Scenario Answers
Accessing Personal Information
Under Information Protection Principle (IPP 6) of the Privacy and Personal Information Protection Act 1998 Jennifer should be given access to her employee file. Jennifer may be asked by Human Resource Services Staff to make an appointment to view her employee file thus enabling Human Resource Services to remove or cover any documents on the file which may breach the privacy of other individuals. The Act exempts documents containing information or an opinion about an individual’s suitability for appointment or employment. The Privacy Commissioner has stated that the information must contain within it language which indicates to an objective observer that the information canvasses the aptitude and competence of the employee with respect to their current or prospective employment. An example of documents which may be removed prior to Jennifer viewing her employee file could include referee reports or information relating to promotion or disciplinary matters.
IPP 6 states that the University will take reasonable steps to enable any person to find out:
1) Whether the University holds any personal information about them;
2) The nature of the information;
3) The main purposes for which the information is used and stored;
4) How the person may gain access to the information.
IPP 7 requires the University where it holds personal information on an individual to provide that person with access to the information without excessive delay or expense.
Accuracy of Personal Information
IPP 9 requires the University to check the accuracy of personal information before use. The fact that the letter contained sensitive information adds to the seriousness of the breach. If the letter is opened by the owners of number 9 Dixon Street, then the University are in breach of IPP 11, which states that the University will not disclose personal information to a person (other than the person to whom the information relates). Since the letter contained sensitive information, IPP 12 has been breached. IPP 12 places special restrictions on disclosure of personal information relating to a person’s ethnic or racial origin, political opinions, religious or philosophical beliefs, health or sexual activities unless exempt.
Collecting Personal Information
Yes, the Faculty is in breach of the Privacy and Personal Information Act 1998. Under this act the collection of personal information is covered by Information Protection Principles (IPPs) 1, 2, 3 and 4.
IPP 1 of the PPIP Act requires that personal information is collected for a lawful purpose which is directly related to a function or activity of the University and reasonably necessary for that purpose. In this scenario the Faculty form may result in individuals unfairly providing unnecessary information because they mistakenly believed they were required to do so by law.
IPP 3 requires the X Faculty to clearly indicate on the form why the information is being collected, which information must be provided by law, which information is required but not compelled by law and which information is optional and the consequences for the individual if they do not supply the information. The form should also detail to whom the Faculty usually discloses this kind of information, where the information will be held and how applicants can access and correct information provided.
The Faculty should consider whether there is a need to collect information on marital status and age. IPP 4 requires individuals who are collecting personal information from a person to take reasonable steps to ensure that the information collected is relevant to the purpose for which it is collected, is not excessive and is accurate, up-to-date and complete; and that collection of the information does not intrude to an unreasonable extent on the personal affairs of the person to whom the information relates. The Faculty should carefully consider the relevancy and necessity of the information sought. Given that the Faculty are collecting information they may use in the future when applicants’ circumstances have changed, there is a risk the Faculty may use information which is no longer accurate, up-to-date and complete.
Considering Privacy at the Planning Stage
Considering privacy from the outset of the project will prevent a need for the tool to be redesigned late in the development stage. Taking a proactive approach to privacy can save the University time and money through avoiding:
1) legal action;
2) inquiries and complaints from customers;
3) investigation by the Privacy Commissioner;
4) inefficiencies resulting from poor information management practices and the retention of inaccurate, incomplete or outdated information;
5) negative publicity/public concern, loss of credibility;
6) damage control following privacy breach;
7) a need for systems to be redesigned late in the development stage at considerable expense.
