Explanation: GovCMS webforms and privacy

Explanation: GovCMS webforms and privacy

The platform provided by GovCMS makes it easy to create webforms that collect information from an agency stakeholder or a website user and to do something with that information.

Example: Asking for a person’s contact details and communication interests ( https://www.esafety.gov.au/about-us/subscribe).

While the technical procedures may be easy, the implications of and legal requirements for collecting this type of information are not. Government organisations that do not meet the requirements may be non-compliant with privacy regulations.

This document explains what you must consider and do before creating a webform on a GovCMS-hosted website. It contains the following sections:

  • Overview of the law and collecting user information using GovCMS
  • What is OFFICIAL: Sensitive?
  • What are personal information and sensitive information?
  • Collecting, storing and transmitting personal or sensitive information
  • What are my options?
  • The GovCMS-specific Privacy Impact Assessment (PIA)
  • Legislation, codes of conduct, frameworks, policies and other regulatory items

Overview of the law and collecting user information using GovCMS

The GovCMS platform is accredited to collect, store and transmit information to the OFFICIAL: Sensitive level, including personal information and sensitive information. However, you need to understand the implications, even if users voluntarily provide information to you using a webform. Before you can collect personal or sensitive information, your agency must meet numerous obligations related to:

  • privacy
  • security
  • risk
  • your agency’s legal authorisation to collect data
    Example: Your agency cannot collect a person’s Tax File Number unless it has the legal authority to do so.
  • due diligence.

These obligations are defined in:

  • Commonwealth, and some state and territory privacy legislation
  • Australian Government codes of conduct
  • agency-specific legislation
  • the Protective Security Policy Framework (PSPF)
  • the Australian Government Information Security Manual (ISM)
  • other regulations.

See: Legislation, codes of conduct and other regulatory items, below.

Your organisation’s Memorandum of Understanding (MOU) with GovCMS also contains strict privacy-related clauses about your organisation’s obligations, including dealing with a data breach. These clauses apply even when the MOU expires or is terminated.

Example: Due diligence clauses require your agency to complete a PIA and a Risk Assessment.

What is OFFICIAL: Sensitive?

The term OFFICAL: Sensitive is an information classification that is defined in theProtective Security Policy Framework. Information is OFFICIAL: Sensitive if:

  • a security classification does not apply
  • compromising the information’s confidentiality may result in limited damage to an individual, organisation or government generally.

See:

What are personal information and sensitive information?

Personal information is information that can be used to identify an individual or which could reasonably be expected to identify an individual. Collecting, storing and transmitting this type of information is subject to strict legislative and regulatory requirements and Australian Government codes of conduct.

See:

Sensitive information is a subset of personal information which by its nature is sensitive.

Examples: Information or an opinion about a person’s political opinions or criminal record.

Generally, sensitive information has a higher level of privacy protection than other personal information.

See:

Collecting, storing and transmitting personal or sensitive information

The Australian Government Agencies Privacy Code (the Code) applies to all Australian Government agencies subject to the Privacy Act 1988 (except Ministers). It is a binding legislative instrument under the Act.

See:

Australian Government Agencies Privacy Code:
https://www.oaic.gov.au/privacy/privacy-for-government-agencies/australian-government-agencies-privacy-code/

The Code requires your organisation to meet privacy requirements, including:

  • creating and publishing a privacy management plan
  • appointing a privacy officer and privacy champion
  • creating a PIA for all high privacy risk projects
  • keeping a register of all PIAs
  • publishing the PIA register or a version of it.

See: Privacy for government agencies: https://www.oaic.gov.au/privacy/privacy-for-government-agencies/

If you intend to collect, store and transmit personal or sensitive information, before you create and publish the webform you may need to:

  • complete a PIA
  • include a privacy statement on your website that explains what information the website collects and why, and whether it will be distributed to other organisations.

Whether you need to do above is partly determined by whether your website already collects personal or sensitive information.

See:

What are my options?

Firstly, consider why you want to collect personal or sensitive information and whether it is necessary. Also consider the amount of information that you are considering collecting, which questions are mandatory and whether this combination will discourage some agency stakeholders or website users from filling in the form.

