Organisational Privacy Basics: Privacy Awareness Week 2023
Privacy Awareness Week 2023 runs from May 1 to May 7. To build on this year’s theme (Back to Basics), we’ve decided to cover organisational privacy basics in this week’s post.
The Basics of Organisational Privacy
What is Personal Information?
“The Privacy Act defines ‘personal information’ as:
’Information or an opinion about an identified individual, or an individual who is reasonably identifiable:
whether the information or opinion is true or not; and
whether the information or opinion is recorded in a material form or not.’
The definition is technologically neutral to ensure sufficient flexibility to encompass changes in information-handling practices over time. It is also consistent with international standards and precedents.”
Common Examples of Personal Information
- A person’s name, signature, address, email address, telephone number, date of birth, medical records, and bank account details.
- A person’s employment details, such as work address and contact details, salary, job title, and work practices.
- Certain information collected in the hiring process may be personal information. For example, a referee’s comments about a job applicant’s career, performance, attitudes and aptitude are personal information because they are information about that person.
- An opinion about an individual’s attributes is personal information about the individual even if it is not correct.
- Information or an opinion inferred about an individual from their activities, such as their tastes and preferences inferred from online purchases made with a credit card, or from their web browsing history.
What is Not Personal Information?
Some common examples of information that is not personal information include:
- Blurry photographs, or photographs that don’t have sufficient detail to identify the subjects.
- Business information (unless the business information is also about an individual, which may be the case for sole traders).
- Information about deceased individuals.
- De-identified information (read about de-identification and differential privacy in our earlier posts).
MYTH: It’s Obvious When Information is Personal Information.
This is untrue. The definition of personal information relies on whether you can identify a person based on the information, not what ‘type’ of information you have.
Generally speaking, if you’re uncertain if something is personal information, it’s best to assume it is until you’ve sought legal advice.
MYTH: Privacy Champions Are Solely Responsible for Organisational Privacy
Everyone in your organisation is responsible for the compliant collection, storage, use, transfer, and disposal of personal information. Your team is your organisation’s biggest privacy risk, so training them (and busting this myth within your company) is essential.
MYTH: No Name Means It’s Not Personal Information
Just because you don’t collect an individual’s name or full name doesn’t mean that you haven’t collected their personal information.
Whether you collect personal information depends on the context. For instance, if you record a person’s hair colour and the suburb they live in, their identity might be apparent or reasonably ascertainable if the hair colour is an uncommon hue (blue, for example). In that case, the information may be personal information.
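The hair colour and suburb example is an instance of a general check: count how many records share each combination of attributes, and any combination held by only one record singles that person out even though no name is stored. The script below is an added example, not code from the original post or from Privacy 108; the records, attribute names and suburbs are all constructed for illustration, and the check it performs is the standard k-anonymity measure over quasi-identifiers, which goes beyond the single hair colour case in the text.

```python
"""Added example: quasi-identifier uniqueness (k-anonymity) check.

The records are constructed for illustration. None carries a name, yet one
combination of hair colour and suburb occurs exactly once, which is the point
of the "no name" myth: identifiability depends on context, not on field names.
"""
from collections import Counter
from typing import Dict, List, Sequence

# Constructed sample records: no names, only two attributes each.
RECORDS: List[Dict[str, str]] = [
    {"hair_colour": "brown", "suburb": "Paddington"},
    {"hair_colour": "brown", "suburb": "Paddington"},
    {"hair_colour": "brown", "suburb": "Paddington"},
    {"hair_colour": "black", "suburb": "Newtown"},
    {"hair_colour": "black", "suburb": "Newtown"},
    {"hair_colour": "blue", "suburb": "Newtown"},    # uncommon hue: unique in the set
    {"hair_colour": "blonde", "suburb": "Toowong"},
    {"hair_colour": "blonde", "suburb": "Toowong"},
]


def equivalence_classes(records: Sequence[Dict[str, str]],
                        quasi_identifiers: Sequence[str]) -> Counter:
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def k_anonymity(records: Sequence[Dict[str, str]],
                quasi_identifiers: Sequence[str]) -> int:
    """Size of the smallest equivalence class. k = 1 means someone is singled out."""
    classes = equivalence_classes(records, quasi_identifiers)
    return min(classes.values()) if classes else 0


def singled_out(records: Sequence[Dict[str, str]],
                quasi_identifiers: Sequence[str], k: int = 2) -> List[int]:
    """Indices of records whose quasi-identifier combination occurs fewer than k times."""
    classes = equivalence_classes(records, quasi_identifiers)
    return [i for i, r in enumerate(records)
            if classes[tuple(r[q] for q in quasi_identifiers)] < k]


if __name__ == "__main__":
    qis = ("hair_colour", "suburb")
    print("k over (hair_colour, suburb):", k_anonymity(RECORDS, qis))
    print("records singled out:", singled_out(RECORDS, qis))
    # Suppressing the rare attribute raises k: suburb alone is shared by at least two people.
    print("k over (suburb,):", k_anonymity(RECORDS, ("suburb",)))
```

Run against a real extract, the `singled_out` list is what a reviewer would inspect before deciding the data is not personal information; a k of 1 on any plausible combination of attributes is the signal that the dataset has not been de-identified, whatever its column names suggest.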
MYTH: Privacy Principles Do Not Apply to Publicly Available Information
If personal information is publicly available (for example, on your public social media profile or in a published court decision), the Australian Privacy Principles still cover it.
MYTH: Mainstream Websites are Always Safe
Many individuals get lax with security and privacy on mainstream websites. We’re seeing this play out currently with ChatGPT, which has been fed immense amounts of personal information as well as confidential corporate information.
Sharing personal information with ChatGPT is as simple as forgetting to redact the address when you ask it to proofread a letter you’re about to send out.
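The proofreading scenario has a simple technical control: scan the text for personal information before it leaves the organisation, and either redact it or refuse to submit. The script below is an added example, not code from the original post or from Privacy 108 or OpenAI; the letter is constructed, the patterns are heuristics for Australian phone numbers, email addresses and street addresses, and the function names are this example’s own.

```python
"""Added example: pre-submission PII guard for text sent to third-party services.

Constructed letter and heuristic patterns. Regular expressions catch the obvious
cases (address, email, phone) and miss others (a person's name in the salutation
is not caught here), so this is a guard rail, not a guarantee of de-identification.
"""
import re
from typing import Dict, List, Pattern, Tuple

# Heuristic patterns (constructed for this example; tuned for Australian formats).
PII_PATTERNS: Dict[str, Pattern] = {
    "address": re.compile(
        r"\b\d{1,5}[A-Za-z]?\s+[A-Z][a-z]+(?:\s+[A-Z][a-z]+)*\s+"
        r"(?:Street|St|Road|Rd|Avenue|Ave|Lane|Ln|Drive|Dr|Court|Ct|Place|Pl)\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    # Leading 0 or +61 followed by nine digits, with optional spaces or hyphens.
    "phone": re.compile(r"(?:\+61|0)(?:[ -]?\d){9}"),
}

# Constructed sample letter a staff member might paste in for proofreading.
LETTER = (
    "Dear Ms Nguyen,\n\n"
    "Thank you for your enquiry. Please send the signed form to 12 Wattle Street, "
    "Paddington or email it to j.nguyen@example.com. You can reach me on 0412 345 678.\n\n"
    "Regards"
)


def find_pii(text: str) -> List[Tuple[str, str]]:
    """Return (kind, matched_text) for every pattern hit, grouped by kind."""
    hits: List[Tuple[str, str]] = []
    for kind, pattern in PII_PATTERNS.items():
        hits.extend((kind, m.group(0)) for m in pattern.finditer(text))
    return hits


def redact(text: str) -> str:
    """Replace each hit with a labelled placeholder so the text stays readable."""
    for kind, pattern in PII_PATTERNS.items():
        text = pattern.sub(f"[{kind.upper()} REDACTED]", text)
    return text


def safe_to_submit(text: str) -> bool:
    """True only when no pattern fires; use as a gate before calling an external API."""
    return not find_pii(text)


if __name__ == "__main__":
    for kind, value in find_pii(LETTER):
        print(f"found {kind}: {value}")
    cleaned = redact(LETTER)
    print("safe to submit original:", safe_to_submit(LETTER))
    print("safe to submit redacted:", safe_to_submit(cleaned))
    print(cleaned)
```

Placing `safe_to_submit` in front of the call to an external service turns the proofreading mistake from something that depends on every staff member remembering to redact into something the tooling refuses by default; the placeholder labels also make it obvious to the reader what was removed, so the proofread result is still useful once the real values are restored locally.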
“Can you delete specific prompts?
No, we are not able to delete specific prompts from your history. Please don’t share any sensitive information in your conversations.” – OpenAI’s FAQs about ChatGPT
Evidently, it’s important to do your own due diligence about the privacy practices of the websites and platforms your team uses. Don’t rely on the fact that ‘everyone else is using it’ to inform your own decision-making.
MYTH: Security and Privacy are the Same Thing.
Data security and data privacy are essential elements of risk management for organisations – but they are not the same thing.
A common example that illustrates the difference is Google’s Gmail product. The Gmail product itself has not been breached (individual accounts are sometimes accessed without authorisation, but that is an account breach, not a breach of the Gmail product). This means the data security of Gmail has (so far) been maintained.
However, that’s not to say the data is private. Google processes personal information collected via the Gmail product and uses it to market to its users.
Get Back to Basics with Privacy 108
If you’re unsure whether your organisation has implemented the privacy basics, it’s time to get back on track. Use our Privacy Compliance Tool or reach out for a free consultation.