If your business is registered in Australia or you plan to expand your website or app to the Australian market, you must comply with the Privacy Act of 1988.

Even the possibility of doing business in Australia requires that you are familiar with this act. If your e-commerce store offers international shipping, including to Australia, implementing the privacy guidelines from this act will prove helpful.

This review discusses the original act and the 2014 updates. Here's how you can comply with the privacy principles of this act and protect your company from liability and customer mistrust.

Evolution of the Privacy Act

The Privacy Act was originally enacted in 1988 due to concerns about the availability of records to unauthorized individuals. It underwent changes in 2000 and 2014 with the latest changes addressing privacy concerns in online transactions.

This is how the act evolved.

Original 1988 version

The original version of the Privacy Act was limited to state agencies or companies that contracted with government offices. It expanded to include private companies in 2000, and its principles applied to them regardless of whether they held government contracts.

The Privacy Act defines personal information as facts or opinions about an individual that make the identity of that individual apparent or reasonably ascertainable.

Generally, this would include names, addresses, numerical identifiers, birth dates, bank account details, telephone numbers, email addresses, and even rumors or gossip about a person's private life.

Ethnic identity, sexual orientation, gender, trade information, education, and other personal facts are considered sensitive information that falls under similar protection.

The 1988 version of the Privacy Act was the beginning of enacting privacy principles. Before it, there was no guarantee of privacy in Australia.

Called the "Information Privacy Principles" or IPPs, these were 11 guidelines for handling information. They addressed the following topics:

  • Manner and purpose of collecting personal information;
  • Solicitation for personal information from the individual concerned;
  • Solicitation for personal information generally;
  • Storage and security of personal information;
  • Information regarding records;
  • Access to records;
  • Altering records;
  • Record keeper duties to check accuracy of information before use;
  • Relevant purposes for personal information;
  • Limits on using personal information; and
  • Limits on personal information disclosure.

In 1988, the focus was on paper records, since there were no cloud drives or massive data exchanges that year as there are now. Needless to say, the digital revolution required privacy reforms.

2014 updates

The first change in these updates concerned covered organizations. While the updates in 2000 changed the law so it applied to private companies, the latest developments expanded that net further.

Covered entities now include any company of any size that meets the AUD $3M gross income threshold.

Companies may fall under the duties of the Act even if they do not meet the revenue standard. These exceptions include:

  • Personal information disclosed for benefit, service or advantage.
  • Personal information collected in order to provide a benefit, service or advantage.
  • Mobile applications that require an email address for account activation.
  • Special organizations, like health care providers, who handle a large amount of sensitive data.

The other change to the law expanded the 11 IPPs to 13 Australian Privacy Principles, or APPs. These prove handy for guiding your entity to compliance. While the 13 new principles are similar to the original 11, they do a better job of taking the digital age into account.

The Australian Privacy Principles

If your business or organization has implemented a Privacy by Design approach, you are already ahead in meeting these 13 principles.

However, if you are still considering making internal changes compatible with Privacy by Design, carefully review these principles if any part of your business occurs in Australia.

1 - Be open and transparent

You are required to be open and transparent with your users about the information you collect and how you use it. Explain clearly how you collect information, the purpose of collection, how you use it, how your users can correct any information, and any possible overseas disclosures.

Stating these terms in a Privacy Policy will likely meet your requirements.

However, entities that handle immense amounts of personal information often also offer a privacy FAQ.

St. George Bank no doubt handles personal information as it is one of the largest banks in Australia. If you visit its page on privacy, it lays out all these terms very clearly in an easy-to-read FAQ format:

St George Bank Privacy Policy FAQ Table of Contents

When you click on the question on kinds of information they collect and hold, you find a very clear answer using layperson terms:

St George Bank Privacy Policy FAQ Expanded

However, while the FAQ is put together well and contains all the terms, the actual long-form Privacy Policy is also available as an HTML page.

It starts out plainly stating that it is bound by the Privacy Act of 1988:

St George Bank Privacy Policy bound to Privacy Act of 1988

Its section in the Privacy Policy is also very clear to any user who reads it:

St George Bank Privacy Policy: What kinds of personal information

St. George meets the open and transparent requirement with its clear communication. The Privacy Policy is clear and the FAQ expands on that information. Any user who visits the St. George page knows exactly what to expect.

