You most likely will have heard of, and seen, a privacy policy. A collection notice is a lesser-known document, but can be crucial for your business. If your business is an APP entity, you will need to comply with the Privacy Act, and you should have both documents. This article will explain the differences between a privacy policy and collection notice, and when you will need to have each.
What Is an APP Entity?
An APP entity is a business that must handle any personal information it collects in accordance with the Privacy Act. If your business does not comply with the Act, you could face regulatory action and receive fines.
If your business has an annual turnover of $3 million or more, you are an APP entity. Therefore, you will need to comply with the Privacy Act. You will also be an APP entity if your company:
- holds health information;
- provides a health service; or
- buys and sells personal information.
If your business is an APP entity, you must understand how to handle personal information under the Privacy Act.
If you are not an APP entity right now, you may become one in the future if your turnover reaches over $3 million. Therefore, it is best practice to comply with the Privacy Act from the start.
What Is a Privacy Policy?
A privacy policy is a document that acts as a guide on how you collect and manage personal information. Personal information is any information that can be used to identify a person, whether true or not.
A privacy policy should clearly set out the types of personal information your business:
- collects;
- holds;
- uses; and
- discloses.
If your business is an APP entity, your privacy policy must also include all of the requirements set out under the Australian Privacy Principles (APPs).
Some of the core requirements include that the privacy policy:
- explains how you collect, use and disclose personal information;
- is easy to read;
- outlines if you disclose personal information overseas;
- outlines what countries you disclose it to;
- provides details about a person’s rights under privacy laws;
- outlines how someone can make a privacy complaint to your business; and
- explains how someone can make a complaint to the privacy regulator.
Once you have prepared a privacy policy for your business, you will need to make the privacy policy easily accessible. This way, anyone interested in your privacy management practices can easily read about this in your privacy policy.
You should also make your privacy policy known at any time that you collect personal information.
Continue reading this article below the formWhat Is a Collection Notice?
When collecting someone’s information, you must notify them that you are doing so. That is unless it is impracticable to notify the person at that time. In which case, you may still need to notify them after you have collected their personal information.
A collection notice can be likened to a summary of the privacy policy, as it sets out the key details that someone should know about how you will use their personal information. It is shorter than a privacy policy but does not replace it altogether. It will often refer to, or directly link to, the privacy policy.
When Do I Use a Privacy Policy or Collection Notice?
You will often need both a privacy policy and collection notice as they serve different purposes. The privacy policy is a document that captures information about all of your businesses’ privacy practices. It also provides an overview of how you:
- collect;
- hold;
- use; and
- disclose personal information.
In comparison, you will use a collection notice to notify someone on the most crucial things they should know when you are collecting their personal information.
It is best practice to use a collection notice each time you collect personal information.
It is also important that your privacy policy is available on the footer of your website and available within your collection notices.
However, it is generally accepted that if you have drafted your privacy policy with all of the relevant APP matters included, you can use a privacy policy at the point of collection, rather than a specific collection notice.
Key Takeaways
If your business is an APP entity under the Privacy Act, you must be aware of the difference between a privacy policy and a collection notice. You also need to know how to prepare and use these documents in line with the APPs. If your privacy policy is drafted in line with the APPs, you may not need to use a collection notice when collecting your user’s personal details. If you have any questions about when to use a privacy policy or collection notice, contact LegalVision’s privacy lawyers on 1300 544 755 or fill out the form on this page.
We appreciate your feedback – your submission has been successfully received.