In March 2014, the Privacy Amendment (Enhancing Privacy Protection) Act 2012 came into effect and made substantial changes to Australia's existing privacy law, the Privacy Act 1988 (the Privacy Act).
If your business operates from Australia, here are the practices you need to implement and what your Privacy Policy needs to contain.
Privacy Act of Australia
The Privacy Act incorporates 13 Australian Privacy Principles (APPs) that dictate how personal information must be handled by covered organizations.
What is a covered organization as defined by the Privacy Act? In general, any company, of any size, with an annual turnover of more than AUD $3,000,000 is covered.
Such companies are subject to the Privacy Act and its regulations. A business whose turnover is below that threshold is a "small business operator" and is generally exempt, but it is still covered if it falls under one of the exceptions outlined in the Act:
- A business that discloses personal information about an individual to anyone else for a benefit, service or advantage is covered.
- A business that provides a benefit, service or advantage in order to collect other individuals' personal information is covered.
- A mobile application that does not gross more than $3,000,000/year, but requires an email address to activate an account or use the app, is not covered by the threshold alone.
However, if the app developer starts selling the email addresses the application has been collecting to advertisers, the business is now trading in personal information and the Privacy Act covers it.
- Additionally, certain kinds of organizations are covered regardless of turnover, such as health service providers, businesses contracted to provide services to the Australian Government, and so on.
Even if your business would not otherwise be covered, you can choose to opt in to the Act. A small business operator can do this to assure users that it is committed to privacy; once opted in, it must comply like any other covered entity.
Many small businesses (including general website owners and independent mobile app developers) will not be covered by the Privacy Act, but may still find some benefit in voluntarily choosing to be covered.
Whether or not you are covered by the Act, consider implementing Privacy by Design techniques to improve your privacy practices and keep to the standard the Act's Privacy Principles set.
Your Privacy Policy should be available to users regardless if your business must comply with the Privacy Act or not.
Through "Privacy by Design", you build the protection of collected personal information into your systems from the start, rather than bolting it on afterwards, so that the system itself enforces the data protection principles.
This means improving your practices at every step where you handle personal data: collection, use (including data matching, targeted advertising, and analytics), disclosure to third parties, storage, and destruction. Use what you learn from this review when drafting your legal agreement, so the Privacy Policy describes what the system actually does.
This matters. As mobile apps and Internet of Things (IoT) devices continue to grow in usage, regulation and scrutiny over data protection will also increase.
By implementing better techniques and paying attention to what personal information you collect and how you handle it, your business will be in a far better position to remain compliant.
Principles from the Privacy Act
If a business is covered by the Privacy Act and must adhere to the Australian Privacy Principles, the Act calls it an "APP entity"; this guide uses the plainer term "covered entity".
Each Principle covers a different aspect of privacy protection.
Privacy Principle 1
Principle 1 requires that entities (businesses, developers, etc.) managing any kind of collected personal information do so in an open and transparent manner.
The business must take reasonable steps to implement practices, procedures and systems that ensure its compliance with the Australian Privacy Principles.
The very first step is having a clearly expressed and up-to-date Privacy Policy.
It must contain specific information, including the kinds of personal information collected and held, how that information is collected and held, the purposes for which it is used and disclosed, how an individual may access and correct their information, how an individual may complain about a breach of a Privacy Principle and how the complaint will be handled, and whether personal information is likely to be disclosed overseas (outside Australia) and, if so, to which countries.
And it must be available free of charge and in an appropriate form, so that users can find and read it easily.
Campaign Monitor, a business based in Australia, has a clear and up-to-date Privacy Policy that informs users (clients using Campaign Monitor) about what personal information is being collected, how and why.
Privacy Principle 2
Principle 2 states that covered entities must give individuals the option of not identifying themselves, or of using a pseudonym, when dealing with the entity.
Exceptions exist: the option need not be offered where a law or court order requires the individual to be identified, or where it is impracticable for the entity to deal with an individual who has not identified themselves.
If you're developing a website or mobile app where users can create content, consider providing an anonymity or pseudonymity option, such as letting users post under a handle that is not linked publicly to their real name.
Privacy Principle 3
Principle 3 details how covered entities may collect personal information.
