22. Privacy Practice and Consent

Previous Next

2025.1

Niche Studio is committed to protecting the privacy of our customers and complies with the Australian Privacy Act 1988 and the 13 Australian Privacy Principles (APPs).

Policy Statements

Niche Studio policy requires that:

(a) Privacy policy shall be made available to inform Customers how Niche Studio collects, uses, secures and shares customer information.

(b) Valid consent must be obtained for data collected from a Customer and the purposes data is used for must be provided. Customer must be provided an option to opt-in or opt-out.

(c) Niche Studio must comply with all 13 Australian Privacy Principles (APPs) when handling personal information, including:

  • Open and transparent management of personal information
  • Collection of personal information only when necessary
  • Notification of collection at or before the time of collection
  • Use and disclosure only for the primary purpose of collection
  • Security of personal information through appropriate technical and organisational measures
  • Access and correction rights for individuals
  • Cross-border disclosure protections

(d) Privacy impact assessments must be conducted for new projects involving personal information.

(e) All staff must receive privacy training covering APP requirements and Niche Studio privacy procedures.

(f) A Privacy Officer must be appointed to oversee compliance with Australian privacy law and handle privacy complaints.

(g) For client projects involving additional compliance requirements (such as HIPAA or GDPR), Niche Studio must follow the procedures outlined in the Client Project Requirements Policy.

Controls and Procedures

Privacy Policy

Current Privacy Policy is published at https://policies.nichestud.io/privacy-policy/

Notice of Privacy Practice

Current Notice of Privacy Practice (NPP) is published at https://policies.nichestud.io/privacy-policy/

The Terms of Use and Consent for Niche Studio platform and applications are hosted online or within the application itself.

Australian Privacy Principles (APP) Compliance

Niche Studio complies with the Australian Privacy Act 1988 and the 13 Australian Privacy Principles (APPs) when handling personal information.

APP 1: Open and Transparent Management of Personal Information

  • Maintain a clearly expressed and up-to-date privacy policy
  • Make the privacy policy available free of charge
  • Ensure the privacy policy is written in plain language
  • Include information about how personal information is collected, used, and disclosed

APP 2: Anonymity and Pseudonymity

  • Give individuals the option of not identifying themselves when dealing with Niche Studio
  • Allow individuals to use pseudonyms where practicable
  • Only require identification when necessary for business purposes

APP 3: Collection of Solicited Personal Information

  • Only collect personal information that is reasonably necessary for business functions
  • Collect personal information only by lawful and fair means
  • Notify individuals about collection at or before the time of collection

APP 4: Dealing with Unsolicited Personal Information

  • Assess whether unsolicited personal information could have been collected under APP 3
  • Destroy or de-identify unsolicited personal information that could not have been collected
  • Notify individuals about unsolicited personal information where required

APP 5: Notification of Collection

  • Notify individuals about:

  • Identity and contact details of Niche Studio

  • Purpose of collection
  • Consequences if information is not collected
  • Third parties to whom information may be disclosed
  • Access and correction rights
  • Complaints process

APP 6: Use or Disclosure

  • Only use or disclose personal information for the primary purpose of collection
  • Obtain consent for secondary purposes unless an exception applies
  • Document all uses and disclosures of personal information

APP 7: Direct Marketing

  • Obtain consent before using personal information for direct marketing
  • Provide an opt-out mechanism for direct marketing
  • Not use sensitive information for direct marketing without consent

APP 8: Cross-border Disclosure

  • Take reasonable steps to ensure overseas recipients comply with APPs
  • Inform individuals about likely overseas disclosures
  • Obtain consent for overseas disclosures where required

APP 9: Adoption, Use, or Disclosure of Government Identifiers

  • Not adopt government identifiers as primary identifiers
  • Not use or disclose government identifiers unless required by law

APP 10: Quality of Personal Information

  • Take reasonable steps to ensure personal information is accurate, up-to-date, and complete
  • Review and update personal information regularly
  • Correct inaccuracies when identified

