Versions Compared

Version Old Version 18 New Version Current
Changes made by

Sasanka Gayan

Nuwan Kanakarathna (Unlicensed)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

APP 1 - Open and transparent management of personal information

Comments

Status

General compliance with the APP 1

APP 1.1

Does organization entity manage personal information in an open and transparent way?

Yes, PP available on the website

FC

Implementing practices, procedures and systems to ensure APP compliance

APP 1.2

Does organization entity take reasonable steps to implement practices, procedures and systems relating to the entity’s functions or activities that will:

  • ensure the entity complies with the APPs and any binding registered APP code

  • enable the entity to deal with inquiries or complaints from individuals about the entity’s compliance with the APPs or such a code

Yes, PP available on the website

FC

Developing an APP Privacy Policy

APP 1.3

Does organization entity have a clearly expressed and up-to-date APP Privacy Policy about how it manages personal information and At a minimum, a clearly expressed policy should be easy to understand, easy to navigate, and only include information that is relevant to the management of personal information by the entity?

Yes, Available on the website

FC

And the policy will usually be available on the entity’s website?

Yes

FC

Is it written in a style and length that makes it suitable for web publication

Yes

FC

Does organization entity regularly review and update its APP Privacy Policy to ensure that it reflects the entity’s information handling practices?

  • This review could, at a minimum, be undertaken as part of an entity’s annual planning processes

  • Does entity include a notation on the policy indicating when it was last updated?

  • Does entity comment on the policy to evaluate its effectiveness, and explain how any comments will be dealt with?

Yes

FC

APP 1.4

Does APP organization entity include following non-exhaustive list of information on the APP Privacy Policy?

  • the kinds of personal information collected and held by the entity (APP 1.4(a)

  • how personal information is collected and held (APP 1.4(b))

  • the purposes for which personal information is collected, held, used and disclosed (APP 1.4(c))

  • how an individual may access their personal information and seek its correction (APP 1.4(d))

  • how an individual may complain if the entity breaches the APPs or any registered binding APP code, and how the complaint will be handled (APP 1.4(e))

  • whether the entity is likely to disclose personal information to overseas recipients (APP 1.4(f)), and if so, the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy (APP 1.4(g))

Yes non-exhaustive list of information is available on Privacy Policy.

FC

Making an APP Privacy Policy publicly available

APP 1.5

Does APP organization entity take reasonable steps to make its APP Privacy Policy available free of charge, and in an appropriate form with the objective of APP 1 of ensuring that personal information is managed in an open and transparent way?

Available on the website

FC

Does APP organization entity, upon request, to take reasonable steps to provide a person or body with a copy of its APP Privacy Policy in the form requested?

Available on the website

FC

If a request for access in a particular form is declined for a valid reason, Does APP organization entity explain this decision to the person or body making the request and APP organization entity prepared to undertake reasonable consultation with the requester about the request?

Available on the website

FC

APP 2 - Anonymity and pseudonymity

Comments

Status

2.1

Does APP organization entity providing the option of dealing anonymously or by pseudonym for the individuals?

No. Octopus BI don’t collect data to provide the service. Octopus BI clients provide the data required to carry out data analytics required by the client.

NA

Does APP organization entity ensure that, if applicable, individuals are made aware of their opportunity to deal anonymously or by pseudonym with the entity? (If anonymity or pseudonymity is the default setting, this does not apply)Does APP organization

No. Octopus BI don’t collect data to provide the service. Octopus BI clients provide the data required to carry out data analytics required by the client.

NA

Does APP organization entity required to collect personal data in order to deliver a service to a individual?Does APP organization entity enable individuals to exercise greater control over their personal

No. Octopus BI don’t collect data to provide the service. Octopus BI clients provide the data required to carry out data analytics required by the client.

FC

Does APP organization entity enable individuals to exercise greater control over their personal information and decide how much personal information will be shared or revealed to others?

Yes, on the website

FC

2.2

Does APP organization entity ensure that no more personal information collected than is required to facilitate the dealing with an individual?

Yes, on the website

FC

APP 3 - Collection of solicited personal information

Comments

Status

3.1, 3.2

Does APP entity only collect personal information which is reasonably necessary for one or more of the entity’s functions or activities?

