Allens Arthur Robinson

Checklist

The privacy law poses a compliance challenge. To start with you need to:

  • Decide whether there is any approved privacy code you could subscribe to as an alternative to the NPPs. If there isn't, consider whether you should work with your industry body to develop one. 
  • Assess whether your systems can flag data collected before and after 22 December 2001. If you can't, you'll be forced to treat all information as governed by the new regime. 
  • Develop systems to isolate and then destroy or make anonymous personal information that is no longer needed. Given the cost involved you will need to determine what are reasonable steps in this regard. 
  • Determine which third parties (if any) you collect information from and what you will need to do about that information. 
  • Review your current arrangements for sharing information with related companies. 
  • Ensure customers are given appropriate information, and their consent to use and disclose information is obtained, where necessary. This means amending: 
      ◦ forms and contracts collecting personal information; 
      ◦ signage, brochures and notification at collection points (for example, your website); and 
      ◦ telephone procedures used by employees and agents. 
  • Review your arrangements with agents and intermediaries - such as call centres - to ensure that they comply with the new regime. 
  • Structure into your first contact with customers: 
      ◦ an express consent to any use or disclosure for a secondary purpose where consent cannot be implied; and 
      ◦ an express opportunity for them to convey a wish not to receive direct marketing communications. 
  • Consider the position of staff as well as customers and ensure appropriate procedures are implemented. 
  • Ensure your policies preventing unauthorised access, modification or disclosure are adequate. 
  • Consider your current procedures for access and correction requests and modify them to the extent necessary. 
  • Consider what is an appropriate fee to cover the reasonable costs of providing a customer with copies of the information held about them or extracts from that information. 
  • Determine what are reasonable steps to ensure that personal information is accurate at each of the stages of collection, use and disclosure to someone else. 
  • Identify transactions requiring international data flows and ensure safeguards are in place which conform with the legislation. 
  • Develop and revise training and compliance reporting programmes. 
  • Review your complaints handling procedure. 
  • Don't forget the corporate or institutional parts of your organisation. You need to ensure that you comply in full with the new legislation in respect of personal information held about individuals, such as directors and shareholders of corporate customers.