We are seeing a significant (and welcome) increase in the number of (i) diversity and inclusivity programs and (ii) programs addressing domestic and family abuse being implemented across all sectors, both customer and internally (i.e. staff) facing, seeking to “do good” (or, at least, much better) in these areas. However, many of these well-intentioned programs may actually end up doing significant harm, from a privacy point of view, to both the individuals involved and the organisation concerned. The same goes for mandatory vaccination programs.
In the rush to implement these commendable programs many organisations often give little, if any, consideration to privacy law requirements. While clearly not the intention, the failure to embed privacy requirements/considerations from conception (ie ‘privacy by design’) may both land your organisation on the 'front page' for breaches of privacy and exacerbate an already fraught situation for an individual, when all you were trying to do was good.
These programs usually involve collecting some of the most sensitive and confidential information about an individual, and extreme care must therefore be taken in developing these programs, whether customer or internal facing, to ensure that privacy by design (and default) happens from the conception of these programs. There is also a tendency, by those who wish to use a data-driven approach to designing and implementing these programs, to collect additional statistical data in the vein of “know your enemy”. That is, well-meaning HR professionals will seek to collect as much information as possible to better understand the domestic and family abuse problem they are seeking to address.
Where any “sensitive information” is to be collected, used and/or disclosed by the organisation (as is likely) you must ensure that:
You must also consider the minimisation principle and always ask if there is a less intrusive way of achieving (ie collecting less sensitive/personal information to achieve) the goals of the program. Even though it might be easier for the program to collect and use sensitive information and the individual has consented to this, this does not mean that Australian privacy law permits such collection. The collection of that sensitive information must be reasonably necessary for that purpose (ie the program) and there must be no other (ie less intrusive) reasonable way to achieve the same purpose. There is an onus on the organisation to not simply take the first ‘collection heavy’ option they come up with but to consider alternative and innovative ways to meet the program’s objectives with a more limited (or no) collection, use and/or disclosure of sensitive information being required.
Even if you get over these hurdles and have a privacy by design and by default program, there will still be some very sensitive information (both as defined under the Privacy Act and as considered by the individual) being collected, used, stored and disclosed by the organisation as a result of these programs. As a legal requirement of APP 11.2 and, generally, to satisfy the individual’s concerns and fears, significant security measures must be taken to protect this information, likely additional to the existing measures the organisation currently applies to general business or employee information. That is, to meet legal requirements and minimise the chance that these programs may do privacy harm, the organisation must:
(i) limit access to the sensitive information to only those in the organisation who absolutely need the information to perform their functions;
(ii) ensure those persons are very well trained to understand their obligations as regards such information;
(iii) ensure best practice information/cyber security measures are implemented in order to minimise the likelihood of unauthorised access to, misuse of or loss of this data or, in the worst-case scenario, a perpetrator obtaining the new address details of their victim; and
(iv) as regards this information, implement a bespoke data breach response plan and processes to deal with any data breaches that may occur despite (iii) above.
Also, being a “consent” based collection, use and disclosure of that information, the individual may at any time withdraw their consent to the organisation using or disclosing (and any further collection of) their sensitive information. That is, they may require you to stop using/disclosing (and likely delete) their sensitive information that you hold. You must act on such withdrawal of consent immediately and fully implement that withdrawal of consent (ie stop using and delete the information) as soon as practicable, but likely no later than 5 business days after the withdrawal notification or the ceasing of employment with the organisation. In order to meet this legal requirement the organisation must therefore have appropriate procedures and mechanisms in place to receive and implement the withdrawal of consent and such procedures and mechanisms must be straightforward and easy to use.
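The access, minimisation and consent-withdrawal controls described above can be made concrete in code. The following Python register is an added illustration written for this page, not code from the article or from Clyde & Co, and every role name, field name, date and sample record in it is a constructed assumption. It keeps only the fields reasonably necessary for the program at collection time, enforces least-privilege reads per role, logs every access and refusal, and on withdrawal of consent stops all use immediately and schedules deletion within the 5-business-day limit the article describes, with a check that flags any record still held after that deadline.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed assumption: each role may read only the fields its function needs.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "case_worker": {"new_address", "support_notes"},
    "payroll": {"new_address"},  # e.g. to redirect a payslip, nothing more
}
WITHDRAWAL_DEADLINE_BUSINESS_DAYS = 5  # outer limit stated in the text above


def add_business_days(start: date, n: int) -> date:
    """Date n Monday-to-Friday days after start (public holidays ignored)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


@dataclass
class SensitiveRecord:
    subject_id: str
    fields: Dict[str, str]
    consent_active: bool = True
    delete_by: Optional[date] = None


@dataclass
class SensitiveRegister:
    records: Dict[str, SensitiveRecord] = field(default_factory=dict)
    audit_log: List[Tuple] = field(default_factory=list)

    def collect(self, subject_id: str, necessary: Set[str], data: Dict[str, str]) -> List[str]:
        """Minimisation: store only necessary fields; return the names that were dropped."""
        kept = {k: v for k, v in data.items() if k in necessary}
        dropped = sorted(set(data) - necessary)
        self.records[subject_id] = SensitiveRecord(subject_id, kept)
        self.audit_log.append(("collect", subject_id, sorted(kept), dropped))
        return dropped

    def read(self, actor_role: str, subject_id: str, field_name: str) -> str:
        """Least-privilege read: role must need the field and consent must still stand."""
        rec = self.records[subject_id]
        if not rec.consent_active:
            self.audit_log.append(("denied", actor_role, subject_id, field_name, "withdrawn"))
            raise PermissionError("consent withdrawn")
        if field_name not in ROLE_FIELDS.get(actor_role, set()):
            self.audit_log.append(("denied", actor_role, subject_id, field_name, "role"))
            raise PermissionError(f"{actor_role} may not read {field_name}")
        self.audit_log.append(("read", actor_role, subject_id, field_name))
        return rec.fields[field_name]

    def withdraw_consent(self, subject_id: str, today: date) -> date:
        """Stop all use now; deletion is due within the business-day limit."""
        rec = self.records[subject_id]
        rec.consent_active = False
        rec.delete_by = add_business_days(today, WITHDRAWAL_DEADLINE_BUSINESS_DAYS)
        self.audit_log.append(("withdraw", subject_id, rec.delete_by.isoformat()))
        return rec.delete_by

    def purge_due(self, today: date) -> List[str]:
        """Delete withdrawn records whose deadline has arrived; return their ids."""
        due = [s for s, r in self.records.items()
               if not r.consent_active and r.delete_by and r.delete_by <= today]
        for s in due:
            del self.records[s]
            self.audit_log.append(("deleted", s, today.isoformat()))
        return due

    def overdue(self, today: date) -> List[str]:
        """Withdrawn records still held past their deadline: escalate as a compliance failure."""
        return [s for s, r in self.records.items()
                if not r.consent_active and r.delete_by and r.delete_by < today]


def run_demo() -> Dict[str, object]:
    """Walk one constructed record through collection, access, withdrawal and deletion."""
    reg = SensitiveRegister()
    dropped = reg.collect("emp-001", {"new_address", "support_notes"}, {
        "new_address": "12 Example St", "support_notes": "leave approved",
        "perpetrator_name": "(not needed)", "incident_history": "(not needed)"})
    seen = reg.read("payroll", "emp-001", "new_address")
    try:
        reg.read("payroll", "emp-001", "support_notes")
        notes_denied = False
    except PermissionError:
        notes_denied = True
    deadline = reg.withdraw_consent("emp-001", date(2024, 3, 1))  # a Friday
    try:
        reg.read("case_worker", "emp-001", "new_address")
        post_withdrawal_denied = False
    except PermissionError:
        post_withdrawal_denied = True
    return {"dropped": dropped, "payroll_saw": seen, "payroll_notes_denied": notes_denied,
            "deadline": deadline.isoformat(), "post_withdrawal_denied": post_withdrawal_denied,
            "overdue_before_deadline": reg.overdue(date(2024, 3, 7)),
            "overdue_if_purge_missed": reg.overdue(date(2024, 3, 11)),
            "purged": reg.purge_due(date(2024, 3, 11)), "still_held": sorted(reg.records)}
```

In the walkthrough the two “know your enemy” fields never enter the register, payroll can see the redirect address but not the support notes, no role can read anything once consent is withdrawn, and a record still present after its deadline is surfaced by `overdue()` rather than silently retained. In a real deployment the register would sit behind the organisation’s existing authentication, the audit log would feed the breach response process in point (iv), and the business-day calculation would account for public holidays.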
While there is a lot more at play here than simply privacy, considering privacy requirements and making these programs privacy centric from the beginning (or by design) will significantly assist these programs to achieve their worthy goals without incidentally or accidentally “doing harm” to the privacy of the individuals they are aimed at helping.
At Clyde & Co we have assisted numerous clients (HR, D&I and compliance teams) with these and similar programs to ensure that privacy (and workplace) law requirements are built into these programs from conception to minimise both (i) the potential privacy harm to the individuals and (ii) having to “retrofit” privacy solutions into the programs in the future, after say a complaint to the Privacy Commissioner, which is a very costly exercise.
Please do not hesitate to reach out if you would like to discuss an evaluation of your current collection practices, of retention periods or access controls, in order to build privacy into your programs or if we can assist with any other privacy issues you are facing.