Collecting sensitive information

3.3

Does Yes. Octopus BI mainly collects PI from it’s clients for analytical purposes and the client has the authority to provide the PI information to Octopus BI. Octopus BI cannot directly contact the client.

FC

Collecting sensitive information

3.3

Does APP entity collects sensitive information? If yes, then APP entity express consent of the individual before you collect sensitive data?Does APP entity only collect sensitive information which

Yes. Octopus BI mainly collects sensitive PI from it’s clients for analytical purposes and the client has the authority to provide the PI information to Octopus BI. Octopus BI cannot directly contact the client.

FC

Does APP entity only collect sensitive information which is reasonably necessary for one or more of the entity’s functions or activities?

Collecting information from third parties

3.6

Does APP entity collects data from third partiesOctopus BI mainly collects sensitive PI from it’s clients for analytical purposes and the client has the authority to provide the PI information to Octopus BI. Octopus BI cannot directly contact the client.

FC

Collecting information from third parties

3.6

Does APP entity collects data from third parties? If Yes, Does entity considered whether it is unreasonable or impracticable to obtain the personal data directly from the individual?

APP 4 — Dealing with

Yes. Octopus BI mainly collects PI from it’s clients for analytical purposes and the client has the authority to provide the PI information to Octopus BI. Octopus BI cannot directly contact the client.

FC

APP 4 — Dealing with unsolicited personal information

Comments

Status

4.1

Does APP entity received any personal data that entity have not specifically requested from an individual?

4.3

If APP entity have received any personal data from an individual that entity Octopus BI will get personal data from a client. The client will have authority to provide that PI to Octopus BI. Octopus BI will not collect or distribute any personal data unless it’s provided or requested by our client.

FC

4.3

If APP entity have received any personal data from an individual that entity did not request, does entity have procedures in place to either destroy or deidentify the data?

APP 5 —

Yes. If requested by the client in writing.

FC

Does APP entity informed the individual that APP entity will be disclosing their personal data to an overseas party? If so has the individual then consented to the disclosure of their personal data to an overseas party?

APP 9 — Adoption, use or disclosure of government related identifiers

Comments

Status

9.2

Does APP entity collect any government related identifiers from individuals?

APP 10 — Quality of personal information

Comments

Status

10.1

An APP entity must also

APP 5 — Notification of the collection of personal information

Comments

Status

5.1

When APP entity collects personal information about an individual does take reasonable steps either to notify the individual of certain matters or to ensure the individual is aware of those matters

5.2

Does APP entity’s notification statement include following contents?

  • APP entity’s identity and contact details

  • The fact and circumstances of collection

  • Whether the collection is required or authorised by law

  • The purposes of collection

  • The consequences if personal information is not collected

  • The entity’s usual disclosures of personal information of the kind collected by the entity

  • Whether the entity is likely to disclose personal information to overseas recipients, and if practicable, the countries where they are located

APP 6 — Use or disclosure of personal information

Comments

Status

6.1

Does APP entity ensure that entity use or disclose personal data for the primary purpose for which it was collected?

6.2

Does entity disclose personal data for any secondary purpose?

If so, does entity check to see if entity hold the individual’s consent for the use and disclosure their personal data for the secondary purpose?

or

If else, does entity considered if the individual would reasonably expect entity to disclose the data for a secondary purpose? and, is that secondary purpose related to the primary purpose?

Chapter 7: APP 7 — Direct marketing

Comments

Status

7.2

Option 1

Does APP entity collected personal data from the individual following requirements?

  • Would the individual not reasonably expect APP entity to use or disclose their personal data for marketing purposes?

AND

  • Have APP entity provided the individual with a simple and easy means by which they can opt-out from receiving marketing communications?

AND

  • Have APP entity checked to ensure that the individual has not opted out of receiving marketing communications?

7.3

Option 2

Does APP entity collected personal data from the individual following requirements?

  • Would the individual not reasonably expect APP entity to use or disclose their personal data for marketing purposes?

AND

  • Has the individual consented to the use or disclosure of their personal data for marketing purposes? OR

    • Is it impracticable to obtain the individual’s consent?

AND

  • Have APP entity provided the individual with a simple and easy means by which they can opt-out from receiving marketing communications?

  • Have APP entity ensured that the opt-out is included within each marketing communication to the individual OR

    • Have you included a statement within the marketing communication that makes the individual aware that they can make an opt out request?

