Privacy Policies & Australian Law

6/1/2019

Privacy + CyberSecurity Law

Privacy Policies & Australian Law

This article provides a summary of an original article entitled “Privacy Policies & Australian Law” written by James D. Ford, GAICD which was published in late 2018 + is hosted on iubenda's website. ‍ By way of full disclosure: Blue Ocean Law Group is iubenda's Legal Network Partner in Australia, New Zealand + California, USA.

James D. Ford Esq.

Founder & [iC]℠ a.k.a Outside General Counsel

Contents

Privacy Policies & Australian Law

Foreign laws may apply to your Australian website/app

Legal Background ➲ Australian Privacy Act 1988 (Comm.)

Does your Business/NFP need to comply with the Privacy Act?

What is considered Personal Information?

What does “trade in personal information” mean?

Consequences of non-compliance

How our strategic alliance partner iubenda can help?

Warning: a Privacy Policy is not a set and forget document!

Other Australian Privacy Legislation

Privacy Policies & Australian Law

Privacy policies are legally required under most countries’ legislation including Australia (subject to some exceptions which we will discuss below).

Foreign laws may apply to your Australian website/app

Where is your website hosted? Do you target overseas users/clients? etc.

Firstly, your law(s) of reference determine which rules you’re subject to.

Simply put, the laws of a particular region [for example, the EU GDPR] can apply to you in addition to local Australian law even if you don’t live, or run your business or charity (also known as a not-for-profit or NFP) there.

In general, the laws of a particular region can apply if your business or NFP:

➲ Base your operations there; or

➲ Use processing services or servers based in the region; or

➲ Service targets users from that region (example: accepting payment in Euros).

So to be clear, this basically means that regional regulations may apply to you and/or your business or charity whether you’re located in the region or not.

Be on the safe side, ensure you comply with the strictest regulations

For that reason, it’s always advisable that you approach your data processing activities with the strictest applicable regulations in mind.

You can read more about which privacy laws apply to you here.

Another point in favour of having a comprehensive privacy policy in place is that it’s simply good business to have a Privacy Policy.

Regardless of whether legal obligations apply, all customers/clients today fully expect their personal data will be respected + protected.

Any breach, aside from potentially leading to legal consequences, will directly impact your business reputation, and ultimately could cause your business or charity to shut down due to public loss of confidence.

Legal Background ➲ Australian Privacy Act 1988 (Comm.)

The Privacy Act and Australian Privacy Principles (‘APPs’) govern the collection, storage, use and disclosure of Personal Information.

Australian businesses/NFP's are bound by the Privacy Act if they:

➲ “Opt-in” or publicly volunteer to be regulated;

➲ Handle Personal Information (defined below) + have $3 million or more in annual turnover; or

➲ Are captured by the second set of criteria set out in the Act.

Caution: The additional “second set” of criteria means that every business or charity regardless of turnover may be caught if they sell or purchase Personal Information or handle specific categories of Personal Information, such as TFN (Tax File Numbers, Health + Medical Data, etc.)

Small business/NFP operators generally are exempt from the Privacy Act unless one of the above-mentioned points applies.

Does your business/NFP need to comply with the privacy act?

Click the below link to access the online guide:

Does my Business/NFP need to comply with the Privacy Act?

If you are still unsure you should take the cautious approach and put relevant privacy measures in place as well as seek Independent Legal Advice.

What is considered Personal Information?

Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:

➲ Whether the information or opinion is true or not; and

➲ Whether the information or opinion is recorded in a material form or not.

The above definition of Personal Information is quite broad and can include Internet Protocol (IP) addresses, Unique Device Identifiers (UDIDs) such as for a mobile phone or tablet, and other unique identifiers in specific circumstances.

Location information may also be covered because it can reveal user activity patterns and habits.

If you are unsure whether you are using Personal Information please refer to this guide issued by the OAIC, and if still unsure please seek independent Legal Advice.

Important: If you trade or use Personal Information to sell advertising, including via an app, you’ll likely fall under the Privacy Act.

What does “trade in personal information” mean?

