Demystifying privacy law: what’s your privacy policy?

Privacy law is still something of a mystery to many, writes David Kelly. He is constantly amazed that when he asks new clients what their privacy practices are, they haven’t got a clue.

What’s privacy law all about?

Privacy law governs the collection, storage, use and disclosure of personal information. This is supplemented by spam laws, which specifically govern the use of personal information in commercial electronic messages.  

Do you need a privacy policy?

If your turnover is greater than $3 million a year, then you must have a published privacy policy. So this means that small businesses are not caught. Right? Not necessarily. If, as part of your business, you trade in personal information (such as giving a third party access to your customer list), or you are a health services provider, or you are a service provider under a Commonwealth contract, then you must comply even if your turnover is less than $3 million.

Leaving the law aside, if you regularly collect and use personal information, it’s sensible business practice to have a published, legally compliant privacy policy. People are very privacy savvy these days, and they want to know what’s going to happen to their personal information. And if your business really takes off (which is what you want, isn’t it?), then you won’t have to madly scramble to get your privacy house in order when you pass the magic $3 million mark.

What should your privacy policy cover?

It must meet the requirements of the Australian Privacy Principles (APPs). This means it must (amongst other things) include the following information:

  • who’s collecting the information,
  • why it’s collected,
  • how it will be used,
  • when and how it will be disclosed,
  • security measures taken to protect it,
  • whether it will be sent overseas,
  • whether you can provide information anonymously,
  • who to contact about privacy, and
  • how you can access and update your information.

When can you use personal information for marketing?

You can use personal information for direct marketing if you have collected it directly from the individual concerned, and they have a reasonable expectation that you would use their information for direct marketing.

But it’s important to remember that spam laws apply, regardless of turnover, if you are direct marketing via eDM, SMS, etc. If you want to use personal information to market in this way, there are three golden rules which you must follow:

  • you must have consent to send electronic messages,
  • each message must clearly identify the sender (full legal name, address and contact number), and
  • each message must include a functional unsubscribe facility so that recipients can unsubscribe at any time.

What if your servers are located overseas?

APP 8 deals with cross-border disclosures of personal information. The gist of it is that if you are sending personal information overseas, you (as the discloser) must be satisfied that the recipient (e.g. the hosting company for your servers) will treat that information in the same way you are required to. If the overseas recipient breaches the law, it’s you that will pay the price.

Information collection statement: what is it and when do you have to use it?

If your turnover is greater than $3 million a year, you must publish an information collection statement at the point where you collect the information (e.g. near the submit button for an online contact form, newsletter sign-up or order form). The statement must say who is collecting the information, why it is being collected, how it will be used, what happens if you don’t provide the information, whether it will be sent overseas and where to find your full privacy policy. Providing a link to your privacy policy is not enough. Even if your turnover is less than this, it’s just good practice to provide an information collection statement.

Common mistakes

My team reviews a lot of marketing collateral for clients across a range of industries. Here’s a list of things we often see, all of which are breaches of privacy law:

  • Collecting information you don’t need. Why are you asking for someone’s date of birth for a newsletter sign-up? If the information is not needed for the purpose it’s collected, you can’t collect it.
  • Not using an information collection statement. If you’re collecting information, and your turnover is greater than $3 million, then you must provide an information collection statement at the point you collect the information.
  • Not including a functional unsubscribe facility in an eDM. You have to do this!

The wash-up

Privacy really isn’t that hard to get your head around, and you really should do it. The fines for non-compliance are significant, and the PR damage could be even worse. Setting up a policy and training staff is a worthwhile investment, so you’ll know exactly what information you’re collecting, and what you can legally do with it.  

David Kelly is founder of KHQApproved.com.au, a division of Kelly Hazell Quill Lawyers.