Collection and use of personal information: This section details:
- What personal information is (i.e. information which renders a person reasonably identifiable)
- What personal information your business collects (e.g. name, email, employment history, social media). Businesses should be aware of, and detail, the information collected through websites and apps, such as IP addresses, date and time of website access, location information and cookies.
- How that information is collected (e.g. directly from the individual, from a third party, from publicly available sources, via cookies)
- Why that information is collected (e.g. for the provision of products/services, marketing, personalisation etc.).
Collection and use of sensitive information: Define sensitive information (information about the individual’s racial or ethnic origin, political opinion/association, religious beliefs, sexual orientation, membership of a trade/professional association, criminal record, health information). State that sensitive information will only be collected with the individual’s consent and used for the original purpose of collection.
Disclosure of personal and sensitive information: Describe when, why and to whom personal information may be disclosed (e.g. contractors, marketers, data analysis services such as Google Analytics, authorities/courts as required by law). You should mention whether information may be disclosed overseas and the impact of that on data protection. Focus on the disclosures which are most likely to be of concern.
Storage/Security of personal information: State how personal information is stored and protected (e.g. encryption) and for how long the information is kept. This includes whether the personal information of individuals is combined in a single file or stored separately. Detail if and when the information is made anonymous.
Access to and correction of personal information: This part should detail individuals’ rights to access the personal information held by the business and to request that the information be corrected or updated.
Enquiries and complaints: An enquiry and complaint process should be detailed, as well as additional steps where parties are unsatisfied with the outcome of an enquiry or complaint (e.g. first to an external dispute resolution scheme, then the Office of the Australian Information Commissioner). A generic phone number and email should be given so that it does not change based on the staff member in charge.
- Start by having a detailed understanding of the personal information collected, held and used by your business
- Keep the language clear and simple – don’t write with legal jargon, it should be easily understandable
- Tailor the policy to your business and its audience
- Consider creative ways of communicating your policy that will appeal to your customers/clients
- You may have a summary of the policy on your website which links to the detailed policy
- Zoom in on aspects which will likely be of concern to your customers/clients