2 - Provide an anonymous or pseudo-anonymous option

Individuals may wish to use a service under an alias or anonymous identity.

As an online service (website or mobile app), you are required to provide this option unless it is impractical for you.

Obviously, a banking or insurance service cannot cater to anonymous or pseudo-anonymous identities. For other services, this is less essential.

While it does not appear any of them are based in Australia or actively pursuing business there, anonymous social media apps are popular. Users can post rants with unpopular opinions, share lustful fantasies, and even discuss their deepest secrets.

If you are looking at developing one of these apps, you may want personal information for targeted marketing or account maintenance. However, it is not necessarily impractical to bypass collecting it. In these cases, you likely want to provide the option for a user to remain anonymous or use a pseudonym.

3 - Know how to handle personal information

This principle addresses the collection and sharing of information. While you may have already been open and transparent about your policies, this addresses what you're allowed to do as opposed to how you communicate it.

If you have the consent of the user to collect personal or sensitive information, that collection is always authorized. That is why, if you are in doubt about whether you can collect information, you should attempt to secure consent first.

Path iOS app: Turn on Location Services

However, there are circumstances where you can collect information automatically.

First, be aware that you can only solicit information that's necessary for the transaction.

For example, asking a user about sexual orientation is not relevant when you are securing car insurance for them. However, date of birth, name, where they live, and the types of cars they own are necessary information for an insurance policy.

Second, the transparency requirement in the first principle also applies to this one.

IAG, Ltd is a large insurance company in Australia that sells its policies online as well as in its branch offices. In its Privacy Policy page, it lists the following methods of collecting personal information directly:

IAG Privacy Policy: How we collect information

It also includes any information collected from third parties, including their identities:

IAG Privacy policy: Entities with whom we share information

This becomes necessary since insurance companies frequently have to confirm information given to them. However, because this is explained to users before they get involved with IAG, they once again know what to expect when their personal information is handled.

4 - Design an unsolicited personal information policy

Sometimes, a security breach or user error results in personal information you do not need being disclosed to you. You did not ask for it or solicit it, but there are still responsibilities when you face this outcome. That is why you need an in-house process that deals with unsolicited personal information.

Your first step is to determine if receiving the information was appropriate under Australian Privacy Principle 3. If that is the case, you can retain it.

However, if it is not appropriate for you to keep this information, then determine if it could be found in a Commonwealth record. Arrest records and pending civil lawsuits, for example, are public records, so you could conceivably find those facts in them if you looked. That would also be a lawful collection under Australian Privacy Principle 3.

If the information does not fall under either of these considerations, then you need to destroy it or unlink the individual's identity from it. You will not be permitted to retain it.

5 - Keep users informed

Under this principle, you must take reasonable steps to notify users of certain matters. These include:

  • Your company identity and contact details
  • Any changes to information collection methods
  • Legal changes that affect your information collection methods
  • Changes in the purposes of information collection
  • New information needed for your service and how it affects the functioning of new features
  • Changes to your disclosures
  • Privacy Policy updates

As expected, this mainly affects you when you change your Privacy Policy or when a new feature in your service requires additional personal information. These notifications must be reasonable, meaning they can be email updates or pop-up updates on your websites.

Twitter used a banner notification when it changed its Privacy Policy. While this was primarily aimed at a U.S. audience, this would meet the Australian requirements:

Twitter Privacy Policy page: Changes to this policy

This email notification from Medium would also satisfy Australian Privacy Principle 5:

Medium Legal Team email: Changes to Terms of Service and Privacy Policy

If you have already implemented these practices for your Privacy Policy, you are already prepared to meet this requirement.

6 - Address how to use or disclose personal information

The act allows for the disclosure and use of personal information if that will satisfy the primary purpose for its collection.

You are not allowed to disclose or use information for curiosity's sake or for other purposes not connected to your business goals.

If there is a secondary purpose for use or disclosure, you must meet one of the exceptions. Most are connected to civil lawsuits or criminal activity and since you will normally receive a court order in these instances, you will likely understand your need to disclose.

