Do you need a Privacy Policy?


In Australia, the Privacy Act 1988 (Cth.) (Privacy Act) regulates how personal information must be handled by the entities that are covered by it. The Privacy Act includes the Australian Privacy Principles (APPs), which are contained in Schedule 1 of the Privacy Act. The APPs set out 13 principles governing how every organisation that is required to comply with the Privacy Act must collect, hold, use, disclose and manage personal information.

Section 6 of the Privacy Act defines ‘personal information’ as:

“…information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable.”

Some common examples of personal information include an individual’s name, signature, address, date of birth, job title, gender, bank account details, commentary or opinion about a person and, in some circumstances, telephone numbers and email addresses. Information is only ‘personal information’ if the identity of an individual is apparent, or can reasonably be ascertained, from that information (alone or in combination with other information you hold).

When do you have to comply with the Privacy Act?

There are a number of triggers which require a business (including a sole trader, trust, company or partnership) to comply with the Privacy Act, including where the business:

  1. handles personal information and has had an annual turnover in excess of AUD$3 million in any financial year since 2002;
  1. trades in personal information (with or without the consent of the individuals concerned). Trading in personal information includes, for example, selling a customer list to a marketing company;
  1. is a health service provider, i.e. provides a health service and holds health information;
  1. operates a residential tenancy database;
  1. is related to (for example, is a subsidiary of) an organisation that is required to comply with the Privacy Act;
  1. provides services to the Commonwealth Government or the government of Norfolk Island under a Commonwealth contract;
  1. provides credit reporting services, or is a reporting entity (or an authorised agent of one) under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth.);
  1. is an employee association registered under the Fair Work (Registered Organisations) Act 2009 (Cth.);
  1. is a business prescribed by the regulations;
  1. is required to comply with the Commonwealth metadata retention obligations under the Telecommunications (Interception and Access) Act 1979 (Cth.); or
  1. has voluntarily opted in to the Privacy Act.

In respect of the last item, even where an entity would not otherwise be required to comply with the Privacy Act, the Act provides a mechanism that allows the entity to voluntarily ‘opt in’. The usual rationale for opting in is to increase consumer confidence and trust in the business’s handling of personal information.

If you collect tax file numbers (for example, because your business employs individuals in any capacity), then regardless of the triggers above you must comply with the rule issued under the Privacy Act governing tax file number information, known as the TFN Rule.

Privacy Policy

APP 1 (open and transparent management of personal information) requires an entity covered by the Privacy Act to have, amongst other things, a clearly expressed and up-to-date privacy policy describing how the entity manages personal information.

The Privacy Policy, at a minimum, must contain the following information:

  1. the kinds of personal information that the entity collects and holds;
  1. how the entity collects and holds personal information;
  1. the purposes for which the entity collects, holds, uses and discloses personal information;
  1. how an individual may access personal information about the individual that is held by the entity and seek the correction of such information;
  1. how an individual may complain about a breach of the APPs, or of a registered APP code (if any) that binds the entity, and how the entity will deal with such a complaint;
  1. whether the entity is likely to disclose personal information to overseas recipients; and
  1. if the entity is likely to disclose personal information to overseas recipients, the countries in which those recipients are likely to be located, if it is practicable to specify those countries in the policy.

What happens if I breach the Privacy Act?

The Australian Information Commissioner (Commissioner) is responsible for administering the Privacy Act.

If you are covered by the Privacy Act and an individual believes that you have not complied with it in handling their personal information (for example, by not having a privacy policy), that individual is entitled to make a complaint to the Commissioner. The Commissioner can also investigate on the Commissioner’s own initiative and, if necessary, make determinations about your handling of personal information.

The Privacy Act gives the Commissioner broad enforcement powers, including under section 52 in respect of determinations of complaints. The Commissioner has the power to:

  1. make directions;
  2. award damages (including compensation for injury to feelings);
  3. accept enforceable undertakings;
  4. seek civil penalties; and/or
  5. seek an injunction from the court to stop conduct that is in breach of the Privacy Act.

Following a serious or repeated breach of the Privacy Act, the Commissioner may apply to a competent court to enforce a prior determination and may seek civil penalties of up to $340,000 for an individual and $1.7 million for a corporation.

How we can help you

We consider it prudent for every business that plans to grow its revenue, and so is likely to cross the AUD$3 million threshold or trigger one of the other tests above, to have a compliant Privacy Policy in place.

Please do not hesitate to contact us if you need any advice concerning your Privacy Policy or to have a Privacy Policy prepared.
