It is no secret that the Australian Privacy Principles (APP), found in Schedule 1 of the Privacy Act 1988 (Cth), impose restrictions on organisations and individuals, such as strata managers, in relation to the collection, use and disclosure of personal information. In compliance with APP 1, most strata managers now have updated privacy policies easily accessible on their websites. The APP also govern the security and storage of personal information, as emphasised by the recent case of Pound Road Medical Centre: Own motion investigation report [2014] AICmrCN 4 (PRMC). Here are three lessons for strata managers in maintaining compliance with the APP.
Lesson One: Keep it Secret, Keep it Safe
APP 11 deals with the security of personal information, with APP 11.1 requiring information to be kept safe from misuse, interference and loss, and also from unauthorised access, modification or disclosure. In PRMC, the Commissioner found that keeping medical records locked in a garden shed did not constitute compliance with the terms of APP 11.1 (then National Privacy Principle (NPP) 4.1).
Strata managers should ensure all records, both physical and electronic, are properly secured and protected from unauthorised access and interference.
Lesson Two: Knowing When (and How) to Let Go
APP 11.2 stipulates that any personal information that is no longer needed and is not required to be retained by law must be destroyed or appropriately de-identified. In PRMC, the Commissioner found that storage of records that were 10 years old was in breach of the requirement to destroy or de-identify the personal information contained in those records.
Strata managers should ensure that any personal information retained is current and relevant. Any personal information that is no longer required (such as the names and contact details of ex-owners) should be destroyed.
Lesson Three: Comply with Your Own Procedures
Whilst the Commissioner was satisfied that PRMC had established procedures governing the storage, review and destruction of documents containing personal information, the Commissioner also found that PRMC had ignored its own procedures, and that this constituted a failure to take “reasonable steps” (as required in the equivalent of APP 11.2) to destroy the information or ensure it was de-identified.
Strata managers should ensure that relevant policies are in place to guarantee the regular review of documentation containing personal information, and that procedures are established – and followed – for the destruction or de-identification of personal information.
To discuss APP compliance in the strata context, please contact Allison Benson.