Disclosing Personal Information to External Agents
In this scenario it is possible that the employee may have asked the rental agency to confirm these details with HR; however, John has no way of knowing this, and should refuse to provide the personal information to the Rental Agency until he receives written consent from the employee specifying what personal information can be released to the agency. John should take care not to include additional information that was not requested. Where the University intends to disclose personal information to another person or agency, it will notify the person concerned at the time of collection that the information will be disclosed and to whom. IPP 11 of the Privacy and Personal Information Act, 1998, sets out when personal information can be disclosed to a person other than the person to whom the information relates. Under IPP 11, personal information can only be disclosed to another person or agency if:
1) the disclosure is directly related to the purpose for which the information was collected and the University has no reason to believe that the person concerned would object to the disclosure;
2) the person concerned is reasonably likely to have been aware, or has been made aware, that the information is usually disclosed to that other person or body;
3) the University believes on reasonable grounds that disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the person concerned or another person;
4) where an exemption applies or the person expressly consents to the disclosure.
Where requests are received from agencies such as Centrelink which state there is a legal requirement on the University to meet their request, the staff member should not provide such information over the telephone and should ask that the request and applicable legislative clause be put in writing before supplying the information requested.
IPP 9 (Privacy and Personal Information Act, 1998 and the Health Records and Information Act, 2002) places an obligation on agencies to take ‘reasonable steps’ to ensure that all personal and health information used by them is relevant and accurate. John should check with the staff member that the information he provides to the Real Estate Agency is accurate, up to date and complete.
Disclosure of Health Information
Under the Health Records and Information Privacy Act 2002 and the Privacy and Personal Information Act 1998, the individual should be made aware when health or personal information is being collected about them and for what purposes this information will be used. The student should give their express consent for the information to be disclosed. If the student declines for their information to be shared with other officers then no further action should be taken unless there are reasonable grounds to believe that disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person. In this situation, disclosure should be kept to the minimum number of officers possible.
Disclosure of Students’ Email Addresses
IPP 10 (PPIP Act) relates to use of personal information and requires that the University will only use the personal information it holds for the purpose for which it was collected unless:
1) the person concerned consents to its use for another purpose; or
2) the other purpose is directly related to the purpose for which the information was collected; or
3) the use of the information for the other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the person to whom the information relates or to another person.
Therefore, Ahmed needs to consider the following factors before deciding whether students' email addresses should be broadcast in this manner and whether he should take certain precautions before doing so. If students were made aware that as part of their studies for this course or participation in a project they would be sharing information via an online platform, it may be possible that students have given implied consent to the circulation of their email address to classmates. However, this will depend on the level of information provided to students about the use of electronic mail as a means of communicating and sharing information prior to the course or project being undertaken.
Therefore, Ahmed should check whether, when students enrolled, they were informed that their email addresses would be distributed to other students to facilitate interaction. If this has occurred, it may be possible that students have given implied consent. If this has not occurred and in order to prevent any misunderstanding, Ahmed could ask students enrolling in the course to sign their consent to distributing their email addresses for the purpose identified. IPP 3 (PPIP Act) requires the University when collecting personal information to tell the individual:
1) who is collecting the information;
2) that information is being collected;
3) what the information will be used for;
4) who are the intended recipients of the information;
5) whether the collection is required by law or is voluntary;
6) what the main consequences, if any, are for the person if they do not provide the information;
7) how the person can get access to and correct the information.
In Ahmed’s case therefore he could explain that he is collecting email addresses in order to distribute them to fellow students and facilitate interaction during the course. He could inform them what will happen to their information at the end of the course (e.g. will it be stored or destroyed). If applicable he could tell them that it is not a requirement of the course to have their email address distributed and that they have the option of withholding their email address. He could ask the students to contact him during the year if their details change and need to be updated thus ensuring compliance with IPPs 6, 7 and 8 (PPIP Act). IPP 6 requires the University to take reasonable steps to enable any person to find out:
1) whether the University holds any personal information about them;
2) the nature of the information;
3) the main purposes for which the information is used and stored;
4) how the person may gain access to the information.
IPP7 states that individuals have a right to seek access to their personal information without unreasonable delay or expense and IPP8 states that individuals have a right to update, correct, or add personal information to ensure that it is accurate, relevant, up-to-date, complete and not misleading.
Ahmed could also tell students that in order to protect their privacy it is requested they not pass on each other’s email addresses to persons not participating in the course unless that student has consented to the disclosure of their personal information.
