Explanation: GovCMS webforms and privacy

The platform provided by GovCMS makes it easy to create webforms that collect information from an agency stakeholder or a website user and to do something with that information.

Example: Asking for a person’s contact details and communication interests (https://www.esafety.gov.au/about-us/subscribe).

While the technical procedures may be easy, the implications of and legal requirements for collecting this type of information are not. Government organisations that do not meet the requirements may be non-compliant with privacy regulations.

This document explains what you must consider and do before creating a webform on a GovCMS hosted website. It contains the following sections:

Overview of the law and collecting user information using GovCMS
What is OFFICIAL: Sensitive?
What are personal information and sensitive information?
Collecting, storing and transmitting personal or sensitive information
What are my options?
The GovCMS specific Privacy Impact Assessment (PIA)
Legislation, codes of conduct, frameworks, policies and other regulatory items

Overview of the law and collecting user information using GovCMS

The GovCMS platform is accredited to collect, store and transmit information to the OFFICIAL: Sensitive level, including personal information and sensitive information. However, you need to understand the implications, even if users voluntarily provide information to you using a webform. Before you can collect personal or sensitive information, your agency must meet numerous obligations related to:

privacy
security
risk
your agency’s legal authorisation to collect data

Example: Your agency cannot collect a person’s Tax File Number unless it has the legal authority to do so.
due diligence.

These obligations are defined in:

Commonwealth, and some state and territory privacy legislation
Australian Government codes of conduct
agency-specific legislation
the Protective Security Policy Framework (PSPF)
the Australian Government Information Security Manual (ISM)
other regulations.

See: Legislation, codes of conduct and other regulatory items, below.

Your organisation’s Memorandum of Understanding (MOU) with GovCMS also contains strict privacy-related clauses about your organisation’s obligations, including dealing with a data breach. These clauses apply even when the MOU expires or is terminated.

Example: Due diligence clauses require your agency to complete a PIA and a Risk Assessment.

What is OFFICIAL: Sensitive?

The term OFFICIAL: Sensitive is an information classification that is defined in the Protective Security Policy Framework. Information is OFFICIAL: Sensitive if:

a security classification does not apply
compromising the information’s confidentiality may result in limited damage to an individual, organisation or government generally.

What are personal information and sensitive information?

Personal information is information that can be used to identify an individual or which could reasonably be expected to identify an individual. Collecting, storing and transmitting this type of information is subject to strict legislative and regulatory requirements and Australian Government codes of conduct.

See:

What is personal information: https://www.oaic.gov.au/privacy/guidance-and-advice/what-is-personal-information/
Checklist for determining if information is personal: https://www.oaic.gov.au/privacy/guidance-and-advice/what-is-personal-information/#checklist-for-determining-whether-information-is-personal-information
Protecting and securing personal information: https://www.oaic.gov.au/privacy/australian-privacy-principles-guidelines/chapter-11-app-11-security-of-personal-information/
Legislation, codes of conduct and other regulatory items, below.

Sensitive information is a subset of personal information which by its nature is sensitive.

Examples: Information or an opinion about a person’s political opinions or criminal record.

Generally, sensitive information has a higher level of privacy protection than other personal information.

See:

What is sensitive information: https://www.oaic.gov.au/privacy/your-privacy-rights/your-personal-information/what-is-personal-information/#SensitiveInfo
Australian Privacy Principles Guidelines > Chapter B: Key concepts > Sensitive information: https://www.oaic.gov.au/privacy/australian-privacy-principles-guideline…

Collecting, storing and transmitting personal or sensitive information

The Australian Government Agencies Privacy Code (the Code) applies to all Australian Government agencies subject to the Privacy Act 1988 (except Ministers). It is a binding legislative instrument under the Act.

See:

Australian Government Agencies Privacy Code:

https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/government-agencies/australian-government-agencies-privacy-code/about-the-australian-government-agencies-privacy-code

The Code requires your organisation to meet privacy requirements, including:

creating and publishing a privacy management plan
appointing a privacy officer and privacy champion
creating a PIA for all high privacy risk projects
keeping a register of all PIAs
publishing the PIA register or a version of it.

See: Privacy for government agencies: https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/government-agencies/australian-government-agencies-privacy-code/about-the-australian-government-agencies-privacy-code

If you intend to collect, store and transmit personal or sensitive information, before you create and publish the webform you may need to:

complete a PIA
include a privacy statement on your website that explains what information the website collects and why, and whether it will be distributed to other organisations.

Whether you need to do above is partly determined by whether your website already collects personal or sensitive information.

See:

What are my options?, below
Collecting solicited personal information:

https://www.oaic.gov.au/privacy/australian-privacy-principles-guidelines/chapter-3-app-3-collection-of-solicited-personal-information/

What are my options?