A covered entity must only collect personal information that is reasonably necessary for (or, for a government agency, directly related to) one or more of its functions or activities.
If the information is sensitive information (for example health information, biometric data, or information about race, religion or sexual orientation), the covered entity must obtain the individual's consent first, unless an exception applies.
Personal information may only be collected by lawful and fair means, and should be collected directly from the individual unless that is unreasonable or impracticable.
Pin Payments, based in Australia, details in their Privacy Policy that they are not selling or renting customers' personal information to marketers or third parties.
It reads:
Southern Payment Systems does not sell or rent your or your customers' personal information to marketers or third parties.
Privacy Principle 4
Principle 4 lays out how entities must deal with unsolicited personal information.
Any personal information received that was not solicited must be dealt with according to set steps.
Within a reasonable period after receiving it, the covered entity must determine whether it could have collected that information under Privacy Principle 3 had it solicited it.
If the information could not have been collected under Principle 3, the entity must destroy or de-identify it as soon as practicable, provided it is lawful and reasonable to do so.
Privacy Principle 5
Principle 5 covers notification of the collection of personal information.
At or before the time of collection (or, if that is not practicable, as soon as practicable afterwards), a covered entity must take reasonable steps to notify individuals of certain matters: who is collecting the information, the purposes of collection, who it is usually disclosed to, and how they can access and correct it or complain.
Do this through an up-to-date Privacy Policy and always make sure the links to your legal agreements are visible.
Pinterest, for example, notifies users that its Privacy Policy is being updated through a visible notification bar on its website.
Privacy Principle 6
Principle 6 governs how a covered entity may use or disclose the personal information it holds.
Personal information collected for one purpose must not be used or disclosed for another (secondary) purpose unless the individual has consented, the individual would reasonably expect it and the secondary purpose is related to the primary one, or another exception applies.
As with Privacy Principle 5, make sure your Privacy Policy is up-to-date: tell users which types of personal information collected from them are shared with third parties, and for what purpose.
Issue, from Australia, mentions in its Privacy Policy that personal information from registered users may be shared with third parties that would like to advertise to them.
It reads:
We may disclose personally identifiable information to third parties whose practices are not covered by this privacy statement (e.g., other marketers, magazine publishers, retailers, participatory databases, and non-profit organizations) that want to market products or services to you. If a Issue Network site shares personally identifiable information, it will provide you with an opportunity to opt out or block such uses either at the point of submission of your personally identifiable information or prior to any such disclosure.
Privacy Principle 7
Principle 7 states that an organization must not use or disclose personal information for the purpose of direct marketing, subject to certain exceptions (for example, where the individual would reasonably expect it and is given a simple way to opt out).
This Principle spells out the nuances of when and how personal information may be used for direct marketing.
Read it thoroughly before you use personal information for ads or targeted marketing.
Privacy Principle 8
Principle 8 covers cross-border disclosure: before a covered entity discloses personal information to a recipient outside Australia, it must take reasonable steps to ensure the overseas recipient does not breach the Principles, and in most cases the entity remains accountable under the Act for what that recipient does with the information.
Privacy Principle 9
Principle 9 restricts the adoption, use, and disclosure of government related identifiers (such as a Medicare number or driver licence number): an organization must not adopt one as its own identifier of an individual, or use or disclose it, except in limited circumstances.
Privacy Principle 10
Principle 10 concerns the quality of personal information.
Specifically, the covered entity must take reasonable steps to ensure that the personal information it collects is accurate, up to date and complete, and that the information it uses or discloses is also relevant for the purpose.
Liquid State (based in Australia) assures users in its Privacy Policy that their privacy is important to the business.
Privacy Principle 11
Principle 11 details the security obligations that covered entities must meet to remain in compliance.
Personal information must be protected, by reasonable steps, from misuse, interference and loss, and from unauthorized access, modification or disclosure.
When the personal information is no longer needed for any purpose for which it may be used or disclosed under the Principles, the entity must take reasonable steps to destroy it or to de-identify it.
Privacy Principle 12
Principle 12 states that if a covered entity holds personal information about an individual, then, on request, the entity must give the individual access to that information.
Specific exceptions are laid out, such as where giving access would pose a serious threat to someone's life, health or safety, or would unreasonably impact another person's privacy.
