Who needs a privacy policy?

Privacy Policies. They sound like a pain – and if you've ever tried to read (or decode) one, you'll know that they can be pretty arduous to make sense of.

But for many small companies, they are essential – especially if your start-up is an app or an online service that handles personal information. Under the Australian Privacy Principles, if you are an APP Entity, you need to have a Privacy Policy.

APP Entities include:

  • Businesses with an annual turnover of more than $3 million (not including assets held, capital gains or proceeds of capital sales)  
  • Small businesses with a turnover of less than $3 million are not considered APP Entities. However, your business will still need a privacy policy if:
    • Your business collects and trades personal information without the consent of the individual
    • Your small business is a health service provider
    • Your small business is required to comply with the data retention provisions under Part 5-1A of the Telecommunications (Interception and Access) Act 1979

No matter which category you fall into, it is still a good idea to have a Privacy Policy in place. It increases consumer trust in your business and how it handles and protects personal information.

Similarly, if your business uses external services, you may be required to have a privacy policy under their terms. For example, section 7 of Google Analytics' terms of service requires that you have a privacy policy in place.

What is a privacy policy, exactly?

A privacy policy is a document that outlines how your company collects and uses personal information. There are topics it must cover under Australian privacy laws, and it should be easily accessible to anyone – the idea is that you show how you manage personal information in a transparent way.

On that note, it's not a document that should be drafted in heavy legalese purely to mitigate risk. It's something that should build trust between the company and the people whose information you are collecting. It should be easy to read and reflect the company and its values.

Topics that a Privacy Policy must cover include:

  1. The kinds of information you collect and hold
  2. How you collect personal information
  3. How you hold personal information
  4. The purposes for which you collect, hold, use and disclose personal information
  5. How an individual may access and correct their personal information
  6. How an individual can complain if you, or a contractor, breaches the APPs or a binding registered APP code
  7. Whether you are likely to disclose information to an overseas recipient

The best way to present this information is in layers. Use headings such as "scope", "collection of personal information" and "disclosure" to make it easier to understand for the user.

Personal Information

So what is personal information? It's a very broad term, and captures any information (or opinion) about a person who is reasonably identifiable, or is identified.

Examples include:

  • Name
  • Address
  • Phone number
  • Bank account details
  • Opinions

What happens if I don't have a Privacy Policy?

If you don't comply with the Privacy Act 1988 as required by law, an individual can make a complaint about your company to the OAIC. The OAIC has the power to investigate, conciliate and make determinations based on the complaint.

Breaches of the Australian Privacy Principles can result in civil penalties, and repeated breaches can result in large fines. These can be $360,000 for individuals and up to $1.8 million for corporations.

So even though it might take a little time or initial cost to produce a great privacy policy, it's clear that the effort is well worth it. It's not just about avoiding penalties, but about making your company trusted and transparent in its information dealings.