Grace Information Management Blog

How does the Privacy Act connect with Information Management?

Shirley Cowcher – Director Information Enterprises Australia

Introduction

In the July 2014 edition of Information Overload I wrote about Directors’ responsibilities to meet legislative obligations and gave a quick example of how information management can support those responsibilities. In giving this example, I used the implementation or amendment of the Privacy Act compliance requirements.
The example listed six steps for the implementation and used them to indicate how information management would support those steps. This edition will take that a little further and outline what each step entails and how information management is there every step of the way.
The six steps previously identified as needing to be taken by an organisation to implement the processes needed to comply with the Privacy Act are:

  1. Know what personal information your organisation collects.
  2. Review, amend and document processes identified in Step 1
  3. Develop and Document the Privacy Policy
  4. Communicate and train personnel in the new Privacy processes
  5. Communicate the new Privacy Policy to customers
  6. Monitor and improve privacy processes and procedures

Here steps four and five have been merged into one step called Putting it into Action.

Step 1 – Know what personal information your organisation collects.

An information audit will identify what information your organisation collects about people, how it is collected, why it is collected, where it is stored, how it is used, who has access to it and when it is destroyed. The currency of the information must be considered, particularly with regard to consent for collection, use and disclosure.

An additional level of complexity comes into the information audit when we ask the question: what is personal information? There is a chicken and egg issue here, because whether a piece of information is considered personal may depend upon what your organisation is doing with the information it collects. Let me explain:

The Act basically says that personal information is

information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  • whether the information or opinion is true or not; and
  • whether the information or opinion is recorded in a material form or not (s 6(1)).

So the common ones we all think of include name, date of birth, address, signature, employment details and bank details. Some may not think that a telephone number, an IP address or a cookie ID (collected by your website system) would be deemed personal; however, if your organisation uses data linking methods, then this type of information, brought together, could reasonably identify a person.

To quote Leif Gamertsfelder from his publication Corporate Information and the Law[1]:

The ‘accretion issue’ is one that is extremely important in the context of the information economy and the increasing use of ‘big data’. Corporations need to ensure that they do not inadvertently breach the Act due to a mistaken belief that individual data sets do not constitute ‘personal information’ when, in aggregate, they actually do have such status. (para 9.15)

This then requires that consideration must be given to what technology is being used by your organisation and whether that technology is collecting information that could be personal, e.g. websites, smartphone apps. In addition, consideration needs to be given to the processes within the organisation that may be collecting personal information as an adjunct to other processes, e.g. a vocational reference is likely to contain personal information about the author (name, position, opinion) of the reference as well as the subject of the reference.
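To make the “accretion issue” quoted above concrete, here is an added Python example (it is not from the article, nor from Gamertsfelder’s text) that treats the dataset inventory produced by an information audit as a graph: any dataset reachable through a shared join key from a dataset holding a direct identifier is, in aggregate, personal information, even though its own fields (cookie ID, IP address) look anonymous. The dataset names, field names and sample rows are constructed for illustration, and which fields count as direct identifiers is an assumption of the example.

```python
"""Added example (not from the original article): how datasets that look
non-identifying on their own become personal information once they can be
linked. All datasets, field names and rows below are constructed for
illustration."""
from collections import defaultdict

# Fields assumed, for this example, to identify a person on their own.
DIRECT_IDENTIFIERS = {"name", "email", "date_of_birth", "bank_account"}

# Constructed inventory of the kind an information audit (Step 1) produces:
# each dataset with the fields it holds.
DATASETS = {
    "web_analytics": {"cookie_id", "ip_address", "pages_viewed"},
    "login_events": {"cookie_id", "account_id", "ip_address"},
    "crm": {"account_id", "name", "email", "date_of_birth"},
    "support_tickets": {"account_id", "ticket_text"},
    "office_temperature": {"sensor_id", "celsius"},
}


def build_link_graph(datasets):
    """Two datasets are linkable when they share a non-identifier field that
    can serve as a join key (cookie_id, account_id, ...)."""
    by_field = defaultdict(set)
    for name, fields in datasets.items():
        for field in fields - DIRECT_IDENTIFIERS:
            by_field[field].add(name)
    graph = defaultdict(set)
    for members in by_field.values():
        for a in members:
            graph[a] |= members - {a}
    return graph


def reasonably_identifiable(datasets):
    """Datasets whose records are personal information in aggregate: every
    dataset reachable through shared keys from one holding a direct identifier.
    This is the 'accretion issue' computed as graph reachability."""
    graph = build_link_graph(datasets)
    seeds = {n for n, fields in datasets.items() if fields & DIRECT_IDENTIFIERS}
    seen, stack = set(seeds), list(seeds)
    while stack:
        for nxt in graph[stack.pop()]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


# Constructed sample rows: a single web visit, the session that logged in
# with the same cookie, and the CRM record for that account.
SAMPLE_ROWS = {
    "web_analytics": [
        {"cookie_id": "c9f1", "ip_address": "203.0.113.7", "pages_viewed": "/pricing"},
    ],
    "login_events": [
        {"cookie_id": "c9f1", "account_id": 42, "ip_address": "203.0.113.7"},
    ],
    "crm": [
        {"account_id": 42, "name": "Jane Citizen", "email": "jane@example.org",
         "date_of_birth": "1980-01-01"},
    ],
}


def resolve_person(rows, dataset, row):
    """Starting from one record, follow equal-valued shared keys into other
    datasets until a record carrying a direct identifier is reached. Returns
    the identifying fields found, or None if the record stays anonymous."""
    frontier = [(dataset, row)]
    visited = {(dataset, id(row))}
    while frontier:
        cur_ds, cur = frontier.pop()
        found = {k: cur[k] for k in cur if k in DIRECT_IDENTIFIERS}
        if found:
            return found
        for other_ds, other_rows in rows.items():
            if other_ds == cur_ds:
                continue
            for cand in other_rows:
                joinable = any(k in cand and cand[k] == v for k, v in cur.items())
                if joinable and (other_ds, id(cand)) not in visited:
                    visited.add((other_ds, id(cand)))
                    frontier.append((other_ds, cand))
    return None


if __name__ == "__main__":
    print("Identifiable in aggregate:", sorted(reasonably_identifiable(DATASETS)))
    visit = SAMPLE_ROWS["web_analytics"][0]
    print("Visit", visit, "resolves to", resolve_person(SAMPLE_ROWS, "web_analytics", visit))
```

Run as written, the web analytics dataset, which holds nothing but a cookie ID, an IP address and pages viewed, is reported as identifiable because its cookie ID joins to a login event and that event’s account ID joins to the CRM record; the office temperature log shares no key with anything and stays outside. The same field-level check can be run over a real audit inventory before deciding which datasets the Privacy Policy must cover.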

Remember, this phase is not just about finding out what personal information is collected; it is also necessary to workflow the processes associated with the information. This identifies exactly how the information enters the organisation (collection), how it is used and who has access to it (use or disclosure), and how it is maintained and disposed of (integrity, access and control).

This step should be established as a project with a project team made up of people with expertise in:

  • Records/information management
  • Information technology (system & website administration)
  • Risk/compliance/governance/legal
  • Subject expert – Marketing/membership/shareholder register

People with expertise in information management will be vital to this step as they will be able to apply their skills in conducting information inventories and workflow analysis.

The completion of Step 1 is essential; without the information obtained from this step it will not be possible to write a compliant Privacy Policy.

Step 2 – Review, amend and document processes identified in Step 1

On completing the information audit, every process associated with personal information must be reviewed to ensure the protection of the information and that there are no current actions in breach of the Australian Privacy Principles (APPs) (for example, direct marketing to individuals who may have opted out, or who had not been given the opportunity to opt out because of previous practices). As the information being collected is reviewed, the following questions should be asked:

  • Did the individual consent to the collection of this information?
  • Is this information necessary for one or more of the organisation’s functions or activities?

Remember, if you can’t answer yes to both those questions you may not be able to legally collect or hold that information.

An approach to be applied at this phase, and in the future as new systems and processes are adopted, is that of privacy impact assessments (PIAs).[2] Step 1 already contains a component of the PIA, in that the flow of the personal information[3] is being documented as part of the information audit. The PIA provides a structured process to not only consider the flow of the personal information but also:

  • analyse the possible impacts on individuals’ privacy
  • identify and recommend options for avoiding, minimising or mitigating negative privacy impacts
  • build privacy considerations into the design of a project
  • achieve the project’s goals while minimising the negative and enhancing the positive privacy impacts. [4]

This step will provide clarity for the development of the Privacy Policy and the documentation of processes and procedures associated with the collection and use of personal information as well as the complaints handling procedures.

At this stage you should also be thinking about documenting the method of communication to, and training of, the personnel who are responsible for the processes and procedures. (Again, a governance issue that involves information.)

Step 3 – Develop and Document the Privacy Policy

It is important to remember that the Privacy Policy must be “clearly expressed and up to date”. As a minimum the Privacy Policy must contain:

  1. the kinds of personal information that the entity collects and holds;
  2. how the entity collects and holds personal information;
  3. the purposes for which the entity collects, holds, uses and discloses personal information;
  4. how an individual may access personal information about the individual that is held by the entity and seek the correction of such information;
  5. how an individual may complain about a breach of the Australian Privacy Principles, or a registered APP code (if any) that binds the entity, and how the entity will deal with such a complaint;
  6. whether the entity is likely to disclose personal information to overseas recipients;
  7. if the entity is likely to disclose personal information to overseas recipients—the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy.

The Office of the Australian Information Commissioner has developed a Guide to developing a privacy policy and it suggests that the policy should:

  • be as specific as possible;
  • summarise where possible; and
  • provide information in layers.

The guide goes on to provide some headings that should be considered for the policy:

  • Scope
  • Collection of personal information
  • Disclosure (sharing)
  • Rights and choices
  • How to make a complaint
  • Contact details

In developing the policy the processes and procedures are also being developed. These all need to be documented and managed as they are the record of compliance (a governance issue being supported by IM practices).

Step 4 – Putting it into action

Once approved, the Privacy Policy and its supporting framework of rules, procedures etc. must be communicated to the organisation’s personnel and customers. Personnel must be trained in the processes and procedures. A record of actions associated with the training of personnel is necessary to prove compliance. (The organisation’s IM system will support this.)

Customers need to be informed of the Privacy Policy. This is not necessarily a passive activity: posting it on the website may not be sufficient. It may be necessary for customers to be contacted directly and asked to provide informed consent for the collection and disclosure of their personal information. The need for this action would have been identified in Step 2. In making contact with customers, a record of the contact would need to be made and kept to prove compliance. (The organisation’s IM system will support this.)

The Privacy Policy must be easily accessible and available. It must be provided whenever personal information is being collected. This means that it may have to be published on the company website, included in marketing and other publications, referred to during telephone, personal and email communications, and provided in different formats upon request. Each rendition of the policy must be captured and retained as evidence of compliance. (Again, the IM system will support this.)

Step 5 – Monitor and Improve.

It is all very well to implement processes to comply with legislative requirements, but part of the compliance requirement is to ensure that the organisation continually adheres to the processes. APP 1.2 requires that an organisation must “… take reasonable steps to implement practices, procedures and systems relating to [its] functions or activities that will:

  • ensure [it] complies with the APPs and any binding registered APP code, and
  • enable [it] to deal with inquiries or complaints from individuals about [its] compliance with the APPs or such a code.[7]

The concept of continuous review and adherence is emphasised in the practice of Privacy Impact Assessments (PIAs)[8] suggested by the Office of the Australian Information Commissioner and referred to earlier in this paper as part of step 2.

Using the PIA approach during any stage of development or improvement of systems will demonstrate that the organisation has built privacy into its systems and culture and that privacy forms part of the design procedure.

Documented evidence of monitoring activities is also an important part of proving compliance, and as such an audit process and schedule will need to be developed and implemented. This demonstrates a commitment by the organisation to ongoing adherence. The audit process and its outcomes need to be captured into the organisation’s information management system, as do the actions taken to correct any non-compliances found during the audit process.

As a final pointer in this brief guide, the organisation also needs to identify when there are changes to the legislation itself and amend its existing processes to adhere to the changes in the Privacy Act. Such changes can be significant and require considerable work to ensure compliance, as the recent changes did.

Conclusion

The significant changes to the Privacy Act which came into effect in March 2014 required every organisation to review the legislation and determine firstly if it impacted on the organisation and secondly, if it did, what was required to meet compliance.

An essential part of compliance is being able to prove compliance. Implementing effective policy and procedures, as suggested here; using the existing information management systems to determine current practices; and capturing all documentation of activities, policy and procedures into the information management system will provide significant protection for the organisation.

Collaborate and be relevant

Shirley Cowcher

Records management is just not valued

I don’t often take time to contemplate my own, or my profession’s, relevance, but I have to admit that recently I have found myself doing just that in relation to my more than 25 years as a records management professional. Sadly, it hasn’t been a positive experience. Why? Well, it appears that business just doesn’t value its information and therefore it doesn’t value those that are employed to ensure that information is captured, controlled, accessible and eventually disposed of. “Yes”, you say. “I know exactly what you mean. We know how valuable the records are. We know how important our role is to ensure that the organisation is compliant, and yet because information and records are tacit to the organisation they just won’t invest in what we know is required. The ICT people seem to be able to get the resources they need, they don’t want to support us in our efforts and it is just an uphill battle to get any acknowledgement from middle to senior management.”

Where does the fault lie?

Well, all of what you say may be true, but I believe that it is the profession that must take responsibility for our being seen by the organisation as a blocker of progress, a problem creator, rather than a solution provider, and at best being referred to at the end of an IM/ICT project rather than at the beginning. I know I may appear rather harsh in this belief but I am convinced of this, and every story I hear just reinforces my perception. Let me explain my position with two examples.
Recently, I was discussing the issue of a new ICT project that had been developed to manage some detailed building plans that had been digitised so that they could be accessed on mobile devices by workers in the field. The project had gone through the phases of user requirements, conceptual modelling, and was in the final phases of physical design when someone in ICT asked a question about how long the digitised records would have to be kept and how would they manage variations to the building plans over time. It was at that stage that the expertise of the records manager was sought. The records manager’s response was not very supportive. They were frustrated at being consulted so late in the project and made reference to any number of standards and policies that indicated that the records couldn’t possibly be captured, stored and managed in anything other than the organisation’s existing EDRMS. The ICT project group hastily retreated and went ahead to complete the project knowing that they were missing a piece of the project but were sure they were meeting the user requirements.
A similar story is that of an organisation that had, over time, implemented business ICT systems to support certain business activities that embedded the records into the system. Over the years the records managers had vaguely acknowledged that these systems existed but had never entered into any discussions with the ICT group or the users of the systems as to how the records were being captured, managed and controlled. The moment came when the CIO identified that there were potential issues in terms of governance and compliance and wanted to have discussions about in-place records management. The result was a discussion that was one-sided and aggressive. The records manager’s position was that compliance could only be achieved if the records were placed in the organisation’s EDRMS and that the business systems did not meet recordkeeping requirements. This resulted in the CIO and the IT group asking why and what needed to be done to make them meet the requirements. The records manager responded by handing them a whole load of policies and standards and saying “This is what is required”. The IT group took the information provided and commenced a discussion with various IT vendors to see if they could meet their compliance and governance requirements by throwing some additional technology at the problem, and the records manager continued to manage their domain of records, complaining that “IT just don’t understand!”

The compliance big stick won’t work

I don’t say I have the answers but I have some thoughts that I am willing to share and have debated or challenged. I believe that the only way records management can become relevant to business is for records managers to adopt an attitude of collaboration with the associated professions and, to be honest, the whole of business. Records managers need to be inclusive in their approach to business and not sit in ivory towers wielding the great stick of compliance. This stick has been used for far too long, with people believing it will produce the result we want. It doesn’t!
Records management has to be seen as relevant to the whole of the organisation. It cannot be relevant only to those that work in the areas of legal counsel, compliance and quality. They all rely on records that are created and used by others within the organisation, and those “others” won’t cooperate unless it makes their job easy and they see the need and benefit to themselves and the organisation. We’ve all heard it before, but we have to appeal to the “what’s in it for me?” mentality of every person within the organisation. In appealing to that mentality we have to know them and know what they do and what they need. We have to step away from our recordkeeping systems and get to know the users as well as the business of the organisation that employs us.
I recently spent a week attending and supporting sessions on metadata and system design for information governance. Most attendees came from a records management background but there were a few business analysts and ICT people. The one thing that struck me from each of the sessions was that the majority of the participants admitted that they needed to go out and talk to the users of the business systems (and not just the EDRMS systems) to determine the source of authority for much of the metadata that was required. Many also realised that the user requirements and conceptual models that they develop and deliver to systems developers or ICT vendors were poorly developed and contained insufficient information for a satisfactory outcome to be achieved. This has resulted in the vendors and developers delivering what they understood to be best for the user, based on the incomplete information they are given, not what is really needed.

A multi-disciplinary skill set is required

The world has changed. Records management is no longer about paper records and we cannot hope to apply the paper recordkeeping model to the digitised, social media, mobile app world that we live in today. If we do not realise this and multi-skill so we can initiate and participate in inclusive and collaborative conversations, then we have no hope of ever being seen as relevant.
For some of us, we could not possibly have envisaged where we would be in terms of business dependency on technology and the digitisation of records (and I’m not just talking about scanning paper records) when we commenced our careers. Well, welcome to the new world. Get up to speed or leave now. For those that have only recently started on their career path, you may feel disappointed that the course you completed to gain formal qualifications didn’t adequately prepare you for this new world. Well, get up to speed and, in addition, make it known to the institutions providing the qualifications where they are lacking.
From my viewpoint, it is essential that those working in the area of records management have some practical exposure to strategic planning, financial management, business analysis, database/systems design and metadata modelling, governance and compliance, business writing and project management. Exceptional communication skills (that’s not talking and telling but LISTENING) are also mandatory. I’m not sure how this is to be achieved, but without these skills we are fighting a losing battle.
Having had a quick glance at the various educational offerings, many seem to offer multi-disciplinary courses. Yet I often hear from new graduates that they felt they had not had the opportunity to develop the skills they later realised they needed to address the issues most organisations are facing. So what’s happening here? Is it that there is too much to cover in the curriculum, so let’s stick to what we know? Is it that the units offered outside of the core units are presented by people in the records management profession? Database design presented by a records manager or archivist doesn’t provide adequate exposure to the terminology, thinking or processes that are second nature to those working in the IT discipline. Cross-discipline units within the course will encourage participants to have conversations with people in other disciplines and develop an understanding of the issues faced by those working in other disciplines. Education in isolation results in an insular view of the world. Perhaps it has more to do with the limitations of the courses in terms of teaching what is here and now instead of what is on the immediate horizon? For example, it is essential that new graduates understand the issues surrounding in-place records management in relation to business systems. I haven’t met many that know that there is an international standard relating to this issue (it is dated but it exists) and even fewer that see this as an acceptable option.

Border Protection

Perhaps it has nothing to do with the educational offerings but fear. A scared animal, when backed into a corner, comes out fighting. Is this what is happening to our profession? When faced with issues we don’t fully understand, and that don’t meet our paper view of the world, we protect ourselves by taking the stance that we know best, this is our domain and no one else can enter it unless they can speak our language and follow our rules to the letter. We push people away with our aggression and unwillingness to consider another’s viewpoint. When we communicate we do it purely to win the argument and get our position accepted, without listening or being willing to compromise. I don’t know the answer, but my feeling is that it is the attitudes and behaviours, individually and collectively, that have resulted in records management being seen as irrelevant to the organisation. As I said at the beginning, I don’t often contemplate such issues. I wonder if the reason for that is that I don’t like the result.