As a small business owner, it is vital that you and your business comply with Australian privacy laws. The main thing you need to be aware of is the Australian Privacy Principles, which are 13 points that make up the centre of our privacy framework.
Understanding the Australian Privacy Principles can be a bit tricky so we’ve put together a simple guide for you and your business.
Read on to learn more.
Does Your Business Come Under The Privacy Act 1988 (Cth)?
First, you must determine whether your business comes under the Privacy Act 1988 (Cth) (Privacy Act).
Not all small businesses come under the Privacy Act, but some do.
The Office of the Australian Information Commissioner (OAIC) defines a small business that must comply with the Privacy Act as any business that has an annual turnover of $3 million or more.
For the purposes of the Privacy Act, an annual turnover includes:
- All income from all sources.
An annual turnover does not include:
- Assets held
- Capital gains or
- Capital sales
Further, the OAIC outlines that regardless of turnover, the Privacy Act covers any business that is:
- A health service provider
- Trading in personal information
- A contractor that provides services under a Commonwealth contract
- Operating a residential tenancy database
- A credit reporting body
- A reporting entity for the purposes of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth)
- Employee associations registered or recognised under the Fair Work (Registered Organisations) Act 2009 (Cth)
- A business that conducts protected action ballots
- A business accredited under the Consumer Data Right system
- A business that is related to a business that the Privacy Act covers
- A business prescribed by the Privacy Regulation 2013
- A business that has opted in to be covered by the Privacy Act
The OAIC has a privacy checklist for small businesses. It contains 15 questions to determine whether your business comes under the Privacy Act, and is available on the OAIC website.
If the Privacy Act does in fact cover your business, it is important to understand your obligations under the Australian Privacy Principles.
Complying With The Australian Privacy Principles
If your business is covered under the Privacy Act, there are 13 Australian Privacy Principles (APPs) that your business will have to comply with.
It is important to understand each APP to ensure that your business is compliant.
Let’s consider each APP in turn to best understand your business’ obligations.
APP 1: Open and Transparent Management of Personal Information
Your business must manage all personal information in an open and transparent way.
Personal information can be defined as information or an opinion about an identified or reasonably identifiable individual.
Information is still personal whether or not it is true. Equally, it remains personal information whether it is recorded in a material form or not.
Ensuring open and transparent management of personal information can be achieved by having clear procedures when encountering personal information.
APP 2: Anonymity and Pseudonymity
Your business must give individuals the option of not identifying themselves or using a pseudonym.
A pseudonym can be understood to be a name, term or description that is different to an individual’s real name.
There are however exceptions to this APP.
For example, you do not have to give individuals the option of not identifying themselves or using a pseudonym if:
- Your business is otherwise required by Australian Law to have the individual identify themselves or
- It is impractical for your business to deal with an anonymous individual or an individual using a pseudonym.
APP 3: Collection of Solicited Personal Information
This APP outlines when it is appropriate for your business to collect personal information.
Solicited personal information is where your business requests personal information.
For example, if, in the course of business, you require an individual’s response containing their personal information, this would be considered ‘solicited personal information’.
Your business may collect solicited personal information, provided it does so by lawful and fair means and the information is reasonably necessary for your business’ activities.
Caution should however be taken when collecting sensitive information. Sensitive information includes:
- Health information
- Racial or ethnic origin
- Sexual orientation
- Criminal record
- Political opinion
- Religious beliefs
When collecting sensitive information, it is important to ensure that the individual consents to providing that information.
APP 4: Dealing With Unsolicited Personal Information
Unsolicited personal information is where you receive or collect an individual’s personal information without having taken any action to receive that information.
For example, you could receive a forwarded email chain containing the personal information of somebody other than your client.
When you receive unsolicited personal information, you have two options:
- Determine whether the information could have been collected as ‘solicited personal information’ under APP 3, or whether the information is a Commonwealth record
- Destroy or de-identify the personal information as soon as practicable, if it is lawful and reasonable to do so
  - In the above example, this could be done by removing the email chain from your email servers
APP 5: Notification of the Collection of Personal Information
When your business collects an individual’s personal information, you must take reasonable steps to let that individual know about a few things, including:
- Your business’ details, including contact details
- Why you have collected their personal information
- Whether the individual’s personal information is likely to be disclosed to overseas recipients
APP 6: Use or Disclosure of Personal Information
When your business collects personal information, it is expected that you only use that personal information in ways that the individuals would expect.
