Every business or organisation collects, uses and holds personal information differently. It is essential that you comply with the Australian Privacy Principles (APPs), which guide organisations and agencies on their obligations regarding people’s personal information. However, you will first need to understand exactly what constitutes personal information.
What Is Personal Information?
The Privacy Act 1988 (Cth) (the Privacy Act) defines personal information as information or an opinion about an identified individual, or an individual who is reasonably identifiable. It does not matter whether the information or opinion is true, or whether it is recorded in material form. Information can identify someone on its own, or reasonably identify someone when combined with other information. Identifying factors can include a person’s position, actions, behaviours, characteristics, attitudes, financial circumstances, marital status and others.
Understanding what constitutes personal information will assist you in abiding by all the other rules regarding the protection of an individual’s personal information.
What Is Reasonably Identifiable?
Whether information ‘reasonably identifies’ someone depends on the context and circumstances, and a practical approach is taken in reaching that determination. For example, if an organisation holds personal information that could identify an individual only when linked to other information that the business (or another entity) holds, it may not be practically possible to reasonably identify that person. The courts will also consider other factors that may limit an agency’s ability to reasonably identify someone, including the high cost and the difficulty involved in making the identification.
What is an APP?
APP stands for Australian Privacy Principle. The APPs require an APP entity (an agency or organisation that is bound by them) to have clear and up-to-date policies on how it manages personal information. If your business satisfies the definition of an institution or group, then you are required to comply with all of the APPs, which include:
- The requirement to maintain open and transparent management of personal information;
- Directions for dealing with solicited and unsolicited personal information; and
- The obligation to explain to customers how your business uses their personal data for direct marketing.
Identifying The Type of Information You Collect
How does your business gather, hold and use personal information? For instance, why do you collect information on where a customer lives, and how is that information protected? You could complete an audit and record a list of the personal information your business collects, together with your existing data handling practices.
Identify The Activities That Involve The Use of Personal Information
The next step is to determine and describe your business’s primary purpose for collecting and handling personal information. For example, does your business pass on personal data to other companies, and if so, why? What about for direct marketing purposes? Other activities could include collecting residential addresses for the delivery of products, as well as managing employee records. You will need to list how you handle personal information for each activity of your business – the more specific you are, the better.
Don’t Copy The APPs Word For Word
Cover All Areas Of Your Business
If you are a large business that offers many different services under the one roof, you will need to consult staff members from other departments to find out what their protocols are for handling personal information.
Describe Consumers’ Support Avenues
Your policy should clearly set out whether individuals can choose how your business uses their personal information. For instance, do they have the right to access the information that you have collected about them? You should also provide customers with details of how they can make a complaint or get support if they have queries about how you are handling their personal information.
Keep It Simple And Make It Accessible
- Using plain language and avoiding legal terms;
- Breaking up text into paragraphs;
- Using headings and sub-headings; and
- Avoiding unnecessary information.
Also, make sure that the policy is in a format that suits your business activities. For example, if you deal online as well as from a store, you should be able to provide your policy in hard copy as well as on your website.