-out, PTACT provided and built a lockable storage facility in the Finance/Administration area of the office specifically for the storage of material prior to transport to archive. PTACT will ensure that it is used in future.
16
4.4 That PTACT develops and implements a policy or guideline to assist staff identify the minimum security requirements and processes staff should follow when personal information needs to be physically transferred between the office, the storage facility and house visits. The policy or guideline should set out clearly the minimum security safeguards that PTACT expects all staff to follow when the transfer of physical files, documents or other records containing student personal information (e.g. USB drives, laptops) is required. Auditee Response
The auditee accepted this recommendation and made the following comments: PTACT has included a paragraph in its Privacy Policy to establish minimum required standards or care when transporting material containing personal information.
4.5 That PTACT reviews its business activities to identify relevant, higher-risk transactions where a consistent ID verification process may need to be developed to provide guidance to staff discussing personal information with individuals over the telephone. Auditee Response
The auditee accepted in part this recommendation and made the following comments: PTACT is required under the “know your client” provisions in the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) to establish the identity of clients from the outset. In addition to this, there is a genuine attempt on the part of PTACT staff in ongoing matters to ensure that the clients are who they say they are prior to discussing high risk (e.g. Power of Attorney and Estate) matters with them. It must also be noted that PTACT cannot have a consistent blanket policy in this regard as some five hundred of its clients (financial management and trust) suffer from a decision-making disability which may render an identification process either unwieldy or ineffective. Formal identification is also a fundamental part of the process of identifying claimants for unclaimed money. In any event, the PTACT Privacy Policy has been amended to reflect this. This will be reinforced in future training.
17
4.6 That PTACT reviews its PID and ensures that it accurately reflects the personal information held by PTACT including the nature and purposes of keeping the record, the classes of individuals about whom records are kept, retention periods and access conditions to the records, and steps that should be taken by persons wishing to access the record. Auditee Response
The auditee accepted this recommendation and made the following comments: PTACT has amended its PID as recommended.
4.7 That PTACT provides regular and on-going privacy training for all staff around meeting their obligations in the handling of personal information under the IPPs. Auditee Response
The auditee accepted this recommendation and made the following comments: PTACT will identify sources of privacy training and seek to provide annual privacy training to all staff in the IPPs in accordance with its Privacy Policy.
18
APPENDIX A
Information Privacy Principles under the Privacy Act 1988 Principle 1 - Manner and purpose of collection of personal information 1. Personal information shall not be collected by a collector for inclusion in a record or in a generally available publication unless: (a) the information is collected for a purpose that is a lawful purpose directly related to a function or activity of the collector; and (b) the collection of the information is necessary for or directly related to that purpose. 2. Personal information shall not be collected by a collector by unlawful or unfair means. Principle 2 - Solicitation of personal information from individual concerned Where: (a) a collector collects personal information for inclusion in a record or in a generally available publication; and (b) the information is solicited by the collector from the individual concerned; the collector shall take such steps (if any) as are, in the circumstances, reasonable to ensure that, before the information is collected or, if that is not practicable, as soon as practicable after the information is collected, the individual concerned is generally aware of: (c) the purpose for which the information is being collected; (d) if the collection of the information is authorised or required by or under law - the fact that the collection of the information is so authorised or required; and (e) any person to whom, or any body or agency to which, it is the collector's usual practice to disclose personal information of the kind so collected, and (if known by the collector) any person to whom, or any body or agency to which, it is the usual practice of that first mentioned person, body or agency to pass on that information. Principle 3 - Solicitation of personal information generally Where: (a) a collector collects personal information for inclusion in a record or in a generally available publication; and (b) the information is solicited by the collector: the collector shall take such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is collected: (c) the information collected is relevant to that purpose and is up to date and complete; and (d) the collection of the information does not intrude to an unreasonable extent upon the personal affairs of the individual concerned.
