When managing your compliance with the Australian Privacy Act, accurately adding and maintaining records of your assets and suppliers is crucial. This form is designed to help you capture all the necessary details. Below is an explanation of each field to guide you through the process.
Please note that the information in this article is general in nature. Professional advice should be sought on specific matters, ideally from lawyers engaged under a costs agreement so that Legal Professional Privilege (LPP) applies to the advice.
Form Fields Breakdown
Category: Select the type of asset or supplier. Options include categories like Software, Hardware, Outsourced Services, etc. This helps classify the asset or supplier for easier management and reporting.
Name: Enter the name of the asset or supplier. This should be the formal name that identifies the asset or the supplier’s business name.
Owner: Choose the person responsible for managing the asset or supplier within your organisation. Typically, this could be a team lead, manager, or a designated privacy officer.
Status: Set the current status of the asset or supplier, such as Active or Decommissioned. This helps track the operational status of each entry.
Date Added: Record the date when the asset or supplier was first added to your system. This is important for tracking and audit purposes.
Last Review Date: Enter the date when the asset or supplier was last reviewed. Regular reviews are essential for ensuring ongoing compliance with the Privacy Act.
Next Review Date: Set the next scheduled review date. Keeping this up-to-date ensures that the asset or supplier is regularly assessed for compliance and relevance.
Criticality: Select the criticality level of the asset or supplier, such as Low, Medium, or High. This indicates how vital the asset or supplier is to your operations and helps prioritise management efforts.
Risk: Assess and choose the risk level associated with the asset or supplier, such as Low, Medium, or High. Unlike Criticality (how much you depend on it), Risk reflects how likely and how damaging a privacy or security failure involving it would be, and helps prioritise which exposures need treatment first.
Data Types Shared: Specify the types of personal data shared with this asset or supplier. Examples include Customer Data, Employee Data, etc. This is crucial for understanding and managing privacy risks.
Data Storage Location: Indicate where the data is stored, whether on-premises, in the cloud, or in a specific geographic location. If you're unsure, a quick web search (for example, "where does Xero store its data?") will usually lead you to the supplier's own hosting or data-residency documentation; record what the supplier states and confirm it against your contract rather than relying on a third-party summary. This information is vital because disclosing personal information to an overseas recipient is governed by Australian Privacy Principle 8 (cross-border disclosure), so you need to know whether any data leaves Australia.
Data Classification: Choose the classification level of the data handled by the asset or supplier, such as Public, Internal, Confidential, or Sensitive. This helps ensure appropriate security measures are in place.
Subprocessor: Select Yes or No to indicate whether this asset or supplier passes your data on to a subprocessor (a further third party that processes data on the supplier's behalf). Knowing this helps manage third-party risk and lets you check that the supplier binds its subprocessors to obligations consistent with the Privacy Act.
Publish in Privacy Policy: Decide whether to include this asset or supplier in your public-facing privacy policy. This is important for transparency with your customers and stakeholders.
Legal Obligations: Enter any legal obligations associated with this asset or supplier, such as data retention requirements or specific compliance mandates.
Annual Security Review Completed: Indicate whether an annual security review has been completed for this asset or supplier. Regular security reviews are a best practice for maintaining compliance.
Vendor Monitoring: Select Yes or No to indicate if ongoing monitoring of the supplier is in place. Monitoring is crucial to ensure the supplier continues to meet your security and compliance standards.
Custom Fields: Use this section to add any custom fields that your organisation requires. This flexibility allows you to capture unique data points not covered by the standard fields.
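The fields above describe a register; the value comes from running checks over it. The following script is an added example, not part of this article or of any product's code. It holds a small constructed register whose keys mirror the form fields (plus an assumed `storage_country` field so the cross-border check has something structured to test) and flags entries that need attention: overdue or soon-due reviews, high-criticality entries without an annual security review, subprocessors without vendor monitoring, and confidential or sensitive data held outside Australia.

```python
"""Consistency checks over an asset/supplier register.

Added example, not the article's or any product's own code. Record keys
mirror the form fields described above; `storage_country` is an assumed
extra field used to make the cross-border check testable.
"""
from datetime import date, timedelta

# Constructed sample register: three entries that between them exercise every check.
REGISTER = [
    {
        "name": "Payroll SaaS (constructed)",
        "category": "Outsourced Services",
        "status": "Active",
        "criticality": "High",
        "risk": "Medium",
        "data_classification": "Sensitive",
        "storage_country": "US",
        "subprocessor": True,
        "vendor_monitoring": False,
        "annual_security_review_completed": False,
        "last_review_date": "2024-01-15",
        "next_review_date": "2025-01-15",
    },
    {
        "name": "Office file server (constructed)",
        "category": "Hardware",
        "status": "Active",
        "criticality": "Medium",
        "risk": "Low",
        "data_classification": "Internal",
        "storage_country": "AU",
        "subprocessor": False,
        "vendor_monitoring": True,
        "annual_security_review_completed": True,
        "last_review_date": "2025-03-01",
        "next_review_date": "2026-03-01",
    },
    {
        "name": "Legacy CRM (constructed)",
        "category": "Software",
        "status": "Decommissioned",
        "criticality": "Low",
        "risk": "High",
        "data_classification": "Confidential",
        "storage_country": "AU",
        "subprocessor": False,
        "vendor_monitoring": False,
        "annual_security_review_completed": False,
        "last_review_date": "2023-06-01",
        "next_review_date": "2024-06-01",
    },
]

HIGHER_CLASSIFICATIONS = {"Confidential", "Sensitive"}


def review_flags(record, today_iso):
    """Return the list of issues a reviewer should look at for one record."""
    today = date.fromisoformat(today_iso)
    last = date.fromisoformat(record["last_review_date"])
    nxt = date.fromisoformat(record["next_review_date"])
    flags = []
    if nxt < last:
        flags.append("next review date precedes last review date")
    if record["status"] == "Decommissioned":
        # Decommissioned entries stay on the register for audit purposes but are not reviewed.
        return flags
    if nxt < today:
        flags.append(f"review overdue by {(today - nxt).days} days")
    elif nxt - today <= timedelta(days=30):
        flags.append("review due within 30 days")
    if record["criticality"] == "High" and not record["annual_security_review_completed"]:
        flags.append("high-criticality entry without a completed annual security review")
    if record["subprocessor"] and not record["vendor_monitoring"]:
        flags.append("uses a subprocessor but no vendor monitoring is in place")
    if record["data_classification"] in HIGHER_CLASSIFICATIONS and record["storage_country"] != "AU":
        flags.append("confidential/sensitive data stored outside Australia: confirm APP 8 cross-border disclosure obligations")
    return flags


def register_report(register, today_iso):
    """Map each entry's name to its flags, omitting entries with nothing to report."""
    report = {}
    for record in register:
        flags = review_flags(record, today_iso)
        if flags:
            report[record["name"]] = flags
    return report


if __name__ == "__main__":
    for name, flags in register_report(REGISTER, "2025-06-01").items():
        print(name)
        for flag in flags:
            print("  -", flag)
```

Run as-is, the report lists only the payroll supplier, with four flags; the file server is clean and the decommissioned CRM is skipped after its date consistency check. The thresholds (30-day warning, Australia as the in-country location) are assumptions chosen for the example and would be set to match your own review cadence and policy.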
Completing the 'Add Asset or Supplier' form accurately is key to maintaining your organisation’s compliance with the Australian Privacy Act. By understanding and filling out each field carefully, you ensure that all relevant information is documented, which helps mitigate risks and manage compliance effectively.