(1) The object of this section is to ensure that an affected information recipient manages the regulated information of the recipient in an open and transparent way.
Compliance with this Division etc.
(2) An affected information recipient must take such steps as are reasonable in the circumstances to implement practices, procedures and systems relating to the recipient's functions or activities that:
(a) will ensure that the recipient complies with this Division and the registered CR code if it binds the recipient; and
(b) will enable the recipient to deal with inquiries or complaints from individuals about the recipient's compliance with this Division or the registered CR code if it binds the recipient.
Policy about the management of regulated information
(3) An affected information recipient must have a clearly expressed and up-to-date policy about the recipient's management of the regulated information of the recipient.
(4) Without limiting subsection (3), the policy of the affected information recipient must contain the following information:
(a) the kinds of regulated information that the recipient collects and holds, and how the recipient collects and holds that information;
(b) the purposes for which the recipient collects, holds, uses and discloses regulated information;
(c) how an individual may access regulated information about the individual that is held by the recipient and seek the correction of such information;
(d) how an individual may complain about a failure of the recipient to comply with this Division or the registered CR code if it binds the recipient;
(e) how the recipient will deal with such a complaint.
Availability of policy etc.
(5) An affected information recipient must take such steps as are reasonable in the circumstances to make the policy available:
(a) free of charge; and
(b) in such form as is appropriate.
Note: An affected information recipient will usually make the policy available on the recipient's website.
(6) If a person or body requests a copy, in a particular form, of the policy of an affected information recipient, the recipient must take such steps as are reasonable in the circumstances to give the person or body a copy in that form.
Interaction with the Australian Privacy Principles
(7) If an affected information recipient is an APP entity, Australian Privacy Principles 1.3 and 1.4 do not apply to the recipient in relation to the regulated information of the recipient.