19
Principle 4 - Storage and security of personal information A record-keeper who has possession or control of a record that contains personal information shall ensure: (a) that the record is protected, by such security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure, and against other misuse; and (b) that if it is necessary for the record to be given to a person in connection with the provision of a service to the record-keeper, everything reasonably within the power of the record-keeper is done to prevent unauthorised use or disclosure of information contained in the record. Principle 5 - Information relating to records kept by record-keeper 1. A record-keeper who has possession or control of records that contain personal information shall, subject to clause 2 of this Principle, take such steps as are, in the circumstances, reasonable to enable any person to ascertain: (a) whether the record-keeper has possession or control of any records that contain personal information; and (b) if the record-keeper has possession or control of a record that contains such information:
(i) the nature of that information; (ii) the main purposes for which that information is used; and (iii) the steps that the person should take if the person wishes to obtain access to the record.
2. A record-keeper is not required under clause 1 of this Principle to give a person information if the record-keeper is required or authorised to refuse to give that information to the person under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents. 3. A record-keeper shall maintain a record setting out: (a) the nature of the records of personal information kept by or on behalf of the record-keeper; (b) the purpose for which each type of record is kept; (c) the classes of individuals about whom records are kept; (d) the period for which each type of record is kept; (e) the persons who are entitled to have access to personal information contained in the records and the conditions under which they are entitled to have that access; and (f) the steps that should be taken by persons wishing to obtain access to that information. 4. A record-keeper shall: (a) make the record maintained under clause 3 of this Principle available for inspection by members of the public; and (b) give the Commissioner, in the month of June in each year, a copy of the record so maintained.
20
Principle 6 - Access to records containing personal information Where a record-keeper has possession or control of a record that contains personal information, the individual concerned shall be entitled to have access to that record, except to the extent that the record-keeper is required or authorised to refuse to provide the individual with access to that record under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents. Principle 7 - Alteration of records containing personal information 1. A record-keeper who has possession or control of a record that contains personal information shall take such steps (if any), by way of making appropriate corrections, deletions and additions as are, in the circumstances, reasonable to ensure that the record: (a) is accurate; and (b) is, having regard to the purpose for which the information was collected or is to be used and to any purpose that is directly related to that purpose, relevant, up to date, complete and not misleading. 2. The obligation imposed on a record-keeper by clause 1 is subject to any applicable limitation in a law of the Commonwealth that provides a right to require the correction or amendment of documents. 3. Where: (a) the record-keeper of a record containing personal information is not willing to amend that record, by making a correction, deletion or addition, in accordance with a request by the individual concerned; and (b) no decision or recommendation to the effect that the record should be amended wholly or partly in accordance with that request has been made under the applicable provisions of a law of the Commonwealth; the record-keeper shall, if so requested by the individual concerned, take such steps (if any) as are reasonable in the circumstances to attach to the record any statement provided by that individual of the correction, deletion or addition sought. Principle 8 - Record-keeper to check accuracy etc of information before use A record-keeper who has possession or control of a record that contains personal information shall not use that information without taking such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, up to date and complete. Principle 9 - Personal information to be used only for relevant purposes A record-keeper who has possession or control of a record that contains personal information shall not use the information except for a purpose to which the information is relevant. Principle 10 - Limits on use of personal information 1. A record-keeper who has possession or control of a record that contains personal information that was obtained for a particular purpose shall not use the information for any other purpose unless: (a) the individual concerned has consented to use of the information for that other purpose; (b) the record-keeper believes on reasonable grounds that use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person;
21
(c) use of the information for that other purpose is required or authorised by or under law; (d) use of the information for that other purpose is reasonably necessary for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue; or (e) the purpose for which the information is used is directly related to the purpose for which the information was obtained. 2. Where personal information is used for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue, the record-keeper shall include in the record containing that information a note of that use. Principle 11 - Limits on disclosure of personal information 1. A record-keeper who has possession or control of a record that contains personal information shall not disclose the information to a person, body or agency (other than the individual concerned) unless: (a) the individual concerned is reasonably likely to have been aware, or made aware under Principle 2, that information of that kind is usually passed to that person, body or agency; (b) the individual concerned has consented to the disclosure; (c) the record-keeper believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or of another person; (d) the disclosure is required or authorised by or under law; or (e) the disclosure is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue. 2. Where personal information is disclosed for the purposes of enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the purpose of the protection of the public revenue, the record-keeper shall include in the record containing that information a note of the disclosure. 3. A person, body or agency to whom personal information is disclosed under clause 1 of this Principle shall not use or disclose the information for a purpose other than the purpose for which the information was given to the person, body or agency.