Policies & Procedures

Privacy Policy
MY Plan Accountant is bound by the Australian Privacy Principles (APPs) outlined in Schedule 1 of the Privacy Act 1988 (Cth) (Privacy Act) which regulate how entities may collect, use, disclose and store personal information.
Summary of Australian Privacy Principles
Source: Hall & Wilcox Smarter Law
APP 1: Open and transparent management of personal information
APP 1 requires an APP entity to implement privacy practices, procedures and systems:
To ensure compliance with the remaining APPs and
That enable them to deal with inquiries and complaints.
It also requires them to develop and make readily available a policy about its management of personal information.
APP 2: Anonymity and pseudonymity
APP 2 entitles individuals to the option of anonymity or using a pseudonym, when dealing with an APP entity, except where impracticable or another prescribed exception applies.
APP 3: Collection of solicited personal information
APP 3 in summary:
Permits an APP entity to collect personal information only where reasonably necessary for one or more of its legitimate functions or activities
Requires personal information to be collected directly from the individual to whom it relates, unless impracticable or another prescribed exception applies and
Requires the consent of an individual in order to collect that individual’s sensitive information, unless another prescribed exception applies.
APP 4: Dealing with unsolicited personal information
APP 4 requires an APP entity that receives unsolicited personal information to determine whether it would otherwise have had grounds on which to collect it (i.e. under APP 3) and:
Where it does have such grounds, to ensure compliance with the remaining APPs or
Where it does not have such grounds, to destroy or de-identify the personal information (provided it is lawful and reasonable to do so).
APP 5: Notification of the collection of personal information
APP 5 requires an APP entity to notify an individual (or ensure they are aware), at or before the time of collection, of prescribed matters.
Such matters include but are not limited to whether the individual’s personal information is collected from any third parties, the purpose(s) of collection, to whom personal information is disclosed and the processes through which an individual can seek access and/or correction to their personal information, or otherwise complain about the way in which it is handled.
Compliance with APP 5 usually requires ‘collection statements’ to be included on or with forms, or other materials, through which personal information is collected. Such statements should refer and include a link to the APP entity’s privacy policy.
APP 6: Use or disclosure of personal information
APP 6 prohibits an APP entity from using or disclosing personal information for a purpose other than the purpose for which it was collected, unless the individual consents, the individual would reasonably expect their personal information to be used for the secondary purpose, or another prescribed exception applies.
Such prescribed exceptions generally arise where the disclosure is necessary to protect someone’s health or safety or is otherwise in the public interest.
APP 7: Direct marketing
APP 7 generally prohibits personal information from being used for direct marketing purposes unless the individual reasonably expects it, or consents to it, and prescribed ‘opt out’ processes are in place through which the individual can elect not to receive direct marketing communications (and the individual has not elected as such).
APP 8: Cross-border disclosure of personal information
If an APP entity is to disclose personal information to an overseas recipient, APP 8 requires it to take reasonable steps to ensure the recipient does not breach the APPs. This usually requires the APP entity to impose contractual obligations on the recipient. Relevantly, if the overseas recipient does breach the APPs, the Privacy Act imposes liability on the APP entity that made the overseas disclosure.
There are exceptions to this obligation, including but not limited to where:
The APP entity reasonably believes the overseas recipient is bound by a law or scheme that protects personal information in a substantially similar way to that of the APPs or
The individual consents to the disclosure in the knowledge that such consent will negate the APP entity’s obligation to ensure the overseas recipient does not breach the APPs.
APP 9: Adoption, use or disclosure of government related identifiers
APP 9 prohibits an APP entity from adopting, using or disclosing a government-related identifier unless:
Required or authorised by law
Necessary to verify an individual’s identity and/or
Another prescribed exception applies.
Government-related identifiers are identifiers that have been assigned by a government agency including an individual’s licence number, Medicare number, passport number and tax file number.
APP 10: Quality of personal information
APP 10 requires an APP entity to take reasonable steps to ensure personal information it collects, uses, discloses and holds is accurate, up-to-date and complete. Additionally, personal information can only be used or disclosed to the extent to which it is relevant to the purpose of the use or disclosure.