When personal information is collected, it is usually collected for a ‘primary purpose’ (or a particular purpose) — for example, collecting a client’s financial details for a particular transaction.
Your business can only use or disclose personal information for another purpose, also known as a ‘secondary purpose’, if an exception applies:
- The individual consented to secondary use or disclosure
- The individual would reasonably expect secondary use or disclosure
- Secondary use or disclosure is required or authorised under law
APP 7: Direct Marketing
Direct marketing is where your business uses an individual’s personal information to directly promote goods and services.
Generally, your business cannot use personal information for the purpose of direct marketing.
However, an exception does apply:
- If the individual, when providing their personal information, would expect their personal information to be used for direct marketing purposes.
Even if the above exception applies to your business, it is important to be aware of the following:
- You must allow an individual to ‘opt out’ or ‘unsubscribe’ from your business’ direct marketing communication and
- You must comply with that individual’s request to opt out or unsubscribe.
APP 8: Cross-Border Disclosure of Personal Information
If your business engages with overseas businesses or overseas contractors, it is vital that you take all reasonable steps to ensure that an overseas recipient of personal information does not breach the APPs.
For example, if you engage an overseas business to run your marketing campaigns, it is your responsibility to ensure that they comply with APP 7.
In the instance that an overseas recipient of personal information breaches the APPs, your business will be held accountable for the breach.
APP 9: Adoption, Use or Disclosure of Government Related Identifiers
APP 9 restricts the adoption, use and disclosure of government related identifiers, unless exceptions apply.
Examples of a government related identifier include a:
- Passport number
- Medicare number
- Driver’s licence number
- Centrelink reference number
Exceptions apply, for example:
- If using a government related identifier is necessary to identify the individual for your business’ activities or functions or
- If adopting a government related identifier of an individual is required or authorised under Australian law
APP 10: Quality of Personal Information
Your business must take all necessary steps to ensure that the personal information it collects is accurate, up-to-date and complete.
Ensuring that all personal information your business collects and holds is accurate, up-to-date and complete will secure customers’ trust and confidence in your business.
Here are some reasonable steps your business can take to ensure the personal information you’re holding is accurate, up-to-date and complete:
- Remind individuals to update their personal information each time they engage with your business
- Contact individuals to ensure their personal information is up-to-date
- Consistently monitor and update existing records to reflect accurate, up-to-date and complete personal information
APP 11: Security of Personal Information
It is your business’ responsibility to take reasonable steps to protect the personal information that it holds. This means making sure that the personal information your business collects is not misused, interfered with or lost.
Your business must actively destroy personal information when it is no longer required (except if you’re required by law to retain personal information).
Reasonable steps to ensure that the personal information your business holds is secure include:
- Updating both your physical and technological security
- Monitoring for data breaches
- Ensuring up-to-date practices, procedures and systems
- Implementing and ensuring effective training, culture and governance
- Maintaining high security standards in all business activities
APP 12: Access to Personal Information
If your business holds personal information about an individual and that individual requests that information, you are generally required to provide them with access to their personal information.
When granting access, you must verify the identity of the individual requesting it. You must ensure that access is granted only to the individual the information is about, or to an authorised person such as a legal guardian.
There are, however, a few situations in which you can refuse an individual’s access to personal information. This includes cases where:
- Giving access would unreasonably impact another individual’s privacy
- Giving access would be unlawful
- You reasonably believe that providing access would pose a serious threat to the health or safety of the public or of any individual
APP 13: Correction of Personal Information
Your business is required to correct personal information to ensure that it is accurate, up-to-date, complete, relevant and not misleading.
This may occur when:
- Your business takes the initiative to correct personal information that it holds
- An individual requests that a correction be made to their personal information
It is important that you take all reasonable steps to ensure that the personal information held by your business is accurate, up-to-date, complete, relevant and not misleading.
Need More Help?
The APPs can seem like a lot to get your head around. But it’s vital that your business complies with them.
The above guide is a great start to understanding your business’ obligations under the APPs. However, if you are concerned about your business’ relationship with the APPs, it may be a good idea to speak with a lawyer.
If you need any more help, reach out to our team for a free, no-obligation chat on 1800 730 617.