Privacy law is still something of a mystery to many, writes David Kelly, who is constantly amazed that when he asks new clients what their privacy practices are, they haven’t got a clue.
Privacy law governs the collection, storage, use and disclosure of personal information. This is supplemented by spam laws, which specifically govern the use of personal information in commercial electronic messages.
Your privacy policy must meet the requirements of the Australian Privacy Principles (APPs). This means it must (amongst other things) include the following information: who’s collecting the information, why it’s collected, how it will be used, when and how it will be disclosed, the security measures taken to protect it, whether it will be sent overseas, whether you can provide information anonymously, who to contact about privacy, and how you can access and update your information.
When can you use personal information for marketing?
You can use personal information for direct marketing if you have collected it directly from the individual concerned, and the individual has a reasonable expectation that you would use their information for direct marketing.
But it’s important to remember that spam laws apply, regardless of turnover, if you are direct marketing via eDM, SMS, etc. If you want to use personal information to market in this way, there are three golden rules which you must follow:
- you must have consent to send electronic messages,
- each message must clearly identify the sender (full legal name, address and contact number), and
- each message must include a functional unsubscribe facility so that recipients can unsubscribe at any time.
What if your servers are located overseas?
APP 8 deals with cross-border disclosures of personal information. The gist of it is that if you are sending personal information overseas, you (as the discloser) must be satisfied that the recipient (e.g. the hosting company for your servers) will treat that information in the same way you are required to. If the overseas recipient breaches the law, it’s you that will pay the price.
Information collection statement: what is it and when do you have to use it?
My team reviews a lot of marketing collateral for clients across a range of industries. Here’s a list of things we often see, all of which are breaches of privacy law:
- Collecting information you don’t need. Why are you asking for someone’s date of birth for a newsletter sign-up? If the information is not needed for the purpose it’s collected, you can’t collect it.
- Not using an information collection statement. If you’re collecting information, and your turnover is greater than $3 million, then you must provide an information collection statement at the point you collect the information.
- Not including a functional unsubscribe facility in an eDM. You have to do this!
Privacy really isn’t that hard to get your head around, and you really should do it. The fines for non-compliance are significant, and the PR damage could be even worse. Setting up a policy and training staff is a worthwhile investment, so you’ll know exactly what information you’re collecting, and what you can legally do with it.
David Kelly is founder of KHQApproved.com.au, a division of Kelly Hazell Quill Lawyers.