Last updated on 21 December 2020 by Jocelyn Mackie (Former civil litigation attorney. Content legal strategist at TermsFeed)
If your business is registered in Australia or you plan to expand your website or app to the Australian market, you must comply with the Privacy Act of 1988.
Even the possibility of doing business in Australia requires that you are familiar with this act. If your e-commerce store offers international shipping, including to Australia, implementing the privacy guidelines from this act will prove helpful.
This review discusses the original act and the 2014 updates. Here's how you can comply with the privacy principles of this act and protect your company from liability and customer mistrust.
The Privacy Act was originally enacted in 1988 due to concerns about the availability of records to unauthorized individuals. It underwent changes in 2000 and 2014 with the latest changes addressing privacy concerns in online transactions.
This is how the act evolved.
The original version of the Privacy Act was limited to state agencies or companies that contracted with government offices. It expanded to include private companies in 2000, and its principles applied to them regardless of their government contract status.
The Privacy Act defines personal information as facts or opinions about an individual that make the identity of that individual apparent or reasonably ascertainable.
Generally, this would include names, addresses, numerical identifiers, birth dates, bank account details, telephone numbers, email addresses, and even rumors or gossip about a person's private life.
Ethnic identity, sexual orientation, gender, trade information, education, and other personal facts are considered sensitive information that falls under similar protection.
The 1988 version of the Privacy Act was the beginning of enacting privacy principles. Before, there was no guarantee of privacy in Australia.
Called the "Information Privacy Principles" or IPPs, there were 11 guidelines for handling information. They addressed the following topics:
In 1988, the focus was on paper records since there were no cloud drives or massive data exchange that year as there is now. Needless to say, the digital revolution required privacy reforms.
The first change in these updates concerned which organizations are covered. While the updates in 2000 changed the law so it applied to private companies, the latest developments expanded that net further.
Covered entities now include any company of any size with a gross income of AUD $3M.
Companies may fall under the duties of the Act even if they do not meet the revenue standard. These exceptions include:
The other change to the law included expanding the 11 IPPs to 13 Australian Privacy Principles or APPs. These prove handy for guiding your entity to compliance. While the 13 new principles are similar to the original 11, they do a better job of taking the digital age into account.
If your business or organization implemented a Privacy by Design approach, you are already ahead with meeting these 13 principles.
However, if you are still considering making internal changes compatible with Privacy by Design, carefully review these principles if any part of your business occurs in Australia.
You are required to be open and transparent with your users about the information you collect and how you use it. Explain clearly how you collect information, the purpose of collection, how you use it, how your user can correct any information, and any possible overseas disclosures.
However, entities that handle immense amounts of personal information also offer a privacy FAQ.
St. George Bank no doubt handles personal information as it is one of the largest banks in Australia. If you visit its page on privacy, it lays out all these terms very clearly in an easy-to-read FAQ format:
When you click on the question on kinds of information they collect and hold, you find a very clear answer using layperson terms:
It starts out plainly stating that it is bound by the Privacy Act of 1988:
Individuals may wish to use a service under an alias or anonymous identity.
As an online service (website or mobile app), you are required to provide this option unless it is impractical for you.
Obviously, a banking or insurance service cannot cater to anonymous or pseudo-anonymous identities. For some services, this is less essential.
While it does not appear any of them are based in Australia or actively pursuing business there, anonymous social media apps are popular. Users can post rants with unpopular opinions, share lustful fantasies, and even discuss their deepest secrets.
If you are looking at developing one of these apps, you may wish for personal information for targeted marketing or account maintenance. However, it may not necessarily be impractical if you bypass collecting it. In these cases, you likely want to provide the option for a user to remain anonymous or offer a pseudonym.
This principle addresses the collection and sharing of information. While you may have already been open and transparent about your policies, this addresses what you're allowed to do as opposed to how you communicate it.
If you have the consent of the user to collect personal or sensitive information, that is always authorized. That's why if you are in doubt of whether you can collect information, you should attempt to secure consent first.
