Privacy policies seem mundane and look like just another hoop a business or its website has to jump through to be compliant. However, these policies are becoming increasingly important as Australian and international laws become more focussed on the protection of personal data collected from clients, customers and users.
A privacy policy helps you and your business remain transparent and upfront with your clients and customers about how you collect, use, handle, store and disclose their personal or sensitive information. If you weren’t already aware, there is a difference between ‘personal’ and ‘sensitive’ information.
Personal information covers a broad range of information, or an opinion, about an individual who is identified or reasonably identifiable. Whether a particular piece of information is personal information depends on whether the person can be identified, or is reasonably identifiable, in the circumstances. A person’s telephone number, for example, is personal information.
Sensitive information is a subset of personal information that attracts a higher level of protection. It includes, for example, health information, which in turn covers information about a health service provided to an individual or about an illness.
In Australia, all businesses with an annual turnover of more than $3 million are required to have a privacy policy in accordance with the Privacy Act 1988 (Cth) (Privacy Act) and its Australian Privacy Principles (the APPs). So, not every business is legally required to have a privacy policy. However, many have one anyway, and certain businesses under the $3 million threshold are also required to have one. These are businesses that fall within the following categories:
- a private-sector health service provider. This includes a private hospital, a day surgery, a medical practitioner, a pharmacist, an allied health professional, a complementary therapist (such as a naturopath and a chiropractor), a gym or weight loss clinic, a childcare centre, a private school and a private tertiary educational institution.
- a business that buys or sells personal information.
- a credit reporting body.
- a contracted service provider for the Australian Government.
- an employee association registered or recognised under the Fair Work (Registered Organisations) Act 2009.
- other businesses set out under the Privacy Regulation 2013.
Businesses that aren’t required to have a privacy policy may ‘opt in’ to the APPs. So, if the Privacy Act applies to your business, or if you choose to ‘opt in’, you will need to comply with the APPs and ensure that you remain compliant with these laws. Read more about a business’s privacy obligations under the APPs here: https://www.oaic.gov.au/privacy/australian-privacy-principles/.
Even if your business is not required to comply with the APPs, you may still be required to comply with other rules on handling credit information and tax file numbers. Learn more here: https://www.oaic.gov.au/privacy/privacy-for-organisations/small-business/.
You can check to see if your business requires a privacy policy through the OAIC’s small business privacy checker. The link is as follows: https://www.oaic.gov.au/privacy/privacy-for-organisations/small-business/#PrivacyChecklistForSmallBusiness.
If your business needs a privacy policy, we recommend getting in touch with a legal professional to ensure that it is adequately drafted and complies with the Privacy Act and the APPs. It might be tempting to ‘borrow’ another company’s privacy policy or copy and paste one from a quick Google search, but this could land you in hot water. If the document is not relevant to your business, includes obligations that your business cannot meet, or contains mistakes, then your business could be in trouble with the OAIC, particularly if a notifiable data breach occurs. Simply copying another business’s policy could also expose you to a copyright claim.
We can help you with drafting a privacy policy, including ensuring that it is tailored to how you actually do business with your customers. Like a T&Cs document, it is an important document and one that shouldn’t be undervalued.