As you may be aware, new privacy legislation comes into effect on 12 March 2014, requiring that all agencies and organisations (a broadly defined term that includes individuals, though there are some exceptions) comply with the new Australian Privacy Principles (APPs). The APP requirements are far-reaching, covering how and when you may collect personal information and what you may do with it once you hold it. The changes go well beyond what can be covered in this article, so we will focus on one of the more immediate requirements.
1. What type of personal information your organisation might collect and keep;
2. How such information will be collected and kept (including, for example, if it is stored in the “cloud” on overseas servers and basic security information);
3. Why the information is being collected, held, used and disclosed;
4. How someone may access information about themselves and seek to correct it (we generally recommend creating a Privacy Officer position, listing your main phone number and creating a generic email address, e.g. email@example.com, so that the policy need not be updated when staff change);
5. How a person may complain about a breach of an APP or registered APP code (if any) by your organisation, and how you will deal with complaints;
6. Whether you are likely to disclose any information you hold to a foreign entity; and
7. If you are likely to disclose information to a foreign entity, what countries the foreign entities will be located in (if possible).
It should be noted that the above list is not intended to be exhaustive. Other requirements may include how a person can deal with your organisation anonymously or under a pseudonym (the APPs grant a person the right to communicate by these methods where it is not impracticable to do so). You may also need to disclose whether you intend to use personal information for marketing purposes (note that in these cases other legislation still applies, e.g. the Spam Act 2003 (Cth)).