Client Agency Privacy Checklist
This checklist outlines what agencies should consider in relation to their obligations under the Privacy Act 2020.
On this page
This checklist has been developed by Business Connect to assist Client Agencies to meet their obligations under the Privacy Act and Information Privacy Principles when developing services for use on the Business Connect platform.
This is not legal advice, and should not be relied upon solely to meet your Privacy Act obligations. Always talk to your Privacy Officer before finalising your service requirements and launching your service on Business Connect.
Download a PDF copy of this checklist:
Client Agency Privacy Checklist [PDF, 130 KB]
Have you considered what personal information you really need to deliver your service, and ensured that the forms you are developing request only that information?
A Client Agency must ensure that it collects only the personal information it needs to manage a specific service via Business Connect. This includes minimising the required fields to be completed within an application form and minimising the scope of documents a customer is required to submit in support of an application.
Have you ensured that you are providing adequate privacy transparency to customers in relation to your service?
A Client Agency must provide clear privacy notice to a customer about the personal information it is collecting, how it will be used or shared, and how a customer can access or correct it. This privacy notice should be included as a link in the service form(s). Client Agencies could create a service-specific privacy notice, or provide a link to their general privacy statements (as long as they cover the specific service). Client Agencies can also add ‘tips’ to questions in their service forms to help customers understand why certain data elements are required (such as sensitive information).
Have you ensured that customers will be able to access and correct the Business Connect data you hold about them in your backend systems?
A Client Agency must ensure that customers can access and correct their information. Before an application has been submitted, customers will be able to access and correct their information directly via Business Connect. However, once an application has been submitted, it will not be possible for a customer to correct it this way. Client Agencies need to ensure that they have internal processes in place to enable the correction of applications once submitted, and make these clear to customers via Business Connect.
Have you developed a data retention policy for the Business Connect data you hold in your backend systems?
The Business Connect platform is a transactional system only. It is not intended to be the system-of-record for a Client Agency’s service data. This means a Client Agency must ensure that it retains a copy of Business Connect data within its own backend system-of-record. The Client Agency is responsible for ensuring that this data is retained only for as long as it is needed for a lawful purpose. This will involve a consideration of any minimum data retention requirements set by relevant laws or regulations (including the Public Records Act or relevant General Disposal Authorities), and maximum data retention requirements set by its legitimate use of the information for the purposes of the service.
Have you set a data retention period for the Customer Data held on your behalf in Business Connect?
The Client Agency decides how long its Customer Data – such as submitted applications and associated correspondence – should be retained within Business Connect. This retention period should be conveyed to Business Connect when a new service is set up, and Business Connect will enable this within the platform.
Have you considered how you will use or share Business Connect data for the purposes of your service, and ensured that customers have been informed about this in your privacy statement?
A Client Agency must ensure that it uses Business Connect data only for the purpose of deciding on a service application, or in other ways as notified to customers in its privacy statement. A Client Agency must also ensure that it does not disclose Business Connect data, unless that disclosure is directly related to the processing of that application or has otherwise been notified to customers in its privacy statement.
Have you considered whether a full Privacy Impact Assessment (PIA) might be warranted for your service?
A PIA is a risk assessment used to help agencies identify and evaluate the potential privacy impact of a project, process, or change. Where a Client Agency is transferring an existing service to Business Connect, it may not need to complete a full PIA. However, a full PIA might be warranted if the Client Agency is (for example):
- developing an entirely new service;
- significantly changing an existing service;
- considering collecting sensitive personal information (such as financial information or health information) as part of the service; or
- intending to make a service available to consumers.