If your business collects personal information, you may have to comply with the Australian Privacy Principles (APPs). The APPs are a series of rules setting out how businesses must collect, use, and disclose personal information. Breaching these rules can result in huge fines. APP entities must implement procedures and practices to comply with privacy laws, including having an internal privacy manual. This article will set out five points that your privacy manual should include.

When Will I Use a Privacy Manual?

Before diving into what a privacy manual will include, you must understand when you will need to use one. You will need to provide a privacy manual to all of your employees. This is because they are often the people who will be dealing with privacy queries from clients or customers. 

You can accompany the manual with formal training. Training can provide refreshers on updates to privacy law and any changes to how you deal with personal information as a company. While your privacy manual is an internal document, it outlines how your business collects the information of both internal employees and external customers.

1. Overview of Privacy Law Requirements 

Your manual should first provide an overview of the Privacy Act and what your business must do to comply with the APPs. 

Businesses that need to comply with the European Union’s (EU) General Data Protection Regulation (GDPR) are those which:

  • are established in the EU;
  • offer goods or services to EU-based individuals; or
  • monitor the behaviour of EU citizens.

If this applies to you, your manual should outline your obligations under the GDPR. This will include how you process personal information in a lawful and confidential way. 

2. How Your Business Collects Personal Information

This section of the document will outline details about your business’s collection of personal information. It should also make clear that your employees are obliged to ensure the security of all personal information and to always report any loss or theft of that information.

You will need to outline:

  • who you collect personal information from;
  • what personal information you collect; 
  • where you store this information; and 
  • how you use this information.

3. How You Deal With Requests, Complaints and Breaches

Under the law, people from whom you collect personal information can request:

  • access to their own information;
  • to be unsubscribed from communications; and
  • that their information is amended, processed in a certain way, or removed. 

Your manual should set out what your employees need to do if they receive any of these requests. 

For example, it should explain that they should act on the request within a reasonable timeframe, such as five business days. 

Your manual should also outline how you handle complaints. Complaints may be made directly to your business or to a relevant privacy regulatory organisation. 

A data breach is any unauthorised access to, disclosure of, or use of personal information. Breaches can occur at any moment, so you need to have a data breach response plan in place before one does occur.

Examples of data breaches include: 

You should contain any breaches quickly and take steps to minimise the damage.

4. How Third Parties Handle Your Information

In some circumstances, you will need to disclose personal information to third parties. Third parties might include:

  • software providers;
  • regulatory bodies;
  • auditors; and 
  • parties who process the data.

These third parties will also need to comply with your manual. You should set out which third parties can receive the information and what they are allowed to do with it.

Under the GDPR, people can request that their personal information is sent to third parties.

5. Who Is Responsible for Privacy Compliance?

The Office of the Australian Information Commissioner (OAIC) recommends appointing a privacy officer within your business. A privacy officer will be responsible for:

  • answering privacy questions from employees;
  • dealing with complaints; and
  • stepping in if a privacy or data breach occurs. 

Your manual should outline situations where the privacy officer should be notified, such as if an employee wishes to make a complaint or if a data breach occurs. 

Key Takeaways

If your business is an APP entity, you will need to have a privacy manual. It is crucial that your manual details how your employees need to deal with any private information. Importantly, you will need to outline how your business deals with personal information and what you will do if there is a privacy breach. If you have any questions about drafting a privacy manual for your business, call LegalVision’s IT lawyers on 1300 544 755 or fill out the form on this page.
