In March 2014, the Privacy Amendment (Enhancing Privacy Protection) Act 2012 came into effect, making substantial changes to Australia's existing privacy law, the Privacy Act 1988 (the Privacy Act).
Privacy Act of Australia
The Privacy Act incorporates 13 Australian Privacy Principles (APPs) that dictate how personal information must be handled by covered organizations.
What is a covered organization as defined by the Australian Privacy Act? In general, a covered organization is any business with an annual turnover of more than AU$3 million.
Such companies are subject to the Privacy Act and its regulations. A business whose turnover is below that threshold may still be covered by one of the exceptions outlined in the Act (for example, private health service providers and businesses that trade in personal information are covered regardless of turnover).
A business that would otherwise not be covered can also choose to opt in to the Act, to assure its users that it is committed to privacy.
Many small businesses (including general website owners and independent mobile app developers) will not be covered by the Australian Privacy Act but may still find some benefit in voluntarily choosing to be covered.
Whether or not you are covered by the Act, you should consider implementing Privacy by Design techniques to improve your privacy practices and maintain high standards of compliance with the Act's Privacy Principles.
Through Privacy by Design, you build the protection of collected personal information into your systems from the start, rather than adding it afterwards, in order to comply with current data protection principles.
This can be achieved by improving your practices at every stage at which you handle personal data: collection, use (including data matching, targeted advertising, and analytics), disclosure to third parties, storage, and destruction. Use this information when drafting your legal agreement.
This matters: as mobile apps and Internet of Things (IoT) devices continue to grow in usage, regulation and scrutiny of data protection will also increase.
By implementing better techniques and paying attention to what personal information you collect and how you handle it, your business will be better placed to remain compliant.
Principles from the Privacy Act
If a business is covered by the Privacy Act and must adhere to the Australian Privacy Principles, it is considered a "covered entity" for the purposes of this guide (the Act itself uses the term "APP entity").
Each Principle covers a different aspect of privacy protection, some being more critical to day-to-day operations than others.
Privacy Principle 1
Principle 1 requires that entities (businesses, developers, etc.) managing any kind of collected personal information do so in an open and transparent manner.
This requires that the business take reasonable steps to implement practices, procedures and systems that ensure its compliance with the Australian Privacy Principles, and that it have a clearly expressed and up-to-date privacy policy.
The privacy policy must contain specific information, including the kinds of personal information collected, how the information is collected and held, the purposes for which it is used and disclosed, how an individual may access and correct their information, how an individual may complain about a breach of a Privacy Principle and how the complaint will be handled, and whether personal information is likely to be disclosed overseas (outside Australia).
The policy must be made available free of charge and in an appropriate form, so that users can easily find and read it.
Privacy Principle 2
Principle 2 states that covered entities must give individuals the option of not identifying themselves, or of using a pseudonym, when dealing with the entity in relation to a particular matter.
Exceptions exist, for example where the entity is required or authorized by law to deal only with identified individuals, or where it is impracticable to deal with an individual who has not identified themselves.
If you're developing a website or mobile app where users can create content, consider providing an anonymous or pseudonymous option.
Privacy Principle 3
Principle 3 governs how covered entities collect personal information.
For example, a covered entity must only collect personal information that is reasonably necessary for, or directly related to, one or more of its functions or activities.
If the information is sensitive (for example, health information), the covered entity must obtain the individual's consent first, unless an exception applies.
You may only collect personal information by lawful and fair means and, where reasonable and practicable, directly from the individual concerned.
For example, the Southern Payment Systems privacy policy states: "Southern Payment Systems does not sell or rent your or your customers' personal information to marketers or third parties."
Privacy Principle 4
Principle 4 lays out how entities must deal with unsolicited personal information, that is, information they receive without having asked for it.
Such information must be dealt with according to specific rules.
Within a reasonable period after receiving it, the covered entity must determine whether it could have collected the unsolicited personal information under Principle 3.
