In Australia, a number of tech companies, startups included, use cloud services to help organise their business data. As these cloud services are essentially third parties that store data, Australian Privacy Law governs their conduct. In particular, Australian Privacy Law impacts cloud services whenever personal information is being disclosed. This means that small businesses engaging these cloud services will be required to incorporate compliance policies that align with Australian Privacy Law requirements, namely where personal information is shared.
Tech companies should give some consideration to the privacy compliance requirements when dealing with cloud services. When in doubt, contact a tech lawyer to get in-depth advice on how to remain compliant with the Australian Privacy Principles (APPs).
What defines ‘personal information’?
Under the APPs, the disclosure, use and collection of “personal information” is regulated. Personal information is defined as anything that can identify an individual. Someone’s identity can be determined depending on several factors, including the following:
- Where the information is being kept;
- How the information is being used; and
- To what extent the holder of the information is capable of analysing this information.
What defines ‘collection’?
Generally, when information is both collected and disclosed, the APPs will apply. This means that by holding information on record, whether digitally or otherwise, the criterion of “collection” will be satisfied. For example, when visitors to your company site enter their information to ‘Sign up’, the digital storage of this information is regarded as a ‘collection’ under the law. Other forms of collection include receiving referrals, calls, emails etc., and recording these details in the process.
Simply collecting personal information is not sufficient to warrant the application of the APPs. There are other factors that must be considered, including the size of the tech company.
If the business makes more than $3 million annually, it will have to comply with the APPs. Those that make less than this threshold will not be required to meet the APPs regulations, unless some exception applies. For tech companies, ‘disclosure’ is the most pertinent exception. If these smaller tech companies do any of the following, they will have to comply with the APPs:
- Disclose someone’s personal information to get some advantage, service or benefit; or
- Give someone an advantage, service or benefit in exchange for personal information (that relates to another individual).
The exception to this exception is based on having the individual’s consent or being authorised by law to do so.
Ask a tech lawyer to assist you in determining whether or not you are disclosing anyone’s personal information by using a cloud service.
What defines ‘disclosure’ and ‘use’?
A tech company sometimes uses or discloses personal information. According to the APPs, the difference between the two concepts comes down to whether or not the tech company has ‘effective control’ of the personal information.
In other words, if you have effective control over the information, you will be using that information. This means that disclosure requires:
- Sharing the personal information with outside entities; and
- Losing effective control over the personal information.
It is very common for tech businesses to contract someone to manage the analytics, hosting and support for business information stored using a cloud service. By giving the contractor access to the business’ information, the company will be deemed to have disclosed this information if it no longer has effective control over it.
What defines ‘effective control’?
‘Effective control’ is not always an easy term to define, but some guidance is offered by the APPs. The following will be taken into account when determining whether or not the company has retained effective control over the personal information:
- The binding nature of the contract on both parties;
- The cloud service provider’s access to the personal information is conditional in that it may only handle the information in order to provide the service;
- The contractor is also required (under his or her contract) to abide by the requirements of the cloud service provider;
- The business’ capacity to recover, modify, or gain access to the information;
- Whether any others have access to the information and why; and
- How easy it is to delete the information from the cloud service provider’s data.
The important lesson to take away here is that even the smaller tech companies may have to comply with the APPs and have a tech lawyer assist with strengthening the compliance measures they are currently taking, such as Privacy Policies, consent forms and notifications. Contact LegalVision on 1300 544 755 and speak with one of our tech lawyers to get a better understanding of how the Australian Privacy Law guidelines apply to your tech business.