Summary
- Businesses that qualify as APP entities under the Privacy Act 1988 (Cth), generally those with annual turnover above $3 million or those handling health information or fulfilling Commonwealth contracts, must comply with the Australian Privacy Principles, including maintaining a privacy policy, issuing privacy collection notices and notifying the OAIC of eligible data breaches.
- Personal information can only be used for the primary purpose for which it was collected, or for secondary purposes where the individual would reasonably expect such use or has consented, with stricter rules applying to sensitive information including health, racial, religious and biometric data.
- When disclosing personal information to overseas third parties, including platforms such as Stripe or Mailchimp, businesses must take reasonable steps to ensure those parties handle the information in accordance with the Australian Privacy Principles.
- This article is a guide to Privacy Act compliance for business owners in Australia, written by LegalVision’s business lawyers.
- LegalVision specialises in advising clients on privacy law, data protection compliance and the Australian Privacy Principles.
Tips for Businesses
Prepare a data breach response plan before you need it, not after an incident occurs. Review what personal information you are collecting and whether you actually need it. If you use overseas platforms to process customer data, check their privacy policies and consider adding contractual compliance obligations.
The Privacy Act 1988 (Cth) is a federal law that governs how organisations collect, use, store and disclose personal information in Australia. Administered by the Office of the Australian Information Commissioner (OAIC), it establishes 13 Australian Privacy Principles that apply to APP entities, including businesses with annual turnover above $3 million and those handling health or sensitive information. The OAIC has authority to investigate complaints, conduct audits and impose civil penalties for serious or repeated breaches, with maximum penalties now reaching $50 million following recent amendments. This article explores how you can proactively ensure that your business complies with the Privacy Act 1988 (Cth).
1. Ensure You Have a Privacy Policy
A privacy policy is a standard document for a business that receives or handles personal information. If your business is an APP entity, then you must have a privacy policy. However, even if it is not compulsory for your business, we recommend you have one for best practice.
An APP entity is subject to the Australian Privacy Principles. Your business may be an APP entity if it:
- generates over $3 million in annual turnover; or
- engages in specific activities, including but not limited to handling health information, trading personal information, or fulfilling a Commonwealth contract.
You should speak to a lawyer to confirm whether your business is an APP entity.
A privacy policy can address the key Australian Privacy Principles. Your privacy policy should outline to your customers what information you collect from them. Also, your privacy policy should state how you intend to use this information. Businesses commonly use this document for dealings with the public. Furthermore, it can help foster trust among your customer base. Your privacy policy should be available to customers through a link or pop-up on your website. If customers can create an account on your website, you should clearly indicate which personal information is optional for them to disclose.
2. Develop a Privacy Manual
While a privacy policy is a public-facing document, a privacy manual is an internal document that sets out how your organisation will collect, use, store and handle personal information in practice. You can introduce a privacy manual into your business through formal training processes. Some businesses appoint a privacy officer who can answer employee questions and take enquiries from the public about privacy compliance. You will be more likely to manage privacy successfully if your employees understand your policy.
3. Ensure Data Security
There are practical methods you can implement to support compliance with the Australian Privacy Principles. Limit access to personal information to authorised personnel who need it to perform their everyday tasks. Collect and store only the personal information that is actually necessary, and destroy or de-identify personal information once you no longer need it for any permitted purpose (APP 11.2). Properly destroying or de-identifying information you no longer need reduces what an attacker can reach if your systems are compromised. Periodically reviewing the personal information you store ensures you are purging outdated or unnecessary data from your systems, including copies held in backups, exports and third-party platforms.
You should implement strong data protection controls, including:
- encryption of data at rest and in transit;
- access control based on least privilege;
- cyber security detection systems; and
- employee training.
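As an added example (this is not LegalVision's code or advice), the following Python script applies the "keep only what you need, then destroy or de-identify it" guidance above as a scheduled retention sweep. Records carry the purpose they were collected for and a collection date; the sweep destroys expired records, de-identifies those whose non-identifying part is still wanted, and refuses to process a record whose purpose has no retention rule. The purposes, retention periods, field names and sample records are assumptions constructed for the example, not legal retention periods.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed retention periods per collection purpose, in days. These are
# illustrative figures chosen for the example; real periods come from the
# business's own legal review (for example, tax records are kept longer by law).
RETENTION_DAYS = {
    "order_fulfilment": 365,
    "tax_record": 5 * 365,
    "support_ticket": 180,
}

# Purposes whose expired records are de-identified rather than destroyed,
# because the business still wants the non-identifying remainder for analytics.
DEIDENTIFY_PURPOSES = {"support_ticket"}

# Field names treated as direct identifiers (assumed schema).
DIRECT_IDENTIFIERS = {"name", "email", "phone", "address"}


@dataclass
class Record:
    record_id: str
    purpose: str
    collected_on: date
    fields: dict


def is_expired(record: Record, today: date) -> bool:
    """True once the record is older than the retention period for its purpose."""
    days = RETENTION_DAYS.get(record.purpose)
    if days is None:
        # Fail closed: an unknown purpose means nobody decided how long to keep it.
        raise ValueError(f"no retention rule for purpose {record.purpose!r}")
    return today - record.collected_on > timedelta(days=days)


def deidentify(record: Record) -> Record:
    """Return a copy with direct identifiers removed; only non-identifying fields remain."""
    kept = {k: v for k, v in record.fields.items() if k not in DIRECT_IDENTIFIERS}
    return Record(record.record_id, record.purpose, record.collected_on, kept)


def sweep(records, today: date):
    """Apply the retention rules and return (retained, deidentified, destroyed_ids).

    The destroyed list holds record ids only, so the audit trail of what was
    deleted does not itself retain the personal information.
    """
    retained, deidentified, destroyed = [], [], []
    for r in records:
        if not is_expired(r, today):
            retained.append(r)
        elif r.purpose in DEIDENTIFY_PURPOSES:
            deidentified.append(deidentify(r))
        else:
            destroyed.append(r.record_id)
    return retained, deidentified, destroyed


# Constructed sample records (not real customers).
SAMPLE = [
    Record("r1", "order_fulfilment", date(2023, 1, 10),
           {"name": "A. Citizen", "email": "a@example.com", "sku": "X1"}),
    Record("r2", "order_fulfilment", date(2025, 3, 1),
           {"name": "B. Citizen", "email": "b@example.com", "sku": "X2"}),
    Record("r3", "tax_record", date(2023, 1, 10),
           {"name": "A. Citizen", "invoice": "INV-1"}),
    Record("r4", "support_ticket", date(2024, 6, 1),
           {"name": "C. Citizen", "phone": "0400 000 000", "category": "billing"}),
]

if __name__ == "__main__":
    kept, anon, gone = sweep(SAMPLE, date(2025, 6, 1))
    print("retained:", [r.record_id for r in kept])
    print("de-identified:", [(r.record_id, r.fields) for r in anon])
    print("destroyed:", gone)
```

Run against the sample on 1 June 2025, the old order record is destroyed, the recent order and the tax record are retained, and the support ticket keeps only its category. A real sweep must reach every copy of the data (backups, exports, the overseas platforms discussed later in this article), and an unknown purpose should stop the job rather than silently retain the record forever.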
4. Plan for Data Breaches
A data breach involves unauthorised access to, unauthorised disclosure of, or loss of personal information. In today’s digital landscape, it is not a question of whether your business will experience a data breach but when. Therefore, preparing for these incidents is crucial.
If your business is an APP entity, the Notifiable Data Breaches (NDB) scheme applies. Where you suspect a breach, you have up to 30 days to assess whether it is an eligible data breach, that is, one likely to result in serious harm to any of the individuals concerned. If it is, you must notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals as soon as practicable, unless remedial action you take in time means serious harm is no longer likely.
You can prepare a Data Breach Response Plan that clearly outlines all roles and responsibilities in handling a data breach. This will position your business in good stead when a data breach occurs, and your business will be able to respond proactively instead of reactively, minimising brand or reputational damage and financial losses.
5. Privacy Collection Notice
Having a Privacy Collection Notice (PCN) available at the point of collecting personal information of your customers is essential if you are an APP entity, but also best practice if you are not. A PCN is like a mini Privacy Policy and will inform your customers of what personal information you are collecting from the individual in that particular situation, why you are collecting it, and how it will be used or disclosed. You can only collect personal information that you reasonably need for your business purposes.
There are additional considerations for sensitive information. Sensitive information includes details about an individual’s health, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, criminal record or biometric information. If you are collecting sensitive information, you will need to either obtain the individual’s consent or rely on another reason for collection under the Australian Privacy Principles. These other reasons include:
- where you are permitted or required by law (for example, if you are legally required to collect criminal record checks from contractors);
- where you suspect a threat to the life or safety of an individual and cannot reasonably collect consent (for example, if you collect health information from an NDIS participant’s family member in the case of an emergency); and
- where the collection is reasonably necessary for a legal claim (for example, collecting information about an individual’s religious beliefs or racial or ethnic origin to defend a discrimination claim).
6. Using Personal Information
Once you collect personal information about a person, you can only use it for certain purposes.
Primary Purpose
You can use personal information for the primary purpose, which is the purpose you initially collected it for. For example, if you collect a customer’s email when they order a product from your site, the primary purpose might be to send them an order confirmation email.
Secondary Purpose
You can use personal information for secondary purposes if you either have the person’s consent, or:
- the secondary purpose is related to the original reason you collected the personal information; and
- the person would reasonably expect their personal information to be used in this way.
For example, you may collect customer feedback to address a specific complaint and later use it to inform broader service improvements, an outcome customers would reasonably anticipate.
For sensitive information, the secondary purpose must be directly related to the primary purpose. Typically, you should obtain the person’s consent to use sensitive information for other purposes to ensure that you are handling it in accordance with the Australian Privacy Principles.
Responding to Access and Correction Requests
Under APP 12 and APP 13, individuals have the right to request access to their personal information and ask you to correct it if it is inaccurate, out of date or incomplete.
If a customer, employee or other individual makes an access request, you must respond within a reasonable time and provide the information in the format they request, where practicable. You cannot charge a fee simply for making the request, though you may recover reasonable costs for giving access.
You can refuse an access request in limited circumstances, such as where providing the information would pose a serious threat to someone’s safety or unreasonably affect another person’s privacy. If you refuse, you must give reasons and tell the individual how they can complain.
For correction requests, if you agree the information is incorrect, you must take reasonable steps to fix it. If you disagree, you must allow the individual to attach a statement noting the disputed information.
Having a clear internal process for handling these requests reduces response times and lowers the risk of a complaint to the OAIC.
7. Disclosing Personal Information
The Australian Privacy Principles also set out requirements for APP entities to follow when disclosing personal information to other people or entities. If you share personal information with third parties, this will typically be considered a secondary purpose and you will need to follow the rules mentioned above.
Additional requirements apply when disclosing personal information overseas. You need to take reasonable steps to ensure that the third party you are sharing personal information with also complies with the Australian Privacy Principles. This includes situations where you use services or platforms provided by overseas providers such as Stripe or Mailchimp. Reasonable steps could involve checking their privacy policy to see how they handle information or inserting contractual clauses that require them to comply with the Australian Privacy Principles as if they were an APP entity themselves. Unless an exception under APP 8 applies, you remain accountable under the Act for any breach of the APPs by that overseas recipient (s 16C), so contractual clauses should be backed by due diligence on the provider’s security controls rather than a paper promise alone.
Key Statistics
- 1,113: Australia recorded 1,113 data breach notifications in 2024 – the highest annual total since the Notifiable Data Breaches scheme commenced in 2018 – representing a 25% increase on the previous year.
- AUD $4.26 million: The average cost to an Australian business of a data breach in 2024, according to IBM – a figure cited by the OAIC itself as a benchmark for the financial risk of inadequate privacy and security measures.
- Up to $50 million: For serious or repeated interferences with privacy, the maximum civil penalty is the greater of $50 million, three times the benefit obtained from the conduct, or 30% of adjusted turnover during the breach period. This tier was introduced by the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth) and retained when the Privacy and Other Legislation Amendment Act 2024 (Cth) added lower penalty tiers for less serious contraventions.
Sources
- OAIC – Notifiable Data Breaches Report: July to December 2024 (May 2025)
- OAIC – Notifiable Data Breach Statistics: January to June 2025 (November 2025), citing IBM Cost of a Data Breach Report 2024
- LexisNexis – Privacy Law Bulletin 2025 Special Edition (July 2025)
Key Takeaways
As a business owner, you must ensure your business complies with the Privacy Act, and non-compliance can have serious repercussions. Customers hand over their personal information through many channels, and although collecting it may be easy, you must understand your obligations around that information. Whatever your business does, you will likely have some level of access to your customers’ personal information. By keeping the above pointers in mind, you will be better equipped to address privacy issues in your organisation.
If you are unsure of your privacy obligations or what your organisation needs to do to comply with the Privacy Act, LegalVision provides ongoing legal support for businesses through our fixed-fee legal membership. Our experienced privacy lawyers help businesses manage contracts, employment law, disputes, intellectual property, and more, with unlimited access to specialist lawyers for a fixed monthly fee.
Frequently Asked Questions
Does my business need a privacy policy?
If your business qualifies as an APP entity under the Privacy Act 1988 (Cth), you must have a privacy policy that explains how you collect, use and disclose personal information. Businesses generally become APP entities if they have annual turnover above $3 million or handle certain types of personal information. Even if the law does not require it, adopting a privacy policy is still best practice for businesses that collect personal data.
What should a business do if it experiences a data breach?
If your business experiences a data breach, you must assess the incident and determine whether it is likely to cause serious harm to individuals. If it does, APP entities must notify the Office of the Australian Information Commissioner and affected individuals under the Notifiable Data Breaches scheme. Preparing a clear data breach response plan helps businesses respond quickly and manage risks.
Do I need to comply with the Privacy Act as a small business?
The Privacy Act applies to businesses with an annual turnover of $3 million or more. However, smaller businesses may still need to comply if they trade in personal information, provide health services, operate under a Commonwealth contract, or collect health information. Speak to a lawyer to confirm your obligations.
How long can I keep personal information?
You can only keep personal information for as long as needed for a permitted purpose, unless law requires longer retention. Once no longer needed, you must destroy or de-identify it. Some information, like tax records, has specific retention periods. Consult a privacy lawyer if you are unsure.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.