Website Privacy Policies

Who, What, Where, When & How

Amendments to Australian Privacy Legislation take effect from 12 March 2014. The changes require private-sector organisations and Australian Government agencies covered by the laws to be more transparent about how they handle your personal information. Consumers will be able to read an entity’s privacy policy and find out how it handles personal information, whether that information is likely to be sent overseas and how to complain about a possible privacy breach.

The way in which your personal information can be used for direct marketing will also change. For the first time, you will have the right to ask a private-sector organisation to tell you where they got your personal information. A private-sector organisation will also have to give you an easy way to opt-out of receiving direct marketing communications.

Five new kinds of credit-related personal information, including the repayment history on your home or car loan and your credit card, will be able to be collected by credit reporting bodies and passed on to lenders. It is also important to remember that you can request a copy of your credit report from a credit reporting body for free in most circumstances. The new privacy laws will also give the Commissioner new powers to resolve privacy complaints and investigations, including the ability to impose a penalty of up to $1.7 million.

The easiest way for businesses to communicate their Privacy Policy is via their website. Australian Privacy legislation states that if you collect or access any personal information including email addresses, telephone numbers, mailing addresses, etc. you are required to post a Privacy Policy. Even if you do not collect any personal information, your website will look more professional by posting a Privacy Policy. It provides comfort to your website visitors that you are aware of the legal requirements and that you are a legitimate online business.

What should be in your Privacy Policy?

  • What website visitor or customer information you collect.
  • How this information is used within your organisation.
  • How personal information is stored, and
  • How you ensure this information is kept secure.

In addition to these basic requirements, the following information should also be included where applicable:

  • Email updates - Details of whether you send product advertisements or updates via email including details of options for customers to easily unsubscribe (and ensure emails sent provide links for recipients to unsubscribe and an email address where customers can ask for their details to be updated or deleted).
  • Credit card details - Most website plug-ins and shopping cart services do not retain customer credit card details, but you need to double-check this is the case. You can then reassure your customers that you don’t store credit card details by stating it in the Privacy Policy, but if you do, you must state this in your Privacy Policy.
  • Selling contact information - If you sell email addresses, mailing addresses or telephone numbers you need to state this in your Privacy Policy. You also need to get agreement from your website visitors in order to do so. You cannot just advise your customers and sell their details without their consent.

Besides the Privacy Policy itself, you need to ensure you have a review system in place for personal information you have stored but no longer use. Ensure you arrange confidential destruction of personal information that is no longer required to operate your business.

How to create a Privacy Policy

In formulating your Privacy Policy, you need to consider your business’ privacy requirements. Different guidelines exist for different types of businesses. A good guide to a lot of these requirements may be found on the OAIC website. All items mentioned in the OAIC’s guide, in addition to the Privacy Act (1988), must be considered and included in a business’ Privacy Policy, which is why it’s advisable to have a lawyer create one or to use a customisable template from a legitimate provider. For the same reasons you shouldn’t copy another website’s Terms and Conditions, you should never copy another business’ Privacy Policy.

Apps need Privacy Policies too

Apps and App businesses are also subject to Australian privacy legislation. If you have developed an app that requires or accesses any personal information to run, then you’ll need a Privacy Policy.

With the growth of the internet and the introduction of punitive penalties with this latest legislation, more regulatory resources are being committed to ensuring online businesses meet their privacy obligations. An updated Privacy Policy on your website will reduce your chances of being caught out under these new principles and fined.

IMPORTANT DISCLAIMER: This newsletter is issued as a guide to clients and for their private information. This newsletter does not constitute advice. Clients should not act solely on the basis of the material contained in this newsletter. Items herein are general comments only and do not convey advice per se. Also, changes in legislation may occur quickly. We therefore recommend that our formal advice be sought before acting in any of these areas.