Many businesses believe that once they have a privacy policy in place, they are compliant with Australian privacy law, including the Privacy Act and the Australian Privacy Principles. This is not the case.
Who is bound by the Privacy Act 1988?
The first step in determining your obligations under privacy law is to determine if you are required to comply with the Privacy Act.
Businesses that have had annual turnover of more than $3 million in any year since 2002 must comply with the Privacy Act. Annual turnover is calculated by including income from all sources but excludes assets held, capital gains, and the proceeds of capital sales. The Privacy Act also covers a number of businesses regardless of turnover, for example where the business is a health services provider or trades in personal information.
What are your obligations under the Privacy Act?
If your business is required to comply with the Privacy Act, it must comply with the Australian Privacy Principles (APPs).
The APPs include various obligations setting out how you must collect, store, de-identify, use, and disclose personal information.
The concept of personal information is broad, and it can be difficult to determine whether information is personal information. Personal information is defined in the Privacy Act as information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not.
Personal information is further categorised into sensitive information, health information, credit information, employee record information, and tax file number information. Additional obligations apply to each of these further subcategories. If you would like to understand this area better, contact us for a complete guide.
Is a Privacy Policy All that is Needed?
A business that is required to comply with the Privacy Act must have a clearly expressed and up-to-date privacy policy pursuant to APP 1.3. Our sister business Compliance Quarter has developed a tool that reviews privacy policies against the content requirements set out in APP 1.4, giving you a report with recommendations in a matter of seconds.
A business's obligations under the APPs do not end with the publication of a privacy policy. The business must take reasonable steps to implement practices, procedures and systems that ensure it complies with the APPs. In practice this means, for example, that you must only collect the personal information you require and only for the purposes you have disclosed, that you store personal information securely, that you destroy or de-identify personal information when it is no longer needed, and that you are careful about how you disclose personal information.