Table of Contents
- When Will I Use a Privacy Manual?
- 1. Overview of Privacy Law Requirements
- 2. How Your Business Collects Personal Information
- 3. How You Deal With Requests, Complaints and Breaches
- 4. How Third Parties Handle Your Information
- 5. Who is Responsible for Privacy Compliance?
- Key Takeaways
- Frequently Asked Questions
If your business collects personal information, you may have to comply with the Australian Privacy Principles (APPs). The APPs are a series of rules setting out how businesses must collect, use, and disclose personal information. Breaching these rules can result in huge fines. APP entities must implement procedures and practices to comply with privacy laws, and one of these can be an internal privacy manual. This article sets out five points that your privacy manual should include.
When Will I Use a Privacy Manual?
You will need to provide a privacy manual to all of your employees. This is because they are often the people who will be dealing with privacy queries from clients or customers.
You can accompany the manual with formal training. Training can provide refreshers on updates to privacy law and any changes to how you deal with personal information as a company. While your privacy manual is an internal document, it outlines how your business collects the information of both internal employees and external customers.
1. Overview of Privacy Law Requirements
Your manual should first provide an overview of the Privacy Act and what your business must do to comply with the APPs.
The Privacy Act will apply to your business if you have an annual turnover of over $3 million. Within the Privacy Act, there are 13 Australian Privacy Principles (APPs) which set out how your business may:
- collect;
- use;
- disclose; and
- store personal information.
The APPs also set out access and correction rights for individuals and a requirement for regulated businesses to:
- have a privacy policy; and
- include specific details in that policy.
2. How Your Business Collects Personal Information
This section of the document will outline the details of your business’s collection of personal information. It should also make clear that your employees are obliged to keep all personal information secure and to report any loss or theft of personal information as soon as it occurs.
You will need to outline:
- who you collect personal information from;
- what personal information you will collect;
- where you store this information; and
- how you use this information.
3. How You Deal With Requests, Complaints and Breaches
The Privacy Act makes clear that people your business collects personal information from can request:
- access to their own information;
- correction of their own information;
- to be unsubscribed from communications; and
- that their information is processed in a certain way or removed.
Your manual should indicate what your employees need to do if they receive any requests.
For example, it should explain that they should act on the request within a reasonable timeframe, such as five business days.
Finally, a key aspect to include in your privacy manual is your business’s process for handling data breaches. A data breach is any unauthorised access to, disclosure of, or use of personal information. Breaches can occur at any moment, so you need to have a data breach response plan in place before one happens.
Examples of data breaches include:
- the theft of company computers containing personal information; or
- an employee forgetting to encrypt sensitive data on your business’s app.
You should contain any breach quickly and take steps to minimise the damage; your data breach response plan should set out exactly what those steps are.
4. How Third Parties Handle Your Information
In some circumstances, you must disclose personal information to third parties. Third parties might include:
- software providers;
- regulatory bodies;
- auditors; and
- parties who process the data.
These third parties will also need to comply with your manual. You should set out which third parties can receive the information and what they can do with it. You should ensure that you have a good working knowledge of the third party’s approach to privacy and evaluate whether you can confidently trust them with the information you manage.
5. Who is Responsible for Privacy Compliance?
The OAIC recommends appointing a privacy officer within your business. A privacy officer will be responsible for:
- answering privacy questions from employees;
- dealing with complaints; and
- stepping in if a privacy or data breach occurs.
Key Takeaways
If your business is an APP entity, you must have a privacy manual. It is crucial that your manual details how your employees need to deal with any private information. Importantly, you will need to outline how your business deals with personal information and what you will do if there is a privacy breach.
Frequently Asked Questions
Since the APPs were updated in 2015, new fines have been implemented. Companies that breach them can be fined up to $10 million, while sole traders or individuals can be fined up to $500,000.
The Notifiable Data Breaches Scheme applies to businesses that must comply with the APPs and outlines what their obligations are if an individual’s data is lost or susceptible to unauthorised access.