APP 11: Security of personal information
APP 11 requires an APP entity to take reasonable steps to protect information from misuse, interference and loss and from unauthorised access, modification or disclosure. An APP entity must also destroy or de-identify personal information it no longer requires (unless otherwise required to retain it by law).
APP 12: Access to personal information
APP 12 requires an APP entity to provide an individual, upon request, with access to their personal information unless a prescribed exception applies.
APP 13: Correction of personal information
APP 13 requires an APP entity to take reasonable steps to correct personal information it holds upon request from an individual for correction or where it is otherwise satisfied, having regard to the purpose for which it holds the personal information, that the personal information is inaccurate, out-of-date, incomplete, irrelevant or misleading.
If an APP entity refuses a request for correction, it needs to provide the individual with the reasons for the refusal and may be required to associate with the personal information a statement evidencing the individual’s view that the information is incorrect.
Where correction does occur, the APP entity may need to notify third parties to which the personal information, in its incorrect form, was disclosed.
Sensitive information
The Privacy Act generally affords a higher level of protection to ‘sensitive information’ given the mishandling of it can generally have a more detrimental impact on the relevant individual.
‘Sensitive information’ is defined under the Privacy Act and includes information about an individual’s racial or ethnic origin, political opinions, professional or political or religious affiliations or memberships, sexual orientation or practices, criminal record, health, genetics and/or biometrics.
As an example, APP 3, which deals with the collection of solicited personal information, prohibits (with some exceptions) the collection of sensitive information unless the individual to whom it relates consents to the collection and the information is reasonably necessary for the collecting entity’s functions or activities.
The collection of non-sensitive information is otherwise generally permitted where it is reasonably necessary for the collecting entity’s legitimate functions or activities.
3.7 Privacy Act 1988 Road Map
Section 6 Interpretation
Personal information means information or an opinion about an identified individual or an individual who is reasonably identifiable:
a) whether the information is true or not
b) whether the information is recorded in a material form or not.
Sensitive information means:
a) information or an opinion about an individual’s:
i) racial or ethnic origin; or
ii) political opinions; or
iii) membership of a political association; or
iv) religious beliefs or affiliations; or
v) philosophical beliefs; or
vi) membership of a professional or trade association; or
vii) membership of a trade union; or
viii) sexual orientation or practices; or
ix) criminal record; that is also personal information; or
b) health information about an individual; or
c) genetic information about an individual that is not otherwise health information; or
d) biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
e) biometric templates.
Section 14
The Australian Privacy Principles (“APP”) are set out in Schedule 1.
Section 15
APP entities must comply with the above Australian Privacy Principles.

Data Breach Response Plan
The passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 established a Notifiable Data Breaches (NDB) scheme in Australia. Commencing from 22 February 2019, the NDB scheme requires organisations covered by the Australian Privacy Act 1988 (the Act) to notify any individuals likely to be at risk of serious harm by a data breach. The notice must include recommendations about the steps individuals should take in response to the data breach, and the Australian Information Commissioner must also be notified.
What is a Data Breach?
A data breach occurs when personal information is lost or subjected to unauthorised access, modification, use or disclosure or other misuse. Personal information is information or an opinion about an identified or reasonably identifiable individual. Data breaches may include (but are not limited to) unauthorised access by a third party, information accidentally being uploaded to a public website, or a laptop or USB drive containing personal information being lost or stolen. A breach can be caused or exacerbated by a variety of factors, affect different types of personal information, and give rise to a range of actual or potential harms to individuals, agencies or organisations.
Which Data Breaches are Notifiable?
Not all data breaches require notification. The Notifiable Data Breaches (NDB) scheme only requires organisations to notify when there is a data breach that is likely to result in serious harm to any individual to whom the information relates. The purpose of this plan is to enable that assessment to be undertaken and for MY Plan Accountant to meet its reporting obligations. Where a data breach is assessed as having occurred then the manager responsible for Data Breach Responses will take action immediately.
Data Breach Response Plan
This data breach response plan outlines definitions, sets out procedures and clear lines of authority for MY Plan Accountant staff in the event that MY Plan Accountant experiences a data breach, or suspects that a data breach has occurred.
