If your business collects personal information, you may have to comply with the Australian Privacy Principles (APPs). The APPs are a series of rules setting out how businesses must collect, use, and disclose personal information. Breaching these rules can result in huge fines. APP entities must implement procedures and practices to comply with privacy laws, including having an internal privacy manual. This article will set out five points that your privacy manual should include.

When Will I Use a Privacy Manual?

Before diving into what a privacy manual will include, you must understand when you will need to use one. You will need to provide a privacy manual to all of your employees. This is because they are often the people who will be dealing with privacy queries from clients or customers. 

You can accompany the manual with formal training. Training can provide refreshers on updates to privacy law and any changes to how you deal with personal information as a company. While your privacy manual is an internal document, it outlines how your business collects the information of both internal employees and external customers.

1. Overview of Privacy Law Requirements 

Your manual should first provide an overview of the Privacy Act and what your business must do to comply with the APPs. 

Businesses that need to comply with the European Union’s (EU) General Data Protection Regulation (GDPR) are those which:

  • are established in the EU;
  • offer goods or services to EU-based individuals; or
  • monitor the behaviour of EU citizens.

If this applies to you, your manual should outline your obligations under the GDPR. This will include how you process personal information in a lawful and confidential way. 

2. How Your Business Collects Personal Information

This section of the document will outline details about your business’s collection of personal information. It should also make clear that your employees are obliged to ensure the security of all personal information and to always report any loss or theft of information.

You will need to outline:

  • who you collect personal information from;
  • what personal information you collect; 
  • where you store this information; and 
  • how you use this information.

3. How You Deal With Requests, Complaints and Breaches

Under the law, people that you collect personal information from can request:

  • access to their own information;
  • to be unsubscribed from communications; and
  • that their information is amended, processed in a certain way, or removed. 

Your manual should set out what your employees need to do if they receive any of these requests. 

For example, it should explain that they should act on the request within a reasonable timeframe, such as five business days. 

Your manual should also outline how you handle complaints. Complaints may be made directly to your business or to a relevant privacy regulatory organisation. 

A data breach is any unauthorised access to, disclosure of, or use of personal information. Breaches can occur at any moment, so you need to have a data breach response plan in place before one occurs.

Examples of data breaches include: 

You should contain any breaches quickly and take steps to minimise the damage.

4. How Third Parties Handle Your Information

In some circumstances, you will need to disclose personal information to third parties. Third parties might include:

  • software providers;
  • regulatory bodies;
  • auditors; and 
  • parties who process the data.

These third parties will also need to comply with your manual. You should set out which third parties can receive the information and what they are allowed to do with it.

Under the GDPR, people can request that their personal information is sent to third parties.

5. Who Is Responsible for Privacy Compliance?

The Office of the Australian Information Commissioner (OAIC) recommends appointing a privacy officer within your business. A privacy officer will be responsible for:

  • answering privacy questions from employees;
  • dealing with complaints; and
  • stepping in if a privacy or data breach occurs. 

Your manual should outline situations where the privacy officer should be notified, such as if an employee wishes to make a complaint or if a data breach occurs. 

Key Takeaways

If your business is an APP entity, you will need to have a privacy manual. It is crucial that your manual details how your employees need to deal with any private information. Importantly, you will need to outline how your business deals with personal information and what you will do if there is a privacy breach. If you have any questions about drafting a privacy manual for your business, call LegalVision’s IT lawyers on 1300 544 755 or fill out the form on this page.

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.
