Australian Privacy Principles(APP) - OctopusBI

General compliance with the APP 1

APP 1.1

Does organization entity manage personal information in an open and transparent way?

Implementing practices, procedures and systems to ensure APP compliance

APP 1.2

Does organization entity take reasonable steps to implement practices, procedures and systems relating to the entity’s functions or activities that will:

• ensure the entity complies with the APPs and any binding registered APP code

• enable the entity to deal with inquiries or complaints from individuals about the entity’s compliance with the APPs or such a code

Developing an APP Privacy Policy

APP 1.3

Does organization entity have a clearly expressed and up-to-date APP Privacy Policy about how it manages personal information and At a minimum, a clearly expressed policy should be easy to understand, easy to navigate, and only include information that is relevant to the management of personal information by the entity?

And the policy will usually be available on the entity’s website?

Is it written in a style and length that makes it suitable for web publication

Does organization entity regularly review and update its APP Privacy Policy to ensure that it reflects the entity’s information handling practices?

• This review could, at a minimum, be undertaken as part of an entity’s annual planning processes

• Does entity include a notation on the policy indicating when it was last updated?

• Does entity comment on the policy to evaluate its effectiveness, and explain how any comments will be dealt with?

APP 1.4

Does APP organization entity include following non-exhaustive list of information on the APP Privacy Policy?

• the kinds of personal information collected and held by the entity (APP 1.4(a)

• how personal information is collected and held (APP 1.4(b))

• the purposes for which personal information is collected, held, used and disclosed (APP 1.4(c))

• how an individual may access their personal information and seek its correction (APP 1.4(d))

• how an individual may complain if the entity breaches the APPs or any registered binding APP code, and how the complaint will be handled (APP 1.4(e))

• whether the entity is likely to disclose personal information to overseas recipients (APP 1.4(f)), and if so, the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy (APP 1.4(g))

Making an APP Privacy Policy publicly available

APP 1.5

Does APP organization entity take reasonable steps to make its APP Privacy Policy available free of charge, and in an appropriate form with the objective of APP 1 of ensuring that personal information is managed in an open and transparent way?

Does APP organization entity, upon request, to take reasonable steps to provide a person or body with a copy of its APP Privacy Policy in the form requested?

If a request for access in a particular form is declined for a valid reason, Does APP organization entity explain this decision to the person or body making the request and APP organization entity prepared to undertake reasonable consultation with the requester about the request?

2.1

Does APP organization entity providing the option of dealing anonymously or by pseudonym for the individuals?

Does APP organization entity ensure that, if applicable, individuals are made aware of their opportunity to deal anonymously or by pseudonym with the entity? (If anonymity or pseudonymity is the default setting, this does not apply)

Does APP organization entity required to collect personal data in order to deliver a service to a individual?

Does APP organization entity enable individuals to exercise greater control over their personal information and decide how much personal information will be shared or revealed to others?

2.2

Does APP organization entity ensure that no more personal information collected than is required to facilitate the dealing with an individual?

3.1, 3.2

Does APP entity only collect personal information which is reasonably necessary for one or more of the entity’s functions or activities?

Collecting sensitive information

3.3

Does APP entity collects sensitive information? If yes, then APP entity express consent of the individual before you collect sensitive data?

Does APP entity only collect sensitive information which is reasonably necessary for one or more of the entity’s functions or activities?

Collecting information from third parties

3.6

Does APP entity collects data from third parties? If Yes, Does entity considered whether it is unreasonable or impracticable to obtain the personal data directly from the individual?

4.1

Does APP entity received any personal data that entity have not specifically requested from an individual?

4.3

If APP entity have received any personal data from an individual that entity did not request, does entity have procedures in place to either destroy or deidentify the data?

5.1

When APP entity collects personal information about an individual does take reasonable steps either to notify the individual of certain matters or to ensure the individual is aware of those matters

5.2

Does APP entity’s notification statement include following contents?

• APP entity’s identity and contact details

• The fact and circumstances of collection

• Whether the collection is required or authorised by law

• The purposes of collection

• The consequences if personal information is not collected

• The entity’s usual disclosures of personal information of the kind collected by the entity

• Whether the entity is likely to disclose personal information to overseas recipients, and if practicable, the countries where they are located

6.1

Does APP entity ensure that entity use or disclose personal data for the primary purpose for which it was collected?

6.2

Does entity disclose personal data for any secondary purpose?

If so, does entity check to see if entity hold the individual’s consent for the use and disclosure their personal data for the secondary purpose?

or

If else, does entity considered if the individual would reasonably expect entity to disclose the data for a secondary purpose? and, is that secondary purpose related to the primary purpose?

7.2

Option 1

Does APP entity collected personal data from the individual following requirements?