However, there are circumstances where you can collect information automatically.
First, be aware that you can only solicit information that's necessary for the transaction.
For example, asking a user about sexual orientation is not relevant when you are securing car insurance for them. However, date of birth, name, where they live, and types of cars they own are necessary information for an insurance policy.
Second, the transparency requirement in the first principle also applies to this one.
It also includes any information collected from third parties, including their identities:
This becomes necessary since insurance companies frequently have to confirm information given to them. However, as this is explained to users before they get involved with IAG, once again, they know what to expect with their personal information being handled.
Sometimes, a security breach or user error results in personal information you do not need being disclosed to you. You did not ask for it or solicit it, but there are still responsibilities when you face this outcome. That is why you need an in-house process that deals with unsolicited personal information.
Your first step is to determine if receiving the information was appropriate under Australian Privacy Principle 3. If that is the case, you can retain it.
However, if it is not appropriate for you to keep this information, then determine if it could be found in a Commonwealth record. Arrest records and pending civil lawsuits, for example, are public record, so you could conceivably find those facts in them if you looked. That would also be a lawful collection under Australian Privacy Principle 3.
If the information does not fall under either of these considerations, then you need to destroy it or unlink the individual's identity from it. You will not be permitted to retain it.
Under this principle, you must take reasonable steps to notify users of certain matters. These include:
This email notification from Medium would also satisfy Australian Privacy Principle 5:
The act allows for the disclosure and use of personal information if that will satisfy the primary purpose for its collection.
You are not allowed to disclose or use information for curiosity's sake or for other purposes not connected to your business goals.
If there is a secondary purpose for use or disclosure, you must meet one of the exceptions. Most are connected to civil lawsuits or criminal activity and since you will normally receive a court order in these instances, you will likely understand your need to disclose.
In other cases, you need the consent of the user or at least to set up a reasonable expectation that their information would be disclosed in this manner. Health situations, like sharing records between doctors, would be an example of the latter.
Disclosure of information for direct marketing is generally not allowed. You can do so if you have consent through an opt-in procedure. However, you also need to offer users a choice to opt out.
Notice that while it is clear that data will be disclosed, it also provides the opt-out procedure. A user also can email them and request removal from these lists. Under Australian Privacy Principle 7, Lowes must comply with that request in a timely manner.
Overseas disclosures become tricky because the Privacy Act will no longer apply. While other countries have their own privacy laws, many Australian citizens will not be reassured by them. Therefore, you must follow the principles even as you disclose information to your overseas partners.
Lowe's also embraces this step but does not name particular partner countries:
Be aware if you disclose information overseas, your company will be responsible for any privacy breaches by your partner company.
You want to choose your foreign partners and vendors very carefully if you plan to disclose user personal information to them.
This is not an Australian Privacy Principle that will come up frequently.
The Australian Privacy Principle 9 restricts the use of government identifiers and includes a number, letter, symbol or any combination of those things to identify an individual. These are assigned by an agency, state or territorial authority, or contracted service provider of an agency or authority.
Since users are unlikely to be aware of or disclose these to you, there is only a small chance you will come across this situation.
Since personal information can include opinions, it's important that you keep it updated and if notified of errors, correct it. You should take precautions to only collect accurate information in the first place but also take the additional step of allowing users to correct their personal information.
Officeworks takes a more detailed approach. It offers contact information for users who want to view the personal information they hold as well as make corrections:
If you make decisions based on inaccurate information, you can face liability. You want to ensure accuracy when it is within your control but also make corrections quickly when you are notified of errors.
The Privacy by Design trend plays an important role with this Australian Privacy Principle. Not only do you need to have clear policies regarding personal information but you must take precautions with it.
Privacy by Design dictates that you consider privacy at the beginning of development and remain aware of it as you provide your product or service. Australian Privacy Principle 11 advances that mindset indirectly by requiring that you take steps to protect data from interference, loss, and misuse.
