Data privacy and the law

April 22, 2020 / by Dr Jill Campbell

10 things that evaluators (and anyone in the not-for-profit sector) needs to know.

As an evaluator (or, frankly, anyone on the frontlines of the not-for-profit sector), our job is to know a thing or two about data privacy. After all, we’re increasingly required to collect impact data for donors and funders about how well our organisations, programs and individuals are performing.

But while there is much to like about data – most notably, it helps to fuel more evidence-based change in our sector – how often do we think about it, really? And are we up-to-date with privacy law, especially when it pertains to data privacy online?

These questions have only been made more acute with our collective move to digital channels and tools in response to the COVID-19 lockdown.

If our ‘bread and butter’ is data – and lots of it – then the last thing we want to see happen is our data-management approach to run afoul of the law.

With that in mind, here are 10 points to be thinking about to help you remain compliant with Australian law concerning data-collection and data-storage.

(Bonus point: At the end of this post, you’ll find details of a Clear Horizon live webinar to be held on Thursday 7 May 2020 that will give you the opportunity to further expand your knowledge in this area, and talk directly to people with years of data privacy experience.)

Australian privacy principles impact our sector

“The Privacy Act in Australia has the potential to impact the not-for-profit sector immensely,” says Clear Horizon Privacy Officer and Principal Consultant, Dr Jill Campbell, who is a member of the Australian Evaluation Society (AES) and Australian Market and Social Research Society (AMSRS).

“There remains a significant gap between the law and how evaluators – and the not-for-profit sector in general – work. For instance, there is a lack of distinct data-privacy guidelines for those of us working in evaluation and impact measurement. Privacy and confidentiality are lost in the ethics space and they really shouldn’t be. Privacy needs to have a place of its own; it’s that important.”

Under the Privacy Act (1988), the maximum penalties for misuse of personal information by entities covered by the Privacy Act range from $2.1 million to $10 million, or three times the value of any benefit obtained through the misuse of information, or 10 per cent of a company’s annual domestic turnover.

Your cloud option might not be safe

If you’re saving your data on a cloud storage option, check where the sever is located!

For all intents and purposes, cloud storage is not the place to be storing personal data – unless the cloud storage servers you use are based in Australia, says Jill. That means tools used by evaluators such as Zoom and SurveyMonkey may be off-limits as data-storage options (unless you take additional precautions), because their servers can be based overseas.

“If you’re an organisation operating in Australia, you’re liable if you store personal data on overseas servers and the data gets compromised. Keep your data stored in the cloud on Australian servers, instead. Platforms such as Microsoft have Australian servers, so their tools – like Microsoft Forms and Teams – are okay to use.”

Codify your data privacy practices

Chances are, if your work for a not-for-profit with a turnover of over $3million or your meet other criteria in terms of the personal information you collect and use, that the Australian Privacy Principles will apply to your organisation. That means, you need to ensure someone is responsible for developing and updating your organisation’s privacy policy. Further, the Privacy Act in Australia  requires that you make this policy publicly available, as well as implement robust data privacy practices, procedures and systems.

Consider this your clarion call.

Make sure your evaluator toolkit includes a privacy checklist

Every evaluator has a toolkit – and every evaluator’s toolkit has a privacy checklist. True? If you answered in the negative, now’s the time to create a checklist. After all, if you’ve got a privacy checklist as part of your toolkit, says Jill, it’s more likely that data privacy will be factored into your planning.

The questions in your data privacy checklist could include:

  • Are we receiving data from clients?
  • Are we collecting personal or sensitive information from individuals?
  • What will this data be used for?
  • Can we guarantee data confidentiality?
  • What processes will we use to get informed consent?
  • How long will we need to store this data?
  • Are we complying with Australian law around data privacy?
You need a reason to collect data

Whilst data privacy is imperative, that doesn’t mean that once you have your data privacy provisions in place, you can collect any data you want to. You need a legal reason to collect data. The rule is: collect personal and sensitive information only where ‘reasonably necessary’, that is, it is directly related to or necessary for what you or your clients do and how they function.

