Privacy Notices
In a seashell...
- You need to specify your purposes in your privacy notice for individuals.
- You must provide individuals with a clear and easy to understand statement about your practices and policies with respect to personal information.
- Privacy notices have specific requirements beyond the general obligation for transparency in the fairness principle.
Section 9, Privacy notices, states that:
(1) An organisation shall provide individuals with a clear and easily accessible statement (“privacy notice”) about its practices and policies with respect to personal information, including;
(a) the fact that personal information is being used;
(b) the purposes for which personal information is or might be used;
(c) the identity and types of individuals or organisations to whom personal information might be disclosed;
(d) the identity and location of the organisation, including information on how to contact it about its handling of personal information;
(e) the contact details of the privacy officer;
(f) the choices and means the organisation provides to an individual for limiting the use of, and for accessing, correcting, blocking, erasing and destroying, his personal information.
(2) Organisations shall take all reasonably practicable steps to ensure that the privacy notice is provided either before or at the time of collection of personal information, or, where that is not possible, as soon thereafter as is reasonably practicable.
(3) Organisations are not obliged to provide a privacy notice if—
(a) all of the personal information held by it is publicly available information; or
(b) the organisation can reasonably determine that all uses made, or to be made, of the personal information are within the reasonable expectations of the individual to whom the personal information relates.
A privacy notice should precede any collection of personal information. Privacy notices are good practice and are increasingly required by law in various jurisdictions.
Privacy notices should provide the individual with answers to the following questions:
- Who is collecting the personal information and by which methods?
- What personal information is being collected?
- How will the personal information be used?
- How can consent for collection and use of the personal information be provided and removed?
- With whom will the personal information be shared?
- How long will the personal information be retained?
The notice should contain details about the life cycle of personal information:
- how personal information is collected and by whom;
- how the personal information will be used;
- to whom the personal information will be disclosed; and
- how long the information will be retained.
Details about how personal information is destroyed are not generally disclosed in a privacy notice.
Checklist
☐ We have clearly, easily, and accessibly stated our practices and policies for using personal information.
☐ We include details of our purposes in our privacy notice for individuals.
☐ We regularly review our privacy notice for individuals.