privacy and you

X11 / 50 / 50

Privacy and YouPrivacy and You

X22 / 50 / 50

How to use this programHow to use this program

This training program has been designed to give you the fundamental principles of the laws governing privacy, our obligations and your responsibilities.

To navigate this program use the buttons in the bottom right hand corner of the screen.

X

To move forwardTo move forward

To move backTo move back

To return to the beginningTo return to the beginning

To exitTo exit

X33 / 50 / 50

Why this training is important …Why this training is important …

This program will take approximately 30 minutes to complete.

At the end of this program you will be asked to complete an assessment.

The assessment will consist of 10 questions. You can refer to the content of this program to assist with your answers.

When you have completed this program ask your leader to debrief with you.

X44 / 50 / 50

What you will learnWhat you will learn

This program consists of 6 modules:

1. Background to AUSTRALIAN PRIVACY ACT 1988

2. NATIONAL PRIVACY PRINCIPLES

3. The Office of the PRIVACY COMMISSIONER

4. Completing a CUSTOMER REQUEST

5. Case Studies

6. Summary

X55 / 50 / 50

Module OneModule One

Australian Privacy ActAustralian Privacy ActBackgroundBackground

X66 / 50 / 50

Definition of personal informationDefinition of personal information

Before we look at the Privacy Act and National Privacy Principles we need to understand what the definition of personal information is.

Personal information is information or an opinion whether true or not, and whether recorded in a material form or not, about an individual whose

identity is apparent, or can reasonably be ascertained, from the information or opinion.

X77 / 50 / 50

Background to the PrivacyBackground to the Privacy ActAct 19881988

The Privacy Act was passed by the Australian Federal Parliament at

the end of 1988. The Act gave effect to Australia's agreement to

implement Guidelines adopted in 1980 by the Organisation for

Economic Cooperation and Development (OECD) for the Protection of

Privacy and Transborder Flows of Personal Data.

It also fulfils its obligations under Article 17 of the International

Covenant on Civil and Political Rights.

X88 / 50 / 50


Government sector

The Act had two objectives:

1. The protection of personal information in the possession of federal government departments and agencies

2. To provide safeguards for the collection and use of tax file numbers

X99 / 50 / 50


In May 1989 following public controversy over the credit industry's intention to introduce a system of routine monitoring of consumers' management of their loans, the federal government announced its intention to regulate credit reporting practices by amending the Privacy Act.

These amendments, which received Royal Assent on 24 December 1990, are contained in Part IIIA of the Privacy Act 1988. The amendments included section 18A(1) which required the Privacy Commissioner to issue a Code of Conduct on credit reporting.

X1010 / 50 / 50


Private sector

In December 2000, the Privacy Amendment (Private Sector) Act 2000

(the Amendment Act) was passed by Federal Parliament. It covered

most private sector organisations.

The new scheme came into effect for most organisations covered by

the Privacy Act on 21 December 2001.

X1111 / 50 / 50


The NATIONAL PRIVACY PRINCIPLESNATIONAL PRIVACY PRINCIPLES (NPPs) in the Privacy Act set out how private sector organisations should:

collect use keep secure and disclose

personal informationpersonal information.

The principles give individuals a right to know what information an organisation holds about them and a right to correct that information if it is wrong.

X1212 / 50 / 50

An individual can now:An individual can now:

1. know why their personal information is being collected and how it will be used

2. ask for access to their records, including their health information

3. take up opportunities to stop receiving direct marketing material (opt-out)

4. correct inaccurate information about themselves5. know which organisations will be given their personal

information 6. ensure organisations only use their information for purposes

they have told you about7. find out what information an organisation holds on them and

how they manage it

X1313 / 50 / 50

Module TwoModule Two

National Privacy PrinciplesNational Privacy PrinciplesNPPNPP

X1414 / 50 / 50

National Privacy PrinciplesNational Privacy Principles

There are TEN National Privacy Principles relating to personal information:

1. Collection2. Use & Disclosure3. Data Quality4. Data Security5. Openness6. Access & Correction7. Identifiers8. Anonymity9. Transborder Data Flows10. Sensitive Information

X1515 / 50 / 50

NPP 1 - CollectionNPP 1 - Collection

Collection of personal information must be fair, lawful, and not intrusive.

