– by James D. Ford, GAICD of Blue Ocean Law Group (iubenda Legal Network partner in Australia + New Zealand), Sydney, Australia.
Privacy policies are legally required under most countries’ legislations including Australia (subject to some exceptions which we will discuss below).
Firstly, your law(s) of reference determine which rules you’re subject to. Simply put, the laws of a particular region [for example, the EU GDPR] can apply to you in addition to local Australian law even if you don’t live, or run your business there.
In general, the laws of a particular region can apply if:
So to be clear, this basically means that regional regulations may apply to you and/or your business whether you’re located in the region or not.
Be on the safe side, ensure you comply with the strictest regulations.
For that reason, it’s always advisable that you approach your data processing activities with the strictest applicable regulations in mind. You can read more about which privacy laws apply to you here.
Regardless of whether legal obligations apply, all customers/clients today fully expect their personal data will be respected and protected. Any breach, aside from potentially leading to legal consequences, will directly impact business reputation, and ultimately could cause a small business to shut-down due to public loss of confidence.
The Act and Australian Privacy Principles (‘APPs’) govern the collection, storage, use and disclosure of Personal Information.
Australian businesses are bound by the Privacy Act 1988 if:
The additional “second set” of criteria mean that every business regardless of turnover may be caught if they sell or purchase Personal Information or handle specific categories of Personal Information, such as TFN (Tax File Numbers, Health + Medical Data, etc.)
Small business operators generally are exempt from the act unless one of the above-mentioned points apply. If you are unsure here is a checklist provided by the OAIC: Does my Small Business need to comply with the Privacy Act?
If you are still unsure you should take the cautious approach and put relevant privacy measures in place as well as seek Independent Legal Advice.
Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
The above definition of Personal Information is quite broad, and can include Internet Protocol (IP) addresses, Unique Device Identifiers (UDIDs) such as for a mobile phone or tablet, and other unique identifiers in specific circumstances.
Location information, may also be covered because it can reveal user activity patterns and habits.
If you are unsure whether you are using Personal Information please refer to this guide issued by the OAIC, and if still unsure please seek independent Legal Advice.
If you trade in, or use Personal Information to sell advertising, including via an app, you’ll likely fall under the Privacy Act.
A business is ‘trading’ in Personal Information if it collects from or discloses to someone else, an individual’s Personal Information for a benefit, service or advantage.
A benefit, service or advantage can be any kind of financial payment, concession, subsidy or some other advantage or service. For example, buying a mailing list without first getting the consent of all the individuals on that list, or disclosing customer details to someone else for some commercial (monetary or otherwise) gain.
If you trade in Personal Information you will have to comply with the Australian Privacy Principles in the Privacy Act. Complying with the Privacy Act does not prevent you from collecting Personal Information for your business needs, but it does mean you must follow the rules about how to handle that information.
If you are unsure whether you are using Personal Information to sell advertising, you should seek Independent Legal Advice.
There are significant potential penalties that can be imposed for non-compliance, and for repeat breaches, including enforceable undertakings and fines of up to $1.7 million per violation.
iubenda provides an easy to use, comprehensive and self-updating solution from the EU where the legal privacy framework is even more stringent than that of Australia.
The following table lists the relevant APP (Australian Privacy Principle) requirements, the related iubenda feature and comments on how it applies courtesy of the Australia-based Blue Ocean Law Group.
Also consider how long you need to hold information and if you can de-identify or destroy the information you no longer need.
Relevant clauses are extracted below.
The rights of Users Users may exercise certain rights regarding their Data processed by the Owner. In particular, Users have the right to do the following:
How to exercise these rights? Any requests to exercise User rights can be directed to the Owner through the contact details provided in this document. These requests can be exercised free of charge and will be addressed by the Owner as early as possible and always within one month.
Relevant clauses are extracted below…
The rights of Users Users may exercise certain rights regarding their Data processed by the Owner.
In particular, Users have the right to Lodge a complaint:
One way to do this is by using the International or Australian Standard in the management of complaints [ISO 10002:2014 or AS/NZS 10002:2014], or by adding in the relevant contact information for complaints to be lodged initially directly with the company.
If choosing to customize in this way, please be sure to mention that:
All businesses should disclose if an overseas transfer of data will occur.
As Australia moves towards the standards set by the EU, including potentially larger fines, regular audits and legal reviews will become even more important.
This is where the iubenda solution truly shines as all legal documents generated with iubenda are hosted by iubenda and regularly updated to meet the latest legal requirements. You can read more about the benefits of this here.
While iubenda’s solutions make compliance easy for many aspects of the law, full business compliance requires a holistic approach which includes regularly auditing your internal processes to see where other obligations may apply.
The following is a (non-exhaustive) list of additional compliance obligations imposed by Australian Law which may apply to you:
This post was written by James D. Ford, GAICD of Blue Ocean Law Group, Sydney, Australia. Blue Ocean Law Group is the Legal Network Partner of iubenda in Australia + New Zealand and can be contacted via firstname.lastname@example.org or toll-free 1800-0-Adapt. Blue Ocean Law Group also collaborates with iubenda to present regular free webinars entitled “How to make your website/app easily compliant with Australian Law?”