Your Business Responsibilities Under the Privacy Act
Written by Ted Ringrose, Partner of Law Firm Ringrose Siganto
Our last article looked at whether your business is covered by the Privacy Act, and the benefits of complying with the Act even if itʼs not. Now that youʼve decided to become privacy compliant, what are your next steps? We break down the initial steps you need to take.
What personal information do you hold?
Step one is to work out what personal information you hold. You must compile a list of each type of personal information you collect and hold about your customers.
The law says personal information is 'information about an identified individual or an individual who is reasonably identifiable'. This includes a customerʼs name, date of birth, Medicare number or ID photo – information that on its own identifies that person.
Importantly, it also includes any information that can be 'linked back to a specific person' when considered together with other information you hold or can reasonably obtain.
In practice, if you hold a customerʼs information in a combined record (e.g. Name, Date of Birth, Address, Contact Details, Membership Number, Billing Details, Payment Record, Health Records), then all the information in that record will be personal information.
Certain types of personal information, such as health information, are also explicitly recognised under the Privacy Act as sensitive information, which attracts stricter handling requirements.
As you can see, the definition of personal information is very broad. If youʼre looking for further clarification, the Office of the Australian Information Commissioner has provided a handy guide to personal information.
Creating a privacy policy
Now that you know what types of personal information you hold, the next step is to create a privacy policy. In it, you will have to state:
- the types of personal information you collect and hold;
- how you collect that personal information;
- how that information is used (the purposes you require it for);
- whether and when you disclose personal information to third parties;
- how an individual may access or seek correction of their personal information.
Before you can state these things in your policy, you need to have answered those questions yourself. Examine your practices and procedures and write down how personal information flows through your business, from collection to use, disclosure and disposal.
To help you, the Information Commissioner has provided a guide to drafting privacy policies.
You will also find Australian privacy policy templates online. These might suit businesses which only handle a small amount of personal information.
If your business collects personal information from many people, or collects sensitive information (e.g. health data), talk to a privacy professional as your compliance needs will be more complex.
Stick to your privacy policy commitments
The Privacy Act is designed to enable your customers to make an informed choice about how to manage their personal information, based on what you told them in your privacy policy.
That means itʼs important to stick to what you have committed to in your privacy policy.
If you state that you only collect customersʼ personal information for the purpose of managing their membership or appointments, then you shouldnʼt transfer or sell their information to others without first (as an absolute minimum) reflecting this in your privacy policy.
Have a summary of Privacy Act obligations handy
A privacy policy is just part of the picture. There are 13 Australian Privacy Principles ('APPs') in the Privacy Act which set out how organisations must collect, hold, use and disclose personal information.
Keep a summary of the APPs handy so you can deal with any privacy issue efficiently.
If you have particular concerns, it may be worth digging into the more detailed APP Guidelines or talking to a professional.
Think about your customersʼ expectations and commit to openness and transparency
A guiding principle to assist with privacy compliance is to stick to what your customers would expect. Ask yourself: How would our customers expect us to deal with their information? How would I expect my information to be dealt with if I were a customer?
For example, if you run a health clinic, customers wouldnʼt expect you to on-sell their personal information to a personal injury law firm and, indeed, might be very upset if you did.
By considering these simple questions, you are much more likely to achieve day-to-day Privacy Act compliance.
Individuals also have rights to access and correct their personal information. So, if your customers request to see or change their personal information, you should help them to do so and not be unresponsive or obstructive.
Legal obligations aside, committing to being open and transparent about your use of personal information will help promote trust between you and your customers and enhance your reputation.
About the Author
Ted Ringrose is a Partner of Ringrose Siganto, a law firm specialising in privacy law. Ted read history and law at the University of Queensland and has a Master of Public Affairs from the University of Sydney. He specialises in privacy law and telecommunications law.
---
Note: This does not constitute legal advice and is for general information only.