This response plan is intended to enable MY Plan Accountant to contain, assess and respond to data breaches in a timely fashion and to help mitigate potential harm to affected individuals. It sets out contact details for the appropriate staff in the event of a data breach, clarifies the roles and responsibilities of staff, and documents processes to assist MY Plan Accountant to respond to a data breach.
Data Breach Responsible Manager
Name: Kimani Nganga; Expertise: Responsible Manager; Role: As a sole operator, perform all the functions required by this Data Breach Response Plan
Assessing Suspected Data Breaches
If any MY Plan Accountant staff member suspects or becomes aware of a data breach, this plan is activated and must be followed. The plan requires a reasonable and expeditious assessment to determine if the data breach is likely to result in serious harm. The following chart outlines the staff roles involved in assessing a data breach.
What Should the MY Plan Accountant Staff Member Do?
Immediately notify the Responsible Manager of the suspected data breach.
Record and advise the Responsible Manager of the time and date the suspected data breach was discovered, the type of personal information involved, the cause and extent of the breach, and the context of the affected information and the breach.
What Should the Responsible Manager Do?
Determine whether a data breach has or may have occurred.
Determine whether the data breach is serious enough to escalate to the next steps of the response plan.
If so, immediately escalate to the next steps of the response plan.
When Should The Responsible Manager Escalate a Data Breach to The Next Steps in The Data Breach Response Plan?
The Responsible Manager is to use discretion in deciding whether to escalate to the next steps in the Response Plan.
Some data breaches may be comparatively minor, and able to be dealt with routinely with no need for escalation.
In determining whether to escalate a data breach response the Responsible Manager should consider the following questions:
Are multiple individuals affected by the breach or suspected breach?
Is there (or may there be) a real risk of serious harm to the affected individual(s)?
Does the breach or suspected breach indicate a systemic problem in MY Plan Accountant processes or procedures?
Could there be media or stakeholder attention as a result of the breach or suspected breach?
If the answer to any of these questions is ‘yes’, then it may be appropriate for the Responsible Manager to escalate to the next steps in the Response Plan.
If the Responsible Manager decides not to escalate a breach response to a minor data breach or suspected data breach the Responsible Manager should still create an Incident Report Form record, noting the following information:
Description of the breach or suspected breach
Action taken by the Responsible Manager to address the breach or suspected breach
The outcome of that action, and
The Responsible Manager’s view that no further action is required
An example where the Responsible Manager uses their discretion in deciding not to escalate a response to a breach: An officer may, as a result of human error, send an email containing personal information to the wrong recipient. Depending on the sensitivity of the contents of the email, if the email can be recalled, or if the officer can contact the recipient and the recipient agrees to delete the email, it may be that there is no need to escalate the response as there is no risk of serious harm to the individual whose personal information has been inadvertently disclosed.
Data Breach Response Process
There is no single method of responding to a data breach. Data breaches must be dealt with on a case-by-case basis, by undertaking an assessment of the risks involved, and using that risk assessment to decide the appropriate course of action.
There are four key steps to consider when responding to a breach or suspected data breach.
STEP 1: Contain the breach and do a preliminary assessment
STEP 2: Evaluate the risks associated with the breach
STEP 3: Notification
STEP 4: Prevent future breaches
The Responsible Manager should ideally undertake steps 1, 2 and 3 either simultaneously or in quick succession. Refer to the detailed checklist at the end of this plan.
Depending on the breach, not all steps may be necessary, or some steps may be combined. In some cases, it may be appropriate to take additional steps that are specific to the nature of the breach. The checklist at the end of this plan is intended to guide the Responsible Manager in the event of a data breach and alert him/her to a range of considerations when responding to a data breach.
In reconsidering the organisation’s processes and procedures to reduce the risk of future breaches, ensure that the organisation’s internal policies that relate to data breaches (Information and Communications Technology Policy, Privacy and Confidentiality Policy, etc.) are up to date. These policies outline the security processes in place; following the investigation of a data breach, those processes should be reviewed and any actions that may help prevent future breaches considered.