If it could not have been collected as outlined in Principle 3, the entity must destroy or de-identify the information as soon as practicable, provided it is lawful and reasonable to do so.
Privacy Principle 5
Principle 5 covers notification of the collection of personal information.
At or before the time of collection (or, if that is not practicable, as soon as practicable afterwards), a covered entity must take reasonable steps to notify individuals of certain matters, such as the fact and circumstances of the collection, the purposes for which the information is collected, and to whom it may be disclosed.
Privacy Principle 6
Principle 6 governs how a covered entity may use or disclose the personal information it holds.
Personal information collected for a particular purpose should not be used or disclosed for another purpose unless the individual has consented or an exception applies (for example, where the individual would reasonably expect the secondary use and it is related to the primary purpose of collection).
For example, one Issue Network privacy policy states: "We may disclose personally identifiable information to third parties whose practices are not covered by this privacy statement (e.g., other marketers, magazine publishers, retailers, participatory databases, and non-profit organizations) that want to market products or services to you. If an Issue Network site shares personally identifiable information, it will provide you with an opportunity to opt out or block such uses either at the point of submission of your personally identifiable information or prior to any such disclosure."
Privacy Principle 7
Principle 7 states that an organization must not use or disclose personal information for the purpose of direct marketing, subject to certain exceptions.
This Principle spells out the nuances of when and how personal information may be used for direct marketing, including the requirement to provide a simple means by which the individual can opt out.
Read it thoroughly before you attempt to use personal information for ads or targeted marketing.
Privacy Principle 8
Principle 8 requires that, before a covered entity discloses personal information to an overseas recipient (outside Australia), it take reasonable steps to ensure that the recipient does not breach the Australian Privacy Principles in relation to that information; subject to exceptions, the entity remains accountable for how the overseas recipient handles the information.
Privacy Principle 9
Principle 9 restricts the adoption, use, and disclosure of government related identifiers (such as tax file numbers or Medicare numbers); in particular, an organization must not adopt such an identifier as its own identifier of an individual unless an exception applies.
Privacy Principle 10
Principle 10 concerns the quality of personal information.
Specifically, the covered entity must take reasonable steps to ensure that the personal information it collects is accurate, up to date and complete, and that the information it uses or discloses is also relevant, having regard to the purpose of the use or disclosure.
Privacy Principle 11
Principle 11 details the security obligations covered entities must meet in order to remain in compliance.
Personal information must be protected from misuse, interference and loss, and from unauthorized access, modification or disclosure.
When the personal information is no longer needed for any purpose for which it may be used or disclosed under the Principles, and the entity is not required by law to retain it, the entity must take reasonable steps to destroy the information or ensure it is de-identified.
Privacy Principle 12
Principle 12 states that if a covered entity holds personal information about an individual, then on request it must give the individual access to that information.
Specific exceptions are laid out, for example where giving access would pose a serious threat to the life, health or safety of any individual, or would have an unreasonable impact on the privacy of other individuals.
Privacy Principle 13
Finally, Principle 13 covers the correction of personal information.
If a user notifies the covered entity that the information it holds about them is inaccurate, out of date, incomplete, irrelevant or misleading, or the covered entity discovers this through some other reasonable means, then the covered entity must take reasonable steps to correct the information.
If a user asks you to update their personal information (when they cannot do so themselves), you must update that information or, if you refuse, give them written reasons for the refusal and tell them how to complain.
Online businesses operating from Australia must make sure that they are complying with the Australian Privacy Act.
How to comply
It's important to maintain your compliance with Australia's Privacy Act.
Here's a quick checklist that might help you:
- Delegate a person to maintain and review your privacy safeguards and keep these practices up to date.
That person should develop and implement privacy practices and procedures that adhere to Australia's Privacy Act and Principles, and make sure that enquiries and complaints are dealt with in a timely fashion.
- Ensure third-party compliance: use contracts when dealing with other companies and parties that handle the personal information you collect.
- Meaningful consent should be obtained at the appropriate time and in an acceptable manner.