Firstly, consider why you want to collect personal or sensitive information and whether it is necessary. Also consider the amount of information that you are considering collecting, which questions are mandatory and whether this combination will discourage some agency stakeholders or website users from filling in the form.

Example: Is it necessary to collect a user’s full name, desk phone number, mobile number, work email address and office address?

As an Australian Government agency your organisation should have a privacy officer and at least one existing PIA.

Note: The PIA may not specifically cover your website.

We strongly recommend that you contact your organisation’s privacy officer before designing the webform; they will be able to provide advice, specifically for your organisation. In particular, tell them about the type of information you want to collect and:

ask them whether your agency has the legal authority to collect the information
discuss whether this will prevent or discourage some agency stakeholders or website users from completing the form.

If your organisation does not have a privacy officer, consult your legal team and follow the advice and procedures available from the Office of the Australian Information Commissioner. The website has checklists, toolkits and interactive plans to help you meet privacy requirements.

See: Privacy for government agencies: https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/government-agencies/australian-government-agencies-privacy-code/about-the-australian-government-agencies-privacy-code

You may also need to contact your organisation’s security and ICT teams if the data is transmitted to an external or internal IT system. This is because collecting, storing and transmitting information that is classified OFFICIAL: Sensitive is subject to the requirements of the:

ISM
PSPF

These documents are updated regularly.

See:

ISM: https://www.cyber.gov.au/ism
PSPF: https://www.protectivesecurity.gov.au/

The GovCMS-specific PIA

The GovCMS team are creating a PIA template, specifically for GovCMS customers. While each GovCMS customer is responsible for their own PIA, the template will reduce the effort and cost of completing a PIA from scratch.

The template will be partially completed, meaning you will only need to add content that is specific to your website. You will still be responsible for complying with the requirements discussed in this document.

See: https://www.govcms.gov.au/news-events/news/privacy-impact-assessment

For updates, check the News and Events page on our website.

See: https://www.govcms.gov.au/news-events

Legislation, codes of conduct, frameworks, policies and other regulatory items

Table 1 lists, explains and contains links to relevant privacy-related legislation, codes of conduct, frameworks, policies and other regulatory items.

Table 1

Legislation or code	Explanation and link
Privacy Act 1988	A federal law that: applies to federal government agencies with an annual turnover of than $3 million, the Norfolk Island administration and some other organisations does not apply to local, state or territory government agencies, except the Norfolk Island administration. Link: https://www.legislation.gov.au/Series/C2004A03712
Privacy (Australian Government Agencies – Governance) APP Code 2017, also known as the Australian Government Agencies Privacy Code	The Code applies to all Australian Government agencies subject to the Privacy Act 1988 (except for Ministers). It is a binding legislative instrument under the Act. Link: https://www.oaic.gov.au/privacy/privacy-registers/privacy-codes-register/australian-government-agencies-privacy-code/
Australian Privacy Principles (APPs) guidelines	The APPs apply to any organisation or agency covered by the Privacy Act 1988. Link: https://www.oaic.gov.au/privacy/australian-privacy-principles-guidelines/
ISM	The ISM is produced by the Australian Cyber Security Centre (ACSC) within the Australian Signals Directorate (ASD). It, and its supporting materials, are constantly being reviewed and updated.
PSPF	The PSPF assists Australian Government entities to protect their people, information, and assets, at home and overseas. The information security requirements apply to all information assets owned by the Australian Government, or those entrusted to the Australian Government by third parties, within Australia. Link: https://www.protectivesecurity.gov.au/
Privacy-specific local, state and territory legislation and codes	All Australian states and territories have privacy-related legislation that applies to their public sector organisations. Examples: ACT: Information Privacy Act 2014 (ACT) NSW: Privacy and Personal Information Protection Act 1998 (NSW) and Health Records and Information Privacy Act 2002 (NSW) Northern Territory: Information Act 2002 (NT) Queensland: Information Privacy Act 2009 (Qld) South Australia: Information Privacy Principles Tasmania: Personal Information and Protection Act 2004 (Tas) Victoria: Privacy and Data Protection Act 2014 (Vic) Western Australia: Freedom of Information Act 1992 (WA) . Link: https://www.oaic.gov.au/privacy/privacy-in-your-state/
Other legislation that contains privacy-related requirements	Examples: Legislation and regulations that authorise your agency to collect data. Privacy Regulation 2013 Link: https://www.legislation.gov.au/Series/F2013L02126 Directive on the Security of Government Business – reissued Link: https://www.protectivesecurity.gov.au/about/Pages/directive-security-government-business.aspx

This page was last updated on Tuesday 23 June 2020