Contents
What Is A Privacy Collection Notice?
If your business collects information from clients or customers for a specific purpose, you may need a Privacy Collection Notice.
A Privacy Collection Notice is a notice given to individuals that provides a short summary of the data being collected and the purposes for which it is being collected.
It can sometimes be confusing to know when you need a Privacy Collection Notice, a Privacy Policy or both. So, we’ll break it down for you.
When Do You Need A Privacy Collection Notice?
Like a Privacy Policy, a Privacy Collection Notice is not strictly necessary for businesses with less than $3 million annual turnover or businesses that do not fall into one of the exceptions.
The exceptions include if you provide a health service and hold health information (other than in employee records), or if you ‘trade in personal information’ and run an organisation that discloses personal information about another individual for a benefit, service or advantage.
If you fall into one of exceptions, you are considered an APP Entity and the Australian Privacy Principles (APPs) apply to you. There are also some circumstances where businesses opt-in to the government’s privacy guidelines, so that they can call themselves a ‘privacy compliant’ organisation, and are therefore also required to comply with the APPs as an APP Entity.
Even if you are not strictly covered by the Privacy Act, it’s good practice for small businesses to have strong privacy practices to build trust and confidence with customers, and to ready themselves for future compliance if they grow beyond the $3 million revenue mark.
Why Do You Need A Privacy Collection Notice If You Have A Privacy Policy?
In order to comply with the APPs as an APP Entity, you’ll need a Privacy Policy. We’ve written more about Privacy Policies here and Health Service Provider Privacy Policies here.
A Privacy Policy is effectively an ongoing announcement stating that the business is collecting and using data, and details exactly how it is doing so.
The main difference between a Privacy Policy and a Privacy Collection Notice is that a Privacy Collection Notice outlines how an organisation handles personal information collected for a specific purpose, and is to be provided at the time of collection. A Privacy Policy on the other hand, sets out information about all of your organisation’s privacy practices.
As a result, you’ll often need to have a Privacy Policy and a Collection Notice for your organisation in order to be compliant with the Privacy Act.
For example, if you are a medical clinic collecting people’s health information via a form in order to conduct a test, you should include a Privacy Collection Notice on the form, at the time of collection. In addition, you may reference to your full Privacy Policy on the form, which sets out your overarching privacy management practices in respect of information you collect.
What’s In A Privacy Collection Notice?
If you’re wondering what sorts of information can be in a Privacy Collection Notice, here’s a breakdown of what’s usually included:
- The entity’s identity and contact details: This could include the details of a contact who handles enquiries and requests relating to the Privacy Act. In this case, you could also have a generic company email for handling privacy matters.
- Facts and circumstances of collection: This includes how, when and from where the personal information was collected. This is particularly important (and a requirement) when the information has been collected from a third party, like a marketing agency, for example.
- If collection is required or authorised by law: There are certain circumstances in which specific laws and regulations mandate the collection of information. If this is the case, then the relevant law should be stated.
- Purposes of collection: It is important to be transparent about your purpose for collecting information. Your Privacy Collection Notice should include the specific function or reason for which the personal information is being collected
- Consequences for individuals if personal information is not collected: This should disclose any significant consequences (that aren’t reasonably obvious) that could occur if you do not collect the information. An example of this would be an application for a licence or benefit, which you may not be able to fully grant if the customer doesn’t provide their personal information.
- Other APP entities, bodies or persons to which the personal information is usually disclosed: If you’re disclosing the information on a regular basis to another APP entity, the entity should be named.
- Information about access and correction in the APP entity’s APP Privacy Policy: This will disclose how individuals can access and seek correction of the personal information that’s being held.
- Likely cross-border disclosures of the personal information: This should disclose whether the information will be given to overseas recipients, and if so, in which countries they’d likely be located.
Once you have a Privacy Collection Notice, there is no specific place where it has to be displayed or delivered. You simply have to show that reasonable steps were taken to notify the individual or ensure their awareness of the Privacy Collection Notice.
Get In Touch
Navigating the APPs and your company’s compliance can be a difficult process. At Sprintlaw, we have a team of experienced lawyers that can assist you with drafting or reviewing Privacy Collection Notices.
Get in contact with one of our consultants for a free, no-obligations chat about how we can help with a Privacy Collection Notice and any other legal issues your business may have.
Get in touch now!
We'll get back to you within 1 business day.
Top 3 Legal Mistakes
Book in a free consultation with us to discuss your legal needs.