
Am I Legally Required to Have a Privacy Policy for My Business?

A privacy policy is a document that sets out how your business handles personal information. If your business needs to comply with the Australian Privacy Principles (APPs), then you are legally required to have a privacy policy. For smaller businesses that are not required to comply with the APPs, it is best practice to become familiar with the APPs and have a privacy policy in place so that: 

  • your business is transparent about its privacy practices; 
  • your customers have confidence in you; and 
  • as your business grows and you need to comply with the APPs, you are in a good position to do so. 

This article will unpack whether you are legally required to have a privacy policy. 

What is a Privacy Policy?

A privacy policy is a document that explains how your business handles personal information. It should act as a guide for how your business collects, holds, uses and discloses personal information.

Personal information is information that can be used to identify a person, whether true or not. Your business probably collects all sorts of personal information, such as: 

  • names and contact details;
  • photographs and payment details; and
  • information about browser session and location data.

All APP entities must have a privacy policy. 

What is an APP Entity?

An APP entity is a business that needs to comply with the Australian Privacy Principles.

If your business generates more than $3 million in turnover annually, then it is an APP entity and you must comply with the Australian Privacy Principles. 

You must also comply with the Australian Privacy Principles if your business generates $3 million or less in turnover annually, but you:

  • provide a health service and hold health information other than in an employee record; 
  • buy or sell personal information; or
  • are a contracted service provider for a Commonwealth contract (but compliance will only be required for the activities that are for the purposes of a Commonwealth contract).

There are other tests that may make your business an APP entity, so you should always speak with a privacy lawyer to confirm if any apply to you.

Health Services

It is not just typical health service providers such as doctors that need to comply with the APPs. Examples of types of businesses that are considered to be a health service include:

  • gyms;
  • child care centres, private schools and private tertiary institutions;
  • naturopaths and chiropractors; and
  • hospitals, day surgeries, medical centres, pharmacists, and allied health professionals such as physiotherapists.

Health information is classified as a type of sensitive information and attracts higher privacy standards than other types of personal information. Health information can include:

  • information about an individual’s physical or mental health;
  • records held by a fitness club about an individual; and
  • an individual’s healthcare identifier when it is collected to provide a health service.

If you provide a health service and collect health information, it is important that you have a privacy policy in place and seek legal advice on how to comply with the APPs.

Buying and Selling Personal Information

If you disclose personal information about an individual for a benefit (such as a financial reward), or provide a benefit in order to collect personal information about an individual from anyone else, then you will be an APP entity.

Examples of businesses that trade in personal information include:

  • businesses that sell lists of personal information (e.g. names and phone numbers) to another business for the purposes of direct marketing. The business that purchases the list is also an APP entity;
  • lobby groups that pay another entity to collect information about the political preferences of an individual; or
  • finance brokers who sell lists of individuals to finance companies without the individuals’ consent.

Contracting with a Commonwealth Agency

If your business provides services as part of a Commonwealth contract, then you are an APP entity. If you:

  • provide services to a government agency under a government contract; or
  • are a subcontractor for a government contractor,

then you will need to comply with the APPs.


What Should Be Included in my Privacy Policy?

If your business is an APP entity, then you must have a privacy policy. The APPs set out a list of required information that must be provided in your privacy policy. These include:

  • the kinds of personal information you collect and hold;
  • how you collect and hold personal information;
  • the purposes for which you collect the personal information;
  • how an individual may access their personal information and seek its correction; 
  • how an individual may make a complaint if you breach the APPs and how you will handle their complaint; and
  • whether you are likely to disclose personal information to overseas recipients, and if so, to which countries.

Where Should I Put my Privacy Policy?

You should put your privacy policy in the footer of your website and make it easily available if someone asks to see it.

For example, if a patient at your medical practice asks to see your privacy policy, you could have a laminated hard copy version on hand.

What is the Difference Between a Privacy Policy and a Collection Notice?

If you are an APP entity, then you need to notify parties at the time you are collecting personal information from them that you are doing so. If it is impractical to do so at the time, then you should notify them as soon as you can.

The APPs set out a list of matters that you need to make the relevant individual aware of when you are collecting their personal information. There are some things on the list which might not be in your privacy policy. Therefore, this is usually done through a collection notice.

A collection notice can be likened to a summary of your privacy policy and will be specific to the situation where you are collecting information. 

For example, if someone is purchasing a bag from your website, you may set out:

  • that you are collecting personal information for the purposes of processing their order and shipping them the bag; 
  • who you are likely to disclose the information to; 
  • whether you are likely to disclose the information to an overseas recipient; and 
  • where they can find your privacy policy. 

A privacy lawyer will be able to guide you through how to use a collection notice and what to include.

Key Takeaways

If your business is an APP entity, then you must have a privacy policy to set out how you collect, hold, use and disclose personal information.

If you are not an APP entity, it is still best practice to have a privacy policy to show your customers your commitment to protecting their personal information and so that you are ready when you become an APP entity. Your privacy policy should address specific matters set out in the APPs and be in an accessible location, such as on your website. If you are an APP entity, you should also be using a collection notice in relation to collecting personal information from individuals. 

If you have any questions about whether or not you need a privacy policy or collection notice, our experienced business lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.

Frequently Asked Questions

What is a privacy policy?

A privacy policy is a document explaining how your business handles personal information. It should be used as a guide for how your business collects and uses information. 

What is personal information?

Personal information is any information, whether true or not, that can be used to identify a person. Personal information commonly collected by businesses includes names, contact details, photographs and payment details.

What is an APP entity?

An APP entity is a business that is required to comply with the Australian Privacy Principles. There are specific categories that are used to determine if your business is an APP entity. 
