Privacy Laws

Question 1

What is the purpose of privacy laws?

Answer 1

To safeguard personal or sensitive information stored by organisations about people.

Question 2

List some items that would be classified as personal information.

Answer 2

Name, address, age, sex, shopping habits, personal opinions, living arrangements, partners, children etc.

Question 3

What is not classified as personal information in business?

Answer 3

Records held by an employer about an employee, including health information.

Question 4

List some items that would be classified as sensitive information.

Answer 4

racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a trade union, sexual preferences or practices, criminal record.

Question 5

List some items that would be classified as medical information.

Answer 5

medical history, current medical condition and treatments, dental records, genetic information, notes and opinions of health service provider (e.g. doctor, psychiatrist).

Question 6

What is the year in which the Federal Privacy Act was legislated?

Answer 6

1988

Question 7

Who is subject to the Federal Privacy Act of 1988?

Answer 7

Any federal government department
Any private organisation which:
• Turns over $3 million or more annually, or
• Profits from trading in personal information, or
• Holds health information about people (not including employees)

Question 8

What forms the basis of the rules of the Privacy Act?

Answer 8

The Information Privacy Principles (IPPs)

Question 9

List the ten IPPs.

Answer 9

1) Collection
2) Use and disclosure
3) Data quality
4) Data security
5) Openness
6) Access and correction
7) Identifiers
8) Anonymity
9) Transborder data flow
10) Sensitive information

Question 10

Describe the IPP of Collection.

Answer 10

Organisations should only collect personal information that is necessary for one or more of its functions and activities.

Question 11

Describe the IPP of Use and Disclosure.

Answer 11

An organisation must not use or disclose information about an individual for any other purpose (a secondary purpose) other than the purpose for which the information was collected, except in a number of exceptions specified in the Act.

Question 12

Describe the IPP of Data Quality.

Answer 12

An organisation must take reasonable steps to ensure that the personal information it collects, uses or discloses is accurate, complete and up to date.

Question 13

Describe the IPP of Data Security.

Answer 13

An organisation must take reasonable steps to ensure that the personal information that it collects is protected from misuse such as unauthorised access, modification or disclosure, or loss.

Question 14

Describe the IPP of Openness.

Answer 14

An organisation must set out in a document a clearly expressed policy on its management of personal information and make this document available to anyone who asks for it.

Question 15

Describe the IPP of Access and Correction.

Answer 15

If an organisation holds personal information about an individual, it must provide the individual with access to the information on request by the individual.

Question 16

Describe the IPP of Identifiers.

Answer 16

An organisation cannot use the same identifier that another organisation uses to identify an individual (e.g. Tax File Number, Medicare number.) They must create their own idenifier (e.g. account number, user ID)

Question 17

Describe the IPP of Anonymity.

Answer 17

Where it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.

Question 18

Describe the IPP of Transborder data flow.

Answer 18

An organisation in Australia or an external Territory may not transfer personal information about an individual to someone (other than the organisation or the individual) who is in a foreign country without the consent of the individual.

Question 19

Describe the IPP of Sensitive Information.

Answer 19

An organisation must not collect sensitive information about an individual unless the individual has consented, or law requires the collection.

Question 20

What is the year in which the Information Privacy Act (Vic) was legislated?

Answer 20

2000

Question 21

What is the purpose of the Information Privacy Act 2000 (Vic)?

Answer 21

To establish a regime for the responsible collection and handling of personal information in the Victorian public service sector (i.e. government departments).

Question 22

What does the Information Privacy Act 2000 (Vic) cover and to whom does it apply?

Answer 22

The Act covers all personal information that identifies or could be used to identify an individual other than health information. It applies to the Victorian public service sector and also to organisations providing services funded by government departments.

Question 23

What is the year in which the Health Records Act (Vic) was legislated?

Answer 23

2001

Question 24

What is the purpose of the Health Records Act 2001 (Vic)?

Answer 24

It establishes privacy standards for the handling of all health information and the operation of all health services: health, mental health, disability, aged care or palliative care services.
It gives individuals a conditional right of access to their own health information held in the private sector.

Question 25

To whom does the Health Records Act 2001 (Vic) apply?

Answer 25

It applies to all Victorian businesses (profit and non-profit, public and private sector) and everyone handling health information. However, de-identified health information can be used for planning and research.

Question 26

What is de-identified information?

Answer 26

Information that cannot be linked to a particular individual.