Privacy Officer

- Appoint a privacy officer (if you haven’t already). We recommend that the franchisor has a privacy officer who acts as the central point of control and contact for franchisees on privacy-related matters. Each franchisee should also nominate a person as their privacy officer.

- Ensure your privacy officer is up to speed with privacy laws, including the changes under the Act.
Collecting Information

- Audit what information you collect (and how you collect it), including any information you collect online.

- Check whether your privacy policy allows you to collect the information you and/or your franchisees are collecting.

- Check whether you need to collect the personal information you and/or your franchisees are collecting.

- If personal information is collected from children or young people, check that it is collected fairly.
Disclosing Information

- Identify who you and your franchisees disclose personal information to (and where in the world it goes).

- If you or your franchisees send personal information overseas, check whether you comply with the changes to the Act.

- Check that the network’s privacy policy accurately and clearly describes who information is disclosed to, and how information will be protected if you transfer it overseas (if applicable).

- Check that your agreements with third parties allow you to comply with your obligations under the Act (for example, by including a process for reporting breaches and restrictions on transferring data overseas). Your template franchise agreement should also include these clauses.
Privacy Breaches

- Create a data breach response plan and update your privacy policy to describe how you will respond to a breach.

- Update your franchise manual to include your data breach response plan, with a clear process for franchisees to report, manage and notify data breaches. Consider having this led and controlled by you to ensure compliance and to manage potential brand/PR damage.

- Test your breach response plan with your franchisees. You can use the Privacy Commissioner’s online NotifyUs tool to run through example situations without submitting information to the Privacy Commissioner.
Storage and Security

- Review the safeguards and policies you have in place for protecting the personal information you and/or your franchisees collect. You may need to update your franchise manual.

- If permitted by your franchise agreement, consider auditing how your franchisees are dealing with personal information, including its collection, storage and disposal.

- If you or your franchisees deal with account numbers, driver’s licence numbers or other unique identifiers, consider how you can protect against these being misused. Update your franchise manual if required.

- Ensure that you and your franchisees are not keeping personal information longer than needed.

- Check that you and your franchisees are disposing of personal information securely when finished with it.
Access

- Check you have a process in place to respond to requests for access to or correction of personal information within the statutory timeframes. This could be controlled by the franchisor.
Training

- Ensure that your franchisees and their employees understand the privacy obligations under the Act, the process to follow if there is a privacy breach, and your internal privacy policies.
Update Your Documents

Depending on the nature of your franchise, as part of completing this warrant of fitness you will need to review and update a number of documents you and your franchisees use. These could include:

Privacy policy – Your privacy policy should be easy to understand and accurately set out:
- the personal information collected and who the information is disclosed to (make sure you allow disclosure to and use by the franchisor and related entities);
- what the information will be used for;
- how the information is stored, kept secure and disposed of;
- whether the information is sent overseas (and if so, how it will be protected);
- how an individual can access and correct their information; and
- how you/the franchisee will respond to a privacy breach.

Franchise manual – Your franchise manual should be updated with a new data breach response plan, and privacy policies and procedures which clearly set out franchisees’ obligations in relation to privacy, including in relation to sending personal information overseas.

Internal privacy policy – You may want to create a separate internal privacy policy for franchisees to provide to their staff to follow (or update your existing one).

Internal training modules – If you provide franchisees with training booklets or modules, these should be updated to include privacy obligations.

Franchise agreement – Consider updating your template franchise agreement to include or update specific privacy-related terms. For your existing franchisees, consider whether changes to the manual are sufficient.

Customer agreements and sign-up forms – Remove any personal information you don’t need to collect, and make changes if information is sent overseas. Don’t forget online forms.

Third party agreements (e.g. supplier agreements) – Updates should include a privacy breach process and clauses that ensure information sent overseas is protected.

Cloud storage agreements – Check whether your agreements enable you to comply with your obligations under the Act, including your obligation to report privacy breaches and to provide individuals with access to and correction of their information.

Insurance – Check whether your insurance policy covers you for a privacy breach.