Does Your Business Trade in Personal Information?

Businesses are increasingly looking to trade in personal information as part of their business model. If your business is trading in personal information, you may have specific legal obligations under Australian privacy law.

In this article, we look at how to determine whether your business is trading in personal information and whether you need to comply with the Privacy Act 1998 (Cth) and the Australian Privacy Principles (APPs).

What Does “to Trade in Personal Information” Mean?

Australian privacy law considers your business to trade in personal information if it buys or sells personal information in return for:

  • a payment; or
  • another benefit, such as a discount.

An example of this type of business is a company which buys a database of information from a seller, where the individuals in the database did not know the company would share their information with a third party (and therefore did not consent to share their information with that seller).

Do I Need to Comply with the Privacy Act?

If you buy or sell personal information, your operations will usually fall under the Privacy Act and you will be classed as an APP entity. This means you need to comply with the APPs, so it is vital you understand your obligations under the principles. A lawyer can help review your business plans and make sure you are aware of your responsibilities.

Exemptions

You are only exempt from complying with the APPs if:

  • you obtain consent to sell personal information from the individuals about whom you hold that information; or
  • you are authorised by law to do so.

To qualify for exemption, you must also:

  • operate as a small business with an annual turnover of $3 million or less;
  • not be considered an APP entity for any other reason, such as being a health service provider (note that the full list is more expansive); and
  • obtain consent in the appropriate manner under the Privacy Act.

The Australian Privacy Principles

If your business is not exempt, you will need to abide by the APPs. In particular, be aware of two key principles that require compliance.

  1. Unsolicited information: From time to time, your business may receive some unsolicited personal information, whether by accident or for payment. To determine whether you can keep this information, ask yourself: would I have been able to solicit this information under the APPs if I had not received it in an unsolicited manner? If the answer is ‘no’, you cannot keep this information.
  2. Disclosure of information: You must comply with the APPs when disclosing any information you have collected to third parties. If you have not obtained consent, the APPs generally only permit disclosure if the purpose of the disclosure is related to the reason for collecting that information in the first place. If the information you are planning to trade is “sensitive” under the Privacy Act, then the purpose must be directly related to the purpose you gave initially.

This is a complex area of privacy law. It requires detailed assessment of your business’ circumstances, plans and the various laws that apply to you. If this information has raised any red flags for you, you should seek specific legal advice on your obligations.

If you are unsure of what you can and cannot do, it is advisable to be as transparent as possible with the people from whom you collect personal information.

Have an easy-to-read but comprehensive privacy policy in place that sets out:

  • all the information you may collect; and
  • the reasons for collecting this information.

Make the policy easily accessible on your website. Ask users to tick a box to agree that they have read your privacy policy and agree to its terms.

You may be thinking about providing information to third parties. For example, your business may provide personal information to insurers so that their marketing team can reach out to targeted individuals. If so, be clear about this in your privacy policy. 

Case Study: Obtaining Consent

Examples of companies that collect and sell data are the new dockless bike-sharing businesses, such as Ofo. Ofo’s privacy policy states that it may share your information with third parties for the purposes of:

  • providing you with information about products and services you may be interested in; or
  • allowing polls, questionnaires or surveys to be conducted by those third parties.

These broad statements give them a lot of flexibility when disclosing the personal information they collect.

Ofo has attracted media criticism which argues that its privacy policy is misleading because users need to read through and interpret the policy to understand how their personal information will be used. This information includes location data which identifies when and where users are using the Ofo bikes. Many users likely remain unaware of where their data is going because they have not read the privacy policy. 

Technically, however, users consent to Ofo’s stated use of their information when they sign up and agree to the privacy policy. Failing to read the policy is unlikely to be an excuse under the law, unless it is difficult to understand or extremely long. But given the criticism levelled against Ofo and other bike-sharing businesses, you may choose to alert users to your disclosure on both your website and your privacy policy. Whether or not you do is a commercial decision for you. 

Key Takeaways

You should consider where you stand under privacy law if you plan to trade personal information with third parties. A privacy lawyer can assist you with understanding your position and help you put in place key documents.

If you need help handling your business’ privacy structures, get in touch with LegalVision’s online lawyers on 1300 544 755 or fill out the form on this page.

Jacqueline Gibson
