What is a privacy policy and does my business need one?

privacy-policy.jpg

A privacy policy is used by a business to govern how it collects personal information from customers. Privacy policies can often be found on the bottom of websites as a link or may be incorporated in physical forms that customers sign.

 

The purpose of a privacy policy is to outline to clients how the business appropriately handles, uses and manages privacy information.  A privacy policy should outline what information you collect in the course of conducting your business.

Australian privacy laws are governed by the Privacy Act 1988 (the Act) which, incorporates thirteen (13) Australian Privacy Principles (Principles). 

The Principles cover:

  1. open and transparent management of personal information;

  2. anonymity and pseudonymity;

  3. collection of solicited personal information;

  4. dealing with unsolicited personal information;

  5. notification of the collection of personal information;

  6. use or disclosure of personal information;

  7. direct marketing;

  8. cross-border disclosure of personal information;

  9. adoption, use or disclosure of government related identifiers;

  10. quality of personal information;

  11. security of personal information;

  12. access to personal information;

  13. correction of personal information.

 

Generally, a privacy policy should be accessible in any reasonable requested form, free of charge, displayed on the business’ website and include the following:

  • The kinds of personal information you collect and hold;

  • How you collect and hold that personal information;

  • The purposes which you collect, hold, use and disclose personal information;

  • How an individual may their access personal information held by you and seek the correction of such information;

  • How an individual can complain about a breach and how you will deal with a complaint; and

  • Whether you’re likely to disclose personal information to an overseas recipient and if so, to specify the overseas counties if it is practicable.

 

When outlining what kinds of privacy information a business collects it is important to distinguish between:

  • Personal information: which relates to information/opinions that identify an individual such as contact and financial details (whether they are true or not); and

  • Sensitive information: which relates to information/opinions about things like health, religion, political opinions, race or ethnicity.

 

The Act and Principles apply to:

  • organisations and companies with an annual turnover over $3 million;

  • all private health service providers; and

  • some small businesses.

 

If your business meets the relevant criteria, you will need to have a privacy policy. Coutts can assist you in determining whether you need a privacy policy. The Office of Australian Information Commission also has a checklist to assist small businesses to assess whether they need to comply with the Act.

 

Entities required to have a privacy policy must not breach the Principles. There could be consequences for businesses such as a fine where the business does not have a privacy policy when required to or if the business breaches the policy, the Act or Principles.

 

Coutts have experience in reviewing and drafting privacy policies to meet the requirements of the Act and the Principles. Coutts recognise the importance of understanding your business and your specific processes and procedures to ensure the policy reflects how you do business. For further information on privacy policies please contact the Commercial Law team.

For further information please don’t hesitate to contact:

Keely Irving
Lawyer
keely@couttslegal.com.au
02 4607 2124

This blog is merely general and non specific information on the subject matter and is not and should not be considered or relied on as legal advice. Coutts is not responsible for any cost, expense, loss or liability whatsoever in relation to this blog, including all or any reliance on this blog or use or application of this blog by you.