Written by Sebastian Marcu, Alyce Evans and Principal, Jennifer Tutty
Only some small businesses in Australia are covered by national privacy laws and required to have a privacy policy.
A question that every Australian small business owner should ask themselves is: does my business need a privacy policy? In this blog, we help you find the answer to that question.
For those small businesses that do require a privacy policy, we also outline the key things to include in your policy.
What laws apply to privacy in Australia?
In Australia, the Privacy Act 1988 (Cth) (Privacy Act) regulates the collection of personal information by certain Australian businesses, organisations and agencies.
Not all small businesses will be covered by the Privacy Act. It is therefore important for small business owners to determine whether their business is covered by the Privacy Act.
A ‘small business’ is defined in section 6D of the Privacy Act. A business is a small business at a time in a financial year if its annual turnover for the previous financial year is $3,000,000 or less.
What is personal information?
Personal information includes a wide scope of information that could be used to identify an individual.
Whether information is classified as ‘personal information’ depends on the circumstances and whether a person can be identified (or could reasonably be identified) from that information. Information may be personal information regardless of whether it is true or not, and whether it is recorded in a material form or not.
Personal information includes (but is not limited to):
– Information about a person’s private life: This includes a person’s name, address, date of birth, phone number, bank account details, and signature.
– Sensitive information: This includes a person’s racial and ethnic origin, political opinions, religious and philosophical beliefs, trade union memberships, sexual orientation, criminal records, health or genetic information and some biometric information.
– Credit information: This is relevant to applications for consumer credit, where a person provides information, relating to their finances and other private matters, to a credit provider (such as a bank).
– Employee record information: This is subject to the employee record exemption.
– Tax file number information: The Privacy Act and associated rules regulate the collection, storage, use, disclosure, security and disposal of an individual’s tax file number information.
– Telecommunications metadata: This includes information about communications and subscriber and account details for telecommunications services and devices.
Australian Privacy Principles
The Privacy Act includes a set of ‘Australian Privacy Principles’ (APPs) that apply to any organisation or agency covered by the Privacy Act. There are 13 principles, which govern standards, rights and obligations around the collection, use and disclosure of personal information, the rights of individuals to access their personal information, and the integrity and correction of personal information. APP 1 requires organisations and agencies covered by the Privacy Act to have a clearly expressed and up-to-date APP privacy policy.
You can find further information about the Australian Privacy Principles on the Office of the Australian Information Commissioner’s website here.
What is a privacy policy?
A privacy policy is a written document that explains how an organisation handles personal information. Businesses commonly publish their privacy policy on their website for all to see. A business may also send the document to its clients, customers, suppliers or patients.
Does your small business need a privacy policy?
The Privacy Act requires certain small businesses to comply with the APPs and have a privacy policy.
When assessing whether your small business needs a privacy policy, the first key question to ask is whether your small business handles personal information (see above for more information about what personal information is). If you are unsure whether or not your business handles personal information, we recommend seeking advice from a lawyer.
If your business does not handle personal information, you do not need to comply with the Privacy Act and the APPs and do not need a privacy policy.
However, if your business does handle personal information and you answer ‘yes’ to one or more of the questions below, it is likely that your small business needs to comply with the Privacy Act and the APPs and have a privacy policy.
Has your small business had an annual turnover of more than AUD $3,000,000 in any financial year since 2002?
Annual turnover (for the purposes of the Privacy Act) includes income from all sources. It does not include assets held, capital gains or proceeds of capital sales. If your small business has not yet operated for an entire financial year, you will need to make a projection of a full year annual turnover, based on the income of your business during that period.
If the answer to this question is yes and your business handles personal information, it is likely that your small business needs to comply with the Privacy Act and the APPs and have a privacy policy.
Does your small business trade in personal information without the consent of the individual and without being required or authorised by law?
A business is considered to ‘trade’ in personal information if it:
– Provides a benefit, service or advantage to collect personal information; or
– Discloses personal information for a benefit, service or advantage.
What is a ‘benefit, service or advantage’?
A benefit, service or advantage can be any kind of financial payment, concession, subsidy or some other advantage or service. Examples include a small business selling its customer list to a marketing company, or giving its own list in return for another list.
When thinking about this question and ‘consent’, we note that consent can be either express or implied.
If the answer to this question is yes, it is likely that your small business needs to comply with the Privacy Act and the APPs and have a privacy policy.
Is your small business a health service provider?
Health service providers provide services in relation to physical, emotional, psychological and mental health. They include traditional health service providers, such as private hospitals, day surgeries, medical practitioners, pharmacists and allied health professionals, as well as complementary therapists, child care centres, private schools and private tertiary educational institutions.
