Does your business need a privacy policy?

The answer is most likely “yes”, even if you are a small business with annual turnover of less than $3,000,000.

Under the Privacy Act 1988 (Cth) (Privacy Act), various types of entities are, in summary, required to comply with a prescribed set of 13 “Australian Privacy Principles”. The first principle requires a clearly expressed and up-to-date privacy policy, so that personal information is managed in an open and transparent manner.

Government agencies and private and not-for-profit organisations, including individuals (e.g. sole traders), companies, partnerships, unincorporated associations and trusts, are all required to comply. There are exemptions. For example, small businesses (i.e. those with annual turnover of less than $3,000,000 which are not, for example, related to a larger company that is subject to the Privacy Act) might be exempt in limited circumstances.

However, the practical reality is that as soon as small businesses handle any personal information and trade in personal information, they will be caught under the Privacy Act. Various other scenarios may also render small businesses liable to comply with the Australian Privacy Principles (for example, small businesses that provide services to or on behalf of government agencies, those that are “reporting entities” (a broad category) under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), or those that operate residential tenancy databases, etc.).

Furthermore, as soon as a business receives Tax File Number information about an individual (for example, in a Tax File Number declaration upon the commencement of employment), certain obligations arise under the Privacy (Tax File Number) Rule 2015 (issued under s.17 of the Privacy Act). Employers, for example, would be best advised to ensure that they have a privacy policy (and consent covering the purpose of collection, use, disclosure, storage, etc.) in place, compliant contractual clauses, and that they provide collection notices where appropriate. Non-compliance with the Privacy Act can lead to significant fines.

As a bare minimum, a privacy policy needs to cover the following:

(a) the kinds of personal information that the entity collects and holds;

(b) how the entity collects and holds personal information;

(c) the purposes for which the entity collects, holds, uses and discloses personal information;

(d) how an individual may access personal information about the individual that is held by the entity and seek the correction of such information;

(e) how an individual may complain about a breach of the Australian Privacy Principles, or a registered APP code (if any) that binds the entity, and how the entity will deal with such a complaint;

(f) whether the entity is likely to disclose personal information to overseas recipients;

(g) if the entity is likely to disclose personal information to overseas recipients, the countries in which such recipients are likely to be located, if it is practicable to specify those countries in the policy.

Contact our Sydney business lawyers for assistance in relation to the above. Our commercial lawyers, business lawyers and disputes lawyers provide expertise in corporate and commercial advisory services as well as litigation and dispute resolution. Take a look also at a sample selection of our more basic fixed fee legal services.

HEATHFIELD GROSVENOR

Level 21, 133 Castlereagh Street

Sydney NSW 2000

Australia

T: +61 2 8005 7388

F: +61 2 8310 9779

E: contact@hglaw.com.au

www.hglaw.com.au

The information provided in this article is provided by way of general information only. It does not constitute legal advice, and should not be relied upon as such. Specific independent legal advice should be obtained before deciding to act, or not to act, upon the views expressed or information contained in this article. 

Copyright of Heathfield Grosvenor 2017. All rights reserved.
