Every business or organisation collects, uses and holds personal information differently. If your organisation is covered by the Privacy Act 1988 (Cth), you must comply with the Australian Privacy Principles (APPs), which set out the obligations of organisations and agencies regarding people’s personal information. Before looking at those obligations, you first need to understand what exactly constitutes personal information.
What is Personal Information?
The Privacy Act 1988 (Cth) (the Privacy Act) defines personal information as any information or opinion about an identified or reasonably identifiable individual. It does not matter whether the information or opinion is true or whether it is recorded in material form or not. Information can still identify or reasonably identify someone when combined with other information.
Identity could involve factors like:
- position;
- actions;
- behaviours;
- characteristics;
- attitudes;
- financial circumstances; and
- marital status.
Importantly, personal information includes ‘sensitive information’, which attracts stricter handling rules under the APPs. The Privacy Act defines this as information or an opinion about an individual’s:
- racial or ethnic origin;
- political opinions;
- membership of a political association;
- religious beliefs or affiliations;
- philosophical beliefs;
- membership of a professional or trade association;
- membership of a trade union;
- sexual orientation or practices; or
- criminal record.
The definition also covers health information, genetic information, and biometric information or templates.
Understanding what constitutes personal information will assist you in abiding by all the other rules regarding protecting an individual’s personal information.
What is Reasonably Identifiable?
Whether information ‘reasonably identifies’ someone depends on the context and circumstances, and you must take a practical approach to reaching this determination. For example, suppose an organisation holds information that could identify an individual only if it were linked to other information that the business (or another entity) holds. If that linkage is not practically achievable, the individual may not be reasonably identifiable. The courts will also look at other factors limiting an entity’s ability to identify someone, such as the high cost and difficulty involved in making the identification.
What is an APP?
APP stands for Australian Privacy Principle. The 13 APPs set out the obligations of an “APP entity”, including the requirement to have clear and up-to-date policies on how it manages personal information. If your business satisfies the definition of an APP entity, you are required to comply with all of the APPs, which include:
- the requirement to maintain open and transparent management of personal information;
- directions for dealing with solicited and unsolicited personal information; and
- the obligation to explain to customers how your business uses their personal data for direct marketing.
Are You an APP Entity?
Australian Government agencies are APP entities regardless of their size. A private sector business is an APP entity if it has an annual turnover of more than $3,000,000. There are some exceptions to this general rule where small businesses with an annual turnover of $3,000,000 or less must still abide by the APPs, such as:
- a private sector health service provider;
- a business that sells or purchases personal information;
- a credit reporting body; and
- a contracted service provider for an Australian Government contract.
Although the APPs may not apply to your business in its early stages, it is good practice to comply with the APPs to future-proof your business.
Creating Your APP Privacy Policy
Your privacy policy has to contain and adhere to certain APP provisions, but it also must be tailored to your unique business operations. Let us explore some factors you should consider when drafting your privacy policy.
Identifying the Type of Information You Collect
Consider how your business gathers, holds and uses personal information. For instance, why do you collect information on where the customer lives, and how do you protect this? You could complete an audit and record a list of personal information your business collects and your existing data handling practices.
Identify Activities Involving Personal Information
The next step is to determine and describe your business’ primary purpose for collecting and handling personal information. For example, consider whether your business passes on personal data to other companies and, if so, why. You should also consider direct marketing purposes. Other activities could include collecting residential addresses for the delivery of products and managing employee records. Finally, you will need to list how you handle personal information for each activity of your business. The more specific you are, the better.
Your Audience
Avoid viewing your privacy policy as merely a form of risk management. Instead, focus on creating a transparent document that informs your customers of how you handle their personal information. In addition, you should use this procedure to build trust in your relationship with clients.
Do Not Copy the APPs Word For Word
Yes, your privacy policy needs to comply with the relevant APPs. However, this does not mean you need to reproduce them word for word. Doing so tends to produce a privacy policy that is generic and, in turn, uninformative. Your privacy policy needs to be specific to your business operations.
Cover All Areas of Your Business
If you are a large business offering many different services under one roof, you will need to consult staff from each department to learn their protocols for handling personal information.
Your privacy policy will also need to be communicated throughout the business so that everyone handles information consistently. You could even create a short video describing the procedures that implement the APPs so that all staff can easily understand and comply with company policy.
Describe Consumers’ Support Avenues
Your policy should set out whether the individual can choose how your business uses their personal information. For instance, do they have the right to access the information that you have collected? You should also provide customers with details about how they can make a complaint or get support if they have queries about how you are handling their personal information.
Simplicity and Accessibility
A complex and legally dense privacy policy is useless if your clients cannot understand it. Accordingly, ensure your policy is easy to read by:
- using plain language and avoiding legal terms;
- breaking up text into paragraphs;
- using headings and sub-headings; and
- avoiding unnecessary information.
Also, ensure that it is in a relevant format for your business activities. For example, if you deal online and from a store, you should be able to provide your policy in a hard copy form and on your website.
Key Takeaways
The law continues to develop to reflect changes in how businesses collect personal information. For example, researchers have already found that certain apps may be sharing personal information, like email addresses, with third parties, without stating so in their policies. Keep checking for any changes to Australian privacy law that may affect your business operations.
If you need help complying with the APPs, our experienced IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.
Frequently Asked Questions
What is personal information?
Any information or opinion about an identified or reasonably identifiable individual. It does not matter whether the information or opinion is true or whether it is recorded in a material form or not. Information can still identify someone when combined with other information. Identity could involve factors like position, actions, behaviours, characteristics, attitudes, financial circumstances, marital status and others.
What is an APP?
APP means Australian Privacy Principle. These are principles outlining key obligations imposed on each “APP entity”. This includes having clear and up-to-date policies on managing personal information.