Documentation

Table of Contents

Privacy Policies and Australian Law

– by James D. Ford, GAICD of Blue Ocean Law Group (iubenda Legal Network partner in Australia + New Zealand), Sydney, Australia.


Privacy policies are legally required under most countries’ legislations including Australia (subject to some exceptions which we will discuss below).

Overseas laws may apply to your Australian website/app

Firstly, your law(s) of reference determine which rules you’re subject to. Simply put, the laws of a particular region [for example, the EU GDPR] can apply to you in addition to local Australian law even if you don’t live, or run your business there.

In general, the laws of a particular region can apply if:

  • you base your operations there; or
  • you use processing services or servers based in the region; or
  • your service targets users from that region (example: accepting payment in Euros).

So to be clear, this basically means that regional regulations may apply to you and/or your business whether you’re located in the region or not.

Be on the safe side, ensure you comply with the strictest regulations.

For that reason, it’s always advisable that you approach your data processing activities with the strictest applicable regulations in mind. You can read more about which privacy laws apply to you here.

Another point in favour of having a comprehensive privacy policy in place is that it’s simply good business to have a Privacy Policy:

Regardless of whether legal obligations apply, all customers/clients today fully expect their personal data will be respected and protected. Any breach, aside from potentially leading to legal consequences, will directly impact business reputation, and ultimately could cause a small business to shut-down due to public loss of confidence.

Legal Background – Australian Privacy Act 1988 (Comm.)

The Act and Australian Privacy Principles (‘APPs’) govern the collection, storage, use and disclosure of Personal Information.

Australian businesses are bound by the Privacy Act 1988 if:

Caution

The additional “second set” of criteria mean that every business regardless of turnover may be caught if they sell or purchase Personal Information or handle specific categories of Personal Information, such as TFN (Tax File Numbers, Health + Medical Data, etc.)

Small business operators generally are exempt from the act unless one of the above-mentioned points apply. If you are unsure here is a checklist provided by the OAIC: Does my Small Business need to comply with the Privacy Act?

If you are still unsure you should take the cautious approach and put relevant privacy measures in place as well as seek Independent Legal Advice.

What is considered Personal Information?

Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  • whether the information or opinion is true or not; and
  • whether the information or opinion is recorded in a material form or not.

The above definition of Personal Information is quite broad, and can include Internet Protocol (IP) addresses, Unique Device Identifiers (UDIDs) such as for a mobile phone or tablet, and other unique identifiers in specific circumstances.

Location information, may also be covered because it can reveal user activity patterns and habits.

If you are unsure whether you are using Personal Information please refer to this guide issued by the OAIC, and if still unsure please seek independent Legal Advice.

Important

If you trade in, or use Personal Information to sell advertising, including via an app, you’ll likely fall under the Privacy Act.

What does ‘trading in personal information’ mean?

A business is ‘trading’ in Personal Information if it collects from or discloses to someone else, an individual’s Personal Information for a benefit, service or advantage.

A benefit, service or advantage can be any kind of financial payment, concession, subsidy or some other advantage or service. For example, buying a mailing list without first getting the consent of all the individuals on that list, or disclosing customer details to someone else for some commercial (monetary or otherwise) gain.

If you trade in Personal Information you will have to comply with the Australian Privacy Principles in the Privacy Act. Complying with the Privacy Act does not prevent you from collecting Personal Information for your business needs, but it does mean you must follow the rules about how to handle that information.

If you are unsure whether you are using Personal Information to sell advertising, you should seek Independent Legal Advice.

Exemptions may apply where “consent” has been obtained for small businesses with turnover of $3 million or less that are not considered an APP entity for any other reason (refer to the second set of criteria discussed above). However even in this case, your should have an easy-to-read Privacy Policy so that you can ensure that you obtain clear informed consent as required.

In order to avoid any question regarding whether valid “consent” has been obtained in accordance with the requirements of the Privacy Act, it is recommended that you be as clear and transparent as possible in your Privacy Policy about what Personal Information you are collecting, what you are doing with it, and the reasons why.

It’s also highly recommended you request that the user actively indicate consent by having them take an affirmative action such as ticking a checkbox or clicking a button. This can be facilitated by adding a checkbox with a link to the privacy policy to your data collection forms, and by using something like a site banner to alert and collect your users’ consent to tracking technologies such as cookies.

Iubenda’s Cookie Solution makes setting up a site banner and linking to the Privacy Policy pretty easy. You can read more about the Cookie Solution here as well as how to customize your site banner here.

Consequences of non-compliance

There are significant potential penalties that can be imposed for non-compliance, and for repeat breaches, including enforceable undertakings and fines of up to $1.7 million per violation.

How iubenda can help

iubenda offers a convenient solution for ensuring best practice and a regularly updated Privacy Policy.

iubenda provides an easy to use, comprehensive and self-updating solution from the EU where the legal privacy framework is even more stringent than that of Australia.  

So, how does the iubenda Privacy Policy solution help you to comply with the specifics of Australian Law?

The following table lists the relevant APP (Australian Privacy Principle) requirements, the related iubenda feature and comments on how it applies courtesy of the Australia-based Blue Ocean Law Group.

Requirement Source Does the iubenda Privacy Policy comply with APP requirements? Comments for Australians reading a privacy policy
An entity must have a clearly expressed and up to date privacy policy. APP 1.3 Yes, compliant.

Privacy policy notes the date that it was last updated on all documents. As these documents are regularly updated remotely, the solution easily meets this requirement.

The Privacy Policy follows best practice by being easy to read, using simple language + visual icons + showing a summary level, with the ability to drill down to display the entire Privacy Policy (as well as the Privacy Policies of external companies with which personal data is stored – showing a level of transparency we have not seen before).

