Disclaimer: This is a sample document only provided to assist licensees with the process of informing staff of their privacy obligations under the Privacy Act 1998 (Cwlth). Note that it is the licensee's obligation under the Liquor Act 1992 to comply with their privacy obligations under the Privacy Act. Note that it may be subject to change at any time. This document and the related notes (‘ID Scanning - Privacy responsibilities for licensed venue staff: Information notes’ (PDF)) should be read in conjunction with the Privacy Act.
Networked ID scanning is an effective mechanism to support the enforcement of patron bans, helping to keep Queenslanders safe by minimising the risk of alcohol-related harm. Non-exempt licensees in safe night precincts who trade past midnight on a permanent basis are obliged to install an approved ID scanner at each entry to the licensed premises. These licensees are referred to as ‘regulated premises’ under the ID scanner scheme. This presentation explains your privacy obligations as an employee of a regulated premises. Refer to note 1, ‘ID Scanning - Privacy responsibilities for licensed venue staff: Information notes’ (PDF)
Under the Liquor Act 1992, licensees of regulated premises must comply with the privacy requirements of the Privacy Act 1988 (Cth). The privacy laws include 13 Australian Privacy Principles to safeguard and protect the handling of personal information. As an employee of a regulated premises, you have privacy obligations when operating and accessing information collected by ID scanners. Refer to note 1, ‘ID Scanning - Privacy responsibilities for licensed venue staff: Information notes’ (PDF)
Why are privacy laws important? ID scanners collect personal information from patrons. It is important that you understand your role in protecting this personal information from misuse, loss and unauthorised access. Why is privacy training important? You need to answer questions from patrons about personal information collected about them. You need to understand your obligations about protecting personal information. Refer to note 2, ‘ID Scanning - Privacy responsibilities for licensed venue staff: Information notes’ (PDF)
Australian Privacy Principles
There are 13 Australian Privacy Principles (APPs) that your venue must adhere to when collecting personal information:
• Principle 1: Open and transparent management of personal information
• Principle 3: Collection of solicited personal information
• Principle 5: Notification of the collection of personal information
• Principle 6: Use or disclosure of personal information
• Principle 7: Direct marketing
• Principle 10: Quality of personal information
• Principle 11: Security of personal information
• Principle 12: Access to personal information
• Principle 13: Correction of personal information
APPs 10, 12 and 13 are particularly important and will be explained in more detail in the following slides.
Refer to note 3, ‘ID Scanning - Privacy responsibilities for licensed venue staff: Information notes’ (PDF)
Privacy Principle 1: Open and transparent management of personal information The venue is required to manage personal information in an open and transparent way. (Venue/licensee to explain your Privacy Policy to staff including where they can find it.) (Venue/licensee to explain your Privacy Management Plan to staff including where they can find it.) Refer to note 4, ‘ID Scanning - Privacy responsibilities for licensed venue staff: Information notes’ (PDF)
Privacy Principle 3: Collection of personal and sensitive information
The personal information collected by the ID scanner is limited to:
• Name
• DOB
• Photograph
The venue is permitted to collect personal information because it relates directly to the purpose of the ID scanner scheme.
Refer to note 5, ‘ID Scanning - Privacy responsibilities for licensed venue staff: Information notes’ (PDF)
Privacy Principle 5: Notification of collection Regulated premises are required to notify patrons that approved ID scanning systems operating at the premises will collect personal information. This is to be done by displaying a Collection Notice at each public entrance to the premises. (Provide a copy of the venue collection notice including an explanation to staff that the notice will be displayed at every entrance to the premises.) Refer to note 6, ‘ID Scanning - Privacy responsibilities for licensed venue staff: Information notes’ (PDF)
Privacy Principle 6: Use or disclosure There are some situations where personal information may be disclosed for a secondary purpose. (Licensee should use examples which may relate to their premises.) (Explain what your procedure is when someone (patron, police, etc.) requests personal information.) Refer to note 7, ‘ID Scanning - Privacy responsibilities for licensed venue staff: Information notes’ (PDF)
Privacy Principle 7: Direct Marketing (only include if this applies to your venue)
If your venue decides to use personal information for other purposes, such as direct marketing, patrons need to:
• know that it is being collected for this purpose; and
• be able to correct the information and/or opt out.
Refer to note 8, ‘ID Scanning - Privacy responsibilities for licensed venue staff: Information notes’ (PDF)
Privacy Principle 10: Quality
• Licensed venues/licensees must take reasonable steps to ensure the personal information they collect, use or disclose is accurate, up-to-date, complete and relevant.
• The personal information collected must be relevant for the purpose of the use or disclosure.
Refer to note 9, ‘ID Scanning - Privacy responsibilities for licensed venue staff: Information notes’ (PDF)
Privacy Principle 11: Security
• Access to scanned data at a regulated premises is restricted.
• You are required to provide access to patron scan data if requested by an enforcement body.
• The approved ID scanning system will automatically delete scanned personal information after 30 days.
Refer to note 10, ‘ID Scanning - Privacy responsibilities for licensed venue staff: Information notes’ (PDF)
Privacy Principle 12: Access to personal information A person has the right to access personal information held about them by a licensee. Some exceptions apply. (Venue should outline the procedure staff should follow if a patron asks to view the personal information the venue holds about them.) Refer to note 11, ‘ID Scanning - Privacy responsibilities for licensed venue staff: Information notes’ (PDF)
Privacy Principle 13: Correction of personal information
• A person can request the personal information held about them be corrected.
• Satisfactory proof or explanation as to why the information needs to be corrected is required.
(Venue to outline procedure for staff to follow when a patron asks them to correct personal information the venue holds about them.)
Refer to note 12, ‘ID Scanning - Privacy responsibilities for licensed venue staff: Information notes’ (PDF)
Dealing with privacy complaints
• Staff have an obligation to inform patrons about how they can make a privacy complaint.
• Information on how to make a complaint must be advertised on the collection notice and the venue’s privacy policy.
Steps for dealing with a privacy complaint:
• Advise patrons they can lodge a written complaint
• Notify the OLGR of that complaint within 14 days of receiving
• Respond within 30 days
• Escalate to OAIC.
Refer to note 13, ‘ID Scanning - Privacy responsibilities for licensed venue staff: Information notes’ (PDF)
Measures taken by (venues/licensee name) to protect personal information
Examples
• We have a 'privacy management plan' about how we handle privacy issues (attach copy of the venue’s privacy management plan).
• We make our 'privacy policy' publicly available (free-of-charge) detailing how we manage personal information obtained from ID scanning (attach copy of the venue’s privacy policy).
• We display a 'collection notice' at or near the entrance to the venue (attach copy of the venue’s collection notice).
• We only operate approved ID scanners and systems.
• We only collect information for the purpose of checking that a person isn’t banned from the premises.
• We review all privacy complaints received and respond within 30 days and notify OLGR within 14 days.
• Our staff receive privacy training so they can answer questions from the public and understand their obligations regarding protecting personal information.
Refer to note 14, ‘ID Scanning - Privacy responsibilities for licensed venue staff: Information notes’ (PDF)
Useful resources for licensees
• Further resources on how venues can comply with their privacy obligations are available on the website of the Office of the Australian Information Commissioner (www.oaic.gov.au/privacy-law/rights-and-responsibilities)
• OAIC’s Privacy Management Framework (www.oaic.gov.au/agencies-and-organisations/guides/privacy-management-framework)
Refer to note 15, ‘ID Scanning - Privacy responsibilities for licensed venue staff: Information notes’ (PDF)