Example: Is it necessary to collect a user’s full name, desk phone number, mobile number, work email address and office address?

As an Australian Government agency your organisation should have a privacy officer and at least one existing PIA.

Note: The PIA may not specifically cover your website.

We strongly recommend that you contact your organisation’s privacy officer before designing the webform; they will be able to provide advice, specifically for your organisation. In particular, tell them about the type of information you want to collect and:

  • ask them whether your agency has the legal authority to collect the information
  • discuss whether this will prevent or discourage some agency stakeholders or website users from completing the form.

If your organisation does not have a privacy officer, consult your legal team and follow the advice and procedures available from the Office of the Australian Information Commissioner. The website has checklists, toolkits and interactive plans to help you meet privacy requirements.

See: Privacy for government agencies: https://www.oaic.gov.au/privacy/privacy-for-government-agencies/

You may also need to contact your organisation’s security and ICT teams if the data is transmitted to an external or internal IT system. This is because collecting, storing and transmitting information that is classified OFFICIAL: Sensitive is subject to the requirements of the:

  • ISM
  • PSPF

These documents are updated regularly.

See:

The GovCMS-specific PIA

The GovCMS team are creating a PIA template, specifically for GovCMS customers. While each GovCMS customer is responsible for their own PIA, the template will reduce the effort and cost of completing a PIA from scratch.

The template will be partially completed, meaning you will only need to add content that is specific to your website. You will still be responsible for complying with the requirements discussed in this document.

See: https://www.govcms.gov.au/news-events/news/privacy-impact-assessment

For updates, check the News and Events page on our website.

See: https://www.govcms.gov.au/news-events

Legislation, codes of conduct, frameworks, policies and other regulatory items

Table 1 lists, explains and contains links to relevant privacy-related legislation, codes of conduct, frameworks, policies and other regulatory items.

Table 1

Legislation or code

Explanation and link

Privacy Act 1988

A federal law that:

  • applies to federal government agencies with an annual turnover of than $3 million, the Norfolk Island administration and some other organisations
  • does not apply to local, state or territory government agencies, except the Norfolk Island administration.

Link: https://www.legislation.gov.au/Series/C2004A03712

Privacy (Australian Government Agencies – Governance) APP Code 2017, also known as the Australian Government Agencies Privacy Code

The Code applies to all Australian Government agencies subject to the Privacy Act 1988 (except for Ministers). It is a binding legislative instrument under the Act.

Link: https://www.oaic.gov.au/privacy/privacy-registers/privacy-codes-register/australian-government-agencies-privacy-code/

Australian Privacy Principles (APPs) guidelines

The APPs apply to any organisation or agency covered by the Privacy Act 1988.

Link: https://www.oaic.gov.au/privacy/australian-privacy-principles-guidelines/

ISM

The ISM is produced by the Australian Cyber Security Centre (ACSC) within the Australian Signals Directorate (ASD). It, and its supporting materials, are constantly being reviewed and updated.

Link: https://www.cyber.gov.au/ism/using-the-australian-government-information-security-manual

PSPF

The PSPF assists Australian Government entities to protect their people, information, and assets, at home and overseas.

The information security requirements apply to all information assets owned by the Australian Government, or those entrusted to the Australian Government by third parties, within Australia.

Link: https://www.protectivesecurity.gov.au/

Privacy-specific local, state and territory legislation and codes

All Australian states and territories have privacy-related legislation that applies to their public sector organisations.

Examples:

  • ACT: Information Privacy Act 2014 (ACT)
  • NSW: Privacy and Personal Information Protection Act 1998 (NSW) and Health Records and Information Privacy Act 2002 (NSW)
  • Northern Territory: Information Act 2002 (NT)
  • Queensland: Information Privacy Act 2009 (Qld)
  • South Australia: Information Privacy Principles
  • Tasmania: Personal Information and Protection Act 2004 (Tas)
  • Victoria: Privacy and Data Protection Act 2014 (Vic)
  • Western Australia: Freedom of Information Act 1992 (WA) .

Link: https://www.oaic.gov.au/privacy/privacy-in-your-state/

Other legislation that contains privacy-related requirements

Examples: