Does my business need a privacy policy?


You might have noticed that many businesses’ websites contain a privacy policy. Recent changes in the law have made these privacy policies more important. If you are a business owner, or if you run a not-for-profit, you might need one too.

Most businesses and not-for-profit organisations with an annual turnover greater than $3 million will be subject to the Privacy Act. The Privacy Act also covers some specific types of businesses and not-for-profits with less than $3 million annual turnover, including:

  • Private sector health service providers. (This includes a very broad range of businesses, including hospitals, doctors’ clinics, and similar traditional health service providers, but also gyms, weight loss clinics, childcare centres, and private schools.)
  • Employee associations under the Fair Work (Registered Organisations) Act 2009.
  • Contracted service providers for a Commonwealth contract.
  • Businesses that sell or purchase personal information.
  • Credit reporting bodies.
  • Businesses related to a business that is covered by the Privacy Act (e.g. a subsidiary of a company covered by the Privacy Act).
  • Other types of businesses prescribed by regulations.

If the Privacy Act does apply to your business or not-for-profit, then you need to comply with the Australian Privacy Principles. The Australian Privacy Principles only took effect in March 2014.*

Australian Privacy Principle No. 1 is about open and transparent management of personal information. It requires you to have a clearly expressed and up-to-date privacy policy, and to make that policy available to members of the public free of charge.

There is no requirement to have your privacy policy on your website, but most businesses decide that it is a simple way to comply with the requirements of Australian Privacy Principle No. 1.

The purpose of your privacy policy is to explain to consumers and potential consumers how you manage their personal information. There is no template for a privacy policy that you must follow. However, the Australian Privacy Principles require your privacy policy to address certain topics. You must explain in your privacy policy:

  • the kinds of personal information that your business collects and holds;
  • how you collect and hold personal information;
  • the purposes for which you collect, hold, use and disclose personal information;
  • how an individual may access personal information about that individual that is held by your business and seek the correction of such information;
  • how an individual may complain about a breach of the Australian Privacy Principles and how your business will deal with such a complaint;
  • whether your business is likely to disclose personal information to overseas recipients; and
  • if your business is likely to disclose personal information to overseas recipients—the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy.

It is important to ensure your privacy policy covers all these topics. Your privacy policy should be clearly expressed. As far as is possible, it should be written in plain English, rather than like a legal contract.

Before drafting a policy, you need to think about all the ways your business collects, holds, uses and discloses personal information. ‘Personal information’ is any information or any opinion that is about an identified individual, or an individual whose identity is reasonably apparent or ascertainable, whether that information is true or false, and whether it is recorded in a material form or not. You need to make sure that your privacy policy doesn’t leave out anything that you do with your customers’ personal information.

It is also important to read all the Australian Privacy Principles before drafting a privacy policy. Many of these Principles deal with how you should be collecting, holding, using and disclosing personal information. You need to make sure that your business complies with all these Principles, and that your privacy policy reflects that.

Johnston Withers is able to advise you as to whether or not your business or not-for-profit is covered by the Privacy Act, and to draft your privacy policy or provide advice about an existing privacy policy you might have in place. Costs vary – but as a guide we can generally provide advice and draft your policy for a fee of approximately $900 (plus GST).

We can also provide advice about broader privacy issues, such as advice as to whether your business practices in relation to your customers’ personal information are fully compliant with privacy laws.

* Note: If you are doing your own research about the Australian Privacy Principles, be careful not to confuse them with the “National Privacy Principles”. The National Privacy Principles applied to businesses before March 2014, and they are quite different to the Australian Privacy Principles. The National Privacy Principles have now been repealed, but there is still a lot of information about them on the Internet, which could be misleading.

If you need advice in this important area of commercial business planning, please contact Andrew Mitchard or any other members of our Commercial & property team on 8231 1110.