You must always get consent

As well as having a reason to collect data, you must get consent from the person providing it (unless they are incapable of doing so and then you must get consent from a guardian). To ensure you’re getting the consent you need, you should communicate to those providing you with personal data the following information:

  • Your name and that of your organisation
  • A notification that you are collecting data (if third-party) or personal information (if first-hand)
  • Information on why you are collecting that data, e.g. who commissioned you to do the work
  • Information on how that information will be used. Try to think ahead and anticipate what those uses could be – for instance, clients can sometimes ask to see the raw data you’ve collected. If there is a possibility that could happen, you need to tell those you’re collecting the data from that this might happen, even if it’s de-identified when the client receives it.
  • Information on how your organisation will treat their personal information – will it be treated as confidential, who can access it, how it will be stored and for how long?
  • How that person can access their data and what they are committing to in agreeing to provide their information.

The best way to ensure the above information is communicated, says Jill, is through a data collection statement.

Only use data for the purposes you’ve indicated

It is always good practice at the start of a project to check-in with your client about how the data you collect will be used, says Jill. But sometimes those requirements can change over time.

“If your client later decides they want to use those wonderful quotes or stories you’ve acquired for purposes not agreed-to up-front – say, to include in a pamphlet for marketing purposes – you must go back to the person who provided the data and get their additional consent that they are willing for it to be used in this new way as well.”

You are personally responsible for storing data securely

This one cannot be over-emphasised: Assign someone in your organisation (or yourself) to be the data privacy officer – even if it’s not a formal role. That way, your organisation will be better able to fulfil its responsibilities for storing data securely.

“Make sure someone owns this function,” insists Jill, “because if something isn’t owned, it won’t get done.

It can also be helpful, she says, if your privacy officer has practical experience in meeting privacy requirements; that is, knowing what’s generally needed in a broad range of situations, and providing advice across your organisation.

“While some aspects of privacy can be covered by such things as collection statements or checklists that people can adapt, it is helpful to have the privacy officer review work and offer advice about how to meet privacy requirements in a practical, client-focused way.”

You need to destroy or de-identify personal information you no longer need

If you have promised to provide confidentiality, it’s important to establish protocols to de-identify data – for instance, using numbers instead of names against interview recordings or transcriptions – right from the outset of a project.

“Don’t wait to establish these protocols – do them up-front,” says Jill. “Furthermore, if you’ve been handed contact details from your client (who, themselves, should confirm they have been acquired legally), these details should only be kept for as long as the project – including any review process – is in place.

“When you close a project, it’s very important to ensure that all contact and identifying information is deleted.”

You are responsible for any third-party who accesses the data

If any third-party accesses or uses the data you collect in any way, you are legally liable for that use. For instance, says Jill, “if a subcontractor is using the personal data in some way, you need to ensure they adhere to your privacy policy, including the way the data is stored.”

All of these 10 points are designed to clarify the requirements of data privacy under Australian law. But if we were to sum all of them up into one key point, it would be to say this:

The data you collect doesn’t belong to you – it belongs to those who gave you the permission to use it. It’s up to you to protect it.

Join Clear Horizon Academy’s forthcoming webinar!

Want to keep the conversation going on data privacy? Clear Horizon Academy will be running a live webinar titled Data Privacy and Australian Law on Tuesday 7 May 2020, featuring Dr Jill Campbell, Clear Horizon Chief Innovation Officer Jen Riley, and Clear Horizon Learning Experience Coordinator Cameron Elliott. This webinar gives you the opportunity to further expand your knowledge in this area, as well as talk directly to people with 50+ years of Australia’s data privacy experience between them.

Caution: This article provides an overview of our understanding of the Commonwealth and state and territory laws on privacy, and is not intended to replace legal advice. Privacy Laws can be complex, so you have any doubts, consult a privacy lawyer for advice.

Article developed by Dr Jill Campbell, Clear Horizon Privacy Officer and Principal Consultant, member of the Australian Evaluation Society (AES) and Australian Market and Social Research Society (AMSRS). Edited by Rohan Kay.