  • Have APP entity checked to ensure that the individual has not opted out of receiving marketing communications?

7.3

Option 3

Does APP entity collected personal data from the individual following requirements?

  • Has the individual consented to the use or disclosure of their personal data for marketing purposes? OR

    • Is it impracticable to obtain the individual’s consent?

AND

  • Does APP entity provided the individual with a simple and easy means by which they can opt-out from receiving marketing communications?

  • Does APP entity ensured that the opt-out is included within each marketing communication to the individual? OR

    • Does APP entity included a statement within the marketing communication that makes the individual aware that they can make an opt out request?

  • Does APP entity checked to ensure that the individual has not opted out of receiving marketing communications?

7.4

Does APP entity use an individual’s sensitive data for marketing purposes? If so does APP entity obtained the consent of the individual before using their sensitive data for marketing purposes?

7.6

Does APP entity use or disclose personal data to facilitate direct marketing by third parties?

If so, does APP entity ensure the individual may:

  • Request not to receive any marketing communications from you

AND

  • Requests that APP entity not use or disclose their personal data to third parties

AND

  • Request that APP entity provide the source of that information

7.7

  • When an individual requests not to receive direct marketing communications from ;

    • Does APP entity ensure that APP entity do not apply a fee?

    • Does APP entity comply with the individual’s request within a reasonable period?

  • When an individual requests that APP entity to not use or disclose their personal data to other organisations for marketing purposes;

    • Does APP entity ensure that you do not apply a fee?

    • Does APP entity comply with the individual’s request within a reasonable period?

Where an individual requests that APP entity provide the source from which APP entity obtained their personal information, does APP entity notify them within a reasonable period of time?

APP 8 — Cross-border disclosure of personal information

Comments

Status

8.1

Does APP entity discloses personal information to an overseas recipient, the entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information?

8.2

APP entity does not need to take reasonable steps to ensure the overseas entity does not breach the APPs if you can satisfy either of the following:

  • APP entity reasonably believe the overseas recipient is subject to similar laws as the APPs in order to protect the individuals personal data;

AND

  • There are mechanisms that an individual can use to enforce the protection of the overseas laws.

Education institute data: Octopus BI will always be guided by the direction given by the client with their PI. Octopus BI will not disclose any client data unless the client requests this in writing.

CRM marketing data: Octopus BI will not disclose any data to 3rd party companies ( Local or overseas). Octopus BI take the consent when a prospective client fills out a form to sign up for Octopus BI services.

3rd party application:

AWS/ Google GCP or any other 3rd party applications used by Octopus BI is covered by a similar laws as the APP.

FC

5.2

Does APP entity’s notification statement include following contents?

  • APP entity’s identity and contact details

  • The fact and circumstances of collection

  • Whether the collection is required or authorised by law

  • The purposes of collection

  • The consequences if personal information is not collected

  • The entity’s usual disclosures of personal information of the kind collected by the entity

  • Whether the entity is likely to disclose personal information to overseas recipients, and if practicable, the countries where they are located

Currently Octopus BI working on this notification statement.

IP

APP 6 — Use or disclosure of personal information

Comments

Status

6.1

Does APP entity ensure that entity use or disclose personal data for the primary purpose for which it was collected?

Education institute data: Octopus BI will always be guided by the direction given by the client. Octopus BI will not disclose any client data unless the client requests this in writing.

CRM marketing data: Octopus BI will not disclose any data to 3rd party companies ( Local or overseas). Octopus BI take the consent when a prospective client fills out a form to sign up for Octopus BI services.

3rd party application:

AWS/ Google GCP or any other 3rd party applications used by Octopus BI is covered by a similar laws as the APP.

FC

6.2

Does entity disclose personal data for any secondary purpose?

If so, does entity check to see if entity hold the individual’s consent for the use and disclosure their personal data for the secondary purpose?

or

If else, does entity considered if the individual would reasonably expect entity to disclose the data for a secondary purpose? and, is that secondary purpose related to the primary purpose?

Education institute data: Octopus BI will always be guided by the direction given by the client. Octopus BI will not disclose any client data unless the client requests this in writing.

CRM marketing data: Octopus BI will not disclose any data to 3rd party companies ( Local or overseas). Octopus BI take the consent when a prospective client fills out a form to sign up for Octopus BI services.

