In Short
- CRM providers must comply with Australian privacy laws and protect customer data.
- Businesses remain responsible for ensuring their customer data is handled appropriately.
- Clear data management policies help prevent privacy breaches and maintain customer trust.
Tips for Businesses
Ensure your CRM provider complies with privacy laws by regularly reviewing their data policies. Set clear guidelines for data collection, use, and storage. This will help minimise the risk of privacy breaches and protect your business from legal consequences.
Data rights play an important role in protecting privacy. To properly protect individuals’ data rights, businesses must understand their obligations, especially if they provide Customer Relationship Management (CRM) services. CRM systems store large amounts of personal and sensitive information, so companies must comply with data protection laws. The Privacy Act 1988 and other regulations in Australia set out how CRM providers should collect, use, secure, and share this data. This article highlights key data rights and obligations CRM companies must follow under Australian law to minimise risks and build customer trust.

The Australian Government is changing the law to protect consumer privacy after a series of high-profile data breaches and to bring the law into line with the safer and more protective laws in other regions. This fact sheet outlines what is expected in 2024.
Data Collection and Consent Requirements
Australian privacy laws establish what personal information organisations can collect. Organisations may only collect personal information that is reasonably necessary for, or directly related to, their functions or activities. You only need to obtain consent if the information is classified as ‘sensitive information’ or if the organisation plans to use or share personal information for a purpose different from the one it was originally collected for.
Sensitive Information
Sensitive information generally carries more privacy protection than other personal information. It includes details about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sexual orientation, criminal record, health or genetic data, and certain biometric information, such as fingerprints.
For CRM providers, collecting basic personal details like names, contact information, purchase histories, and customer interactions may be permissible without consent as long as it relates to their central operations. However, any sensitive information that is not directly relevant, such as medical conditions, political views, or union status, would require express consent from the customer.
How to Lawfully Collect Personal Information
The best practice is to collect personal information directly from individuals themselves rather than acquiring it from third-party sources. However, Australian privacy law does allow some exceptions where an individual would “reasonably expect” their personal information to be shared.
For example, a CRM provider could potentially obtain customer data from a partner company if:
- there is an existing relationship or transaction between the individual and the partner that would imply consent for data sharing;
- the partner notified the individual that their information may be disclosed to the CRM provider for customer management purposes; and
- the individual was allowed to opt out of sharing their data but did not object.
CRM providers must inform individuals about what personal information they have collected, where it came from, and how it will be used and shared. Typically, the CRM provider requires the organisation, through their contract, to include this information in its privacy notices.
Disclosure Obligations
When collecting personal information, you must endeavour to take reasonable steps at the time of gathering the personal information to notify individuals of the following:
- your (the CRM’s) identity and contact details;
- the fact and method by which their personal information was collected;
- whether the collection is required or authorised by law;
- the reasons for collecting their personal information;
- the consequences of non-collection of personal information;
- your usual disclosures/recipients of that kind of personal information;
- access to your privacy policy; and
- if you are likely to disclose personal information to overseas recipients, and if practicable, the countries where those recipients are located.
These disclosure obligations help promote transparency and allow individuals to make an informed choice about providing their personal information. The disclosure should occur before, during collection, or as soon as practicable afterwards.
Failing to properly notify individuals about the collection and use of their personal data can lead to breaches of the Privacy Act’s requirements around open and transparent management of personal information.
Information Destruction and Retention
The Privacy Act principles can impose an obligation on organisations that collect personal information to destroy, delete or de-identify such information after a certain period of time or in specific circumstances.
CRM providers should establish clear data retention and destruction procedures. Retaining data for longer than is reasonably necessary could expose you to a greater risk of experiencing a significant data breach (for which the regulator may take action).
Key Takeaways
CRM providers in Australia must comply with the Privacy Act 1988 to protect customer data and build trust. They often collect personal data without consent unless it involves sensitive information. Providers should inform customers about how they collect, use, and disclose data and follow strict data retention and destruction practices to prevent misuse. Proper compliance avoids legal breaches and ensures transparency.
If you need help navigating your data rights and obligations, our experienced data and privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.
Frequently Asked Questions
Organisations typically require consent only for collecting ‘sensitive information’ or if they will use or disclose your personal information for a purpose other than its original collection. Consent may not be mandatory for basic personal details needed for your operations.
Yes. Even if the individual reasonably expects their data to be shared and has had a chance to opt out, you must still notify them about the collection.
Only for a reasonable period, as long as there is a lawful purpose. You may need to destroy or de-identify personal information once it has served its primary purpose.