Allens Arthur Robinson

Checklist

Contract service providers are subject to the new privacy regime unless a specific exemption applies. You need to:

  • decide whether to subscribe to an approved privacy code for your information handling services and, if so, which one is most appropriate;
  • if relevant, establish a means for distinguishing information collected for each separate Commonwealth contract;
  • identify each Commonwealth contract to which you are a party and determine whether you will create a specific information handling policy for personal information collected under each contract;
  • decide whether the information collected is subject to provisions in the Commonwealth contract or the NPPs or a combination of the two;
  • establish a means of distinguishing the personal information you have collected before and after 22 December 2001. 

You also need to review how you collect information. For example, you should:

  • determine what information collection is necessary for the legitimate functions of your business generally, and for each Commonwealth contract;
  • ensure each government agency is given appropriate information about your information handling practices, and its consent to use and disclose information obtained, where necessary;
  • ensure the individuals whose information you handle - whether under a Commonwealth contract or not - are given appropriate information. This will include notice of your information handling services and their consent to use and disclose information obtained, where necessary. You may have to amend the following:
      • forms and contracts collecting personal information
      • signs and notices at collection points
      • telephone procedures used by employees or subcontractors
  • review your arrangements with subcontractors, agents and intermediaries such as call centres to ensure that they each comply with the new privacy regime or the relevant Commonwealth contract;
  • structure into first contact with customers or clients under a Commonwealth contract:
      • an acknowledgement that their personal information will only be used for the purpose collected;
  • or, in all other cases:
      • an express consent to any use or disclosure for a secondary purpose where consent cannot be implied; and
      • an express opportunity for them to convey a wish not to receive any direct marketing communications.

You need a publicly available privacy policy and information handling practices. For example, you should:

  • standardise, as far as possible, information handling procedures which combine the general IPP/Commonwealth contract requirements and the NPPs;
  • adopt a contract recording procedure to enable you to respond promptly to requests for information on the privacy content of each Commonwealth contract and a statement of inconsistencies with the NPPs or approved privacy code;
  • review subcontracts and standardise information handling obligations in accordance with your privacy obligations as far as possible;
  • develop systems to isolate and then destroy or de-identify personal information that's no longer needed;
  • assign responsibility and create procedures for access and correction requests;
  • identify transactions requiring international data flows and ensure documentary safeguards are in place which conform with the legislation;
  • develop and revise training and compliance reporting programs.

What can I do now?

If you already comply with the IPPs or relevant Commonwealth contracts, you shouldn't face enormous difficulties - otherwise, you face a much larger task. A good starting point would be these three steps:

  • appoint a privacy officer to take overall responsibility for personal information handled by your business;
  • audit your current systems - create a list of all the personal information collected by your organisation. The list should set out how the information is collected and for what purpose it is used;
  • create a list of any sensitive information collected, deliberately or incidentally, by your organisation; and
  • create a list of Commonwealth contracts and associated subcontracts, noting specific information handling processes required by each contract. 

For more on what all organisations need to do, see our general checklist in the compliance section.