Privacy Policy small business

Privacy Law for small businesses & Things included in a Privacy Policy

It would be best to have a Privacy Policy on your website when you operate a business that collects, stores, or discloses personal information. Your Privacy Policy must comply with Australian privacy law and, if some of your customers reside in the European Union, with EU rules as well.

What should you include in your Privacy Policy?

That will depend on several factors. These factors include the type of entity you operate, the kind of industry you are in, your business’s gross annual turnover, the location of your customers, the kind of information you collect, and how you propose to manage and use that information.

NSW privacy laws only apply to the NSW Government, local governments, healthcare providers, and universities. They protect personal information held by those agencies from inappropriate disclosure.

Commonwealth laws on privacy and the protection of personal information are not particularly burdensome for businesses with less than $3m annual turnover that do not fall into the other, fairly narrow categories subject to the Commonwealth Privacy Act 1988.

Nevertheless, businesses not strictly required to comply with the Australian Privacy Principles appended to the Privacy Act should consider using at least some of them as a guideline for their handling of personal information, especially if they provide goods and services to many different customers. At the very least, businesses should look at Principle 11, covering the security of information against hacking or leaking, and Principle 7, concerning the use of personal data for direct marketing. (See the Australian Privacy Principles summarised below.) Nothing upsets customers like their personal information being stolen, sold, or given to other businesses, so there is a distinct business benefit in being careful with personal information.

Does your small business need to comply with the Australian Privacy Principles?

The Commonwealth Privacy Act 1988 only applies to businesses which:

  • Have an annual turnover greater than $3m, or
  • Trade in personal information, or
  • Provide healthcare, or
  • Perform service contracts for the Commonwealth Government, or
  • Provide credit reports, or
  • Provide telecommunications, or
  • Maintain tenancy databases, or
  • Are covered by anti-money-laundering laws.

What is the Australian law on privacy?

Businesses covered by the Act must comply with the thirteen Australian Privacy Principles. In summary, these are:

  • Having a Privacy Policy and handling personal information transparently,
  • Allowing people to use a pseudonym or remain anonymous,
  • Collecting solicited personal information following procedures outlined,
  • Collecting unsolicited personal information under procedures outlined,
  • Notifying people in certain transactions that their information will be collected and held,
  • Using or disclosing personal information only following policies outlined,
  • Using personal data for direct marketing only following procedures outlined,
  • Disclosing personal information overseas only in accordance with procedures outlined,
  • Recording, using, and disclosing government-issued identifiers (e.g., driver’s licence numbers) only where necessary and per procedures outlined,
  • Ensuring personal information held is accurate, complete, and up to date,
  • Securing personal information against hacking or leaking, and destroying or de-identifying it following procedures outlined,
  • Rectifying inaccurate personal information where necessary.

Metadata retention obligations for some providers of Internet or telephone services

The Australian Telecommunications Act 1997 and the Telecommunications (Interception and Access) Act 1979 (TIA) impose additional privacy obligations on suppliers of telecommunications services. Certain exceptions under the TIA allow government agencies to access a customer’s telecommunications metadata. Metadata is the activity log of who accessed the telecommunications service, and when, how and where they did so. The TIA also requires some telecommunications service providers to retain metadata for two years.

Is an Australian-based business offering goods or services to people in Europe required to have a data protection policy?

If you offer to supply goods or services to individuals in the European Union, you will need to take measures to comply with the privacy protections for EU individuals under the EU General Data Protection Regulation (GDPR), in addition to complying with Australian privacy laws. The privacy policy for your Australian-based business should reflect those requirements.

For confidential advice on your Privacy Policy and information-handling practices, don’t hesitate to get in touch with us.