3rd party application:

AWS/ Google GCP or any other 3rd party applications used by Octopus BI is covered by a similar laws as the APP.

FC

Chapter 7: APP 7 — Direct marketing

Comments

Status

7.2

Option 1

Does APP entity collected personal data from the individual following requirements?

  • Would the individual not reasonably expect APP entity to use or disclose their personal data for marketing purposes?

AND

  • Have APP entity provided the individual with a simple and easy means by which they can opt-out from receiving marketing communications?

AND

  • Have APP entity checked to ensure that the individual has not opted out of receiving marketing communications?

CRM marketing data: Octopus BI will not disclose any data to 3rd party companies ( Local or overseas). Octopus BI take the consent when a prospective client fills out a form to sign up for Octopus BI services.

NA

7.3

Option 2

Does APP entity collected personal data from the individual following requirements?

  • Would the individual not reasonably expect APP entity to use or disclose their personal data for marketing purposes?

AND

  • Has the individual consented to the use or disclosure of their personal data for marketing purposes? OR

    • Is it impracticable to obtain the individual’s consent?

AND

  • Have APP entity provided the individual with a simple and easy means by which they can opt-out from receiving marketing communications?

  • Have APP entity ensured that the opt-out is included within each marketing communication to the individual OR

    • Have you included a statement within the marketing communication that makes the individual aware that they can make an opt out request?

  • Have APP entity checked to ensure that the individual has not opted out of receiving marketing communications?

CRM marketing data: Octopus BI will not disclose any data to 3rd party companies ( Local or overseas). Octopus BI take the consent when a prospective client fills out a form to sign up for Octopus BI services.

NA

7.3

Option 3

Does APP entity collected personal data from the individual following requirements?

  • Has the individual consented to the use or disclosure of their personal data for marketing purposes? OR

    • Is it impracticable to obtain the individual’s consent?

AND

  • Does APP entity provided the individual with a simple and easy means by which they can opt-out from receiving marketing communications?

  • Does APP entity ensured that the opt-out is included within each marketing communication to the individual? OR

    • Does APP entity included a statement within the marketing communication that makes the individual aware that they can make an opt out request?

  • Does APP entity checked to ensure that the individual has not opted out of receiving marketing communications?

CRM marketing data: Octopus BI will not disclose any data to 3rd party companies ( Local or overseas). Octopus BI take the consent when a prospective client fills out a form to sign up for Octopus BI services.

FC

7.4

Does APP entity use an individual’s sensitive data for marketing purposes? If so does APP entity obtained the consent of the individual before using their sensitive data for marketing purposes?

CRM marketing data: Octopus BI will not disclose any data to 3rd party companies ( Local or overseas). Octopus BI take the consent when a prospective client fills out a form to sign up for Octopus BI services.

FC

7.6

Does APP entity use or disclose personal data to facilitate direct marketing by third parties?

If so, does APP entity ensure the individual may:

  • Request not to receive any marketing communications from you

AND

  • Requests that APP entity not use or disclose their personal data to third parties

AND

  • Request that APP entity provide the source of that information

CRM marketing data: Octopus BI will not disclose any data to 3rd party companies ( Local or overseas). Octopus BI take the consent when a prospective client fills out a form to sign up for Octopus BI services.

FC

7.7

  • When an individual requests not to receive direct marketing communications from ;

    • Does APP entity ensure that APP entity do not apply a fee?

    • Does APP entity comply with the individual’s request within a reasonable period?

  • When an individual requests that APP entity to not use or disclose their personal data to other organisations for marketing purposes;

    • Does APP entity ensure that you do not apply a fee?

    • Does APP entity comply with the individual’s request within a reasonable period?

Yes

FC

Where an individual requests that APP entity provide the source from which APP entity obtained their personal information, does APP entity notify them within a reasonable period of time?

Yes

FC

APP 8 — Cross-border disclosure of personal information

Comments

Status

8.1

Does APP entity discloses personal information to an overseas recipient, the entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information?

Education institute data: Octopus BI will always be guided by the direction given by the client. Octopus BI will not disclose any client data unless the client requests this in writing.

CRM marketing data: Octopus BI will not disclose any data to 3rd party companies ( Local or overseas). Octopus BI take the consent when a prospective client fills out a form to sign up for Octopus BI services.

