Privacy Policy – Does my business need one?

A privacy policy is an important legal document for your business.  

With privacy becoming more and more important in the 21st century, the Law now requires certain businesses to have a privacy policy and that it be clearly displayed on your website and brought to the attention of a consumer, client or customer, before you collect any of their personal information. 

Am I required to have a Privacy Policy? 

For certain businesses, it’s mandatory. For the rest, it’s just good business.  

If your business is required to comply with the European General Data Protection Regulation (GDPR) – then legally, you must have one, regardless of industry or turnover. 

If you collect any of the following kinds of information, engage in any of the following activities, or are any of the following, then legally you must have a privacy policy: 

  • a private sector health service provider, such as a private hospital, day surgery clinic, pharmacist, chiropractor or gym; 
  • a contracted service provider for an Australian Government contract; 
  • a business that sells or purchases personal information; 
  • a credit reporting body; 
  • an employee association registered or recognised under the Fair Work (Registered Organisations) Act, 2009; 
  • a business that has opted-in to the Privacy Act, 1988 (Cth) (Privacy Act);  
  • related to or a subsidiary of a business that is covered by the Privacy Act; or 
  • a business prescribed by the Privacy Regulation, 2013, such as a business that operates a residential tenancy database. 

This is not an exhaustive list, and you may have specific regulatory compliance with your particular industry or if you are collecting certain information.  

For all other businesses and not-for-profit organisations, under the Privacy Act, if your turnover is more than $3 million per annum, then the business is legally required to have a privacy policy and must comply with the 13 Australian Privacy Principles (APPs). 

Having a privacy policy is beneficial (even if you’re not legally required to have one), because it allows you to be transparent with customers and clients about what personal information your business collects, the purpose for collecting such information, how the information is collected and the situations in which the personal information will be shared with third parties.   

What must be included in a Privacy Policy?

At the outset, the privacy policy should be easy to find, written in plain English, concise, and current. In accordance with section 1.4 of the APPs, it must include the following: 

1. The kind of personal information you collect and hold

For good measure, you should include a definition of ‘personal information’. You can simply state that the term has the same meaning given to it under the Privacy Act, or you can state that it includes any information that can personally identify an individual and provide examples. 

There are many types of personal information. It is vital that you identify every type that you collect and hold, such as an individual’s name, address, telephone number, email address and occupation.

2. The purpose of collecting, holding, using and disclosing personal information

You must be transparent concerning the reasons for collecting, holding, using and disclosing personal information, so the individuals to whom the personal information belongs are fully informed and know exactly what they are consenting to when agreeing to the privacy policy.  

Some common purposes include: 

  • to provide your business’ services;  
  • to contact customers, answer enquiries and provide requested information; 
  • to advertise your business’ services; 
  • to conduct market research; and 
  • to comply with a relevant Law or direction from a governmental authority. 

3. How you collect and hold personal information

It is required that you include the manner in which you collect personal information. For most businesses this would include when an individual makes an enquiry about your products or services, when they fill in an online form, when an individual registers as a member of the website and during conversations between an individual and a representative of your business, to list a few.  

4. Access and correction of personal information

The policy must include a section that documents how individuals can access and correct their personal information collected and held by you. You should acknowledge in the policy that an individual is entitled to access and correct their personal information at any time and provide the appropriate contact information. 

5. How to make complaints

The individuals, from whom you have collected personal information, must be provided with means of submitting a complaint about a breach of APPs and include information about how you will deal with such a complaint.   

You should provide appropriate contact information for individuals to submit their complaints to and include that all complaints will be investigated and resolved within a reasonable time. 

6. Whether personal information will be disclosed to overseas recipients and, if so, specify their country of origin

Individuals are entitled to be informed of whether their personal information is sent to overseas parties and in which countries those recipients are based. You must indicate whether this is a possibility so that individuals are fully informed when deciding whether to provide personal information.

7. Security of personal information

The Internet is inherently insecure, which means you need to take extra care when handling and storing personal information.  

It should be noted in the privacy policy that your business takes reasonable steps to ensure personal information is protected from misuse, interference and loss, and from unauthorised access, modification or disclosure. 

It’s also worth noting that while you strive to ensure the security of personal information, no data transmission over the internet can be guaranteed to be totally secure. 

Key Takeaways

As you can see, there’s a lot more to an Australian privacy policy than one might expect.  

It is imperative to have a privacy policy if your business is regulated under the Privacy Act or the My Health Records Act, or if the GDPR applies to your business, to ensure you are complying with your legal obligations. Even if none of these apply, it is wise to have one so that clients are clear on what personal information you are collecting and how it will be used and disclosed.  

We can draft your privacy policy for a fixed fee of just $600 + GST, fully tailored for your business, compliant with the GDPR and drafted by a qualified lawyer. 

Contact us today if you require any assistance with Privacy Law advice.