Privacy Principle 13
Finally, Principle 13 covers the correction of personal information.
If a user notifies the covered entity that the information it holds about them is inaccurate, out of date, incomplete, irrelevant or misleading, or the covered entity discovers this itself, then the covered entity must take reasonable steps to correct it.
If a user asks you to update their personal information (and cannot do this themselves), you must update it, or explain in writing why you refuse and how they can complain.
Breaching these 13 Privacy Principles can have consequences, such as: having to redesign the functions of your website or mobile application to better protect personal information, having to financially compensate affected users, possible civil penalties, and having to update your Privacy Policy and/or privacy practices.
Online businesses operating from Australia must be certain that they are complying with the Privacy Act.
How to comply
It's important to maintain your compliance with Australia's Privacy Act.
Here's a quick checklist that might help you:
- Delegate a person to maintain and review your privacy safeguards and keep these practices up-to-date.
That delegated person should develop and implement privacy practices and procedures that adhere to the Privacy Act and the Principles, and should make sure enquiries and complaints are dealt with in a timely fashion.
- Ensure third-party compliance: use contracts when other companies and parties handle the personal information you collect from users, and make them responsible for protecting it.
- Be open and transparent. Your Privacy Policy should tell users what your website/mobile app collects and what it does with their personal information.
- The Privacy Policy should be easy for users to find.
- Meaningful consent should be obtained at the appropriate time and in an acceptable manner.
- Have a way to deal with the small-screen challenge if your business also operates a mobile app (iOS, Android, Windows): a long policy that is unreadable on a phone does not inform anyone.
- Provide notice and get consent at the point of download, in the case of apps.
If you've published your mobile app in an app store, such as the Apple App Store or Google Play, make sure you link to your Privacy Policy from the store listing.
- Explain to users how their personal information is handled and used at several points in your website/mobile app, so that their consent is meaningful.
- Only collect what's actually needed for your website/mobile app to operate.
- Don't mine for data or collect information that might be useful at some future point but isn't needed now.
- Allow users to opt out of having their personal information collected, where possible.
- Secure the information you get from users.
- Delete or de-identify data when it's no longer needed for its purpose.
- Establish appropriate safeguards (access controls, logging, retention limits) that will protect the collected personal information.
- Use encryption when storing or transferring any personal data.
As mentioned under Privacy Principle 1, if a business is covered by the Privacy Act then it must have an acceptable Privacy Policy.
Don't copy the words of the Principles from the Act; have a Privacy Policy that is specific to your business and describes what it actually does.
But what is personal information as defined by the Privacy Act?
By law, it's any information or opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether it is recorded in a material form or not.
Examples:
- a person's name
- signature
- address
- phone number
- medical records
- employment information
- bank account information
- IP addresses, where they can reasonably be linked to an individual
- etc.
Mobile applications also provide another list of examples:
- photographs
- unique identifiers
- contact lists
- location information (geolocation)
- facial or voice recognition data
- other biometric data
Any of these could be used to reasonably identify a person, on its own or in combination with other information you hold.
Drafting a good Privacy Policy can be viewed in 3 stages, regardless of whether it's for a website, mobile app, desktop app or anything else.
- First stage: Collection of information.
In your agreement, you should detail the following: what personal information you collect, how you collect it, the purposes for which you hold and use it, and whether it is disclosed to parties outside Australia.
This information is key to fulfilling certain Australian Privacy Principles such as #1, #12 and #13.
- Second stage: What's important to a user.
Your Privacy Policy should also focus on areas of personal information that users might be concerned about, may be unaware of, or wouldn't reasonably expect.
Include descriptions of how the information is disclosed and whether it's disclosed overseas (outside Australia.)
Also include a section on each individual's rights, particularly how individuals may access or correct their personal information and how they can make complaints or ask questions.
Consider these tips as well:
- The page where your agreement is posted should include headings so that users can find information more easily.
- Consider how your audience will access the page.
If your users are more likely to view the agreement on a mobile device, give them ways to download your Privacy Policy, have it emailed to them, or navigate through a privacy section dashboard.
Apple, for example, gives users the option to receive Apple's Privacy Policy via email.
