The Privacy Act 1988 (Cth) ('Privacy Act') requires a business to have a privacy policy in place if that business is an Australian Privacy Principles entity ('APP entity').

What is a privacy policy?

A privacy policy is a document that sets out how a business collects, holds, uses, and discloses personal information.

Personal information is information that identifies a person, irrespective of whether the information is true or not. This information can include a person's name, physical or email address, photograph, telephone number, or their payment details.

There are several ways that a business can collect personal information. The collection of personal information can take place through online or physical forms, or customer databases (such as a phonebook). It is important to note that personal information can include the data collected from individuals who access a business' website.

What is an APP entity?

An APP entity is defined within the Privacy Act as being a business that needs to comply with the Australian Privacy Principles ('APP').

The scope of these businesses includes:

  • Commonwealth government agencies;
  • organisations with an annual turnover of more than $3 million (which includes not-for-profits, companies, sole traders, and partnerships); and
  • certain small business operators (such as health service providers and credit reporting entities).

If an entity falls into one of the above categories, it would be considered an APP entity and is required to have an up-to-date privacy policy.

It should be noted that even if your business does not fall within these categories, it is sensible to have a privacy policy in place, as it ensures that your entity is meeting commercial and community expectations regarding the way the entity treats personal information.

What should be included in a privacy policy?

The Australian Privacy Principles require that a privacy policy must, at a minimum, contain information covering:

  • the type(s) of personal information that the entity collects and holds;
  • how the entity collects and holds personal information;
  • the purposes for any collection, holding, use and disclosure of personal information;
  • how an individual may access the personal information, and how to correct any information held;
  • how an individual can complain about a breach of the APP and how the entity will deal with such a complaint;
  • whether the entity is likely to disclose personal information to overseas recipients; and
  • if it is likely to disclose personal information to overseas recipients, the names of those countries.

It is important that businesses consider where the personal information will be held and whether it will be stored or used in any overseas jurisdictions.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.