Inappropriate use of Information gained as an employee of the University
Matt gained knowledge of the incident at Edwards Hall in the course of his employment.
Information Protection Principle (IPP) 10 and IPP 11 state that personal information will not be used or disclosed for any purpose other than that for which it was collected unless:
1) the person concerned consents to its use or disclosure for another purpose; or
2) the other purpose is directly related to the purpose for which the information was collected; or
3) the University believes on reasonable grounds that use or disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the person concerned or another person;
4) where an exemption applies or the person expressly consents to the disclosure.
While Matt is both a student and staff member, as an employee of the University, he has a duty to ensure that information gained in the course of his employment is not used or disclosed inappropriately.
Inappropriate use of University records
IPPs 5, 10 and 11 have been breached by Mr Jones. Mr Jones has used personal information that was collected for a particular purpose (University administration) to obtain Ms Smith’s email address and personal details. IPP 5 requires the University to protect all personal information against unauthorised access or disclosure. IPP10 and IPP11 prohibit the University from using or disclosing the personal information it holds for any purpose other than that for which it was collected. If Mr Jones had disclosed sensitive information regarding Ms Smith’s attendance at counselling this would constitute a breach of IPP12 which places special restrictions on disclosure of personal information relating to a person’s ethnic or racial origin, political opinions, religious or philosophical beliefs, health or sexual activities unless an exemption applies.
Protecting Individuals’ Privacy
By divulging information such as the reason for the call (i.e. that the student is appealing against an allegation of misconduct) and specific information about the nature of the allegation, Tom has breached IPP11 of the Privacy and Personal Information Act, 1998. Christine may not know that her son is the subject of a misconduct allegation, even though she professes to know all about his appeal. Under IPP 11, personal information can only be disclosed to another person or agency if:
1) the disclosure is directly related to the purpose for which the information was collected and the University has no reason to believe that the person concerned would object to the disclosure;
2) the person concerned is reasonably likely to have been aware, or has been made aware, that the information is usually disclosed to that other person or body;
3) the University believes on reasonable grounds that disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the person concerned or another person;
4) where an exemption applies or the person expressly consents to the disclosure.
Where the University intends to disclose personal information to another person or agency, it will notify the person concerned at the time of collection that the information will be disclosed and to whom. A better approach would be for Tom to provide his name and his contact details and ask that the student ring him as soon as possible. Tom shouldn’t provide further personal information to a third party (this includes family members who may state they have a right to know about the matter) unless he has the consent of the individual or the disclosure falls within the exemptions to IPP11.
Securing and Disclosing of Personal Information
In this instance, IPP 5 relating to security (Privacy and Personal Information Act, 1998 and the Health Records and Information Act, 2002) and IPPs 11 and 12 relating to disclosure (Privacy and Personal Information Act, 1998) have been breached.
IPP 5 relates to the retention and security of personal and health information and requires that information is kept for no longer than required, is stored and disposed of securely and is protected against loss, unauthorised access, use, modification or disclosure. In leaving sensitive documents unattended on the copier, Kelly has breached IPP 5 through enabling others to view the documents without authority. Care should be taken to secure all personal information held, including information held in files, computer data, USB drives, etc.
This can be done through:
1) locking filing cabinets and unattended rooms;
2) restricting access to certain areas;
3) positioning computer terminals so they cannot be seen by unauthorised personnel;
4) questioning unaccompanied or unrecognised visitors;
5) effectively disposing of paper records;
6) securing information if it must be taken out of the office.
IPP 11 and 12 relate to the disclosure of personal information. IPP 11 requires that the University will not disclose personal information unless the disclosure is directly related to the purpose for which the information was collected. IPP 12 places special restrictions on disclosure of personal information relating to a person’s ethnic or racial origin, political opinions, religious or philosophical beliefs, health or sexual activities unless the disclosure is necessary to prevent a serious or imminent threat to the life or health of the person concerned or another person. When Kelly’s colleague reads the student’s documents which contain the student’s personal health information, both IPPs 11 and 12 have been breached. There is a further risk of breach if Kelly’s colleague discloses this information outside the University. Personal information can only be disclosed to another person or agency where an exemption applies or where the individual expressly consents to disclosure of their personal information. In this scenario it is likely that the student would be very concerned to find their personal information was at risk of disclosure outside the University.