In other cases, you need the consent of the user or at least to set up a reasonable expectation that their information would be disclosed in this manner. Health situations, like sharing records between doctors, would be an example of the latter.

St. George, the bank discussed earlier, explains this clearly in its Privacy Policy. It also notes that it only shares with other entities that must also comply with the Privacy Act:

St George Bank Privacy Policy: Who do we disclose information to

Notice that the policy also mentions secondary purposes, such as disclosure for public duty or law enforcement reasons. Not only is this a transparent policy within the Privacy Policy, but it also sets a reasonable expectation for any user who signs up for online services with St. George.

7 - Do not disclose for direct marketing purposes

Disclosure of information for direct marketing is generally not allowed. You can do so if you have consent through an opt-in procedure. However, you also need to offer users a choice to opt out.

Lowes Menswear discusses direct marketing in its Privacy Policy page. It brings up direct marketing when it discusses disclosure of personal information:

Lowes Menswear Privacy Policy: Direct Marketing reference

Notice that while it is clear that data will be disclosed, it also provides the opt-out procedure. A user can also email them and request removal from these lists. Under Australian Privacy Principle 7, Lowes must comply with that request in a timely manner.

8 - Follow principles always, even when dealing outside Australia

Overseas disclosures become tricky because the Privacy Act no longer applies. While other countries have their own privacy laws, many Australian citizens will not be reassured by them. Therefore, you must follow the principles even as you disclose information to your overseas partners.

Part of this also includes informing users that this could happen. This does not have to be a particularly long part of the Privacy Policy.

Officeworks contains this short paragraph in its Privacy Policy page and includes the countries of its partners:

Officeworks Privacy Policy: Transfer of information overseas

Lowes Menswear also takes this step but does not name particular partner countries:

Lowes Menswear Privacy Policy: Disclosure of information overseas

Be aware that if you disclose information overseas, your company will be responsible for any privacy breaches by your partner company.

You want to choose your foreign partners and vendors very carefully if you plan to disclose user personal information to them.

9 - Restrict the use of government identifiers

This is not an Australian Privacy Principle that will come up frequently.

Australian Privacy Principle 9 restricts the use of government identifiers, meaning a number, letter, symbol or any combination of these that identifies an individual. These are assigned by an agency, a state or territorial authority, or a contracted service provider of an agency or authority.

Since users are unlikely to be aware of or disclose these to you, there is only a small chance you will come across this situation.

10 - Keep personal information up to date

Since personal information can include opinions, it is important that you keep it updated and, if notified of errors, correct it. You should take precautions to collect only accurate information in the first place, but also take the additional step of allowing users to correct their personal information.

IAG mentions in its Privacy Policy that it strives to collect accurate information but also depends on customers to keep it updated. It also reassures them that it will update information when corrected:

IAG Privacy Policy: Keeping information accurate

Officeworks takes a more detailed approach. It offers contact information for users who want to view the personal information they hold as well as make corrections:

Officeworks Privacy Policy: Access and Correction to personal information

If you make decisions based on inaccurate information, you can face liability. You want to ensure accuracy when it is within your control but also make corrections quickly when you are notified of errors.

11 - Maintain security precautions

The Privacy by Design trend plays an important role in this Australian Privacy Principle. Not only do you need clear policies regarding personal information, but you must also take precautions with it.

Privacy by Design dictates that you consider privacy at the beginning of development and remain aware of it as you provide your product or service. Australian Privacy Principle 11 advances that mindset indirectly by requiring that you take steps to protect data from interference, loss, and misuse.

Authentication, meaning a login screen with a username and password, is one way to control access. If you are dealing with very sensitive information, like providing banking notices to customers, you may wish to use encryption.

In most cases, providing a login and authentication is sufficient.

You can find these methods employed frequently by banks and retail outlets. Lowes Menswear, for example, has a quick login for frequent customers who wish to keep their information protected:

Lowes Menswear: Customer login

12 - Allow individuals access to their own information

Unless you have a compelling reason, you must allow users to access their own personal information.

The only exceptions to this rule include government secrets and protected documents. Since, as a website or app, you are unlikely to trade in this type of information, you can assume that requests submitted by users to see their own personal data are valid.

13 - Maintain a process for correcting personal information

This is similar to Australian Privacy Principle 10, which requires that the personal information you collect on users is accurate and up to date.

