Information Management Plan Map highlighting the Privacy Protection stage of the process.

An Information Management Plan and information management policies and procedures should clearly reflect how personal information will be collected, managed, used and disclosed by your agency.

Relationship to the Information Management Standard

Personal information must only be collected, used, disclosed, stored and disposed of by your agency in accordance with privacy principles (Behaviour 5.6 of the Standard).

Your agency’s Information Management Plan, policies and procedures should clearly reflect how personal information will be collected and managed by your agency.

Information privacy protection

Information privacy refers to how an individual’s personal information (for example name, address, date of birth, health information etc.) is handled.

Your agency must ensure that personal information is stored, accessed and used in accordance with established general privacy principles (Behaviour 5.6) such as:

  • being transparent - informing individuals why the personal information is being collected (including whether the collection is authorised or required by law) and how it will be used and disclosed, for example only for the purpose it was collected for, unless certain conditions are met (for example it is required for law enforcement purposes or authorised under law)
  • data minimisation - only information that is required for the stated purpose will be collected
  • security - making sure appropriate security measures are in place so that personal information is securely stored and managed according to the information’s sensitivity
  • accessibility - informing individuals how their personal information can be accessed
  • correction - informing individuals how their personal information can be corrected if they believe it is incorrect, incomplete, out-of-date or misleading.

While the overarching policy varies for different sectors, most jurisdictions apply similar principles.

State government agencies must comply with the Information Privacy Principles Instruction (IPPI), which regulates the way they manage, collect, use, disclose and store personal information. It also regulates the practices of contracted service providers operating under agreement with a state government agency.

Agencies not bound by the IPPI should have their own privacy policy that describes the way they manage personal information.

All agencies must ensure they dispose of personal information in accordance with a current disposal schedule.

Assessing privacy requirements

Where a project is planned or a decision is made to go ahead with an initiative that involves the collection, use, disclosure or storage of personal information, a Privacy Impact Assessment (PIA) should be undertaken.

A PIA is a systematic assessment that identifies the relevant privacy considerations, the risks an initiative or project might pose to the privacy of individuals, and how those risks will be managed or eliminated. Importantly, a PIA should be undertaken in the initial stages of development of a project to have the best opportunity to mitigate privacy risks.

The purpose of completing a PIA is to identify and manage possible privacy risks or impacts and to understand how personal information flows in a particular project or initiative. Use of a PIA may be embedded in your agency’s policy.

Privacy and Third Party Providers

If your agency contracts a third party provider to handle information assets that contain personal or sensitive information on its behalf, the contract must include obligations on the third party provider to ensure the personal information is managed in line with your agency’s relevant privacy principles.

Model terms and conditions have been developed by the Crown Solicitor’s Office to assist agencies to meet their privacy obligations.

Legal advice is recommended where information assets will be stored and / or managed outside of Australia to ensure your agency continues to meet its legal and compliance obligations under the State Records Act 1997 and relevant privacy principles.

The Commonwealth Privacy Act 1988 does not apply to a third party provider in respect of any work it performs under contract to a State or Territory Government agency. It only applies to Commonwealth Government agencies and the private sector.

Many organisations already have practices in place to comply with privacy requirements and should therefore be able to adapt them to adhere to local privacy principles.

Personal information privacy breaches

A privacy breach occurs when personal information that is not already publicly available is lost or subjected to unauthorised access, use, modification, disclosure or misuse.

A breach may have happened because of accidental loss, internal errors, deliberate actions, theft of hardcopy information assets or the theft or misuse of electronic information assets.

Where a personal information privacy breach occurs your agency must:

  • take immediate action or actions to contain the breach
  • identify any risks associated with the breach and mitigate where possible
  • report the breach to the relevant authority (where applicable)
  • notify relevant affected parties
  • implement remedial action to address the current breach as well as prevent further breaches occurring.

Staff should be advised of the process to be followed in the event of an information breach, including potential investigation and disciplinary actions.

As soon as possible after a breach has occurred, State government agencies must notify:

More information on the Privacy Committee of South Australia.

Privacy requirements and proactive release of information

There are various schemes under which information can be accessed. In all cases your agency needs to know what privacy requirements apply when releasing information under these schemes.

For example, when releasing information under the Information Sharing Guidelines, consent must be sought from the person to whom the information relates, unless doing so would result in harm to their or others’ safety and wellbeing.

Further privacy requirements include ensuring that the personal information (in any format) is stored securely and, when it must be shared, is shared in a secure way.

Page last updated: 21 April 2023