** ATIA COMMUNITY **

Handling of client's passport information

    Posted 03-04-2024 17:00
    Edited by Nina Hedges 03-04-2024 17:02

    Have you ever wondered exactly what the rules were regarding the handling of your client's passport information?

    I feel like this question has been asked in our industry ever since I was a consultant many moons ago! I recently reached out to the OAIC (Office of the Australian Information Commissioner) with this query and below is what I was advised. For further information please visit the OAIC website.

    I hope that you find this helpful.

    The Office of the Australian Information Commissioner (the OAIC) regulates the Privacy Act 1988 (Cth) (the Act) which sets out the manner in which Australian government agencies, and many private sector organisations, handle personal information.

    It is important to note that the Act does not prohibit the storage of certain types of personal information. Rather, an organisation or agency should only collect information that is necessary or relevant to its functions or activities.

    Further, an organisation is not obligated to obtain the consent of an individual; the organisation is only required to advise the individuals concerned why their personal information is being collected and how it may be used or disclosed.

    Organisations are also obligated to ensure that the information that they hold is protected from unauthorised access, misuse, loss and disclosure.

    The following information explains, in greater detail, how the Act applies as well as tips for compliance.

    The Australian Privacy Principles

    The Australian Privacy Principles (the APPs) contained in the Act set out the way Commonwealth government agencies and many private sector organisations are to handle personal information. The APPs apply to all private sector organisations with an annual turnover greater than $3 million and all health service providers irrespective of turnover.

    The following APPs are relevant:

    Collection of personal information

    APP 3 regulates the collection of personal information, and states that organisations and agencies must:

    · only collect personal information that is reasonably necessary for, or directly related to, one or more of their functions or activities
    · only collect personal information by lawful and fair means, and
    · only collect personal information directly from the individual, when it is reasonable and practicable to do so.

    APP 3.3 states that an organisation must not collect an individual's sensitive information unless the individual has consented, unless one of the exceptions in APP 3.4 applies.

    The definition of sensitive information includes, but is not limited to, health, genetic and biometric information about an individual.

    Further information on APP 3 can be found in our published APP Guidelines Chapter 3 – Collection of solicited personal information.

    Notification of collection of personal information

    APP 5 states that at the time an organisation or agency collects personal information about an individual, the organisation or agency must take reasonable steps to notify the individual, or otherwise ensure the individual is aware, of certain matters. These matters include:

    · the organisation's or agency's identity and contact details
    · the fact and circumstances of collection
    · whether the collection is required or authorised by law
    · the purposes of collection
    · the consequences if personal information is not collected
    · the organisation's or agency's usual disclosures of personal information of the kind collected by the entity
    · information about the organisation's APP Privacy Policy
    · whether the organisation or agency is likely to disclose personal information to overseas recipients, and if practicable, the countries where they are located.

    An organisation or agency must provide notification before, or at the time, it collects personal information. If this is not practicable, notification should be provided as soon as practicable.

    Further information on APP 5 can be found in our published APP Guidelines Chapter 5 – Notification of the collection of personal information.

    Security

    APP 11.1 requires agencies and organisations to take reasonable steps to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure.

    Further information on APP 11 can be found in our published APP Guidelines Chapter 11 – Security of personal information.



    ------------------------------
    Nina Hedges
    Compliance Manager - ATIA
    nina.hedges@atia.travel
    ------------------------------