The privacy policy must set out the kinds of personal information that the entity collects and holds. APP 1.4 (a) Yes, compliant. The privacy policy includes a section on the types of personal information collected. Businesses should consider all types of personal information collected, and whether any is sensitive, such that specific protection legislation applies (e.g.TFN, Health/Medical data, etc.).
The privacy policy must set out how the entity collects and holds personal information. APP 1.4 (b) Yes, compliant. The privacy policy includes a section on how personal information is collected and held. All businesses should conduct a comprehensive audit into the sources of personal information, how this comes to the business and is then stored. Then update the privacy policy to reflect the results of the review.

Also consider how long you need to hold information and if you can de-identify or destroy the information you no longer need.

The privacy policy must set out how an individual may access personal information held about them and seek correction. APP 10 + 1.4 (d) Yes, compliant. The privacy policy states in an easily accessible manner where the owner may be contacted and states the minimum rights of people in the EU (among them, the right to access and rectification). It is recommended that Non-European users of iubenda may elect to extend these rights to other individuals by using the setting provided for this purpose.

Relevant clauses are extracted below.

The rights of Users Users may exercise certain rights regarding their Data processed by the Owner. In particular, Users have the right to do the following:

  • Access their Data. Users have the right to learn if Data is being processed by the Owner, obtain disclosure regarding certain aspects of the processing and obtain a copy of the Data undergoing processing.
  • Verify and seek rectification. Users have the right to verify the accuracy of their Data and ask for it to be updated or corrected.
  • Lodge a complaint. Users have the right to bring a claim before their competent data protection authority.

How to exercise these rights? Any requests to exercise User rights can be directed to the Owner through the contact details provided in this document. These requests can be exercised free of charge and will be addressed by the Owner as early as possible and always within one month.

The privacy policy must set out how an individual may complain about a breach of the APPs and how the entity will deal with a complaint. APP 1.4 (e) Yes, compliant. The privacy policy provides guidance on how to lodge complaints with public data protection authorities. However, additional descriptions about the handling of complaints may be added by copying the default wording and personalising it via the “add a Custom Service” feature.

Relevant clauses are extracted below…

The rights of Users Users may exercise certain rights regarding their Data processed by the Owner.

In particular, Users have the right to Lodge a complaint:

Users have the right to bring a claim before their competent data protection authority. Businesses can further fine-tune this by using the* “Add Custom Service” feature of the Privacy Policy Generator*.

One way to do this is by using the International or Australian Standard in the management of complaints [ISO 10002:2014 or AS/NZS 10002:2014], or by adding in the relevant contact information for complaints to be lodged initially directly with the company.

If choosing to customize in this way, please be sure to mention that:

  • a response will be obtained within 14 days; and that
  • if the user is still not satisfied, they have the right to bring a claim before the competent data protection authority. In Australia, this is the OAIC – Office of the Australian Information Commissioner. https://www.oaic.gov.au/
The privacy policy must set out if the entity is likely to disclose personal information to overseas recipients. APP 1.4 (f) Yes, compliant. The Privacy Policy makes reference to overseas disclosure.

All businesses should disclose if an overseas transfer of data will occur.

Most companies with existing Privacy Policies which have not been reviewed since this requirement was introduced in 2014 will find their existing Privacy Policies are not compliant. All businesses should review all contracts with external parties to ensure that they are contractually bound to comply with their Privacy Policy and standards, the Act and APPs.

Following on from the review they should update their Privacy Policy so that it complies with APP 1.4 (f) and APP 1.4 (g). Note APP 8: “8.1 Before an APP entity discloses personal information about an individual to a person (the overseas recipient):

  1. who is not in Australia or an external Territory; and
  2. who is not the entity or the individual — The entity must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) in relation to the information.”
If the entity is likely to disclose personal information to overseas recipients, it must list the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy. APP 1.4 (g) Yes, compliant. The Privacy Policy makes reference to overseas disclosure. One highly suggested customization here is to use the “add a Custom Service” feature to include a list of the relevant country/countries (where practical and applicable).

An entity must take such steps as are reasonable in the circumstances to make its APP privacy policy available:

  1. free of charge; and
  2. in such form as is appropriate.
APP 1.5 Yes, Compliant. The Privacy Policy is available online. Another highly suggested customization here is to use the “add a Custom Service” feature to include that individuals can request a copy of the policy via post.

Warning: A Privacy Policy is not a set and forget document.

As your business circumstances change, your Privacy Policy needs to be audited against your internal business processes (practices, procedures and documents – as well as what is actually done).

Your Privacy Policy needs to be regularly reviewed to ensure it is compliant with the latest changes to Australian law.  

As Australia moves towards the standards set by the EU, including potentially larger fines, regular audits and legal reviews will become even more important.

This is where the iubenda solution truly shines as all legal documents generated with iubenda are hosted by iubenda and regularly updated to meet the latest legal requirements. You can read more about the benefits of this here.

Other Australian Privacy Legislation

While iubenda’s solutions make compliance easy for many aspects of the law, full business compliance requires a holistic approach which includes regularly auditing your internal processes to see where other obligations may apply.

The following is a (non-exhaustive) list of additional compliance obligations imposed by Australian Law which may apply to you:


This post was written by James D. Ford, GAICD of Blue Ocean Law Group, Sydney, Australia. Blue Ocean Law Group is the Legal Network Partner of iubenda in Australia + New Zealand and can be contacted via ahoy@blueocean.law or toll-free 1800-0-Adapt. Blue Ocean Law Group also collaborates with iubenda to present regular free webinars entitled “How to make your website/app easily compliant with Australian Law?”

The latest recording can be found here.

Still have questions?

Visit our support forum Email us