Evaluating a Serious Risk of Harm to an Individual
In evaluating whether there is a serious risk of harm to an individual whose information is the subject of a data breach, the Responsible Manager must consider:
What type of personal information is involved (and in particular, whether it is sensitive information);
Whether there are any protections that would prevent the party who receives (or may have received) the personal information from using it (for example, if it is encrypted);
The nature of the harm that could arise from the breach, for example whether an individual was reasonably likely to suffer:
identity theft;
financial loss;
a threat to their physical safety;
a threat to their emotional wellbeing;
loss of business or employment opportunities;
humiliation, damage to reputation or relationships; or
workplace or social bullying or marginalisation;
What steps have been taken to remedy the breach (and how certain MY Plan Accountant is that they are effective).
Notifying The Office of The Australian Information Commissioner (OAIC)
In the event that the Responsible Manager decides there has been a data breach and there is a real risk of serious harm to affected individuals the Responsible Manager must prepare a statement that includes:
MY Plan Accountant’s contact details;
A description of the data breach;
The kind of information concerned; and
Recommendations about the steps that individuals should take in response to the eligible data breach that the entity has reasonable grounds to believe has happened.
The statement must be submitted to OAIC via email to enquiries@oaic.gov.au as soon as reasonably practical.
Notifying The Individuals Affected
As soon as reasonably practical after MY Plan Accountant has submitted the statement to the OAIC, MY Plan Accountant must:
If practical, take reasonable steps to notify the contents of the statement to each of the individuals to whom the information relates; or
If practical, take reasonable steps to notify contents of the statement to each of the individuals who are at risk from the eligible data breach.
If it is not practical to undertake either of the above, the Responsible Manager must ensure a copy of the statement is published on MY Plan Accountant’s website and reasonable steps are taken to publicise the contents of the statement (for example, by notifying its members).
Records Management
Documents created by the Responsible Manager should be saved in the following folder: Incidents Report Register / Risk Register
STEP ONE: Contain the breach and make a preliminary assessment
The Responsible Manager is to attend to the matter personally.
Immediately contain breach:
IT to implement the ICT Incident response plan if necessary
Building security to be alerted if necessary
Inform relevant members of staff and provide ongoing updates on key developments.
Ensure evidence is preserved that may be valuable in determining the cause of the breach, or allowing MY Plan Accountant to take appropriate corrective action.
Consider developing a communications or media strategy to manage public expectations or media interest.
STEP TWO: Evaluate the risks for individuals associated with the breach
Conduct initial investigation, and collect information about the breach promptly, including:
the date, time, duration and location of the breach
the type of personal information involved in the breach
how the breach was discovered and by whom
the cause and extent of the breach
a list of the affected individuals, or possible affected individuals
the risk of serious harm to the affected individuals
the risk of other harms
Determine whether the content of the information is important.
Establish the cause and extent of the breach.
Assess priorities and risk based on what is known.
Keep appropriate records of the suspected breach and actions of the Responsible Manager, including the steps taken to rectify the situation and the decisions made.
STEP THREE: Consider breach notification
Determine who needs to be made aware of the breach (internally and potentially externally) at this preliminary stage.
Determine whether to notify affected individuals – is there a real risk of serious harm to the affected individuals?
Consider whether others need to be notified, including police, Australian Privacy Commissioner, or other agencies or organisations affected by the breach, or where MY Plan Accountant is contractually required, or required under the terms of an MOU to notify specific parties.
STEP FOUR: Review the incident and take action to prevent future breaches
Fully investigate the cause of the breach.
Report to relevant members of MY Plan Accountant staff on outcomes and recommendations:
update security and response plan if necessary
make appropriate changes to policies and procedures if necessary
revise staff training practices if necessary
consider the option of an audit to ensure necessary outcomes are effected
MY Plan Accountant Head Office | 1287 North East Road Tea Tree Gully SA 5091 | 0424 019 585 | admin@myplanaccountant.com.au
We recognise the objectives of the Convention on the Rights of Persons with Disabilities.
We acknowledge the traditional owners of country throughout Australia, and their continuing connection to land, sea and community. We pay our respects to them and their cultures, and to elders past and present.
Copyright 2022 MY Plan Accountant | ABN 91 026 678 523 | admin@myplanaccountant.com.au | NDIS Registration Number 4050082492