For certain businesses, it’s mandatory. For the rest, it’s just good business.
If your business is required to comply with the European General Data Protection Regulation (GDPR), then legally you must have a privacy policy, regardless of industry or turnover.
If you handle any of the following information or engage in any of the following activities, legally you must have one:
- handle consumer credit reporting information;
- handle tax file numbers;
- handle personal information contained on the Personal Property Securities Register;
- handle My Health Record information covered by the My Health Records Act 2012;
- operate a residential tenancy database;
- conduct activities of a reporting entity or authorised agent in relation to the Anti-Money Laundering and Counter-Terrorism Financing Act 2006; or
- conduct a protected action ballot.
You must also have one if your business is:
- a private sector health service provider, such as a private hospital, day surgery clinic, pharmacist, chiropractor or gym;
- a contracted service provider for an Australian Government contract;
- a business that sells or purchases personal information;
- a credit reporting body;
- an employee association registered or recognised under the Fair Work (Registered Organisations) Act 2009;
- a business that has opted in to the Privacy Act 1988 (Cth) (Privacy Act);
- related to or a subsidiary of a business that is covered by the Privacy Act; or
- a business prescribed by the Privacy Regulation 2013, such as a business that operates a residential tenancy database.
This is not an exhaustive list: your particular industry, or the specific kinds of information you collect, may carry additional regulatory obligations.
1. The kind of personal information you collect and hold
For good measure, you should include a definition of ‘personal information’. You can simply state that the term has the same meaning given to it under the Privacy Act, or you can state that it includes any information that can personally identify an individual and provide examples.
There are many types of personal information. It is vital that you identify every type that you collect and hold, such as an individual’s name, address, telephone number, email address and occupation.
2. The purpose of collecting, holding, using and disclosing personal information
Some common purposes include:
- to provide your business’ services;
- to contact customers, answer enquiries and provide requested information;
- to advertise your business’ services;
- to conduct market research; and
- to comply with a relevant law or a direction from a governmental authority.
3. How you collect and hold personal information
You must describe the manner in which you collect personal information. For most businesses this would include when an individual makes an enquiry about your products or services, when they fill in an online form, when an individual registers as a member of the website and during conversations between an individual and a representative of your business, to list a few.
4. Access and correction of personal information
The policy must include a section that documents how individuals can access and correct the personal information you collect and hold about them. You should acknowledge in the policy that an individual is entitled to access and correct their personal information at any time, and provide the appropriate contact information.
5. How to make complaints
The individuals from whom you have collected personal information must be provided with a means of submitting a complaint about a breach of the APPs (Australian Privacy Principles), and the policy must include information about how you will deal with such a complaint.
You should provide appropriate contact information for individuals to submit their complaints to, and state that all complaints will be investigated and resolved within a reasonable time.
6. Whether personal information will be disclosed to overseas recipients and, if so, in which countries they are based
Individuals are entitled to be informed of whether their personal information is sent to overseas parties and in which countries those recipients are based. You must indicate whether this is a possibility so that individuals are fully informed when deciding whether to provide personal information.
7. Security of personal information
The Internet is inherently insecure, which means you need to take extra care when handling and storing personal information, and your policy should describe the steps you take to protect it.
It is also worth noting in the policy that, while you strive to ensure the security of personal information, no data transmission over the internet can be guaranteed to be totally secure.
Contact us today if you require any assistance with Privacy Law advice.
Ian Aldridge is the owner and principal lawyer at Progressive Legal. After 12 years practising as a litigation lawyer for small, medium and large firms in Australia and the UK, Ian returned to Australia disillusioned with the way law was being practised at all levels, especially for small business.
Ian started Progressive Legal in 2014 and provides a range of fixed-price legal services for small business owners. Ian changed the way legal services are provided in Australia by building Legal Shield™, a legal subscription that lets clients obtain tailored legal documents immediately and pay over time.
Ian has completed a Degree in Economics and Law from Macquarie University, has a Diploma of Legal Practice/Professional Program from the NSW College of Law (Commercial Law, Litigation, Legal Advice) and is a Key Personal of Interest (KPI).