Businesses are increasingly looking to trade in personal information as part of their business model. If your business is trading in personal information, you may have specific legal obligations under Australian privacy law.
In this article, we look at how to determine whether your business is trading in personal information and whether you need to comply with the Privacy Act 1998 (Cth) and the Australian Privacy Principles (APPs).
What Does “to Trade in Personal Information” Mean?
Australian privacy law considers your business to trade in personal information if it buys or sells personal information in return for:
- a payment; or
- another benefit, such as a discount.
An example of this type of business is a company which buys a database of information from a seller, where the individuals in the database did not know the company would share their information with a third party (and therefore did not consent to share their information with that seller).
Do I Need to Comply with the Privacy Act?
If you buy or sell personal information, your operations will usually fall under the Privacy Act and you will be classed as an APP entity. This means you need to comply with the APPs, so it is vital you understand your obligations under the principles. A lawyer can help review your business plans and make sure you are aware of your responsibilities.
You are only exempt from complying with the APPs if:
- you obtain consent to sell personal information from the individuals whose information you hold; or
- you are authorised by law to do so.
To qualify for exemption, you must also:
- operate as a small business with an annual turnover of $3 million or less;
- not be considered an APP entity for any other reason, such as being a health service provider (note that the full list is more expansive); and
- obtain consent in the appropriate manner under the Privacy Act.
The Australian Privacy Principles
If your business is not exempt, you will need to abide by the APPs. In particular, be aware of two key principles that require compliance.
- Unsolicited information: From time to time, your business may receive some unsolicited personal information, whether by accident or for payment. To determine whether you can keep this information, ask yourself: would I have been able to solicit this information under the APPs if I had not received it in an unsolicited manner? If the answer is ‘no’, you cannot keep this information.
- Disclosure of information: You must comply with the APPs when disclosing any information you have collected to third parties. If you have not obtained consent, the APPs generally only permit disclosure if the purpose of the disclosure is related to the reason for collecting that information in the first place. If the information you are planning to trade is “sensitive” under the Privacy Act, then the purpose must be directly related to the purpose you gave initially.
This is a complex area of privacy law. It requires detailed assessment of your business’ circumstances, plans and the various laws that apply to you. If this information has raised any red flags for you, you should seek specific legal advice on your obligations.
Best Practice is to Obtain Clear Consent
If you are unsure of what you can and cannot do, it is advisable to be as transparent as possible with the people from whom you collect personal information.
- all the information you may collect; and
- the reasons for collecting this information.
Case Study: Obtaining Consent
- providing you with information about products and services you may be interested in; or
- allowing polls, questionnaires or surveys to be conducted by those third parties.
These broad statements give them a lot of flexibility when disclosing the personal information they collect.
You should consider where you stand under privacy law if you plan to trade personal information with third parties. A privacy lawyer can assist you with understanding your position and help you put in place key documents.
If you need help handling your business’ privacy structures, get in touch with LegalVision’s online lawyers on 1300 544 755 or fill out the form on this page.