Checklist
The privacy law poses a compliance challenge. To start with you need to:

- Decide whether there is any approved privacy code you could subscribe to as an alternative to the NPPs. If there isn't, consider whether you should work with your industry body to develop one.
- Assess whether your systems can flag data collected before and after 22 December 2001. If you can't, you'll be forced to treat all information as governed by the new regime.
- Develop systems to isolate and then destroy or make anonymous personal information that is no longer needed. Given the cost involved, you will need to determine what are reasonable steps in this regard.
- Determine which third parties (if any) you collect information from and what you will need to do about that information.
- Review your current arrangements for sharing information with related companies.
- Ensure customers are given appropriate information, and their consent to use and disclose information is obtained, where necessary. This means amending:
  - forms and contracts collecting personal information;
  - signage, brochures and notification at collection points (for example, your website); and
  - telephone procedures used by employees and agents.
- Review your arrangements with agents and intermediaries - such as call centres - to ensure that they comply with the new regime.
- Structure into your first contact with customers:
  - an express consent to any use or disclosure for a secondary purpose where consent cannot be implied; and
  - an express opportunity for them to convey a wish not to receive direct marketing communications.
- Consider the position of staff as well as customers and ensure appropriate procedures are implemented.
- Ensure your policies preventing unauthorised access, modification or disclosure are adequate.
- Consider your current procedures for access and correction requests and modify them to the extent necessary.
- Consider what is an appropriate fee to cover the reasonable costs of providing a customer with copies of the information held about them or extracts from that information.
- Determine what are reasonable steps to ensure that personal information is accurate at each of the stages of collection, use and disclosure to someone else.
- Identify transactions requiring international data flows and ensure safeguards are in place which conform with the legislation.
- Develop and revise training and compliance reporting programmes.
- Review your complaints handling procedure.
- Don't forget the corporate or institutional parts of your organisation. You need to ensure that you comply in full with the new legislation in respect of personal information held about individuals, such as directors and shareholders of corporate customers.