Developing Processes and Procedures

The aim of this factsheet is to provide businesses with instructions about creating processes to ensure they adhere to the six basic principles of securing data privacy. It will also include suggestions about handling complaints and other administrative requests.

The six principles are set out below:

  1. Fairness and Transparency
    For a business, this will require it to be honest, open and transparent with its customers and clients in the collection and management of personal information.
  2. Purpose of data use or disclosure
    This will require a business to advise its customers and clients of the reasons it collects that specific type of information. It will also require the disclosure of how that data is used and shared. This disclosure requires the consent of the customer/client.
  3. Data minimisation and anonymisation
    Businesses are encouraged, where possible, to use anonymous data in their collection from customers and clients. Should further personal information be required, businesses should limit the collection and consider whether the further collection is reasonable and relevant.
  4. Accuracy of data and the right to correct
    Businesses should aim to always have current and accurate data. They should then seriously consider how accessible it is for a customer or client to amend their data, including requests for its deletion.
  5. Retention of data
    The way personal information is stored and the length of time it is retained should also be a priority.
  6. Security of data
    Following from the fifth principle, that data should be stored securely. This will require businesses to have appropriate technical and organisational structures in place. One such method could be allowing individuals to elect to use a pseudonym instead of identifying themselves. 

Dispute resolution factors:
  • Determine who within your organisation will handle complaints and correction requests.
    • Ensure that the dispute resolution person is given the appropriate permissions. 
    • Ensure that the person (such as a designated privacy officer) reports regularly to their superiors, and where required, to the appropriate regulatory bodies. 
    • Consider the extent of the business' liability. Consider which mechanisms should be included in the dispute resolution process, such as whether agents and contractors are included. 
  • Create a comprehensive process and timeline for customers/clients to raise their queries/concerns.
    • Make this easily available.
    • Train staff members in the process for customers/clients to raise concerns or request that their data be amended. We'd suggest including this as an available link on the intranet or in other office procedure manuals so it can be easily accessed. 
  • Regularly review how the dispute resolution process is being used and actively seek feedback to ensure the process remains relevant. 
    • Consider whether the Privacy Policy and its associated practices, procedures or systems should be amended to reflect new changes.