• Would the individual not reasonably expect APP entity to use or disclose their personal data for marketing purposes?

AND

• Have APP entity provided the individual with a simple and easy means by which they can opt-out from receiving marketing communications?

AND

• Have APP entity checked to ensure that the individual has not opted out of receiving marketing communications?

7.3

Option 2

Does APP entity collected personal data from the individual following requirements?

• Would the individual not reasonably expect APP entity to use or disclose their personal data for marketing purposes?

AND

• Has the individual consented to the use or disclosure of their personal data for marketing purposes? OR

  • Is it impracticable to obtain the individual’s consent?

AND

• Have APP entity provided the individual with a simple and easy means by which they can opt-out from receiving marketing communications?

• Have APP entity ensured that the opt-out is included within each marketing communication to the individual OR

  • Have you included a statement within the marketing communication that makes the individual aware that they can make an opt out request?

• Have APP entity checked to ensure that the individual has not opted out of receiving marketing communications?

7.3

Option 3

Does APP entity collected personal data from the individual following requirements?

• Has the individual consented to the use or disclosure of their personal data for marketing purposes? OR

  • Is it impracticable to obtain the individual’s consent?

AND

• Does APP entity provided the individual with a simple and easy means by which they can opt-out from receiving marketing communications?

• Does APP entity ensured that the opt-out is included within each marketing communication to the individual? OR

  • Does APP entity included a statement within the marketing communication that makes the individual aware that they can make an opt out request?

• Does APP entity checked to ensure that the individual has not opted out of receiving marketing communications?

7.4

Does APP entity use an individual’s sensitive data for marketing purposes? If so does APP entity obtained the consent of the individual before using their sensitive data for marketing purposes?

7.6

Does APP entity use or disclose personal data to facilitate direct marketing by third parties?

If so, does APP entity ensure the individual may:

• Request not to receive any marketing communications from you

AND

• Requests that APP entity not use or disclose their personal data to third parties

AND

• Request that APP entity provide the source of that information

7.7

• When an individual requests not to receive direct marketing communications from ;

  • Does APP entity ensure that APP entity do not apply a fee?

  • Does APP entity comply with the individual’s request within a reasonable period?

• When an individual requests that APP entity to not use or disclose their personal data to other organisations for marketing purposes;

  • Does APP entity ensure that you do not apply a fee?

  • Does APP entity comply with the individual’s request within a reasonable period?

Where an individual requests that APP entity provide the source from which APP entity obtained their personal information, does APP entity notify them within a reasonable period of time?

8.1

Does APP entity discloses personal information to an overseas recipient, the entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information?

8.2

APP entity does not need to take reasonable steps to ensure the overseas entity does not breach the APPs if you can satisfy either of the following:

• APP entity reasonably believe the overseas recipient is subject to similar laws as the APPs in order to protect the individuals personal data;

AND

• There are mechanisms that an individual can use to enforce the protection of the overseas laws.

Does APP entity informed the individual that APP entity will be disclosing their personal data to an overseas party? If so has the individual then consented to the disclosure of their personal data to an overseas party?

9.2

Does APP entity collect any government related identifiers from individuals?

10.1

An APP entity must also take reasonable steps to ensure that the personal information it uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up-to-date, complete and relevant

10.2

Does APP entity take reasonable steps to ensure that the personal information it uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up-to-date, complete and relevant?

11.1

Does APP entity take reasonable steps to protect the personal information that holds, from misuse, interference and loss, as well as unauthorised access, modification or disclosure

11.2

Does APP entity take reasonable steps to destroy or de-identify the personal information it holds once the personal information is no longer needed for any purpose for which the personal information may be used or disclosed under the APPs?

12.1

Upon request, Does APP entity able to readily provide an individual with access to their personal data?

12.8

Does APP entity apply a fee for any request by an individual?

Does APP entity declined an individual access to their personal data? if so entity have provided written notice include following?

• the reasons for the refusal, except to the extent that it would be unreasonable to do so, having regard to the grounds for refusal

• the complaint mechanisms available to the individual, and

• any other matters prescribed by regulations made under the Privacy Act

13.1

Does APP entity take reasonable steps to correct personal information it holds, to ensure it is accurate, up-to-date, complete, relevant and not misleading, having regard to the purpose for which it is held?

13.2

Does APP entity will upon request by an individual whose personal information has been corrected, take reasonable steps to notify another APP entity of a correction made to personal information that was previously provided to that other entity.

13.3

Does APP entity give a written notice to an individual when a correction request is refused, including the reasons for the refusal and the complaint mechanisms available to the individual?

13.5

Does APP entity respond in a timely manner to an individual’s request to correct personal information or to associate a statement with the personal information?