- Have a way of presenting notices and obtaining consent on small screens, if your business also operates a mobile app (iOS, Android, Windows).
- Provide notice and get consent at the point of download, in the case of apps.
- Explain to users how their personal information is handled and used at multiple points in your website or mobile app, so that their consent is meaningful.
- Only collect what's actually needed for your website/mobile app to operate.
- Don't mine for data or collect information that might be useful at some future point but isn't needed now.
- Allow users to opt-out of their personal information being collected, if possible.
- Secure the information you get from users.
- Delete data when it's no longer needed for its purpose.
- Establish appropriate safeguards that will protect the collected personal information.
- Use encryption when storing or transferring any data.
But what is personal information as defined by Australia's Privacy Act?
By law, it is any information or opinion about an identified individual, or an individual who is reasonably identifiable, whether or not the information or opinion is true and whether or not it is recorded in a material form. Examples include:
- a person's name
- phone number
- medical records
- employment information
- bank account information
- IP addresses
Mobile applications add further examples:
- unique identifiers
- contact lists
- location information (geolocation)
- any facial or voice recognition
- biometrics data
All these examples could be used to reasonably identify a person.
- First stage: collection of information.
In your agreement, detail what personal information you collect and how you collect it, the reasons for which you keep that information, and whether that information is disclosed to parties outside Australia.
This information is key to fulfilling certain Australian Privacy Principles such as #1, #12 and #13.
- Second stage: what matters to a user.
Include descriptions of how the information is disclosed and whether it is disclosed overseas (outside Australia).
Also include a section on each individual's rights, in particular how individuals may access or correct their personal information and how they can make complaints or ask questions.
Consider these tips as well:
- The page where your agreement is posted should include headings to help readers find information more easily.
- Consider how your audience will be accessing the page.
Agreements not related to personal information should have their own separate pages, e.g. Terms and Conditions, Cookies Policy.
You're required to make this agreement freely available and in an appropriate form (such as within the mobile application itself).
An additional requirement is that the agreement be made reasonably available in whatever form it is requested in; if your website or mobile app has users with disabilities, take this into account.
The agreement should be regularly reviewed and updated to reflect the nature of your business and how your business model evolves.
Here are a few examples of different AU business websites and their Privacy Policies that demonstrate Privacy Act 1988 compliance of both the website and business practices.
A very common way for businesses in Australia to open their Privacy Policies is with an introduction that lets the reader know the business complies with the Privacy Act or the 13 Principles.
This embodies the idea of the Privacy Act and Principles: that personal information may only be collected in certain ways and must then be stored and protected to a high standard.
The Computershare Australia website has nine different Privacy Policies that cover a range of different areas of the company.
Computershare states that it is "required to comply with the Australian Privacy Principles contained in the Privacy Act 1988." This differs from the phrasing of the previous two examples in that it explicitly states that the business is "required to comply" with the Act.
National Diabetes Service Scheme of Australia
The National Diabetes Service Scheme of Australia takes an approach with their introduction that's somewhere in the middle of the previous examples.
Dividing this kind of legal agreement into sections that match up with the requirements of the 13 Privacy Principles is an easy way to organize your agreement and make sure you stay compliant.
Computershare Australia takes the approach of combining multiple sections into one. Their first section after the introduction - Information Collection, Use and Disclosure - deals with all three topics. Users can find information here on what information is collected, how this information is used, and in what circumstances and how this information is disclosed to third parties.
Both approaches work fine, so long as the required information is there for users to access.
The NDSS website takes a third approach and divides each topic into smaller sections. There's a separate section for Security of your information, Use of your information, and Disclosure of your information. This breakdown makes it easy for a user to find a specific section and its information quickly.
Energy Australia puts its main privacy points in question format and makes sure to cover all the bases of compliance, including how a user can access and correct personal information, as seen below.
There's flexibility in the format of your legal pages.
The other guides: for the United States, for Europe, or for Canada.