Authentication, meaning a login screen with a username and password, is one way to control access. If you are dealing with very sensitive information, like providing banking notices to customers, you may wish to use encryption.
In most cases, providing a login and authentication is sufficient.
You can find these methods employed frequently with banks and retail outlets. Lowe's Menswear, for example, has a quick login for frequent customers who wish to keep their information protected:
Unless you have a compelling reason, you must allow users to access their own personal information.
The only exceptions to this rule include government secrets and protected documents. Since as a website or app you are unlikely to trade in this type of information, you can assume that requests submitted by users to see their own personal data are valid.
This is similar to Australian Privacy Principle 10 which requires that the personal information you collect on users is accurate and up to date.
Australian Privacy Principle 13 takes this idea one step further and requires that you have a process for fixing errors when you are notified of them or discover them.
As shown in the examples under Australian Privacy Principle 10, Privacy Policies promise users accurate accounts and immediate correction when errors are discovered. You will need an in-house process for addressing these situations, especially when the error involves an opinion about another person.
Also, if you do business with other companies that must comply with the Privacy Act, you will need to inform them of the changes in the information.
Not only must you keep your own records accurate but any third parties that have access to the information must be informed of the changes.
The Australian Privacy Principles listed above create a checklist for your privacy protection procedures.
In addition to following them, there are best practices to follow as you navigate the Privacy Act of 1988 and ensure your company's compliance with it.
When you collect more personal information than necessary to run your website or app, you risk exposing yourself to unnecessary liability. This is based on the simple formula that the more private information you collect, the more difficult it is to keep it safe.
That is why when you design the app you need to realistically assess what is needed to help it operate. The same is true for an ecommerce site or another online service.
When you add features or upgrade, reassess the need for information.
If you require more data from users, you will need to update your agreements and policies. However, if your changes lead you to require less information, that will likely make your business practices legal.
Facebook, while a US-based company, does a good job at this in its Data Policy page:
St. George, the bank used as an example, did this very well. Its pages are easy to navigate and the language is clear. Any customer could visit this page and secure answers to their questions. If they could not find an answer, contact information was easily accessible too.
Taking a similar approach helps with transparency by making your policies regarding collection, creation, retention, and disclosure of personal data very clear.
Consent overrules many restrictions under the Privacy Act and the Privacy Principles.
If you feel a disclosure is necessary or wish to pursue a unique marketing campaign that uses personal information, ask the customer first.
While most of these efforts are covered by the principles, the area of Internet marketing is changing quickly with new options. That can make it difficult to determine whether a new practice is appropriate under the law. In those cases, ask first with a new opt-in/opt-out request.
Your company will have to assess information constantly. As mentioned, you'll need to determine if you are collecting just enough to provide your service. In addition, you also have to monitor it for accuracy and make corrections when errors come to your attention.
The best way to manage this system is to limit it to one department or employee whose main job is assessing information.
You always need to be aware of when your information needs change and keep up with those developments. That will help you remain compliant.
If you need to disclose personal information to third parties, only partner with those who are also held to the Privacy Act. When you reach out overseas, find companies that operate in jurisdictions with privacy laws.
The U.S., Canada, the U.K., and E.U. members are safe bets. If you have a new partner in an unfamiliar location, have your legal department assess the privacy laws first.
Whether it is questions about your information practices or requests for corrections, you need to be accessible to your users.
Create separate email addresses if needed but provide a way for people to get a hold of you when they have questions.
Here's how the Bureau of Meteorology is displaying its contact information on its Privacy Notice page:
While many companies state that they are willing to assist users with questions, they do not always provide clear contact information. Support better goodwill and compliance by keeping contact information visible.
Checking your data protection measures frequently helps users trust you and keeps you in compliance with the principles. If you have specialists in this area, you can perform these audits in-house. However, it is often recommended that you hire an IT security consultant since they can often find shortcomings that you might miss.
The Privacy Act provides a good checklist with its principles. If you follow them plus apply these general good practices, you are likely to stay in compliance with the Privacy Act and reassure users that their personal data is safe with you.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.