APP 11: Security of Personal Information

  • Take reasonable steps to protect personal information from misuse, interference, and loss
  • Implement appropriate technical and organisational security measures
  • Regularly review and update security measures

APP 12: Access to Personal Information

  • Provide individuals with access to their personal information upon request
  • Respond to access requests within 30 days
  • Provide information in the manner requested by the individual
  • Charge reasonable costs for providing access

APP 13: Correction of Personal Information

  • Correct personal information upon request
  • Notify third parties of corrections where appropriate
  • Refuse correction requests only in limited circumstances
  • Provide reasons for refusal in writing

Implementation Requirements

  • Conduct regular privacy impact assessments
  • Provide privacy training to all staff
  • Maintain records of personal information handling
  • Establish a privacy complaints process
  • Appoint a Privacy Officer responsible for APP compliance
  • Regularly review and update privacy practices

Monitoring and Compliance

  • Conduct annual privacy audits
  • Review privacy practices against APP requirements
  • Update procedures based on changes to privacy law
  • Document all privacy-related decisions and actions

GDPR Compliance for Client Projects

When Niche Studio works on client projects involving personal data of EU citizens, we must comply with the General Data Protection Regulation (GDPR).

Project Assessment

  1. Data Mapping: Identify all personal data that will be processed
  2. Legal Basis: Determine the legal basis for processing personal data
  3. Data Controller/Processor: Establish whether Niche Studio is a controller or processor
  4. Data Processing Agreement: Execute a DPA with the client if Niche Studio is a processor

Data Processing Agreement (DPA) Requirements

The DPA must include:

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Type of personal data and categories of data subjects
  • Niche Studio’s obligations and rights
  • Client’s instructions for processing
  • Security measures to protect personal data
  • Data breach notification procedures
  • Data subject rights and how to handle requests
  • Data retention and deletion requirements
  • Sub-processor requirements and approvals

Technical and Organizational Measures

Implement appropriate technical and organisational measures including:

Technical Measures:

  • Encryption of personal data in transit and at rest
  • Access controls and authentication
  • Regular security updates and patches
  • Secure development practices
  • Data backup and recovery procedures
  • Network security controls

Organizational Measures:

  • Staff training on GDPR requirements
  • Confidentiality agreements for all staff
  • Regular security assessments
  • Incident response procedures
  • Data protection impact assessments
  • Privacy by design implementation

Data Subject Rights

Support the following data subject rights:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)
  • Rights related to automated decision-making (Article 22)

Data Breach Notification

  1. Detection: Monitor for potential data breaches
  2. Assessment: Assess whether the breach poses a risk to data subjects
  3. Notification: Notify the client within 24 hours if Niche Studio is a processor
  4. Documentation: Document all data breaches and response actions
  5. Cooperation: Cooperate with the client in breach response

Cross-Border Data Transfers

  1. Adequacy Decision: Check if the destination country has an adequacy decision
  2. Safeguards: Implement appropriate safeguards if no adequacy decision exists
  3. Standard Contractual Clauses: Use SCCs where appropriate
  4. Documentation: Document all cross-border transfers and safeguards

Data Protection Impact Assessment (DPIA)

Conduct a DPIA when processing is likely to result in high risk to data subjects: 1. Systematic Description: Describe the processing operations 2. Necessity and Proportionality: Assess necessity and proportionality 3. Risk Assessment: Identify and assess risks to data subjects 4. Mitigation Measures: Identify measures to address risks 5. Documentation: Document the DPIA and mitigation measures

Regular Compliance Monitoring

  1. Quarterly Reviews: Review GDPR compliance quarterly
  2. Annual Assessments: Conduct annual GDPR compliance assessments
  3. Training Updates: Update training materials based on regulatory changes
  4. Procedure Updates: Update procedures based on lessons learned

Documentation Requirements

Maintain documentation of:

  • Data processing activities
  • Data protection impact assessments
  • Data breach incidents and responses
  • Staff training records
  • Technical and organisational measures
  • Data subject requests and responses
  • Cross-border data transfers
21. Third Party Security and Vendor Risk Management 23. Client Project Requirements