Information Privacy Principles & Legislation

1. Information Privacy Principles

2. Australian Privacy Act

3. European Union General Data Protection Regulation (GDPR)

1. Information Privacy Principles

Research Platform providers are required to collect and handle personal information in accordance with the 10 Information Privacy Principles (IPPs):

Collection - Information must only be collected by lawful and fair means and not in an unreasonably intrusive way. Individuals must be provided with a notice at the time of collection that includes information such as the purpose of collection and how they can access the information. This is usually done by providing a Privacy Collection Statement.

Use and Disclosure - Personal information may only be used or disclosed for the primary purpose for which it was collected, for a secondary purpose that the individual would reasonably expect, with the individual's consent, or in other limited circumstances. The law allows some use and disclosure without consent for purposes such as law enforcement or protecting safety.

Data Quality - Reasonable steps are to be taken to keep personal information accurate, complete and up to date.

Data Security - Reasonable steps are to be taken to protect personal information from misuse, loss, and unauthorised access, modification or disclosure. Reasonable steps are also to be taken to destroy or permanently de-identify personal information when it is no longer needed.

Openness - The Research Platform provider must have clearly expressed policies on the management of personal information, and make them available on request.

Access - Individuals have a right to seek access to, and correction of, any personal information held about them. Exemptions exist, for example where disclosure might threaten someone's safety.

Unique identifiers - Research Platform providers may only assign a unique identifier to an individual if this is reasonably necessary for the research to function efficiently.

Anonymity - Where lawful and practicable, Research Platform providers must give individuals the option of remaining anonymous.

Transborder Data Flows - When personal information is transferred outside the local state or territory, the Research Platform provider must take steps to ensure that the privacy protection travels with the information.

Sensitive Information - This includes racial or ethnic origin, political opinions and membership of political associations, religious or philosophical beliefs, membership of professional or trade associations or trade unions, sexual preferences or practices, and criminal record. The law places special restrictions on the collection, use and disclosure of sensitive information.

2. Australian Privacy Act

The Privacy Act 1988 (Cth) regulates the way individuals' personal information is handled. It includes 13 Australian Privacy Principles (APPs), which set out how APP entities must collect, hold, use, disclose and manage personal information. Research Platform providers will often have to comply with state or territory health records and privacy legislation as well as the Commonwealth legislation. For further information, please see the Australian Privacy Principles Guidelines published by the Office of the Australian Information Commissioner (OAIC).

3. European Union GDPR

The European Union General Data Protection Regulation (the GDPR) contains data protection requirements that apply from 25 May 2018. Australian businesses of any size may need to comply if they have an establishment in the EU, if they offer goods or services to individuals in the EU, or if they monitor the behaviour of individuals in the EU. Australian businesses should determine whether they need to comply with the GDPR and, if so, take steps to ensure that their personal data handling practices comply with it.