Does your company need a privacy policy? – Data protection


The Privacy Act 1988 (Cth) (‘Privacy Act’) requires a company to have a privacy policy in place if that company is an Australian Privacy Principles entity (‘APP entity’).

What is the privacy policy?

A privacy policy is a document that sets out how a company collects, holds, uses and discloses personal information.

Personal information is information that identifies a person, regardless of whether the information is true or not. This information may include a person’s name, physical or email address, photo, phone number, or payment information.

There are several ways a company can collect personal information. The collection of personal information may take place through online or physical forms or user databases (such as a directory). It is important to note that personal information may include information collected from individuals who access a company’s website.

What is an APP entity?

An APP entity is defined in the Privacy Act as an entity that must comply with the Australian Privacy Principles (‘APP’).

APP entities include:

  • Commonwealth Government Agencies;

  • organisations with an annual turnover of more than $3 million (which includes not-for-profit organisations, companies, sole traders and partnerships); and

  • certain small business entities (such as health care providers and credit reporting entities).

If an entity falls into one of the above categories, it is an APP entity and is required to have an up-to-date privacy policy.

It should be noted that even if your business does not fall into these categories, it is sensible to have a privacy policy as it ensures that your entity meets commercial and community expectations regarding how the entity handles personal information.

What should be included in the privacy policy?

The Australian Privacy Principles require that a privacy policy must contain, as a minimum, information covering:

  • the kinds of personal information the entity collects and holds;

  • how the entity collects and holds personal information;

  • the purposes for which the entity collects, holds, uses and discloses personal information;

  • how an individual can access the personal information the entity holds about them and how they can seek correction of it;

  • how an individual can complain about a breach of the APP and how the entity will handle such a complaint;

  • whether the entity is likely to disclose personal information to overseas recipients; and

  • if so, the countries in which those recipients are likely to be located.

It is therefore important for companies to consider where personal information will be stored and whether it will be stored or used in foreign jurisdictions.

The content of this article is intended to provide a general guide to the subject. Expert advice should be sought regarding your specific circumstances.
