Do I need a Privacy Policy for my Business

Whether a privacy policy is mandatory depends on whether a business meets the criteria in the Privacy Act 1988 (Cth) (‘Privacy Act’) and the Australian Privacy Principles (‘APPs’). The APPs supplement the Privacy Act and require that private sector organisations with an annual turnover of more than $3 million have a Privacy Policy in place if the business collects personal information. Note that even if annual turnover does not exceed $3 million, there are instances where the Privacy Act will still apply to a company. These circumstances include, without limitation, where a company trades in personal information by buying or on-selling it, or where a business is related to an entity that has privacy obligations. Even where having a Privacy Policy is not mandated by law, it is considered best practice to have a bespoke Privacy Policy in place that fulfils the legal requirements while also taking into account the unique circumstances of the particular business.

For the purposes of Australian privacy law, “personal information” is information or an opinion that identifies, or could reasonably identify, an individual. Key examples of personal information include names, addresses, telephone numbers, dates of birth, medical records, bank account details and opinions.

Implementing a properly drafted Privacy Policy ensures legal compliance with the Privacy Act and the APPs. A Privacy Policy also provides customers with increased confidence in how their personal information is or will be utilised and significantly reduces the likelihood of a privacy dispute arising.

According to the APPs, a Privacy Policy must detail important information including how personal information is or will be collected, utilised, disclosed (for example, as compelled by law), stored and altered (if it is discovered to be incorrect, outdated or otherwise inaccurate), and the customer’s rights to access his or her information once it has been collected.

Note that where the Privacy Act applies to a business, serious or repeated failure to introduce a Privacy Policy can result in fines of up to $1.7 million for companies and up to $340,000 for individuals.

The alternative to implementing a Privacy Policy is gaining the consent of every customer for the use of his or her personal information, which can be both cumbersome and difficult to prove where the consent that a business seeks to rely upon is implied.

Upon request, we can quickly draft a Privacy Policy that fulfils the legal requirements under the Privacy Act and APPs while ensuring it is tailored to your business. If you need advice feel free to contact our Business Law team by submitting an online inquiry, or calling us on (07) 5592 1921.