IPP 5.1 requires organisations to have a document that sets out “clearly expressed policies on its management of personal information.” However, it does not state what the policy needs to say.
- Use plain language and avoid legal jargon – to achieve a ‘clearly expressed’ policy.
- Do not just mirror the IPPs – explain how information flows in your organisation.
- Be specific about your organisations functions and how it will handle personal information.
- Highlight aspects that are likely to be relevant to the reader or which may be surprising or unexpected.