Privacy Kit
An aid to handling personal information in compliance with the Privacy Amendment (Private Sector) Act 2000
Prepared for the synod, presbyteries, congregations and agencies of the Uniting Church in Australia (Victorian and Tasmanian Synods)
The Uniting Church in Australia (Vic)
130 Little Collins Street
Melbourne 3000
Ph: 9251 5200
CONTENTS
1 PRIVACY KIT
1.1 Purpose
1.2 Use
1.3 Format
1.4 Terms and Definitions
1.5 Privacy Commissioner - acknowledgment
1.6 Cost
2 PRIVACY ACT – AN OVERVIEW
2.1 What is the purpose of the Act?
2.2 Who will be affected by the Privacy Act?
2.3 What are the essential components of the Privacy Act?
2.4 What are the National Privacy Principles (NPPs)?
2.5 When does the Act come into effect?
2.6 How will my congregation be affected?
2.7 How can I help my congregation with this process?
3 What steps must we take to comply with the legislation?
3.1 Purpose of Section 3
3.2 How do we know if we are compliant?
3.3 Steps to compliance
3.4 Who can help me with queries on privacy?
3.5 Can I access further privacy information on the Web?
4 Privacy Act – Compliance Checklist
4.1 How to use this checklist
4.2 Checklist
NPP 1: Collection
NPP 2: Use and disclosure
NPP 3: Data quality
NPP 4: Data security
NPP 5: Openness
NPP 6: Access and correction
NPP 7: Identifiers
NPP 8: Anonymity
NPP 9: International transactions
NPP 10: Sensitive information
5 PRIVACY ACT – TERMS AND DEFINITIONS
5.1 Personal Information - definition
5.2 Sensitive Information
5.2.1 Definition
5.2.2 Sensitive information - collection
6 Exemptions
6.1 Introduction
6.2 Health Care
6.3 Employee records
6.4 Contractors
7 Sample Privacy Policy Statement
8 Sample Website Privacy Statement
8.1 Information collected
8.2 Access to information collected
8.3 Use of information collected
8.4 Cookies
8.5 Contact this Office
9 Collection pre / post 21 Dec 2001 – which NPPs apply?
9.1 Introduction
9.2 Brief summary of which NPPs apply when
9.2.1 Applies to information collected after commencement or delayed application period
9.2.2 Applies to information regardless of when it was collected
10 National Privacy Principles (in full)
1. Collection
2. Use and disclosure
3. Data quality
4. Data security
5. Openness
6. Access and correction
7. Identifiers
8. Anonymity
9. Transborder data flows
10. Sensitive information
1 PRIVACY KIT
1.1 Purpose
The purpose of this kit is to assist Uniting Church in Australia (UCA) congregations and employees to ensure that their procedures and policies on collecting, storing, using and disclosing personal information comply with the Privacy Amendment (Private Sector) Act 2000 (referred to in this document as “the Privacy Act”).
It is not within the scope of this document to cover every implication of the new privacy legislation. Our aim is to provide guidelines which, in some cases, may need to be augmented by expert advice. Our guidelines cannot replace a full examination of the Privacy Act and the information provided by the Privacy Commissioner (see 3.4 and 3.5).
1.2 Use
This kit is freely available for use by Uniting Church congregations and employees but is not for the use of any other organisation or individual.
1.3 Format
In line with the purpose of this kit, every effort has been made to present key information in a user-friendly format.
Throughout the document we have included an “alert” symbol ( ALERT! ) to draw your attention to areas which potentially have a high degree of risk.
1.4 Terms and Definitions
There are a number of terms and definitions which are used throughout this document and which are important in understanding the Privacy Act. These are provided for your reference on page 10.
1.5 Privacy Commissioner - acknowledgment
The Uniting Church in Australia (Synod of Victoria) acknowledges that some of the material presented in this kit has been obtained from the Office of the Federal Privacy Commissioner and that the National Privacy Principles are printed from the Privacy Act 1988.
“All legislative material herein is reproduced by permission but does not purport to be the official or authorised version. It is subject to Commonwealth of Australia copyright. The Copyright Act 1968 permits certain reproduction and publication of Commonwealth legislation. In particular, s.182A of the Act enables a complete copy to be made by or on behalf of a particular person. For reproduction or publication beyond that permitted by the Act, permission should be sought in writing. Requests should be addressed to the Manager, Copyright Services, Info Access, Department of Finance and Administration, GPO Box 1920, Canberra City ACT 2601, or e-mailed to .”
1.6 Cost
One kit has been provided for each congregation free of charge. There are four options for obtaining further kits:
a) photocopy this kit to share with other Uniting Church congregations/employees; OR
b) order a kit from the Synod office: send a cheque for $10.00 in favour of the Uniting Church in Australia Property Trust (Vic) and enclose return mailing details (the $10.00 covers photocopying and postage); OR
c) e-mail and request a copy by return e-mail (no charge); OR
d) visit the UCA (Vic) website on to download the privacy kit.
2 PRIVACY ACT – AN OVERVIEW
2.1 What is the purpose of the Act?
The Privacy Amendment (Private Sector) Act regulates the way the private sector can collect, use, keep secure and disclose personal information.
It gives individuals the right to know what information an organisation holds about them and a right to correct that information if it is wrong.
2.2 Who will be affected by the Privacy Act?
The Act sets out criteria for the organisations it covers, and the Church meets those criteria. Therefore the synod, presbyteries, congregations and agencies are required to comply with the Privacy Act.
2.3 What are the essential components of the Privacy Act?
The Privacy Act requires that organisations must either
a) have their own approved privacy code; OR
b) comply with the National Privacy Principles (NPPs).
The Uniting Church in Australia has chosen the second option and will be complying with the National Privacy Principles.
2.4 What are the National Privacy Principles (NPPs)?
The NPPs are legally binding standards which regulate how organisations are to collect, store, use and disclose personal information.
There are ten NPPs and they can be found in full on page 15 of this kit.
The principles apply to personal information which
a) is collected in any form and from any source; and
b) is held in conventional hard copy as well as in electronic and digital records.
2.5 When does the Act come into effect?
The new legislation comes into effect on Friday, 21 December 2001. From that time onwards all personal information must be collected, stored, used and disclosed in accordance with the NPPs set out in the Act.
ALERT! / In certain circumstances, the Act also applies to personal information collected before 21 December 2001.
(See “Collection pre/post 21 Dec 2001 - which NPPs apply?” on page 14)
2.6 How will my congregation be affected?
The Act requires us:
1. to identify all personal information which we collect – a kind of “personal information stocktake”.
When undertaking this task, ensure that you identify personal information collected by all parts of your congregation, including
(a) the minister;
(b) the church council;
(c) elders;
(d) employees;
(e) any other group.
Note that personal information can be in different forms. For example, it could be a written document, computer data, or photographs or videos.
2. to review the personal information identified in part (1) and determine:
(a) why it has been collected;
(b) how it is used;
(c) why it is used;
(d) whether the information is kept secure; and
(e) to whom it is disclosed.
3. to amend the way we handle personal information (2 (a) to (e) above) so that we comply with the Privacy Act.
2.7 How can I help my congregation with this process?
We suggest that you go to Section 3 on page 4, “What steps must we take to comply with the legislation?” and follow the recommended procedures.
3 What steps must we take to comply with the legislation?
3.1 Purpose of Section 3
The purpose of this section is to help you to comply with the Privacy Act.
If the way you currently collect, use, store and disclose personal information does not comply with the Privacy Act then you are “non-compliant”.
ALERT! / If you are non-compliant, dissatisfied individuals could complain to the Privacy Commissioner or take legal action against you, so it is important to check your current personal information practices to ensure that you are compliant.
3.2 How do we know if we are compliant?
We recommend you use the following steps as a basis for becoming compliant.
In particular the checklist in Step 3 (see page 6) will help you
(a) check your current practices in handling personal information;
(b) identify practices which do not comply (if you answer NO to a checklist question then this indicates that you are not compliant);
(c) compile a list of non-compliant processes.
Once you have a list of non-compliant processes you
(a) must amend each process so you can answer YES to the checklist question;
(b) can obtain further information by reading the complete NPPs (see page 15);
(c) can contact our privacy hotline (see page 5).
ALERT! / It is most unlikely that you will already be compliant unless you have recently addressed the privacy issue. For example, one of the requirements for compliance is that you must have a privacy policy.
3.3 Steps to compliance
Step 1: Appoint a Privacy Coordinator or task group
It is important to have someone responsible for overseeing this process, so appoint a privacy coordinator or task group who can report to the appropriate council.
Step 2: Identify personal information
Identify what personal information you collect, use, store and disclose. This includes all databases, large and small. (Even a few names and addresses kept for a regular mail merge is a database of personal information.)
ALERT! / “Collecting” information includes receiving unsolicited information. For example, if you receive an unsolicited job-seeking letter which contains personal information, then you are deemed to have collected that information and must comply with the NPPs.
Step 3: Identify non-compliance
Identify any non-compliant practices by comparing your current processes and procedures for each database of personal information with the “Privacy Act - Compliance Checklist” on page 6.
Step 4: Amend to comply
Amend any non-compliant processes and procedures to comply with the NPPs.
Step 5: Document procedures
Once your procedures are compliant, document them clearly and make them available to everyone who collects, uses, stores or discloses personal information. This will help in developing a privacy policy (see Step 6 below).
Step 6: Privacy Policy
Develop, document and display your own Privacy Policy Statement - see “Sample Privacy Policy Statement” on page 12.
Step 7: Educate
Educate members of your congregation / colleagues who have ANY responsibility for access to or handling of personal information in compliant practices.
ALERT! / Display your Privacy Policy Statement clearly and ensure that your congregation / agency faithfully complies with it. You may breach the Act if you have a policy but ignore it!
Step 8: Website
Do you have a website?
If so you will need to include a Privacy Statement on your website - see “Sample Website Privacy Statement” on page 13.
3.4 Who can help me with queries on privacy?
- the Privacy Commissioner’s website has extensive information (see 3.5 below); or
- e-mail the Synod privacy hotline at ; or
- phone the Synod Legal Officer or Human Resource Manager on 9251 5200.
3.5 Can I access further privacy information on the Web?
Yes. Go to the Privacy Commissioner’s website on
4 Privacy Act – Compliance Checklist
4.1 How to use this checklist
This checklist has been compiled to help UCA organisations analyse their policies and procedures for the collection, use, storage and disposal of the personal information which they collect and/or record.
Each section commences with a summary of one of the ten National Privacy Principles (NPPs). This is followed by questions designed to test whether you are complying with the Privacy Act. (The “National Privacy Principles in full”, as set out in the Privacy Act, are included later in this document, commencing on page 15.)
If you answer NO to any of the questions in the checklist then your policies and procedures are probably not compliant with the Privacy Act and should be amended to comply. In this case you should carefully review the appropriate NPP (in full) to identify the action needed for compliance.
It is important to apply these questions to ALL personal information which you collect and/or record.
4.2 Checklist
(Note that the page reference to the right of each heading indicates the page on which you will find the full NPP)
NPP 1: COLLECTION / Ref P 15
Collection of personal information must be fair, lawful and not unreasonably intrusive. A person providing personal information must be made aware of
- the organisation’s name and how to contact it;
- the purpose of collection of the personal information;
- that they can access the information; and
- the implications for the person if he/she does not provide the information.
1. Is collecting this personal information necessary for one of our organisation’s functions or activities? / YES / NO
2. Are we collecting the information lawfully and fairly and not in an unreasonably intrusive way? / YES / NO
3. Are we collecting the information directly from the individual, where reasonable and practicable? / YES / NO
4. Have we ensured the individual is aware of the identity of our organisation and how to contact it? / YES / NO
5. Have we ensured that the individual is aware of the fact that s/he can gain access to the information? / YES / NO
6. Have we ensured that the individual is aware of the purposes for which the information is collected? / YES / NO
7. Have we ensured that the individual knows about any law that requires the information to be collected? / YES / NO
8. Have we ensured that the individual is aware of the consequences (if any) of not providing the information? / YES / NO
NPP 2: Use and disclosure / Ref P 15
Information should only be used and disclosed for the purpose for which it was collected unless the person has consented or another exception in NPP 2 applies.
9. Are we using personal information only for the primary purpose for which it was collected? / YES / NO
10. If the answer to question 9 is no, then we must be able to answer “yes” to at least one of questions 10 (a) to (f):
(a) Is the purpose related to the primary purpose and would the individual reasonably expect the organisation to use the information in that way? (If the information is sensitive information, the purpose must be directly related to the primary purpose of collection.) / YES / NO
(b) Has the individual consented to this use of the personal information? / YES / NO
(c) If the information is health information, is the use necessary to lessen or prevent either an imminent, serious threat to an individual’s life, health or safety or a serious threat to public health or safety? / YES / NO
(d) Is the use a necessary part of an investigation into suspected unlawful activity? / YES / NO
(e) Is the use required or authorised by law or necessary for law enforcement? / YES / NO
(f) Was the information collected before 21 December 2001? (see table page 14) / YES / NO
NPP 3: Data quality / Ref P 17
Reasonable steps must be taken to ensure personal information collected, used or disclosed is accurate, complete and up to date.
11. Do we have procedures to ensure the information we collect, use and disclose is accurate, complete and up to date? / YES / NO
12. Do we have a review process to ensure that personal information continues to be up to date? / YES / NO
NPP 4: Data security / Ref P 18
Reasonable steps must be taken to protect personal information from misuse, loss, and unauthorised access, modification or disclosure.
13. Have we taken reasonable steps to protect the information from misuse, loss and unauthorised access, modification or disclosure? / YES / NO
14. Do we have a procedure to destroy or permanently de-identify personal information once it is no longer needed for any purpose for which it may be used or disclosed? / YES / NO
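As an added worked example (not part of this kit, and not a procedure the Act prescribes), the following Python script shows one way a small contact list kept as computer data could be swept against a retention rule in support of question 14: records past the retention period are either destroyed or have their direct identifiers removed, while the non-identifying fields are kept for aggregate use. The record layout, the three-year retention period, the list of which fields count as direct identifiers and the sample contacts are all constructed assumptions for illustration.

```python
"""Retention sweep for a small congregational contact list.

Added example, not part of the original kit. Everything below (the record
layout, the retention period, the sample contacts) is a constructed
assumption chosen to illustrate a "destroy or permanently de-identify"
procedure, not a rule taken from the Privacy Act.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Fields that identify a person directly. Removing them is the substance of
# de-identification. Everything else is kept only if it remains useful in
# aggregate (e.g. how many newsletter subscribers each suburb had).
DIRECT_IDENTIFIERS = ("name", "email", "phone", "street_address")

# Hypothetical retention rule: a contact we have had no dealings with for
# this long is no longer needed for the purpose it was collected for.
RETENTION = timedelta(days=3 * 365)


@dataclass(frozen=True)
class Contact:
    record_id: int
    name: Optional[str]
    email: Optional[str]
    phone: Optional[str]
    street_address: Optional[str]
    suburb: str            # quasi-identifier kept for aggregate reporting
    purpose: str           # the purpose of collection (NPP 1 / NPP 2)
    last_contact: date
    deidentified: bool = False


def is_expired(c: Contact, today: date, retention: timedelta = RETENTION) -> bool:
    """True once the record has passed the retention period."""
    return today - c.last_contact > retention


def deidentify(c: Contact) -> Contact:
    """Return a copy with every direct identifier removed.

    Replacing a name or e-mail with a hash is deliberately NOT done here:
    a hash is still a unique, persistent label for the same person, and an
    e-mail address is cheap to recover from its hash by guessing.
    """
    cleared = {f: None for f in DIRECT_IDENTIFIERS}
    return replace(c, deidentified=True, **cleared)


def holds_personal_info(c: Contact) -> bool:
    """True if any direct identifier is still present on the record."""
    return any(getattr(c, f) is not None for f in DIRECT_IDENTIFIERS)


def retention_sweep(contacts: List[Contact], today: date,
                    destroy: bool = False) -> Tuple[List[Contact], List[int]]:
    """Apply the retention rule to a list of contacts.

    Returns (kept, actioned): `kept` is the list to write back (unexpired
    records intact, expired ones de-identified unless destroy=True, in which
    case they are dropped), `actioned` lists the record ids that expired so
    the privacy coordinator can log what the sweep did.
    """
    kept, actioned = [], []
    for c in contacts:
        if not is_expired(c, today):
            kept.append(c)
        elif destroy:
            actioned.append(c.record_id)
        else:
            kept.append(deidentify(c))
            actioned.append(c.record_id)
    return kept, actioned


# Constructed sample data (fictitious people, addresses and numbers).
SAMPLE = [
    Contact(1, "A. Example", "a@example.org", "0400 000 000", "1 Sample St",
            "Carlton", "newsletter", date(2001, 6, 1)),
    Contact(2, "B. Example", "b@example.org", None, None,
            "Fitzroy", "newsletter", date(1997, 3, 15)),
    Contact(3, "C. Example", None, "0400 000 001", "3 Sample St",
            "Carlton", "pastoral visits", date(2001, 11, 20)),
]
TODAY = date(2001, 12, 21)  # the Act's commencement date, used as "today"

if __name__ == "__main__":
    kept, actioned = retention_sweep(SAMPLE, TODAY)
    for c in kept:
        state = "de-identified" if c.deidentified else "retained"
        print(c.record_id, state, c.suburb, c.purpose)
    print("expired record ids:", actioned)
```

Whether a remaining field such as suburb can, on its own, single out a member of a small congregation is a judgement for the privacy coordinator to make and document; if in doubt, add it to the list of fields the sweep removes.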
NPP 5: Openness / Ref P 18
An organisation must have a policy document available outlining its information handling practices.
15. Do we have a privacy policy? (see page 12) / YES / NO
16. Are we complying with our privacy policy on management of personal information? / YES / NO
NPP 6: Access and correction / Ref P 18
Individuals must be given access to their personal information on request (note that employee records are exempt – see the definition of “Employee Records” on page 11).
17. If requested, are we providing the individual with access to their personal information within the time specified in our privacy policy? / YES / NO
18. If the individual establishes that the information is not accurate, complete and up to date, have we taken reasonable steps to correct the information? / YES / NO
19. If we are refusing to provide access (question 17) or to correct the information (question 18), have we provided reasons to the individual? / YES / NO
20. If we are refusing access (the answer to question 17 is no), we must be able to answer “yes” to at least one of questions 20 (a) to (j):
(a) Would providing access pose a serious and imminent threat to the life or health of any individual? / YES / NO
(b) Would providing access have an unreasonable impact on the privacy of other individuals? / YES / NO
(c) Is the request for access frivolous or vexatious? / YES / NO
(d) Does the information relate to existing or anticipated legal proceedings with the individual, and would it not otherwise be disclosed as part of those proceedings? / YES / NO
(e) Would providing access reveal our intentions and prejudice negotiations with the individual? / YES / NO
(f) Would providing access be unlawful? / YES / NO
(g) Is denying access required or authorised by law? / YES / NO
(h) Is providing access likely to prejudice an investigation of possible unlawful activity or the activities of a law enforcement agency? / YES / NO
(i) If the information was collected before 21 December 2001, would providing access place an unreasonable expense or administrative burden on the organisation? / YES / NO
(j) Would providing access reveal evaluative information that relates to a commercially sensitive decision and, if so, have we given the individual an explanation for the commercially sensitive decision? / YES / NO
21. Are we charging for providing access to the information? / YES / NO
22. If we answered yes to question 21, have we checked that those charges are not excessive and do not apply to lodging requests for access? / YES / NO
NPP 7: Identifiers / Ref P 19
An identifier assigned by a Commonwealth government agency (e.g. a Medicare number or Tax File Number) must not be adopted as our own identifier for an individual, and must not be used or disclosed except where necessary to deal with that agency or as otherwise permitted by NPP 7.
23. Have we ensured that we do not adopt, use or disclose government-assigned identifiers other than as NPP 7 permits? / YES / NO
NPP 8: Anonymity / Ref P 20
People must be given the option to interact anonymously where that is lawful and practicable.
24. Where reasonable and practicable, have we provided the individual with the option of not identifying themselves when entering into transactions with the organisation? / YES / NO
25. Have we ensured that the individual is aware of the consequences (if any) of not providing the information? / YES / NO
NPP 9: International transactions / Ref P 20
Personal information may only be transferred to someone in a foreign country if the recipient is subject to privacy protection substantially similar to the NPPs, or another NPP 9 condition is met (for example, the individual has consented to the transfer).
26. Have we complied with the limitations on transferring information about an individual to someone in a foreign country? / YES / NO
NPP 10: Sensitive information / Ref P 20
Sensitive information must not be collected unless the individual has consented, the collection is required by law, or special circumstances apply (such as the provision of health services).
27. If the information is “sensitive”, can we answer “yes” to at least one of the following questions:
(a) Has the individual consented? / YES / NO
(b) Is the collection required by law? / YES / NO
(c) Is the individual incapable of giving consent and the collection necessary to prevent or lessen a serious and imminent threat to the life or health of any individual? / YES / NO
(d) As a non-profit organisation, does this information relate to our members or to individuals who have regular contact with us in connection with our activities? / YES / NO
(e) Is the collection necessary for the establishment, exercise or defence of a legal claim? / YES / NO
ALERT! / If you cannot answer yes to any of question 27 (a) to (e), then you probably should not be collecting, storing or using the information.
It is strongly recommended that you refer to National Privacy Principle 10 on page 20.
Final step