3rd party application:

AWS/ Google GCP or any other 3rd party applications used by Octopus BI is covered by a similar laws as the APP.

NA

8.2

APP entity does not need to take reasonable steps to ensure the overseas entity does not breach the APPs if you can satisfy either of the following:

  • APP entity reasonably believe the overseas recipient is subject to similar laws as the APPs in order to protect the individuals personal data;

AND

  • There are mechanisms that an individual can use to enforce the protection of the overseas laws.

Education institute data: Octopus BI will always be guided by the direction given by the client. Octopus BI will not disclose any client data unless the client requests this in writing.

CRM marketing data: Octopus BI will not disclose any data to 3rd party companies ( Local or overseas) Octopus BI take the consent when a prospective client fills out a form to sign up for Octopus BI services.

3rd party application:

AWS/ Google GCP or any other 3rd party applications used by Octopus BI is covered by a similar laws as the APP.

FC

Does APP entity informed the individual that APP entity will be disclosing their personal data to an overseas party? If so has the individual then consented to the disclosure of their personal data to an overseas party?

Education institute data: Octopus BI will always be guided by the direction given by the client. Octopus BI will not disclose any client data unless the client requests this in writing.

CRM marketing data: Octopus BI take the consent when a prospective client fills out a form to sign up for Octopus BI services.

NA

APP 9 — Adoption, use or disclosure of government related identifiers

Comments

Status

9.2

Does APP entity collect any government related identifiers from individuals?

Not unless provided by the client. Octopus BI do not collect any government related identifiers for marketing purposes.

NA

APP 10 — Quality of personal information

Comments

Status

10.1

An APP entity must also take reasonable steps to ensure that the personal information it uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up-to-date, complete and relevant

Education institute data: The data disclosed by the education institutes is only been used to analyze data and provide insights.

CRM data: CRM data is only been used to market our clients after getting consent from them.

FC

10.2

Does APP entity take reasonable steps to ensure that the personal information it uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up-to-date, complete and relevant

10.2

Does APP entity take reasonable steps to ensure that the personal information it uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up-to-date, complete and relevant??

Education institute data: The data disclosed by the education institutes is only been used to analyze data and provide insights.

CRM data: CRM data is only been used to market our clients after getting consent from them.

FC

APP 11 — Security of personal information

Comments

Status

11.1

Does APP entity take reasonable steps to protect the personal information that holds, from misuse, interference and loss, as well as unauthorised access, modification or disclosureand loss, as well as unauthorised access, modification or disclosure

Data are encrypted in transit and rest.

Onprem- Schools are responsible to backup their data.

Cloud - Octopus keep a daily backup for 30 days

FC

11.2

Does APP entity take reasonable steps to destroy or de-identify the personal information it holds once the personal information is no longer needed for any purpose for which the personal information may be used or disclosed under the APPs?

Data can be destroyed

FC

APP 12 — Access to personal information

Comments

Status

12.1

Upon request, Does APP entity able to readily provide an individual with access to their personal data?

Yes

FC

12.8

Does APP entity apply a fee for any request by an individual?

No

NA

Does APP entity declined an individual access to their personal data? if so entity have provided written notice include following?

  • the reasons for the refusal, except to the extent that it would be unreasonable to do so, having regard to the grounds for refusal

  • the complaint mechanisms available to the individual, and

  • any other matters prescribed by regulations made under the Privacy Actthe Privacy Act

Octopus BI staff are trained to respond to individual requests via the support portal.

FC

APP 13 — Correction of personal information

Comments

Status

13.1

Does APP entity take reasonable steps to correct personal information it holds, to ensure it is accurate, up-to-date, complete, relevant and not misleading, having regard to the purpose for which it is held?

FC

13.2

Does APP entity will upon request by an individual whose personal information has been corrected, take reasonable steps to notify another APP entity of a correction made to personal information that was previously provided to that other entity.

Octopus BI doesn’t provide data to a 3rd party for any other purporse.

NA

13.3

Does APP entity give a written notice to an individual when a correction request is refused, including the reasons for the refusal and the complaint mechanisms available to the individual?

Octopus BI manage any correction requests via the support portal. The support team will notify the individual via support tickets.

FC

13.5

Does APP entity respond in a timely manner to an individual’s request to correct personal information or to associate a statement with the personal information?

Yes, Via support tickets.

FC