Privacy's Ten Commandments
Coming privacy legislation is based on 10 key National Privacy Principles (NPPs):
1.Collection
The law says: You can only collect information relevant to your business, by fair means, and not in an -unreasonably intrusive" way. Let customers know when you collect information. Don't use back-handed means or get data from other parties with less stringent privacy controls.
What this means for you: Link every page on your site to a clear, coherent and specific privacy policy. State who you are, what data you're collecting, who else will see it, why you need the data, and what will happen if you don't have it. Consider adding this information onto specific Web pages where you collect personal information.
2.Use and disclosure
The law says: You can't disclose personal information unless it's for a specific need and customers would -reasonably expect" you to do so. Include contact details and opt-out instructions in any marketing communication, then facilitate and honour their requests to that effect.
What this means for you: Hiding behind anonymous remailers (ie spamming) is bad business practice and will get you blacklisted across the Web so fast your head will spin. Customers are trusting you when they give you personal information, and it's in your best interest not to abuseâ€"or even stretchâ€"that trust in any way. Use commonsense and run questionable ideas past a privacy consultant.
3.Data quality
The law says: Make sure the personal information you collect, use or disclose is accurate, complete and up-to-date.
What this means for you: As anybody who's maintained a database knows, inaccurate and out-of-date information is all too common. Offer online self-service tools, and encourage customers to notify you of any changes to their information.
4.Data security
The law says: You have to take -reasonable steps" to protect personal information from misuse and loss from unauthorised access, modification or disclosure. Destroy or eliminate identifying details from information you no longer need for a specific purpose.
What this means for you: Implement appropriate security measures that both protect data (ie encryption) and prevent unauthorised access to and/or use of that data (ie authentication and activity logging).
5.Openness
The law says: You must document your personal information management policy and make this policy available to anyone that asks for it.
What this means for you: Prominently include links to your privacy policy on your Web site. Consider pairing these links with the logo for APSAC certification, if you've gone down that path.
6.Access and correction
The law says: In all but frivolous or legally compromising situations, you have to let customers see the information you have about them. They must be able to correct incorrect information.
What this means for you: Establish mechanisms to allow customer access to their information. This might be through a call centre, faxback service, or ideally straight through your Web site. You'll also need to provide a procedure for customers to update information that's not correct, such as an online self-service portal.
7.Identifiers
The law says: You cannot use the same identification number or code that another company or agency has assigned to a particular customer.
What this means for you: This is designed to prevent aggregation of customer data from multiple sources. Only a customer's name may be used as an identifier by multiple companies. Develop your own process for identifying customers and don't include those numbers when sharing data with other companies. Be particularly careful where multiple divisions of a company may have access to similar data.
8.Anonymity
The law says: Wherever it's practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.
What this means for you: Don't demand personal information just to access the site. Build a basic level of functionality that's available to anybody, and consider offering extra value-adds if customers tell you more about themselves.
9.Transborder data flows
The law says: Don't transfer information out of Australia unless the recipient is in a jurisdiction where privacy is up to NPP standards and the recipient is likely to uphold the privacy. Get approval for such transfers from customers wherever possible.
What this means for you: Be very, very careful about who you share data with. If you compromise customers' privacy, even inadvertently, it could lose you customers and cause major problems for your company's reputation.
10.Sensitive information
The law says: Don't collect sensitive information about people unless they've authorised it, would authorise it but can't, or you need it to benefit public health or safety.
What this means for you: Although it doesn't define 'sensitive', this principle is intended to protect medical records and other healthcare-related information. If you're working in this area, get advice before implementing anything dealing with such data.
See the full text of the National Privacy Principles, or contact the Privacy Commissioner's Privacy Hotline on 1300 363 992 if you have further questions. Another valuable source of privacy-related information is the Attorney-General's page.
