Privacy Awareness Week 2021 – Access to your Personal Information
With Privacy Awareness Week (PAW) upon us once more (3-9 May 2021), we are reminded of the importance of protecting personal information online. If we don’t practise due diligence to protect our personal information, we may be sharing more than we intend to. Whether through work, study or social activities, our contact details, financial data, and sensitive information can be shared in unexpected ways, leaving us vulnerable to data breaches and fraud.
As a small business, it’s vital to be aware of the Australian Privacy Principles (APPs) and to understand how to navigate the privacy landscape. While the APPs are publicly available, without a dedicated Privacy Officer on hand they can be complicated to fully understand. To help simplify things, InfoTrust will be taking a look at APP 12 – Access to Personal Information and the key things you need to know.
What is APP 12?
APP 12 sets out an entity’s obligation to give an individual access to the personal information it holds about them, how that access is to be given, and the grounds on which access can be refused.
While not all small businesses come under the Privacy Act, many do. The APPs apply to organisations with an annual turnover of more than $3 million, and also to some smaller businesses regardless of turnover, for example health service providers and businesses that trade in personal information.
In relation to government agencies, APP 12 works alongside the right of access as specified in the Freedom of Information (FOI) Act 1982. The FOI Act gives you the right to request access to government-held information. This includes information they hold about you or about government policies and decisions.
What are the requirements of APP 12?
APP 12 requires an entity that holds personal information about an individual to give that individual access to the information on request. It sets out the requirements in the following areas:
- Verification of the individual requesting the information
- Giving access
- Refusing access
- The time period for responding to requests
- How access is to be given
- Access charges
- The need to give written notice when access is refused
The grounds for access differ in relation to agencies and organisations.
How to Verify an Individual’s Identity
Before providing information to someone under APP 12, it’s vital to ensure that they are indeed who they claim to be and that they are authorised to access the information in question.
The steps for verifying an individual’s identity will vary depending on the circumstances in question. In the event that the individual is already known or readily identifiable to the entity, a minimal amount of information will need to be sought. If an entity needs to collect information to verify an individual’s identity, they should then take reasonable steps to destroy it once no longer required for the purpose of identification.
Giving Access to Personal Information
Personal information is valuable and worth protecting. If your business holds personal information about an individual and that individual requests access, you are generally required to provide it. However, it is vital that you verify the individual’s identity and that you are aware of the grounds on which access should be refused. Publishing your access procedure, or a request form, makes it easier for individuals to make a valid request and easier for you to handle it consistently.
Refusing Access to Personal Information
APP 12 sets out several grounds on which an organisation can refuse to give access to personal information. Organisations should always endeavour to provide access, but among the grounds APP 12 allows, access may be refused where giving it would:
- Pose a serious threat to the life, health or safety of an individual, or to public health or safety
- Have an unreasonable impact on the privacy of other individuals
- Relate to existing or anticipated legal proceedings between the organisation and the individual, where the information would not be accessible through discovery
- Be unlawful
- Conflict with a denial of access that is required or authorised by Australian law
- Prejudice action being taken in relation to suspected unlawful activity or serious misconduct
- Prejudice enforcement-related activities conducted by an enforcement body
For agencies, there are several grounds under the FOI Act on which access to a document can be refused, including:
- A document is exempt due to legal proceedings or secrecy provisions
- A document is conditionally exempt as it would involve the disclosure of personal information about another person and would be contrary to public interest
- The document is available for purchase
- Providing access would substantially divert agency resources
- Processing the request would force the agency to disclose the existence of a document that includes exempt information
Requirements for Accessing Personal Information
To access your personal information, first contact the organisation or agency that holds it. You may well be asked to put the request in writing and to provide information that identifies you. You can also specify how you would like to receive the information, for example by email, by post or over the phone; the entity must give access in the manner you request where that is reasonable and practicable.

An organisation must respond to a request, either giving or refusing access, within a reasonable period after the request is made; an agency must respond within 30 days. An organisation must not charge you for making the request. It may charge for giving access, for example where there is a significant cost in searching for the information, reproducing it or delivering it, but any charge must not be excessive. Organisations should be upfront about any associated costs and should work with you to minimise them. Agencies are not permitted to charge for giving access at all.

Where a decision is made to refuse access, the entity must give you written notice setting out the reasons for the refusal (except to the extent that it would be unreasonable to do so) and the mechanisms available to complain about the refusal.