The Interview Process
Yes, Information Protection Principle (IPP) 1 of the Privacy and Personal Information Protection Act 1998 states that information should be collected directly from the person themselves where practicable and IPP 4 states that reasonable steps should be taken to ensure collection of information is not excessive and does not intrude to an unreasonable extent on the personal affairs of the person to whom the information relates. In this scenario, the manager should contact the applicant to clarify their written application if required. If it was necessary to gather information from other sources, the applicant should be allowed to nominate a suitable person for the manager to contact. Issues regarding IPP11 (Limits on Disclosure of personal information) are also raised in this scenario. Through contacting a colleague the manager is disclosing to that colleague that the applicant has applied for the vacant position. Such a disclosure would generally be contrary to IPP11.
University Contacts
Yes, Jo should ensure that when students’ personal information is collected, the students are informed that their information may be released to an external agency. The students could be referred to the external agency’s privacy policies. The following clause could be included on the collection form:
In some circumstances the University may provide the information to (insert) who will use this information for (name purpose). Please indicate your consent to this usage of your personal information (tick box). (Insert Name) privacy policy can be viewed at: (Insert web address). It is recommended that you read their privacy statement before agreeing to release of your personal information to agencies external to the University of Newcastle. The University does not accept responsibility for inappropriate use, collection, storage or disclosure of your personal information once released to agencies external to the University.
Use of Photographs
Photographs of people will be considered personal information under privacy legislation if the person’s identity is apparent or can reasonably be ascertained from the photograph. The Faculty need to ensure that appropriate procedures are in place when taking the photographs (i.e. collecting information) and publishing or sharing the photographs (use and disclosure of personal information).
If conference speakers and attendees are fully aware of the purpose of the photographs at the point that the photographs are taken, and show no objection, it is likely they will be found to have given implied consent to their photograph being taken. The faculty could then publish or use the photographs as long as their publication is related to the primary purpose of collecting the information and the conference speakers and attendees would reasonably expect their photographs to be used or disclosed in that manner. Best practice however would provide an opportunity for speakers and conference attendees to provide written “opt in” consent to their photographs being taken. This will ensure that speakers and conference attendees are clearly informed that photographs are to be taken, how the photographs will be used and stored, and whom speakers and attendees should contact if they do not wish for their photograph to be taken or used for the purposes outlined. An opt-in clause could be included as part of the registration process and in documentation sent to conference speakers.
Use of Video and Online Contributions for Teaching & Training purposes
Privacy legislation places limits on how the University can use and disclose personal and health information collected. The PPIP Act defines personal information as information or opinion, whether or not recorded in a material form about a person whose identity is apparent or can reasonably be ascertained from the information or opinion. In the above scenario the video images and online discussion collected by the Academic would constitute personal information of the students if students can be identified either directly or constructively from the information provided. IPP10 and IPP 11 (PPIP Act) state that personal information will not be used or disclosed for any purpose other than that for which it was collected unless:
1) the person concerned consents to its use or disclosure for another purpose; or
2) the other purpose is directly related to the purpose for which the information was collected; or
3) the University believes on reasonable grounds that use or disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the person concerned or another person;
4) where an exemption applies or the person expressly consents to the disclosure.
Mary should therefore consider whether the use and disclosure of the students’ personal information is directly related to the purpose for which the information was originally collected or if the students concerned would reasonably expect their information to be used in that manner. If this is not the case, Mary should ask the students to sign their consent for their images or contributions to be included as part of the presentation, inform them who will view this information and of any future uses of the information. The students should also be informed as to how they can have their images or information removed at a later date.
Alternatively, Mary could present the information in a manner that ensures the identity of individual students cannot be ascertained, taking care regarding individuals’ clothes, uniforms, unusual haircuts or contextual information that may enable individuals to be constructively identified.