A person must be told:

the organisation’s name that is collecting or will hold the information

the purpose of the information collection that they can get access to their information what happens if they do not provide the information.

X1616 / 50 / 50

NPP 2 - Use & DisclosureNPP 2 - Use & Disclosure

An organisation should only use or disclose the information for the purpose it was collected, unless:

the person has consented to another use, or the secondary purpose is related to the primary purpose and a

person would reasonably expect such use or disclosure, or the use is for direct marketing in specified circumstances, or in circumstances related to public interest such as law

enforcement and public or individual health and safety

X1717 / 50 / 50

NPP 3 - Data QualityNPP 3 - Data Quality

An organisation must take reasonable steps to ensure that the personal information it collects, uses or discloses is accurate, complete and up to date.

Updating Change Of Address details provided by cardmembers’ in a timely manner

When you are entering file notes be sure you only state factual information. It is not appropriate to add notes of a subjective or malicious nature. (eg: “the customer was stupid”)

X1818 / 50 / 50

NPP 4 - Data SecurityNPP 4 - Data Security

An organisation must take reasonable steps to protect the personal information it holds from misuse or loss and from unauthorised modification or disclosure.

We have various system security controls to protect our customers’ data (eg: secure logins to various systems)

We must ensure that any printouts with cardmember information are either filed or destroyed after use.

X1919 / 50 / 50

NPP 5 - OpennessNPP 5 - Openness

An organisation must have a policy document outlining its information handling practices and make this available to anyone who requests it.

The Boston Group has a Privacy Policy statement which can be obtained from management at any time.

X2020 / 50 / 50

NPP 5 - OpennessNPP 5 - Openness

Our policy covers:

Our commitment to card members privacy Types of personal information we collect Why we collect personal information How we collect personal information How we store personal information When we may disclose card members personal information Accessing personal information

X2121 / 50 / 50

NPP 6 - Access & CorrectionNPP 6 - Access & Correction

Generally speaking, an organisation must give an individual access to personal information it holds about that individual, on request.

There are exceptions:

it would be unlawful to provide the information it would pose a serious and imminent threat to the life or health of any

individual it would have an unreasonable impact upon the privacy of other

individuals or the request is frivolous or vexatious.

X2222 / 50 / 50

NPP 7 - IdentifiersNPP 7 - Identifiers

Generally speaking an organisation must not use or disclose an identifier that has been assigned by an Australian government ‘agency’.

An identifier is any piece of information that we hold on a cardmember that could possible lead to their being identified. (i.e. Tax file number, Medicare Number)

X2323 / 50 / 50

NPP 8 - AnonymityNPP 8 - Anonymity

Organisations must give individuals the option to interact anonymously whenever it is lawful and practicable to do.

In complying with the National Privacy Principles American Express will allow its cardmembers and clients to interact anonymously wherever it is lawful and practical to do so.

You must always follow the established ID procedures when speaking with card members.

X2424 / 50 / 50

NPP 9 - Transborder Data FlowsNPP 9 - Transborder Data Flows

An organisation in Australia must take steps to protect an individual's privacy if personal information is sent outside Australia. Information may only be transferred if:

the organisation reasonably believes a law, binding scheme or contract applies at the destination which effectively delivers privacy standards substantially similar to the NPPs

the individual consents to the transfer the transfer is for the benefit of the individual and it's impracticable to

obtain consent, but it's likely consent would have been given the organisation has taken reasonable steps to ensure the information

won't be held, used or disclosed by its recipient inconsistently with the NPPs

X2525 / 50 / 50

NPP 10 - Sensitive InformationNPP 10 - Sensitive Information

Generally, an organisation is not allowed to collect sensitive information from an individual unless:

the individual has consented collection is required or authorised by law the information is required to establish or defend a legal or equitable

claim the individual is incapable of consenting and the information is

needed because of a serious and imminent threat to the life or health of the individual

Examples of sensitive information include: religious beliefs, ethnic origin,Political and trade union affiliation.

X2626 / 50 / 50

Module ThreeModule Three

The Office of the PRIVACY The Office of the PRIVACY COMMISSIONERCOMMISSIONER

X2727 / 50 / 50

Office of the Privacy CommissionerOffice of the Privacy Commissioner

Individuals can complain if there has been an ‘interference’ with their privacy.

