Developing Processes and Procedures
The aim of this factsheet is to provide businesses with instructions about creating processes to ensure they adhere to the six basic principles of securing data privacy. It will also include suggestions about handling complaints and other administrative requests.
The six principles are listed below:
- Fairness and Transparency
For a business, this will require it to be honest, open and transparent with its customers and clients in the collection and management of personal information.
- Purpose of data use or disclosure
This will require a business to advise its customers and clients of the reasons it collects that specific type of information. It will also require the disclosure of how that data is used and shared. This disclosure requires the consent of the customer/client.
- Data minimisation and anonymisation
Businesses are encouraged, where possible, to use anonymous data in their collection from customers and clients. Should further personal information be required, businesses should limit the collection and consider whether the further collection is reasonable and relevant.
- Accuracy of data and the right to correct
Businesses should aim to always have current and accurate data. They should then seriously consider how easily a customer or client can amend their data, including requests for its deletion.
- Retention of data
Consideration of the way personal information is stored and the length of time it is retained should also be a priority.
- Security of data
Following from the fifth principle, that data should be stored securely. This will require businesses to have appropriate technical and organisational structures in place. One such method could be allowing individuals to elect to use a pseudonym instead of identifying themselves.
- Determine who within your organisation will handle complaints and correction requests.
- Ensure that the dispute resolution person is given the appropriate permissions.
- Ensure that the person (such as a designated privacy officer) reports regularly to their superiors, and where required, to the appropriate regulatory bodies.
- Consider the extent of the business' liability. Consider which mechanisms should be included in the dispute resolution process, such as whether agents and contractors are included.
- Create a comprehensive process and timeline for customers/clients to raise their queries/concerns.
- Make this easily available.
- Train staff members in the process for customers/clients to raise concerns or request that their data be amended. We'd suggest including this as an available link on the intranet or in other office procedure manuals so it can be easily accessed.
- Regularly review how the dispute resolution process is being used and actively seek feedback to ensure the process remains relevant.