Australia has a uniform, over-arching privacy law legislated by the federal government, laid down in the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) made pursuant to that statute. If a business in any way collects, uses or discloses the personal information of its customers or of people engaged with its business, it is always recommended that the business have a privacy policy. The aim of the Australian Privacy Principles is to foster transparent information handling practices and business accountability around data handling.
A privacy policy, in essence, informs the discloser about how the business collects, secures, uses and discloses personal information. Privacy policies, among other things, are required to inform the discloser about:
The Australian Privacy Principles provide businesses with the flexibility to tailor their personal information handling practices to their diverse needs and business models. The Australian Privacy Principles are also technology neutral, applying equally to paper-based and digital environments. The following are the kinds of businesses in Australia which are required to comply with the Australian Privacy Principles:
Notwithstanding the different applicable legal thresholds mentioned above, it is an accepted fact that when a business has a privacy policy, it instils a great deal of trust and confidence in its customers. This notion of trust is extremely important in today's context, when we consider the extensive misuse of personal information by various businesses, including those whose business model is to provide a service and then use that very service to collect intricate personal information from their customers. This method of collection creates a huge reservoir of data, ranging from basic information like names, addresses, email IDs and phone numbers to sophisticated data like people's online browsing patterns and individuals' likes and dislikes. So, in order to keep up with current trends in technology and not lose the trust reposed by people, it is imperative for businesses to have a privacy policy for their customers, on their website and offline when engaging with them.

When a privacy policy is created for a business, the Australian Privacy Principles should be carefully observed, including the specific requirements laid down in each of the principles below:
APP1: Open and transparent management of personal information
APP2: Anonymity and pseudonymity
APP3: Collection of solicited personal information
APP4: Dealing with unsolicited personal information
APP5: Notification of the collection of personal information
APP6: Use or disclosure of personal information
APP7: Direct marketing
APP8: Cross-border disclosure of personal information
APP9: Adoption, use or disclosure of government related identifiers
APP10: Quality of personal information
APP11: Security of personal information
APP12: Access to personal information
APP13: Correction of personal information

APPs' overseas applicability
Any personal information of Australians which is sent overseas to be stored on servers or in data centres will also need to comply with the Australian Privacy Principles.
The APPs may also apply to businesses conducted on a world-wide basis which are not Australian-based but target various countries, including people in Australia, by collecting their personal information. There are also additional factors which need to be considered before concluding whether the Australian Privacy Principles apply to an overseas business.

Reporting Breaches
From 22nd February 2018 onwards, any breach of the personal information stored by an APP entity will need to be reported to the Office of the Australian Information Commissioner (OAIC). Under the current law, government agencies and businesses covered by the Privacy Act are required to notify, as soon as practicable, any individuals affected by a data breach that is likely to result in serious harm. The OAIC must also be notified of such data breaches. Failure to report eligible data breaches will be considered an interference with the privacy of an individual affected by the breach and will result in civil penalties of up to AUD $2.1 million for serious or repeated interferences.

Complying with Overseas Privacy Laws
Australian businesses which collect personal information from customers, clients or end-users located in other countries will need to comply with the privacy laws of all those countries. The European Union's General Data Protection Regulation (GDPR), which came into effect on 25th May 2018, is an example of the far-reaching consequences of privacy laws for Australian businesses. The GDPR applies to businesses that:
The details of the applicability of, and compliance with, the EU GDPR will be dealt with in another article. The best way to ensure your business is in compliance with applicable privacy laws is to contact AJR Lawyers for bespoke advice and services regarding your business.
Author: AJ has vast experience and knowledge in corporate and commercial laws, and these are his views and opinions on the issues commented upon here.