In our technological and globalised world, the confidentiality of data is increasingly a concern. Businesses typically respond to these concerns using a comprehensive privacy policy. However, privacy policies can sometimes be a source of confusion. Commercial entities are sometimes unsure if they are legally required to have a privacy policy and what information it should contain. If you are a marketing and advertising agency with such questions, this article discusses why you need a privacy policy, when you need one and what it should say.

Why Do I Need a Privacy Policy?

Some commercial enterprises (such as marketing and advertising agencies) require a privacy policy to meet their legal obligations under the Australian Privacy Principles (APP). These principles comprise Schedule 1 of the Privacy Act 1988 (Cth) (the Act). As the APP amended the Act, they are legally binding.

Principle 1 aims to ensure that all APP entities manage personal information openly and transparently. These entities must take reasonable steps to implement internal practices, processes and procedures so as to comply with the APP. Such entities also need to be able to handle customer enquiries and complaints about their compliance with the APP efficiently.  

Principle 1.3 requires all APP entities to have a clearly expressed and up-to-date policy concerning their management of personal information.

When Do I Need a Privacy Policy?

In short, you must have a privacy policy if you meet the definition of an ‘APP entity’.

Section 6 of the Act defines an APP entity as either an agency or organisation.

Under the Act, 'agency' refers to government departments and other public bodies or offices including (among others) Ministers, the Australian Federal Police and Federal Courts. It is a concept distinct from a marketing or advertising agency.

An organisation under the Act is:

  • An individual;
  • Body corporate;
  • Partnership;
  • Any other unincorporated association; or
  • Trust.

Unless that organisation is a:

  • Small business operator;
  • Registered political party; or
  • An agency or a state or territory authority or a prescribed instrumentality of a state or territory.

Further, a small business operator is an individual, body corporate, partnership, unincorporated association or trust who:

  • Carries on one or more small businesses; and
  • Does not carry on a business that does not qualify as a small business.

A small business is a business whose annual turnover for the preceding financial year was $3,000,000 or less.

In simpler terms then, your marketing and advertising agency must have a privacy policy if your business structure makes you an organisation under the Act and your annual turnover exceeds $3,000,000.

However, even if your business is not legally obliged to have a privacy policy, it is an excellent idea to have one regardless. Many customers like to know how a business they engage with handles their data.  They may be more inclined to use your services if that information is readily accessible to them. This kind of reasoning is not legal but commercial. A privacy policy can inspire customer confidence and build goodwill.

Contents of a Privacy Policy

In general, a privacy policy should tell consumers their privacy rights. This includes how you handle, secure and protect your data as well as how you identify potential risks to that data.

It should detail how your organisation deals with data you no longer require, how individuals can access their data and how your agency handles complaints about data management. 

It should also discuss how your organisation manages the quality of its data and its policies when engaging independent contractors to whom you might disclose information. 

Your policy should be structured well with the clear use of headings. Use plain language and focus on the likely concerns of your customers. Be specific but don’t hesitate to summarise if necessary. 

Above all, ensure that your policy is easy to read and accessible. You could think about linking it electronically to the APP. Also, provide information that will allow a consumer to contact you to ask a question or make a complaint.   

The Office of the Australian Information Commissioner provides a helpful guide to developing an APP Privacy Policy. The guide is informative, easy to read and includes practical tips and checklists for drafting a privacy policy. It is freely available on their website.

Key Takeaways

Unless your marketing and advertising agency is turning over more than $3,000,000, you are not legally required to have a privacy policy in place. However, regardless of size, a legitimate privacy policy can be the difference in winning over a customer by building a sense of trust.

If you need assistance drafting a privacy policy, or are looking to improve your existing policy, it is an excellent idea to speak with a lawyer. They can draft one that is tailored to your agency’s needs and meets all your legal requirements. Their assistance can give you the security of knowing that your agency is meeting its obligations and building goodwill.

Contact LegalVision’s online law specialist lawyers to assist you. Questions? Call us on 1300 544 755.

Carole Hemingway