Australian Privacy Principle 13 takes this idea one step further and requires that you have a process for fixing errors when you are notified of them or discover them.

As shown in the examples under Australian Privacy Principle 10, Privacy Policies promise users accurate accounts and immediate correction when errors are discovered. You will need an in-house process for addressing these situations, especially when the error involves an opinion about another person.

Also, if you do business with other companies that must comply with the Privacy Act, you will need to inform them of the changes in the information. Not only must you keep your own records accurate, but any third parties that have access to the information must also be informed of the changes.

Here's how Twitter notified its users of changes to the Terms of Service and Privacy Policy after the Privacy Shield updates:

Twitter Email Notice in Sep 2016 on Terms Service/Privacy Policy updates

Privacy Act of 1988 compliance best practices

The Australian Privacy Principles listed above create a checklist for your privacy protection procedures.

In addition to following them, there are best practices to follow as you navigate the Privacy Act of 1988 and ensure your company's compliance with it.

Assess what you actually need

When you collect more personal information than necessary to run your website or app, you expose yourself to unnecessary liability. This follows from the simple formula that the more private information you collect, the more difficult it is to keep it safe.

That is why, when you design the app, you need to realistically assess what is needed for it to operate. The same is true for an e-commerce site or any other online service.

When you add features or upgrade, reassess the need for information.

If you require more data from users, you will need to update your agreements and policies. However, if your changes lead you to require less information, that will only make it easier to keep your business practices compliant.

Use layperson terms

When the personal information you collect or the service you provide deals with sensitive issues, consider posting a privacy FAQ in addition to your Privacy Policy. Also, write these documents in layperson terms and avoid legal vernacular.

Facebook, while a US-based company, does a good job at this in its Data Policy page:

Screenshot from Facebook Data Policy FAQ

St. George, the bank used as an example, does this very well. Its pages are easy to navigate and the language is clear. Any customer could visit this page and find answers to their questions. If they could not find an answer, contact information is easily accessible too.

Taking a similar approach helps with transparency by making your policies regarding collection, creation, retention, and disclosure of personal data very clear.

Ask for consent

Consent overrules many restrictions under the Privacy Act and the Privacy Principles.

If you feel a disclosure is necessary or wish to pursue a unique marketing campaign that uses personal information, ask the customer first.

While most of these efforts are covered by the principles, the area of Internet marketing is changing quickly with new options. That can make it difficult to determine whether a new practice is appropriate under the law. In those cases, ask first with a new opt-in/opt-out request.

iOS Notification On Allow Current Location

Set up in-house information assessment systems

Your company will have to assess information constantly. As mentioned, you will need to determine whether you are collecting just enough to provide your service. In addition, you also have to monitor it for accuracy and make corrections when errors come to your attention.

The best way to manage this system is to limit it to one department or employee whose main job is assessing information.

You always need to be aware of when your information needs change and keep up with those developments. That will help you remain compliant.

Be careful of your business partners

If you need to disclose personal information to third parties, only partner with those who are also held to the Privacy Act. When you reach out overseas, find companies that operate in jurisdictions with privacy laws.

The U.S., Canada, the U.K., and E.U. members are safe bets. If you have a new partner in an unfamiliar location, have your legal department assess the privacy laws first.

Display contact information prominently

Whether it is questions about your information practices or requests for corrections, you need to be accessible to your users.

Create separate email addresses if needed, but provide a way for people to get hold of you when they have questions.

Here's how the Bureau of Meteorology displays its contact information on its Privacy Notice page:

Bureau of Meteorology Privacy Notice: Contact Information

While many companies state that they are willing to assist users with questions, they do not always provide clear contact information. Support better goodwill and compliance by keeping contact information visible.

Perform data security audits

Checking your data protection measures frequently helps users trust you and keeps you in compliance with the principles. If you have specialists in this area, you can perform these audits in-house. However, it is often recommended that you hire an IT security consultant, since an outside reviewer can find shortcomings that you might miss.

The Privacy Act provides a good checklist with its principles. If you follow them and apply these general good practices, you are likely to stay in compliance with the Privacy Act and reassure users that their personal data is safe with you.
