If your business collects personal information, you may have to comply with the Australian Privacy Principles (APPs). The APPs are a series of rules setting out how businesses must collect, use, and disclose personal information. Breaching these rules can result in huge fines. APP entities must implement procedures and practices to comply with privacy laws, including having an internal privacy manual. This article will set out five points that your privacy manual should include.

When Will I Use a Privacy Manual?

Before diving into what a privacy manual will include, you must understand when you will need to use one. You will need to provide a privacy manual to all of your employees. This is because they are often the people who will be dealing with privacy queries from clients or customers. 

You can accompany the manual with formal training. Training can provide refreshers on updates to privacy law and any changes to how you deal with personal information as a company. While your privacy manual is an internal document, it outlines how your business collects the information of both internal employees and external customers.

1. Overview of Privacy Law Requirements 

Your manual should first provide an overview of the Privacy Act and what your business must do to comply with the APPs. 

Businesses that need to comply with the European Union’s (EU) General Data Protection Regulation (GDPR) are those which:

  • are established in the EU;
  • offer goods or services to EU-based individuals; or
  • monitor the behaviour of EU citizens.

If this applies to you, your manual should outline your obligations under the GDPR. This will include how you process personal information in a lawful and confidential way. 

2. How Your Business Collects Personal Information

This section of the document will outline details about your business’s collection of personal information. It should also state that your employees are obliged to ensure the security of all personal information and to always report any loss or theft of information.

You will need to outline:

  • who you collect personal information from;
  • what personal information you collect; 
  • where you store this information; and 
  • how you use this information.

3. How You Deal With Requests, Complaints and Breaches

Under the law, people from whom you collect personal information can request:

  • access to their own information;
  • to be unsubscribed from communications; and
  • that their information is amended, processed in a certain way, or removed. 

Your manual should set out what your employees need to do if they receive any of these requests. 

For example, it should explain that they should act on the request within a reasonable timeframe, such as five business days. 

Your manual should also outline how you handle complaints. Complaints may be made directly to your business or to a relevant privacy regulatory organisation. 

A data breach is any unauthorised access to, disclosure of, or use of personal information. Breaches can occur at any moment, so you need to have a data breach response plan in place before one occurs.

Examples of data breaches include: 

You should contain any breaches quickly and take steps to minimise the damage.

4. How Third Parties Handle Your Information

In some circumstances, you will need to disclose personal information to third parties. Third parties might include:

  • software providers;
  • regulatory bodies;
  • auditors; and 
  • parties who process the data.

These third parties will also need to comply with your manual. You should set out which third parties can receive the information and what they are allowed to do with it.

Under the GDPR, people can request that their personal information be sent to third parties.

5. Who Is Responsible for Privacy Compliance?

The Office of the Australian Information Commissioner (OAIC) recommends appointing a privacy officer within your business. A privacy officer will be responsible for:

  • answering privacy questions from employees;
  • dealing with complaints; and
  • stepping in if a privacy or data breach occurs. 

Your manual should outline situations where the privacy officer should be notified, such as if an employee wishes to make a complaint or if a data breach occurs. 

Key Takeaways

If your business is an APP entity, you will need to have a privacy manual. It is crucial that your manual details how your employees need to deal with any private information. Importantly, you will need to outline how your business deals with personal information and what you will do if there is a privacy breach. If you have any questions about drafting a privacy manual for your business, call LegalVision’s IT lawyers on 1300 544 755 or fill out the form on this page.
