Privacy Law
Australian Privacy Principle 1 - Open and Transparent Management of Personal Information
1.1 Organisations are to manage personal information in an open and transparent way. This requires accountability with the public in information handling practices. Even if an organisation is accustomed to maintaining secrecy over commercial-in-confidence information, its processes for handling personal information are not secret.
Compliance with the Australian Privacy Principles etc.
1.2 An organisation must adopt procedures to permit compliance with all privacy principles or any relevant code, and the due handling of all inquiries and complaints regarding compliance. The steps taken need only be what is reasonable considering the nature of the information, the nature of the organisation and the risk of a breach of privacy and cost or practicality of measures.
APP Privacy policy
1.3 Organisations must have a clearly expressed and up-to-date privacy policy which delineates how they manage personal information. Avoid jargon and make it concise....
1.4 The privacy policy must include:
-
How an organisation manage personal information
-
How an organisation collect and hold personal information
-
The purposes for which information is collected, held, used and disclosed
-
How an individual may access personal information about themselves and seek correction of such
-
How an individual may complain about a breach of the Australian Privacy Principles, or a relevant code and how such complaints will be dealt with
-
Whether an organisation are likely to disclose personal information to overseas recipients;
-
If yes to f) -- the countries in which such recipients are likely to be located
Availability of APP privacy policy etc.
1.5 All reasonable steps must be taken to make the privacy policy available free of charge in an appropriate form. Eg: on an organisation website, in a retail premises, by post.
1.6 It must be provided upon request in the requested form. The organisation needs to take whatever steps as are reasonable. The OAIC views this law as excusing organisations from declining to provide their privacy policies in a form that is unreasonable to expect it in.