Privacy Policy small business

Privacy Law for small businesses

You should have a Privacy Policy on your website if you operate a business that collects, stores, uses or discloses personal information. Your Privacy Policy must comply with Australian privacy laws, and with European Union rules if some of your customers reside there.

What should you include in your Privacy Policy?

That will depend on several factors. These factors include the type of entity you operate, the type of industry you are in, your business’s gross annual turnover, the location of your customers, the kind of information you collect, and how you propose to manage and use that information.

NSW privacy laws only apply to the NSW Government, local governments, healthcare providers, and universities. They protect personal information held by those agencies from inappropriate disclosure.

Commonwealth laws about privacy and the protection of personal information are not particularly burdensome for businesses with an annual turnover of less than $3m that do not fall into the other, fairly restricted categories subject to the Commonwealth Privacy Act 1988.

Nevertheless, businesses not strictly required to comply with the Australian Privacy Principles appended to the Privacy Act should consider using at least some of them as a guideline for their handling of personal information, particularly if they provide goods and services to a lot of different customers. At the very least, businesses should look at Principle 11, covering the security of information against hacking or leaking, and Principle 7, covering the use of personal data for direct marketing. (See the summary of the Australian Privacy Principles below.) Nothing upsets customers like having their personal information stolen, sold or given to other businesses, so there is a distinct business benefit in being careful with personal information.

Does your small business need to comply with the Australian Privacy Principles?

The Commonwealth Privacy Act 1988 only applies to businesses which:

  • Have an annual turnover greater than $3m, or
  • Trade in personal information, or
  • Provide healthcare, or
  • Perform service contracts for the Commonwealth Government, or
  • Provide credit reports, or
  • Provide telecommunications, or
  • Maintain tenancy databases, or
  • Are covered by money-laundering laws.

What is the Australian law on privacy?

Businesses that are covered by the Act must comply with the thirteen Australian Privacy Principles. In summary, these are:

  • Having a Privacy Policy and handling personal information transparently,
  • Allowing people to use a pseudonym or remain anonymous,
  • Collecting solicited personal information in accordance with procedures outlined,
  • Collecting unsolicited personal information in accordance with procedures outlined,
  • Notifying people in certain transactions that their information will be collected and held,
  • Using or disclosing personal information only in accordance with procedures outlined,
  • Using personal information for direct marketing only in accordance with procedures outlined,
  • Disclosing personal information overseas only in accordance with procedures outlined,
  • Recording, using, and disclosing government-issued identifiers (e.g., driver’s licence numbers) only where necessary and in accordance with procedures outlined,
  • Ensuring personal information held is accurate, complete, and up to date,
  • Securing personal information against hacking or leaking, and destroying or de-identifying it in accordance with procedures outlined,
  • Giving people access to their personal information on request, and
  • Correcting personal information where necessary.

Metadata retention obligations for some providers of Internet or telephone services

The Australian Telecommunications Act 1997 and the Telecommunications (Interception and Access) Act 1979 (TIA) impose additional privacy obligations on suppliers of telecommunications services. Certain exceptions under the TIA allow government agencies to access a customer’s telecommunications metadata. Metadata is the activity log of who accessed the telecommunications service, and when, how and where they did so. Some telecommunications service providers are also required by the TIA to retain metadata for at least two years.

Is an Australian-based business offering goods or services to people in Europe required to have a data protection policy?

If you offer to supply goods or services to individuals in the European Union, you will need to take measures to comply with the privacy protections for EU individuals under the EU General Data Protection Regulation (GDPR), in addition to measures to comply with Australian privacy laws. The privacy policy for your Australian-based business should reflect those requirements.

For confidential advice on your Privacy Policy and information-handling practices, please contact us.