How to Create a Data Privacy Handling Procedure for Professional Services
A procedure for the collection, storage, use, and disposal of personal and sensitive information in compliance with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs).
Purpose
To ensure personal and sensitive information is handled lawfully and securely, protecting individual privacy rights and maintaining organisational compliance with the Privacy Act.
Scope
Applies to all personal information collected from customers, employees, contractors, and third parties across digital and physical records. Covers the full information lifecycle from collection to destruction.
Prerequisites
- Current privacy policy aligned with the Australian Privacy Principles
- Data asset register identifying all personal information holdings
- Staff training on privacy obligations and data handling procedures
- Secure storage systems — both digital and physical — with appropriate access controls
This procedure is designed to meet professional indemnity requirements, client confidentiality obligations, and industry body reporting standards.
Step-by-Step Procedure
Identify the Purpose of Collection
Before collecting personal information, clearly define the purpose and ensure it is reasonably necessary for business functions or activities.
- 1.1 Document the specific purpose for which the information is being collected
- 1.2 Assess whether collecting the information is reasonably necessary for a business function or activity
- 1.3 Determine the minimum data required — avoid collecting unnecessary information
- Apply the data minimisation principle — only collect what is genuinely needed
Provide Notice and Obtain Consent
Inform individuals about the collection, use, and disclosure of their personal information. Obtain consent where required, particularly for sensitive information.
- 2.1 Provide a privacy collection notice at or before the time of collection
- 2.2 Ensure the notice explains what is being collected, why, how it will be used, and to whom it may be disclosed
- 2.3 Obtain express consent for sensitive information such as health or biometric data
- 2.4 Record the consent (what was consented to, when, and how) and make it accessible for future reference
Collect Information Through Lawful Means
Collect personal information only by lawful and fair means, directly from the individual where practicable.
- 3.1 Collect information directly from the individual wherever reasonable and practicable
- 3.2 If collecting from a third party, ensure there is lawful authority to do so and notify the individual of the collection
- 3.3 Use secure collection methods — TLS-protected web forms, secure client portals — rather than unencrypted email or shared spreadsheets
- 3.4 Verify the information is accurate, up to date, and complete at the point of collection
Store Information Securely
Apply appropriate security measures to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure.
- 4.1 Store digital records in access-controlled systems with encryption at rest and in transit
- 4.2 Secure physical records in locked cabinets with restricted access
- 4.3 Implement role-based access controls — only personnel whose role requires it can access the data, and access is logged
- 4.4 Regularly review access rights and security measures, and revoke access when roles change or staff leave
Use and Disclose Information Appropriately
Use and disclose personal information only for the primary purpose of collection, or a directly related secondary purpose the individual would reasonably expect.
- 5.1 Verify the proposed use or disclosure aligns with the primary purpose stated in the collection notice
- 5.2 If the use is for a secondary purpose, assess whether it is directly related to the primary purpose and one the individual would reasonably expect
- 5.3 Obtain additional consent if the use or disclosure falls outside the original purpose and no other exception applies
- 5.4 Log all disclosures to third parties
- Maintain a disclosure log to track what information has been shared, with whom, when, and on what basis (primary purpose, consent, or legal requirement)
Respond to Access and Correction Requests
Process requests from individuals to access or correct their personal information within the timeframes required by the APPs.
- 6.1 Acknowledge the request and verify the identity of the requester before releasing anything
- 6.2 Locate all relevant records across systems, files, and backups
- 6.3 Provide access or make corrections within a reasonable period — generally 30 days, the timeframe the OAIC treats as reasonable
- 6.4 If access or correction is refused, provide written reasons and advise the individual of their right to complain to the OAIC
Manage Data Breaches
If a data breach occurs, follow the Notifiable Data Breaches (NDB) scheme. Contain the breach, assess its impact, and notify affected individuals and the OAIC if required.
- 7.1 Contain the breach and take immediate steps to limit the damage
- 7.2 Assess whether the breach is likely to result in serious harm to any affected individual
- 7.3 If the breach is an eligible data breach (serious harm is likely and remedial action has not removed that risk), notify the Office of the Australian Information Commissioner (OAIC) and affected individuals
- 7.4 Document the breach, response actions, and outcomes in the breach register
- Time is critical — the NDB scheme allows at most 30 days to assess a suspected eligible data breach, so assess and respond as quickly as possible
Dispose of Information Securely
When personal information is no longer needed for any purpose and is not required to be retained by law, destroy or de-identify it securely.
- 8.1 Identify records that have exceeded their retention period, are not subject to a legal hold, and are no longer required
- 8.2 Destroy physical records using secure shredding or incineration
- 8.3 Permanently delete or de-identify digital records using approved methods — moving a file to a recycle bin is not destruction, and copies in backups and exports must be covered
- 8.4 Record the destruction (what, when, how, and who approved it) in the data disposal register
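The disposal step above hinges on two checks that are easy to get wrong by hand: whether the retention period has actually elapsed, and whether a legal hold overrides it. The following is an added example, not part of the original procedure, of a retention check that flags disposal candidates and produces a disposal register entry. The retention periods, record categories, and sample records are constructed for illustration and must be replaced by the organisation's own retention schedule.

```python
from dataclasses import dataclass, asdict
from datetime import date

# Illustrative retention schedule in years, keyed by record category.
# These values are assumptions for this example; confirm each against the
# organisation's retention schedule and the governing legislation.
RETENTION_YEARS = {
    "employment": 7,
    "tax": 5,
    "client_engagement": 7,
    "marketing_consent": 2,
}


@dataclass
class Record:
    record_id: str
    category: str
    last_needed: date   # date on which the primary purpose of collection ended
    legal_hold: bool = False


def retention_end(record):
    """Return the first date on which the record may be destroyed."""
    years = RETENTION_YEARS[record.category]
    start = record.last_needed
    try:
        return start.replace(year=start.year + years)
    except ValueError:
        # 29 February in a non-leap target year: roll forward to 1 March
        return date(start.year + years, 3, 1)


def classify(record, today):
    """Decide what to do with a record as of `today`."""
    if record.category not in RETENTION_YEARS:
        return "review"          # unknown category: a human must decide
    if record.legal_hold:
        return "retain"          # a hold overrides the retention period
    if today < retention_end(record):
        return "retain"
    return "dispose"


def disposal_candidates(records, today):
    """IDs of records that may be securely destroyed or de-identified."""
    return [r.record_id for r in records if classify(r, today) == "dispose"]


def disposal_register_entry(record, today, method, approved_by):
    """Build the entry for the data disposal register (step 8.4)."""
    return {
        "record_id": record.record_id,
        "category": record.category,
        "retention_end": retention_end(record).isoformat(),
        "disposed_on": today.isoformat(),
        "method": method,
        "approved_by": approved_by,
    }


# Constructed sample data (not real records) used to exercise the checks.
AS_OF = date(2024, 6, 30)
SAMPLE_RECORDS = [
    Record("EMP-001", "employment", date(2016, 1, 1)),
    Record("TAX-001", "tax", date(2020, 6, 30)),
    Record("EMP-002", "employment", date(2015, 1, 1), legal_hold=True),
    Record("MISC-001", "unknown", date(2010, 1, 1)),
    Record("EMP-003", "employment", date(2016, 2, 29)),
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(r.record_id, classify(r, AS_OF))
    for rid in disposal_candidates(SAMPLE_RECORDS, AS_OF):
        rec = next(r for r in SAMPLE_RECORDS if r.record_id == rid)
        print(disposal_register_entry(rec, AS_OF, "crypto-erase", "privacy officer"))
```

Records in an unknown category are deliberately routed to "review" rather than disposed of or silently retained; an unclassified holding is exactly the kind of record that gets missed in a data asset register.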
Expected Outcomes
Percentage of data handling activities assessed as compliant with the APPs during internal reviews
Average time to contain and assess a suspected data breach, targeting completion of the assessment well within the 30 days allowed under the NDB scheme
Frequently Asked Questions
What counts as sensitive information under the Privacy Act?
Sensitive information includes health information, genetic or biometric data, racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation or practices, membership of a trade union or professional association, and criminal record. Consent requirements apply to collecting sensitive information, and it may only be collected where reasonably necessary for the organisation's functions.
Does the Privacy Act apply to all Australian businesses?
The Privacy Act 1988 applies to Australian Government agencies and private sector organisations with an annual turnover of more than $3 million. Some smaller organisations are also covered regardless of turnover, including health service providers, businesses that trade in personal information, and those related to a larger organisation that is covered.
What is the Notifiable Data Breaches scheme?
The NDB scheme requires organisations covered by the Privacy Act to notify affected individuals and the OAIC when a data breach is likely to result in serious harm and remedial action has not removed that risk. The notification must include the organisation's identity and contact details, a description of the breach, the kinds of information involved, and recommended steps for affected individuals.
How long should we retain personal information?
Personal information should only be retained for as long as it is needed for the purpose of collection, or as required by law. Specific retention periods vary — for example, employment records may need to be kept for seven years, while tax records require five years. Establish a retention schedule aligned with legal requirements.