Do you make sure people know the difference between information they need to provide and information that is optional?
Personal information may only be collected for a specific (lawful) purpose that is related to a function or activity of your business.
For example (1):
John has a garden services business. He collects his customers’ names and contact numbers in order to render his services at their homes. John would also like to collect his customers’ email addresses so he can email their bills instead of posting them through their front doors. As this is not necessary for him to carry out his services, he tells his customers that giving him this information is optional.
If he were to use the information to start marketing other services, he would fall foul of the Act, unless he obtained consent for other direct marketing. See also point 10 hereafter.
For example (2):
Peter’s business is providing an online subscription-based newsletter. He collects the name, email address and phone number of his subscribers, as well as their specific weekly, monthly or yearly order, and details of their payments.
Peter creates a document that details what personal data he collects and how long he holds it (the retention period). At the end of the retention period, he securely destroys the data by shredding it. He does not hold onto details of subscribers when they cancel the subscription.
He also annually checks the personal data he holds to make sure everything has been deleted at the end of its retention period.