Quality Management

How to take an ethical approach to collecting personal information from team members

Collecting personal information can be an awkward task and many businesses receive complaints from employees. Here’s how to collect information ethically.

Rowan St Clair
Rowan brings a wealth of knowledge in applying business insights to the technical elements of accredited certification.

When a new team member comes on board, you need to collect some of their personal information so you can contact them and process their salary. However, collecting personal information can be an awkward task.

Businesses often face complaints about the unlawful collection and use of employee information.

For this reason, it’s important to understand how Australian privacy laws impact your business and how much information you can ask for. It’s also crucial to implement an information security management system to ensure your employees feel safe providing sensitive information.

In this article, we’ll share the basics of Australia’s privacy laws and how you can take an ethical approach to collecting personal information in-house. Read on.

What is the Australian Privacy Act? 

privacy sign

Image: Unsplash

The Australian Privacy Act regulates the collection, use and disclosure of personal information in Australia.

Under the Act, personal information is defined as information or an opinion about an individual, whether or not the information or opinion is true. It also doesn’t matter if the information or opinion is in a material form or not.

According to the Act, personal information includes:

  • Name
  • Address
  • Phone number
  • Date of birth
  • Age
  • Bank or credit card details
  • Tax file number
  • Medical records

Generally speaking, information related to a business is not considered personal information. This could be the business’s name, address, and Australian Business Number (ABN).

What’s the difference between personal and sensitive information? 

woman on her phone

Image: Unsplash

While “sensitive information” comes under the banner of “personal information” in the Australian Privacy Act, the two are actually very different. Personal information includes:

  • Name
  • Email
  • Telephone number
  • Address

This is basic information that we all share from day to day, whether we’re starting a bank account or ordering food online. Sensitive information differs from “personal information” because it can be used to discriminate against someone. Sensitive information includes:

  • Religion
  • Ethnicity
  • Sexual orientation
  • Biometric data e.g. fingerprints

With this in mind, the Australian Privacy Act excludes information that is not directly related to the individual’s employment. For example, if you are collecting sensitive information that is not directly related to the individual’s employment e.g. their ethnicity, the Privacy Act will apply.

On the other hand, if you need to collect an employee’s bank details so you can process their salary, you do not need to comply with the Australian Privacy Act because this information relates to their employment.

Before collecting personal information, it’s important to consider how your employee’s personal information relates to their employment. Do you need their sensitive information? Is it important?

Does it impact their employability or your ability to run the business?

How an information security management system can make the process simpler 

locked smartphone

Image: Unsplash

An information security management system (ISMS) can help instil trust between management and team members. It’s a thorough risk management system that involves a systematic approach to managing sensitive business information – including your team member’s personal information.

A well-maintained ISMS will ensure your team members feel confident about providing their personal information. They can rest assured knowing their information will not be breached, stolen, or mishandled.

To ensure the ISMS is as effective as possible, we recommend completing regular reviews to eliminate vulnerabilities in the system. By looking at the ISMS from the perspective of threats and their potential impact, you can improve your ISMS and achieve a higher level of security.

How QMS can help 

men looking at smart phone

Image: Unsplash

Along with the benefits of an effective ISMS, ISO 27001 third party certification can give your business a competitive advantage in your industry. Your ISO 27001 certified status will give stakeholders a sense of confidence and trust in both the longevity and legitimacy of your business.

With this in mind, we’ll take a deep dive into your ISMS and ensure it meets ISO compliance requirements and, most importantly, your team and stakeholder’s expectations.

To get certified, contact the team at QMS today.