Table of Contents
- When Will I Use a Privacy Manual?
- 1. Overview of Privacy Law Requirements
- 2. How Your Business Collects Personal Information
- 3. How You Deal With Requests, Complaints and Breaches
- 4. How Third Parties Handle Your Information
- 5. Who is Responsible for Privacy Compliance?
- Key Takeaways
- Frequently Asked Questions
If your business collects personal information, you may have to comply with the Australian Privacy Principles (APPs). The APPs are a series of rules setting out how businesses must collect, use, and disclose personal information. Breaching these rules can result in huge fines. APP entities must implement procedures and practices to comply with privacy laws, one of which can be having an internal privacy manual. This article will set out five points that your privacy manual should include.
When Will I Use a Privacy Manual?
You will need to provide a privacy manual to all of your employees. This is because they are often the people who will be dealing with privacy queries from clients or customers.
You can accompany the manual with formal training. Training can provide refreshers on updates to privacy law and any changes to how you deal with personal information as a company. While your privacy manual is an internal document, it outlines how your business collects the information of both internal employees and external customers.
1. Overview of Privacy Law Requirements
Your manual should first provide an overview of the Privacy Act and what your business must do to comply with the APPs.
The Privacy Act will apply to your business if you have an annual turnover of over $3 million. Within the Privacy Act, there are 13 Australian Privacy Principles (APPs) which set out how your business may:
- collect;
- use;
- disclose; and
- store personal information.
The APPs also set out access and correction rights for individuals and a requirement for regulated businesses to:
- have a privacy policy; and
- include specific details in that policy.
2. How Your Business Collects Personal Information
This section of the document will outline details about your business’s collection of personal information. It should also detail that your employees have obligations to ensure the security of all personal information and always report any stolen information loss.
You will need to outline:
- who you collect personal information from;
- what personal information you will collect;
- where you store this information; and
- how you use this information.
Before sending electronic messages, learn how your business can comply with the Spam Act with our free Spam Consent Factsheet.
3. How You Deal With Requests, Complaints and Breaches
The Privacy Act makes clear that people your business collects personal information from can request:
- access to their own information;
- correction of their own information;
- to be unsubscribed from communications; and
- that their information is processed in a certain way or removed.
Your manual should indicate what your employees need to do if they receive any requests.
For example, it should explain that they should act on the request within a reasonable timeframe, such as five business days.
Finally, a key aspect to include in your privacy manual is your business’ process on handling data breaches. A data breach is any unauthorised access to, disclosure, or use of personal information. Breaches can occur at any moment, so you need to have a data breach response plan in place if one does occur.
Examples of data breaches include:
- the theft of company computers containing personal information; or
- an employee forgetting to encrypt sensitive data on your business’s app.
You should contain any breaches quickly and take steps to minimise the damage, steps that your data breach response plan should outline.
4. How Third Parties Handle Your Information
In some circumstances, you must disclose personal information to third parties. Third parties might include:
- software providers;
- regulatory bodies;
- auditors; and
- parties who process the data.
These third parties will also need to comply with your manual. You should set out which third parties can receive the information and what they can do with it. You should ensure that you have a good working knowledge of the third party’s approach to privacy and evaluate whether you can confidently trust them with the information you manage.
5. Who is Responsible for Privacy Compliance?
OAIC recommends appointing a privacy officer within your business. A privacy officer will be responsible for:
- answering privacy questions from employees;
- dealing with complaints; and
- stepping in if a privacy or data breach occurs.
Key Takeaways
If your business is an APP entity, you must have a privacy manual. It is crucial that your manual details how your employees need to deal with any private information. Importantly, you will need to outline how your business deals with personal information and what you will do if there is a privacy breach.
If you have any questions about drafting a privacy manual for your business, our experienced IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.
Frequently Asked Questions
Since the APPs were updated in 2015, new fines have been implemented. Companies that breach them can be fined up to $10 million, while sole traders or individuals can be fined up to $500,000.
The Notifiable Data Breaches Scheme applies to businesses that must comply with the APPs and outlines what their obligations are if an individual’s data is lost or susceptible to unauthorised access.
We appreciate your feedback – your submission has been successfully received.
