5 Key Clauses Your Privacy Manual Must Include

If your business collects personal information, you may have to comply with the Australian Privacy Principles (APPs). The APPs are a series of rules setting out how businesses must collect, use, and disclose personal information. Breaching these rules can result in huge fines. APP entities must implement procedures and practices to comply with privacy laws, one of which can be having an internal privacy manual. This article will set out five points that your privacy manual should include.

When Will I Use a Privacy Manual?

You will need to provide a privacy manual to all of your employees. This is because they are often the people who will be dealing with privacy queries from clients or customers. 

You can accompany the manual with formal training. Training can provide refreshers on updates to privacy law and any changes to how you deal with personal information as a company. While your privacy manual is an internal document, it outlines how your business collects the information of both internal employees and external customers.

1. Overview of Privacy Law Requirements 

Your manual should first provide an overview of the Privacy Act and what your business must do to comply with the APPs. 

The Privacy Act will apply to your business if you have an annual turnover of over $3 million. Within the Privacy Act, there are 13 Australian Privacy Principles (APPs) which set out how your business may:

  • collect;
  • use;
  • disclose; and
  • store personal information.

The APPs also set out access and correction rights for individuals and a requirement for regulated businesses to:

  • have a privacy policy; and
  • include specific details in that policy.
2. How Your Business Collects Personal Information

This section of the document will outline how your business collects personal information. It should also make clear that your employees are obliged to keep all personal information secure and to report any loss or theft of personal information as soon as it is discovered.

You will need to outline:

  • who you collect personal information from;
  • what personal information you will collect; 
  • where you store this information; and 
  • how you use this information.
3. How You Deal With Requests, Complaints and Breaches

The Privacy Act makes clear that people your business collects personal information from can request:

  • access to their own information;
  • correction of their own information;
  • to be unsubscribed from communications; and
  • that their information is processed in a certain way or removed. 

Your manual should indicate what your employees need to do if they receive any requests. 

For example, it should explain that they should act on the request within a reasonable timeframe, such as five business days. 

Your manual should also outline how you handle complaints. Complaints may be made directly to your business or the Office of the Australian Information Commissioner (OAIC). 

Finally, a key aspect to include in your privacy manual is your business’s process for handling data breaches. A data breach is any unauthorised access to, disclosure of, or use of personal information. A breach can occur at any time, so you need a data breach response plan in place before one happens. 

Examples of data breaches include: 

You should contain any breaches quickly and take steps to minimise the damage, steps that your data breach response plan should outline.

4. How Third Parties Handle Your Information

In some circumstances, you must disclose personal information to third parties. Third parties might include:

  • software providers;
  • regulatory bodies;
  • auditors; and 
  • parties who process the data.

These third parties will also need to comply with your manual. You should set out which third parties can receive the information and what they can do with it. You should ensure that you have a good working knowledge of the third party’s approach to privacy and evaluate whether you can confidently trust them with the information you manage. 

5. Who is Responsible for Privacy Compliance?

OAIC recommends appointing a privacy officer within your business. A privacy officer will be responsible for:

  • answering privacy questions from employees;
  • dealing with complaints; and
  • stepping in if a privacy or data breach occurs. 

Your manual should outline situations where the privacy officer should be notified, such as if an employee wishes to make a complaint or if a data breach occurs. 

Key Takeaways

If your business is an APP entity, you must have a privacy manual. It is crucial that your manual details how your employees need to deal with any private information. Importantly, you will need to outline how your business deals with personal information and what you will do if there is a privacy breach. 

If you have any questions about drafting a privacy manual for your business, our experienced IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.

Frequently Asked Questions

What fines may apply to a breach of the APPs? 

Since the APPs were updated in 2015, new fines have been implemented. Companies that breach them can be fined up to $10 million, while sole traders or individuals can be fined up to $500,000.

What is the Notifiable Data Breaches scheme?

The Notifiable Data Breaches Scheme applies to businesses that must comply with the APPs and outlines what their obligations are if an individual’s data is lost or susceptible to unauthorised access.
