Below is a checklist which is intended to assist organisations (APP entities) to take appropriate steps to comply with the privacy obligations imposed upon them by the Australian Privacy Principles (APPs).
Practices, procedures and systems – Has the APP entity implemented practices, procedures and systems to ensure that it complies with the APPs and is able to deal with inquiries and complaints about its compliance with the APPs as required by APP 1?
Privacy policy – Does the APP entity’s privacy policy about its management of personal information include the details required by APP 1?
Anonymity and pseudonymity – Does the APP entity give persons the option of using a pseudonym, in addition to the option of remaining anonymous, when dealing with it where practicable, as required by APP 2?
Sensitive information – Does the APP entity only collect sensitive information (including biometric information) in the circumstances permitted under APP 3?
Unsolicited personal information – Does the APP entity destroy or de-identify unsolicited personal information as soon as reasonably practicable if it determines that it could not have collected the information under APP 3?
Collection notification – Does the APP entity take reasonable steps at or before (or, if that is not practicable, as soon as practicable after) collecting personal information to notify the person concerned of the required details specified in APP 5?
Use and disclosure – Does the APP entity only use and disclose personal information where permitted by APP 6 unless an exception applies?
Direct marketing – If the APP entity is a private sector organisation, does it only use and disclose personal information for direct marketing where permitted by APP 7 and comply with requests to provide the source of a person's personal information and not to use, or facilitate the use of, a person's personal information for direct marketing?
Cross-border disclosure – Does the APP entity take reasonable steps in accordance with APP 8 to ensure that an overseas recipient of personal information will not breach the APPs before disclosing the information to the overseas recipient unless an exception applies?
Government related identifiers – Does the APP entity only adopt, use and disclose a government related identifier (excluding a person’s ABN) as its own identifier for a person where permitted by APP 9 unless an exception applies?
Information quality – Does the APP entity take reasonable steps to ensure that the personal information which it uses or discloses is relevant in addition to being accurate, up-to-date and complete as required by APP 10?
Information security – Does the APP entity take reasonable steps to protect the personal information which it holds from interference in addition to protecting it from misuse and loss, and unauthorised access, modification or disclosure as required by APP 11?
Information access – Does the APP entity give a person access to his or her personal information in accordance with the requirements of APP 12?
Information correction – Does the APP entity take reasonable steps to correct personal information which it holds and notify each other APP entity to which it has disclosed incorrect personal information in accordance with the requirements of APP 13?
If you require any further information in relation to this checklist, or any assistance to comply with the Australian Privacy Principles, please do not hesitate to contact us.
Please note that the information contained in this checklist is provided for information purposes only and is not intended to be relied upon as legal advice for any particular purpose. You should seek your own independent legal advice for your specific circumstances.