An Organisation must have been given a chance by the individual to resolve the complaint. If still unresolved, the Office of Privacy Commissioner will work with both parties conciliate the complaint.

If still unresolved, the Commissioner will make a formal determination.

X2828 / 50 / 50

Tax File NumbersTax File Numbers

Tax file numbers (TFNs) are unique numbers issued by the

Australian Taxation Office (ATO) to identify individuals,

companies and others who lodge income tax returns with

the ATO.

Individuals who do not quote their TFN to employers and

financial institutions have tax deducted from their income

or interest payments at the highest marginal rate.

Quotation of TFNs is also a condition of receipt of most

Commonwealth government assistance payments.

X2929 / 50 / 50

Tax File NumbersTax File Numbers

The Tax File Number Guidelines issued under s.17 of the Privacy Act 1988 protect the privacy of natural persons by regulating the collection, storage, use and security of tax file number information. The Guidelines do not protect tax file number information relating to entities such as corporations, partnerships, superannuation funds and trusts.

The Guidelines are legally binding. A breach amounts to an interference with the privacy of an individual, who may complain to the Federal Privacy Commissioner and where appropriate, seek compensation.

X3030 / 50 / 50

Module FourModule Four

Debtor RequestsDebtor Requests

X3131 / 50 / 50

What should I do if I receive a request?What should I do if I receive a request?

Under the provision of NPP 6 – Access & Correction to Personal Information a customer may make a request for their personal information held by Boston.

You should determine from the debtor if they want access to any specific information or all the information we hold.

EG: 12 months of payment history, information about a dispute etc

X3232 / 50 / 50

Details of the Request Details of the Request

The following details should be collected from the debtor:

Name Address Reference/Account/Card Number Contact Details Request details (ie: what information does the customer want to

see)

Once you have collected the information pass it onto your team leader for action.

X3333 / 50 / 50

Compliance ContactsCompliance Contacts

If you need to speak to a someone about this contact:

Louise Taylor Group General Manager, Boston Corporate Holdings Pty Ltd

OR

Brad Gower Solicitor, Insight Litigation & Legal Services Pty Ltd

X3434 / 50 / 50

Module FiveModule Five

SummarySummary

X3535 / 50 / 50

Privacy Responsibilities Privacy Responsibilities

Why protect personal information?

Information is a valuable asset, especially given developments in eCommerce and the drive towards a global economy.

There are real concerns about how information is used and shared. These concerns are even stronger where the information is sensitive or very personal.

We must balance this against our need to handle and use personal information in the course of our business.

X3636 / 50 / 50

Privacy Privacy AdvantagesAdvantages

Complying with the new privacy regime comes with benefits for our business. Such as:

generating good customer or consumer relations

helping the free flow of data between organisations inside and outside Australia

providing an opportunity to review and potentially improve efficiencies in information handling procedures

effective complaints handling procedures should mean that customers who would otherwise have walked away dissatisfied are more likely to stay

X3737 / 50 / 50

SummarySummary

This program has covered:

1. Background to AUSTRALIAN PRIVACY ACT 1988

2. NATIONAL PRIVACY PRINCIPLES

3. The Office of the PRIVACY COMMISSIONER

4. Completing a CUSTOMER REQUEST

5. Case Studies

6. Summary

X3838 / 50 / 50

CongratulationsCongratulations …. …. … you have completed the Privacy program.

You will now need to complete an assessment made up of 10 questions – remember you can refer to this program to help with the answers (use ALT TAB to toggle between the Quiz and this program) You must obtain 100% to pass the assessment.

Click on the QQ button below to take you to the assessment – you will be

redirected to the QUIA assessment website. Enter your name and click the START NOW button After you have answered all the questions click the

SUBMIT ANSWERS button – your results will be displayed If you do not obtain 100% please redo the assessment Exit the QUIA website and return to this program Click on the XX button to exit.

QQ

X3939 / 50 / 50

EXIT …. EXIT ….

… you have chosen to EXIT the program!!

Are you sure you want to EXIT. If so press the ESCAPE button on your keyboard.

The ESCAPE button is located on the top left hand side of

your keyboard.

privacy and you

Documents