A business or NFP is “trading” in Personal Information if it collects from or discloses to someone else, an individual’s Personal Information for a benefit, service or advantage.

A benefit, service or advantage can be any kind of financial payment, concession, subsidy or some other advantage or service.

For example, buying a mailing list without first getting the consent of all the individuals on that list, or disclosing customer details to someone else for some commercial (monetary or otherwise) gain.

If you trade in Personal Information you will have to comply with the Australian Privacy Principles in the Privacy Act.

Complying with the Privacy Act does not prevent you from collecting Personal Information for your business needs, but it does mean you must follow the rules about how to handle that information.

If you are unsure whether you are using Personal Information to sell advertising, you should seek Independent Legal Advice.

Exemptions may apply where “consent” has been obtained for small businesses with a turnover of $3 million or less that are not considered an APP entity for any other reason (refer to the second set of criteria discussed above).

However, even in this case, you should have an easy-to-read Privacy Policy to ensure you obtain clear informed consent as required.

In order to avoid any question regarding whether valid “consent” has been obtained in accordance with the requirements of the Privacy Act, it is recommended that you be as clear and transparent as possible in your Privacy Policy about what Personal Information you are collecting, what you are doing with it, and the reasons why.

It’s also highly recommended you request that the user actively indicate consent by having them take an affirmative action such as ticking a checkbox or clicking a button. This can be facilitated by adding a checkbox with a link to the privacy policy to your data collection forms, and by using something like a site banner to alert and collect your users’ consent to tracking technologies such as cookies.

iubenda’s Cookie Solution makes setting up a site banner and linking to the Privacy Policy pretty easy. You can read more about the Cookie Solution here as well as how to customize your site banner here.

Consequences of non-compliance

There are significant potential penalties that can be imposed for non-compliance, and for repeat breaches, including enforceable undertakings and fines of up to $1.7 million per violation.

How our strategic alliance partner iubenda can help?

iubenda offers a convenient solution for ensuring best practice and a regularly updated Privacy Policy.

iubenda provides an easy to use, comprehensive and self-updating solution from the EU where the legal privacy framework is even more stringent than that of Australia.

How does iubenda's Privacy Policy solution help you to comply with the specifics of Australian Law?

Click this link to access the original article on iubenda's website.

The original article includes a table created by Blue Ocean Law Group℠ listing the relevant APP (Australian Privacy Principle) requirements, the related iubenda feature and comments on how it applies.

Warning: a Privacy Policy is not a set and forget document!

As your business or NFP's circumstances change, your Privacy Policy needs to be audited against your internal business processes (practices, procedures and documents – as well as what is actually done).

Your Privacy Policy needs to be regularly reviewed to ensure it is compliant with the latest changes to Australian law.  

As Australia moves towards the standards set by the EU, including potentially larger fines, regular audits and legal reviews will become even more important.

This is where the iubenda solution truly shines.

All legal documents generated with iubenda are hosted by iubenda + regularly updated to meet the latest legal requirements.

You can read more about the benefits of this here.

Other Australian Privacy Legislation

While iubenda’s solutions make compliance easy for many aspects of the law, full business compliance requires a holistic approach which includes regularly auditing your internal processes to see where other obligations may apply.

The following is a (non-exhaustive) list of additional compliance obligations imposed by Australian Law which may apply to you:

➲ Non-privacy-policy related aspects of the Privacy Act 1998 – for example, APP8 – Direct Marketing; APP11 – Security of Personal Information. For more information, read this Guide to the APP’s;

Notifiable Data Breach Scheme; and

➲ The SPAM Act.

Credits:

This article was written by James D. Ford Esq., GAICD CIPP/US | Principal Solicitor, Blue Ocean Law Group℠.

Blue Ocean Law Group℠ also collaborates with iubenda to present regular free webinars entitled:

How to make your website/app easily compliant with Australian Law?
iubenda Certified Legal Partner

Cover Image:

Photo by Alex Iby on Unsplash

Important Notice:

This article is intended for general interest and information only. It is not legal advice and nor should it be relied upon or used as such. Always consult a lawyer for specialist advice specific to your needs and circumstances.