Every business or organisation collects, uses and holds personal information differently. It is essential that you comply with the Australian Privacy Principles (APPs) which guide organisations and agencies about their obligations regarding people’s personal information. However, you will first need to understand what exactly constitutes personal information.

What Is Personal Information?

The Privacy Act 1988 (Cth) (the Privacy Act) defines personal information as information or an opinion about an identified individual, or an individual who is reasonably identifiable. It does not matter whether the information or opinion is true, or whether it is recorded in a material form. Information can identify someone on its own, or reasonably identify someone when combined with other information. The identifying factors can include a person’s position, actions, behaviours, characteristics, attitudes, financial circumstances, marital status and others.

Understanding what constitutes personal information will assist you in abiding by all the other rules regarding the protection of an individual’s personal information.

What Is Reasonably Identifiable?

Whether an individual is ‘reasonably identifiable’ from a piece of information depends on the context and circumstances, and the question is approached practically. For example, a record may only identify an individual once it is linked to other information that your business (or another entity) holds; if that linking is not practically possible, the individual may not be reasonably identifiable. The courts will also consider factors that limit an entity’s ability to identify someone, such as the cost and difficulty involved in making the identification.

What is an APP?

APP stands for Australian Privacy Principle. The APPs apply to APP entities (the agencies and organisations bound by the Privacy Act) and, among other things, require them to have a clear and up to date policy on how they manage personal information. If your business satisfies the definition of an APP entity, you are required to comply with all of the APPs, which include:

  • The requirement to maintain open and transparent management of personal information;
  • Directions for dealing with solicited and unsolicited personal information; and
  • The obligation to explain to customers how your business uses their personal information for direct marketing.

Creating Your APP Privacy Policy

Your privacy policy has to contain and adhere to certain APP provisions, but it also must be tailored to your unique business operations. When drafting your privacy policy you should think about the following:

Identifying The Type of Information You Collect

How does your business gather, hold and use personal information? For instance, why do you collect information on where the customer lives and how is this protected? You could complete an audit and record a list of personal information your business collects and your existing data handling practices.

Identify The Activities That Involve The Use of Personal Information

The next step is to determine and describe your business’ primary purpose for collecting and handling personal information. For example, does your business pass on personal data to other companies, and if so why? What about for direct marketing purposes? Other activities could include collecting residential addresses for delivery of products as well as managing employee records. You will need to list how you handle personal information for each activity of your business – the more specific you are, the better.

Your Audience

Don’t just think about your privacy policy as a form of risk management. Instead, focus on creating a transparent document that informs your customers of how you handle their personal information. You should use this procedure to build trust in your relationship with clients.

Don’t Copy The APPs Word For Word

Yes, your privacy policy needs to comply with particular APPs, but that does not mean you need to replicate them completely. In fact, this could lead to creating a privacy policy that is quite general and in turn uninformative. Your privacy policy needs to be specific to your business’ operations.

Cover All Areas Of Your Business

If you are a large business that provides many different services under the one roof, you will need to consult with staff in other departments to find out what their protocols are for handling personal information.

Your privacy policy will also need to be communicated throughout the business so that everyone handles information in the same way. You could even create a video describing the procedures you have in place that adhere to the APPs so that all staff can easily understand and comply with company policy.

Describe Consumers’ Support Avenues

Your policy should clearly set out whether individuals can choose how your business uses their personal information. For instance, do they have the right to access the information you have collected about them, and to have it corrected? You should also provide customers with details about how they can make a complaint or get support if they have queries about how you are handling their personal information.

Keep It Simple And Make It Accessible

A complex and legally dense privacy policy is useless if your clients can’t understand it. Ensure your policy is easy to read by:

  • Using plain language and avoiding legal terms;
  • Breaking up text into paragraphs;
  • Using headings and sub-headings; and
  • Avoiding unnecessary information.

Also, make sure that it is available in a format that suits your business activities. For example, if you deal online as well as from a store, you should be able to provide your policy in hard copy as well as on your website.

Key Takeaways

The law continues to develop to reflect changes in how businesses collect personal information. For example, researchers have found that some apps share personal information, such as email addresses, with third parties without disclosing this in their privacy policies. Keep checking for any changes to Australian privacy law that may affect your business operations. Importantly, if you have any questions about complying with the APPs or drafting a privacy policy, ask! You can get in touch with our IT lawyers on 1300 544 755.

Annie Gunn
