Privacy & Confidentiality Policy

Copyright Acclario IT Pty Ltd. No unauthorised copying or reproduction without express written consent. 

Effective Date: 1st July 2015

Policy Brief & Purpose:

Acclario IT services necessitate the collection, creation and use of personal information about employees, contractors and clients. Acclario IT is strongly committed to protecting personal privacy by complying with information privacy principles which govern how and when personal information may be collected, stored, used and disclosed. Acclario IT recognises that employees, contractors and clients with links to Acclario IT, have a legitimate expectation that Acclario IT will protect and appropriately manage the personal information it collects and holds about them.

Scope:

This policy applies to “personal information”. This is defined as any information or opinion, whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. Personal information can be in any format and, for the purposes of this definition, includes photographs and images, usernames and passwords.

Unique identifiers such as employee/payroll numbers, tax file numbers, credit card numbers and bank account details are also personal information. Personal information may be recorded in a variety of formats including, but not limited to, hard copy records, databases, administrative systems and employee identity cards. Where data is recorded in a way which cannot be linked to a known individual, then the privacy principles do not apply.

Roles and responsibilities for privacy

All Employees: It is the responsibility of all staff to respect personal privacy in so far as they collect, access or use personal information about others in the course of their duties, and to comply with the specific requirements of this policy.

Data custodians: The nominated data custodian of major datasets used to support Acclario IT functions must comply with specific responsibilities described in this policy and in Acclario’s policy on provision and use of information resources and services and in the information security policy all of which support privacy obligations.

Directors and Project Managers: As the functions of many activities within Acclario IT require the collection or management of personal information, responsibility for assessing privacy risk and for implementing business processes which are consistent with privacy principles rests with the Directors and Project Managers of the organization.

Specific, ongoing responsibilities include:

• Implementation and regular review of appropriate data collection practices
• Ensuring personal information is used and managed appropriately by employees
• Implementing adequate security requirements for access to and storage of personal information in all formats within the organisational units
• Ensuring that privacy training and awareness is embedded in practices and procedures of the organisational unit as appropriate

Privacy Contact Officer

The Directors are generally responsibility for privacy management, specific responsibilities for privacy may be delegated to the Privacy Contact Officer or MD and include:

• Maintenance of Acclario’s privacy plan
• Training and advisory services, including the development of a strategy for regular training of staff on their responsibilities in areas of high privacy risk
• Provision of assistance for the development of privacy notices and
• Receipt of privacy complaints

Collection of Personal & Client Information

Personal information and Client information must be collected only where necessary and relevant to Acclario IT’s functions and activities and in accordance with other privacy collection principles. Project Managers and Directors will:

• Regularly review data collection activities to exclude collection of personal information which is irrelevant to the business process or where there is no specific and immediate use for the information collected
• Develop appropriate privacy notices when collecting information directly from the person concerned, irrespective of the means by which personal information is collected
• Ensure that collection methods adopted meet requirements for fairness, and are non-intrusive (in particular, in the context of logging network or IT activities)
• Determine whether recording names or other identifying details is necessary to perform the function or activity

Special considerations apply to data collection practices in the context of human research. In particular, the principle of informed and voluntary consent should form the basis of data collection practices in human research, and when properly applied, is consistent with privacy principles.

Access and security for personal and client information records

The implementation of adequate security safeguards is a significant means of protecting personal privacy. Reasonable measures must be put in place to prevent unauthorised access, loss, disclosure or misuse of personal information. Detailed arrangements for management of information security generally are found in the information security policy.

For personal data in information systems, the data custodian has formal responsibility for implementing adequate security measures to protect privacy. Additionally, the data custodian determines user access levels for the dataset or system, though the decision to grant access to individual staff may be delegated.

Access rights should be formally documented and reviewed periodically. The data custodian is also responsible for implementing appropriate mechanisms to revoke access to personal information data or records when access is no longer necessary or appropriate, for instance, in the case of a change in position or formal responsibilities, or termination of employment. In regard to local files and records, security procedures and management of access are the responsibility of the individual Project Manager.

The Project Managers are also responsible for ensuring that personal information records held in physical or hard copy files and records is also secured. Physical security strategies may include restricting building and work area access, ensuring facilities (offices, filing cabinets or other storage facilities) are locked when not in use, and implementing “clean desk” procedures.

In addition, good records management practices for physical files, for instance recording file movements, undertaking file audits, placing appropriate security classifications on files, and managing records retention, are designed to safeguard against loss or unauthorised access. Care must be taken to ensure secure and confidential destruction of records containing personal information (which may only be undertaken in accordance with authorised disposal schedules).

