If this is your first rodeo, a great starting point is to consider what information your organisation collects and how your organisation uses that information, since the core aim is to educate users and providers on your organisation's handling of personal information. In addition, some hot tips from our combined experience of having reviewed what feels like more privacy policies than there are episodes of The Bold & The Beautiful include:
- the reader should be able to understand your business' functions, activities and procedures for handling personal information; and
- focus on what is important to readers and provide information in layers so that you can be succinct while ultimately being as specific as possible.
If you too have a PhD in privacy policies, don't rest on your elbow patches yet! Reforms to the Privacy Act proposed by the Attorney-General's Department would introduce standardised terminology and iconography, re-emphasise the requirement that privacy policies be clear and understandable, and additionally require that privacy policies include:
- the rights of the individual (proposed to be expanded) and your organisation's procedures for responding to an individual's request to exercise their rights;
- the types of personal information that will be used in substantially automated decisions which have a legal or similarly significant effect on an individual's rights; and
- maximum and minimum personal information retention periods that must be reviewed periodically.
Now you have our permission to rest!
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.