Heathfield Grosvenor Lawyers

Do I Need a Privacy Policy on My Website in Australia?

The answer is most likely “yes”, even if you are a small business with annual turnover of less than $3,000,000.

Under the Privacy Act 1988 (Cth) (Privacy Act), various types of entities are, in summary, required to comply with a prescribed set of 13 “Australian Privacy Principles”. The first principle requires a clearly expressed and up-to-date privacy policy, so that personal information is managed in an open and transparent manner.

Government agencies, private and not-for-profit organisations including individuals (e.g. sole traders), companies, partnerships, unincorporated associations, and trusts are all required to comply. There are exemptions. For example, small businesses (i.e. those with annual turnover of less than $3,000,000 and which are not, for example, related to a larger company that is subject to the Privacy Act) might be exempt in limited circumstances.

However, the practical reality is that as soon as small businesses handle any personal information and trade in personal information, they will be caught under the Privacy Act. Various other scenarios may also render small businesses liable to compliance with the Australian Privacy Principles (for example, small businesses who provide services to or on behalf of government agencies, those who are “reporting entities” (a broad category) under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), or those who operate residential tenancy databases, etc.).

Furthermore, as soon as a business receives Tax File Number information about an individual (for example, in a Tax File Number declaration upon the commencement of employment), certain obligations arise under the Privacy (Tax File Number) Rule 2015 (issued under s.17 of the Privacy Act). Employers, for example, would be best advised to ensure that they have a privacy policy (and consent covering purpose of collection, use, disclosure, storage, etc.) in place, compliant contractual clauses, and provide collection notices where appropriate. Non-compliance with the Privacy Act can lead to significant fines.

As a bare minimum, a privacy policy needs to cover the following:

(a) the kinds of personal information that the entity collects and holds;

(b) how the entity collects and holds personal information;

(c) the purposes for which the entity collects, holds, uses and discloses personal information;

(d) how an individual may access personal information about the individual that is held by the entity and seek the correction of such information;

(e) how an individual may complain about a breach of the Australian Privacy Principles, or a registered APP code (if any) that binds the entity, and how the entity will deal with such a complaint;

(f) whether the entity is likely to disclose personal information to overseas recipients;

(g) if the entity is likely to disclose personal information to overseas recipients, the countries in which such recipients are likely to be located, if it is practicable to specify those countries in the policy.

Heathfield Grosvenor Lawyers Pty Ltd