If your business is a health service provider, it is likely that your small business needs to comply with the Privacy Act and the APPs and have a privacy policy.
Is your small business related to a larger business that is subject to the Privacy Act?
If your business handles personal information and is related to a larger body corporate that is covered by the Privacy Act, it is likely that your small business needs to comply with the Privacy Act and the APPs and have a privacy policy.
To work out whether your small business is related to a larger body corporate, you should refer to the definition of ‘related body corporate’ under section 50 of the Corporations Act 2001 (Cth).
Is your small business a Commonwealth contracted service provider?
A business is a Commonwealth contracted service provider if it provides services to, or on behalf of, Australian or Norfolk Island government agencies under a Commonwealth contract or subcontract.
The provisions do not apply to businesses that receive funding from Commonwealth agencies for services that are not a function of the agency.
If your business is a Commonwealth contracted service provider, it is likely that your small business needs to comply with the Privacy Act and the APPs and have a privacy policy.
Are you a reporting entity or authorised agent of a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) or its Regulations or Rules?
If your business is a reporting entity (or an authorised agent of a reporting entity) under Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act), it is likely that your small business needs to comply with the Privacy Act and the APPs and have a privacy policy.
What is a ‘reporting entity’?
Under the AML/CTF Act, a reporting entity is a ‘person’ who provides a ‘designated service’. In this context, a ‘person’ includes an individual, company, trust, partnership, corporation sole or a body politic. A table of ‘designated services’ can be found here.
Further information
More information about the AML/CTF Act is available on the AUSTRAC website.
Does your small business operate a residential tenancy database?
A residential tenancy database is a database that:
– Stores personal information about individuals occupying residential premises as tenants; and
– Is accessible by a person other than the operator of the database or a person acting for the operator.
If your business operates a residential tenancy database, it is likely that your small business needs to comply with the Privacy Act and the APPs and have a privacy policy.
Is your small business an employer or employee association registered or recognised under the Fair Work (Registered Organisations) Act 2009 (Cth)?
To determine whether this applies to your business, you can visit the Fair Work Commission’s page on registered organisations here.
If your business is an employer or employee association (registered or recognised under the above legislation), it is likely that your small business needs to comply with the Privacy Act and the APPs and have a privacy policy.
Is your small business a protected action ballot agent for a protected action ballot conducted under Part 3-3 of the Fair Work Act 2009 (Cth)?
Generally, a protected action ballot agent will be the Australian Electoral Commission. However, the Fair Work Commission can overrule this and specify in the protected action ballot order that another person is the protected action ballot agent.
If your business is a protected action ballot agent under the Fair Work Act 2009 (Cth) (Fair Work Act), it is likely that your small business needs to comply with the Privacy Act and the APPs and have a privacy policy.
Is your small business a service provider that is required to comply with the data retention provisions in Part 5-1A of the Telecommunications (Interception and Access) Act 1979 (Cth)?
If your business is a service provider that is required to comply with these data retention provisions, it is likely that your small business needs to comply with the Privacy Act and the APPs and have a privacy policy.
Has your small business voluntarily opted into the Privacy Act?
The Privacy Act provides a mechanism to allow an organisation that is a small business operator to opt in to the Act. If your business opts into the Privacy Act, it is likely that your small business needs to comply with the Privacy Act and the APPs and have a privacy policy.
What should be included in a privacy policy?
When drafting your privacy policy, you must include the following things (this is not an exhaustive list):
– Who: The name and contact details of your business.
– What: The types of personal information your business is collecting and storing.
– Where: Where your business is storing personal information.
– Why: The reasons why your business needs to collect personal information.
– How: How your business is collecting personal information.
– Access: How a person can access their personal information.
– Correction: How a person can ask a business to correct their personal information.
– Complaints: How a person can lodge a complaint with the business regarding the handling of their personal information. We recommend providing contact details of the person or team within your business who handles these matters. You must also include information about how your business handles such complaints.
– Disclosure: Whether you are likely to disclose personal information outside Australia and, if so, to which countries.
We recommend that small businesses which need to comply with the Privacy Act seek the support of a lawyer to prepare a privacy policy that complies with the APPs.
Published 1 June 2022
Further Information
If you would like legal advice on privacy law, whether your business needs a privacy policy or assistance with drafting a privacy policy, please contact us through our online form or at hello@studiolegal.com.au.
Photo by AbsolutVision on Unsplash.
DISCLAIMER
The information in this article is of a general nature. It does not constitute formal legal advice, and should not be relied on as such. Please see the full disclaimer in our website terms. Please contact Studio Legal if you are seeking advice about a specific legal matter.