Individual employees are entitled to access personal information records (irrespective of format) only where there is a legitimate need to do so, and only to the extent required to perform the employee’s duties (the “least privilege” principle). Additionally, individual users of Acclario’s personal information datasets and systems must take reasonable precautions to safeguard their access to these systems, such as the protection of passwords.

Use of Personal Information Records

Privacy obligations impose the following requirements in relation to the use Acclario of personal information held in Acclario records and datasets:

• The requirement to take reasonable steps to ensure that information is accurate, up-to-date and complete before it is used, since it is important that decisions or actions by Acclario are based on accurate and complete facts. This responsibility rests with the relevant data custodian.
• The requirement to use information only in circumstances where it is relevant, and provided that it is used only for the purpose for which it has been collected or a directly related purpose. This is the responsibility of all employees
• There are several recognised but limited exceptions to the restrictions on use of personal information and further guidance on use of personal information for other purposes is available from the Privacy Contact Officer

Prohibition on disclosure of personal information

Employees must not disclose personal information to individuals or organisations outside Acclario IT. Disclosure refers to release of personal information out of the effective control of Acclario IT.

Exceptions relating to disclosure of personal information

In extremely limited circumstances, disclosure of personal information in the following circumstances may not be a breach of privacy.

(a) Consent

Personal information may be disclosed where the individual concerned has consented to that disclosure.

Consent must be expressly given, and it is expected that the consent will be in writing. In limited circumstances, verbal consent may be acceptable if it is verifiable and the disclosure is clearly in the best interests of the individual. Employees proposing to release information where the consent is not in writing must discuss the circumstances with the Privacy Officer before disclosure occurs.

Implied consent must not generally be relied upon as a basis for disclosure. Where a person seeks personal information as a representative or agent of another, then documentation confirming the scope of the agent’s authority should be obtained before release of any personal information held by Acclario.

(b) Previous provision of a privacy notice

Personal information may be disclosed where individuals have been informed of the usual practices for disclosure.

(c) Other situations

In rare circumstances, disclosure of personal information may also be permitted where:

• Disclosure is necessary to prevent or lessen an imminent and serious threat to a person’s life or health
• Disclosure is required by law or if there are statutory requirements to provide information to a government department such as the Australian Taxation Office, Centrelink, or Federal Police.
• Disclosure is necessary for enforcement of criminal or other laws imposing penalties such as fines

Any request or proposal to disclose personal information in these situations must only be undertaken in compliance with protocols issued by Acclario IT or following discussions with the Privacy Contact Officer confirming that disclosure is necessary and acceptable under privacy principles.

Access to and amendment of an individual’s own record

Privacy principles entitle an individual to have access to the personal information which Acclario holds about them, and to amend it where it is inaccurate, incomplete, out-of-date or misleading. In Queensland, these rights are dealt with in the Freedom of Information Act 1992 (FOI Act). Acclario is however committed to providing, as far as practicable, an open environment which enables members of Acclario to obtain access to their personal information without recourse to formal procedures contained Freedom of Information policy.

Privacy complaints

If an individual believes that Acclario IT has not dealt with their personal information in accordance with this policy, they may make a complaint to Acclario. A complaint must be made in writing within six months from the date when the breach of privacy was suspected to have occurred. Complaints should be sent to the Privacy Contact Officer or referred to that officer if received by another area of Acclario.

The Privacy Contact Officer will refer the matter to the most appropriate senior officer to resolve the complaint. In the case of complaints regarding an employee’s conduct or actions, this will be the head of the organisational unit in which the staff member is employed. In other cases, the complaint may be referred to the head of the organisational unit having responsibility for the personal information to which the complaint relates.

Primary responsibility for investigating and responding to the complaint will rest with the senior officer, with advice from the Privacy Contact Officer as required. Acclario’s main objective in responding to privacy complaints is to conciliate an outcome which is acceptable to the complainant and which addresses any broader or systemic privacy issues which may arise.

If a complainant does not agree with Acclario’s response, an internal review process is available.

Contracts Involving Personal Information

Contractual arrangements entered into by Acclario IT may involve access to or use of personal information owned or held by Acclario IT, typically these arrangements may outsource routine support functions, though some contractual arrangements.

Any contract which is entered into by Acclario IT must place appropriate safeguards on protection of personal privacy, since contractual arrangements do not alter or eliminate Acclario’s obligations for protection of personal information. It is the responsibility of the senior officer who has delegated authority to enter contracts and commercial arrangements, to ensure that privacy risks are adequately addressed and that Acclario IT’s privacy obligations are appropriately incorporated into the formal terms of the contract where necessary. Queries concerning appropriate contractual provisions covering Acclario IT’s privacy obligations may be directed to the Privacy Contact Officer.