Your Business Responsibilities Under the Privacy Act
Written by Ted Ringrose, Partner of Law Firm Ringrose Siganto
Our last article looked at whether your business is covered by the Privacy Act, and the benefits of complying with the Act even if itʼs not. Now that youʼve decided to become privacy compliant, what are your next steps? We break down the initial steps you need to take.
What personal information do you hold?
Step one is to work out what personal information you hold. You must compile a list of each type of personal information you collect and hold about your customers.
The law says personal information is 'information about an identified individual or an individual who is reasonably identifiable'. This includes a customerʼs name, date of birth, Medicare number or ID photo – information that is able to uniquely identify that person.
Importantly, it also includes any information that can be ‘linked back to a specific personʼ when considered together with other available information you hold.
In practice, if you hold a customerʼs information in a combined record (e.g. Name, Date of Birth, Address, Contact Details, Membership Number, Billing Details, Payment Record, Health Records), then all the information in that record will be personal information.
Certain types of personal information are also explicitly recognised as personal information under the Privacy Act, such as health information.
As you can see, the definition of personal information is very broad. If youʼre looking for further clarification, the Office of the Australian Information Commissioner has provided a handy guide to personal information.
Your privacy policy will then need to set out:
- the types of personal information you collect and hold;
- how you collect that personal information;
- how that information is used (the purposes you require it for);
- whether and when you disclose personal information to third parties;
- how an individual may access or seek correction of their personal information.
Before you can state these things in your policy, you must have answered the questions. Examine your practices and procedures and write down the flow of personal information.
If your business collects personal information from many people, or collects sensitive information (e.g. health data), talk to a privacy professional as your compliance needs will be more complex.
Have a summary of Privacy Act obligations handy
If you have particular concerns, it might be worth digging into the more detailed APP Guidelines or talking to a professional.
Keep these handy so you can efficiently deal with any privacy issues.
Think about your customersʼ expectations and commit to openness and transparency
A guiding principle to assist with privacy compliance is to stick to what your customers would expect. Ask yourself: How would our customers expect us to deal with their information? How would I expect my information to be dealt with if I were a customer?
For example, if you run a health clinic, customers wouldnʼt expect you to on-sell their personal information to a personal injury law firm and, indeed, might be very upset if you do.
By considering these simple questions, you are much more likely to achieve day-to-day Privacy Act compliance.
Individuals also have rights to access and correct their personal information. So, if your customers request to see or change their personal information, you should help them to do so and not be unresponsive or obstructive.
Legal obligations aside, committing to being open and transparent about your use of personal information will help promote trust between you and your customers and enhance your reputation.
About the Author
Ted Ringrose is a Partner of Ringrose Siganto, a law firm specialising in privacy law. Ted read history and law at the University of Queensland and has a Master of Public Affairs from the University of Sydney. He specialises in privacy law and telecommunications law.
Note: This does not constitute legal advice and is for general information only.