Checklist - Agency: preparing a public interest direction or code of practice

Updated December 2022

A checklist to assist agencies with the process of preparing a public interest direction or code of practice under the Privacy and Personal Information Protection Act 1998 and/or the Health Records Information Privacy Act 2002. This checklist outlines the preliminary steps an agency should undertake before seeking advice from the IPC.

Have you discussed the project or program with your agency’s privacy contact officer or legal unit?
Your privacy contact officer or legal unit may be able to offer you valuable insight or guidance on the privacy impacts of the project/program.

Do you have a clear understanding of how personal or health information will be collected, used, disclosed and/or accessed, and stored/retained during the project/program?








Questions to consider when designing your project/program include:

  • Will your agency collect personal or health information as part of this project/program?
  • What is the purpose of the information collection?
  • How will this information be collected – directly from an individual or from another person or agency?
  • Will your agency be using information it or another agency has already collected?
  • How does your agency intend to use the information? Is this purpose different from the purpose for which the information was originally collected?
  • Will your agency be delivering the program or will it be delivered by a non-government organisation under contract?
  • Does your agency intend to share this information with another NSW government agency, government agency in another jurisdiction or a non-government organisation? If so, in what form will the information be shared?

In considering these questions you may find it helpful to create a flow chart of how information will be used during the program.

You may also find it useful to develop a workflow showing how information will flow and to whom.

Have you considered whether a mechanism already exists to undertake the program or project?

This could include:

  • An existing legislative authority for the proposed collection, use, disclosure or access to personal or health information
  • An existing exemption under the privacy legislation
  • An exemption or modification under an existing privacy or health privacy code of practice

Have you undertaken a Privacy Impact Assessment?

A Privacy Impact Assessment (PIA) is an important part of the project design process that assists compliance with privacy obligations. A robust PIA process will assist your agency to develop a strong business case for the proposed Code of Practice or Public Interest Direction. You can find more information on undertaking a PIA here.

Has your agency developed a response to the recommendations of the PIA?




A PIA will identify potential privacy risks and make recommendations on how your agency can address these risks. The IPC recommends that agencies carefully consider the recommendations from the PIA and prepare a response outlining how the agency will mitigate the risks identified.


Drafting your Code of Practice or Public Interest Direction

The following is a suggested guide to the format and content of a Code or Direction.

Overview

Details the provision under which the Code or Direction is made.

Public Interest

Details the public interest that will be served/achieved by the making of a Code or Direction.

Interpretation/Definitions

Define any words or phrases used in the Code or Direction that may not carry the ordinary dictionary meaning or that are intended to have a particular meaning. You should include any definitions that are specific to your Code or Direction.

Scope/Information covered

Define the scope of the Code or Direction including:

  • the agencies covered by the Code or Direction,
  • the types of personal information – e.g. are there particular data sets or categories of personal information that will be covered by the Code or Direction?

Objectives/Purpose

Outline the objectives or purposes that are being achieved by the making of the Code or Direction.

Exemptions or Modification

Detail the changes being made to the Information Protection Principles (IPPs) or Health Privacy Principles (HPPs). These may include:

  • exempting an agency from compliance with one or more IPPs or HPPs in specific circumstances or for particular purposes
  • modifying the application of one or more IPPs or HPPs
  • specifying the manner in which any one or more of the IPPs or HPPs are to be applied to, or followed by, an agency.

Reporting and Auditing

The Code or Direction should indicate the processes that will be followed in the event of a breach of privacy, including specifying the process and timeframes for notifying the Privacy Commissioner.

Include any proposed mechanism for an annual report to be provided to the Privacy Commissioner in relation to:

  • disclosures of personal information made under the Code or Direction
  • any complaints received from the public
  • whether there have been any data breaches involving personal information
  • the results of any relevant audits undertaken.

In some circumstances it may be appropriate to include a clause requiring an agency to undertake an audit of compliance with the Code or Direction.

Review or Expiry

Although a Code does not have an expiry date, it should contain a clause requiring it to be reviewed after a specified period and at regular intervals thereafter.

A Direction must include an expiry date. A Direction is a short-term instrument and generally operates for a period of between 12 months and three years.

Other guidance and information on Codes and Directions
For more information

Contact the Information and Privacy Commission NSW (IPC):

Freecall: 1800 472 679
