Everything you need to know about Privacy Policies

*Please note that this article provides general information only and will not be applicable in all circumstances, nor should it be relied upon as legal advice. Should you wish to obtain legal advice, we recommend that you get in touch with us.


What is a privacy policy?

A privacy policy is a document that sets out how an individual, company, organisation or agency deals with the personal and sensitive information it receives in the course of its operations, including the personal information of employees, customers, clients and any third party. Privacy policies must contain certain content to ensure they comply with the law, including:

  • the types of personal information collected and held by the entity (for example, a person’s name, address and phone number, or ‘sensitive information’ including a person’s racial or ethnic origin);

  • how the entity collects and holds personal information;

  • the purposes for which the entity collects, holds, uses and discloses personal information; and

  • how an individual may access personal information about the individual that is held by the entity and seek the correction of such information.

Privacy policies are directly affected by local legislation, and it is important to ensure that your privacy policy deals with the local legislation of the persons whose information you are collecting. For example, you may need a privacy policy which is both compliant with Australian law and the General Data Protection Regulation (“GDPR”). Additionally, different privacy requirements will apply depending on the type of information collected. For example, entities that collect sensitive information will be subject to stronger regulation in their use of such information.

Does my business need a privacy policy?

Not all businesses require a privacy policy; however, many do. Whether your business requires a privacy policy is governed by the Privacy Act 1988 (Cth), and, specifically, the Australian Privacy Principles (“APPs”). The APPs state that ‘an APP entity must have a clearly expressed and up-to-date policy…about the management of personal information by the entity.’

An APP entity refers to an organisation (including an individual, body corporate, partnership, unincorporated association or trust) or an agency (which refers to a government agency). Small business operators with an annual turnover of less than $3m will be excluded from being an APP entity, unless they (among other things):

  • provide a health service or hold health information other than in employee records;

  • collect or disclose personal information for some benefit, service or advantage;

  • are a contracted service provider for a Commonwealth contract; or

  • are a credit reporting body.

Importantly, registered political parties and state or territory authorities are excluded from the definition of an APP entity.

Even if an entity is not considered an APP entity, it is good practice and prudent to have a privacy policy which sets out how your entity collects, holds, and uses personal information.

How can I put a privacy policy in place?

The APPs require APP entities to take reasonable steps to make their privacy policies freely available and in an appropriate form for their customers to access. For this reason, businesses typically display privacy policies on their websites.

It is important to enlist the help of a lawyer to prepare a privacy policy, as there are 13 APPs which must be addressed in this document. Additionally, entities will differ in how they utilise the personal information they collect, meaning an off-the-shelf or ‘standard’ solution may be inappropriate for addressing their requirements. This is particularly the case if a business is operating in numerous jurisdictions and requires a GDPR-compliant privacy policy or similar.

How we can help

Merton Lawyers has experience preparing bespoke privacy policies for businesses of all sizes and backgrounds. Please get in touch to book a complimentary meeting and discuss how we can assist you.

Author, Isaac Hanna.