- Only information related to personal information should be included in a Privacy Policy.
Agreements not related to personal information should have their own separate pages, e.g. Terms and Conditions, Cookies Policy.
- Third stage: Make your Privacy Policy available.
You're required to make this agreement freely available and in an appropriate form (such as within the mobile application itself.)
You must also take reasonable steps to provide it in the particular form a person requests, so if your website or mobile app has users with disabilities, take accessibility into account.
The agreement should be reviewed regularly and updated to match the nature of your business as your business model evolves.
Examples of Australia Privacy Policy
The Privacy Act 1988 and its 13 Privacy Principles may seem complicated to stay compliant with, but by making sure your business follows each of the Principles in practice, and by creating a Privacy Policy that tells users how your business handles their personal information, you cover the bulk of what the Act asks for.
Here are a few examples of different Australian business websites and their Privacy Policies that demonstrate how the website and the business practices address the Privacy Act 1988.
KPMG
The Privacy Policy of KPMG states in its very first sentence that KPMG is committed to treating the personal information it collects in accordance with the Privacy Principles and the Privacy Act 1988.
This is a very common way for businesses in Australia to open their Privacy Policies: it tells the reader up front that the business is subject to, and complies with, the Privacy Act and the 13 Principles.
Energy Australia Privacy Policy
The Privacy Policy of Energy Australia has as its second sentence a notice that the company is committed to respecting privacy and protecting personal information in accordance with the Privacy Act 1988.
This embodies the idea behind the Privacy Act and the Principles: personal information may only be collected in certain ways and must then be stored and protected to a high standard.
Computershare Australia
The Computershare Australia website has nine different Privacy Policies that cover a range of different areas of the company.
Its Australian Web Privacy Policy page is where Australian law is referenced and addressed.
Computershare states that they are "required to comply with the Australian Privacy Principles contained in the Privacy Act 1988." This is different from the way that the previous two examples phrased this in that it explicitly mentions that the business is "required to comply" with the Act.
National Diabetes Service Scheme of Australia
The National Diabetes Services Scheme of Australia takes an approach with its introduction that sits somewhere between the previous examples.
NDSS states in the first sentence of its Privacy Policy page that "Diabetes Australia is covered by the Privacy Act 1988." The second paragraph of the introduction defines for readers what "personal information" is, which is very helpful.
Many Privacy Policy agreements include a navigable table of contents or list of sections so users can click on a specific section and be taken directly there. This also lets users scan the headings to see what topics are covered.
Dividing this kind of legal agreement into sections that match up with the requirements of the 13 Privacy Principles is an easy way to organize it and to check that nothing required has been left out.
KPMG's Privacy Policy, mentioned above, has a navigable list of sections at the top, and many of the sections match up with individual Principles.
Computershare Australia takes the approach of combining multiple sections into one. Their first section after the introduction - Information Collection, Use and Disclosure - deals with all three topics. Users can find information here on what information is collected, how this information is used, and in what circumstances and how this information is disclosed to third parties.
Both approaches work fine, so long as the required information is there for users to access.
The NDSS website takes a third approach and divides each topic up into smaller sections. There's a separate section for Security of your information, Use of your information, and Disclosure of your information. This breakdown of topics makes it easy for a user to find a specific section and information quickly and easily.
As you've noticed, paragraphs are a common way to construct a Privacy Policy. However, don't disregard the effectiveness of concise bullet points for conveying information.
Penguin Australia
The Privacy Policy of Penguin Australia uses bullet points to list the information required by the Privacy Act and the Principles, including how personal information is used and how it is disclosed.
As long as your Privacy Policy touches on all of the required components of the Privacy Act 1988 and the 13 Privacy Principles, the format isn't so important. Focus on readability and accessibility.
Energy Australia puts its main privacy points into question-and-answer format and makes sure to cover all the bases of compliance, including how a user can access and correct personal information.
There's flexibility in the format of your legal pages.
However, if you're required to have a Privacy Policy under the Privacy Act 1988 and must comply with the 13 Privacy Principles, there is certain information you must include in it.
Make sure your Privacy Policy addresses all of the points you must convey to your users and is a clear and accurate reflection of the way you collect, store, handle, protect, use and disclose their personal information.