What are my privacy policy obligations as a business owner in Australia?

Following the major data breach at Optus in October 2022, as well as the rise in scams and cyber-attacks against businesses, it is now more important than ever to understand exactly how businesses are required to handle your personal information. It is equally important to understand how you, as a business, are obligated under Australian law to protect your consumers’ personal information if it is something you regularly acquire in the course of business.

Read about how the Optus Data Breach of 2022 happened. The penalties against Optus were severe, and the cost of maintaining adequate data security would have been far less than the monetary penalties and reputational damage that followed.

Under the current circumstances, it is crucial to consider the importance of a privacy policy, and whether you, as a business, might need one.

The Privacy Act 1988 (Privacy Act) sets out the regulations imposed on businesses concerning the way an individual’s personal information is stored and shared. Therefore, your business must meet the obligation of having a privacy policy in place. A privacy policy is simply a statement that outlines exactly how an organisation or business handles your personal information.

Rights of Individuals Under the Privacy Act

The rights of individuals under the Privacy Act are outlined by the Office of the Australian Information Commissioner (OAIC), the national regulator for privacy and freedom of information.

These rights include the right to:
– know why your personal information is being collected, how it will be used and who it will be disclosed to;
– have the option of not identifying yourself or of using a pseudonym in certain circumstances;
– ask for access to your personal information (including your health information);
– stop receiving unwanted direct marketing;
– ask for your personal information that is incorrect to be corrected; and
– make a complaint about an organisation or agency the Privacy Act covers, if you think they have mishandled your personal information.


Does My Business Need a Privacy Policy?

Businesses with an annual turnover of 3 million dollars must have a privacy policy. Additionally, certain small businesses and other organisations are required to have a privacy policy and have responsibilities under the Privacy Act if they collect and store personal or sensitive information about individuals. Other organisations may include an individual (including sole traders), a body corporate, a partnership or a trust.

The Privacy Act also covers specified persons handling certain information. This information may include but is not limited to:
– Tax file numbers;
– Consumer credit reporting information;
– Personal information contained on the Personal Property Securities Register;
– Sensitive information.

Australian Privacy Principles

In accordance with the Privacy Act, the Office of the Australian Information Commissioner may set out guidelines to help businesses avoid ‘acts or practices that may or might be interferences with the privacy of individuals, or which may otherwise have any adverse effects on the privacy of individuals’. These guidelines are referred to as the Australian Privacy Principles (APPs). Bodies covered by the APPs are referred to as APP entities, which include agencies and organisations (defined above).

The 13 APPs, set out by the Office of the Australian Information Commissioner, concern:
– The collection, use and disclosure of personal information;
– An organisation or agency’s governance and accountability;
– Integrity and correction of personal information; and
– The rights of individuals to access their personal information.

What goes into a Privacy Policy?

The APPs also require that a ‘collection statement’ be provided to an individual when a business collects their personal information. This statement outlines the information a business will collect, what the information will be used for and whom it will be shared with. The collection of personal information is referred to as a ‘collection event’. A collection statement must be provided to an individual before, during or shortly after a collection event, and a copy of the business’s privacy policy should be provided upon request.

Therefore, as a matter of best practice, an entity that collects any information about individuals should have a privacy policy, as any entity can be the victim of unauthorised access by a third party.

Consequences of Not Having a Privacy Policy

If you or your entity engages in business without a privacy policy or adequate protections in place and you are subject to a breach, you will potentially be exposed to extremely serious civil penalties.

Individuals who are found to have contravened the APPs may face fines of up to $340,000 per breach, while businesses and corporations may be fined up to 2.22 million dollars per breach (including for serious or repeated breaches of privacy). The maximum penalty amount varies depending on whether the entity is subject to penalty provisions for breaches under the Health Records Act 2001, the My Health Records Act 2012 or the Competition and Consumer Act 2010. Regardless, it is vital that you consider whether your business needs to implement a privacy policy and, if so, ensure that it is done right.

Benefits of Having a Privacy Policy

Having a modern and up-to-date privacy policy shows individuals and the public engaging with your business (or who may wish to engage with your business) that you have the right procedures in place to handle their personal and sensitive information with care. This is a significant factor in improving the credibility and reputation of your business.

Who Should I Contact For Assistance With Privacy Policies?

At Lord Commercial Lawyers, we have the skill and expertise to walk you through all elements of privacy policies. For information on privacy policies, including whether you are required to have one, help drafting one or assistance if you believe your personal information has been unlawfully handled, please contact Patrick Iafrate at patrick.iafrate@lordlaw.com.au or phone (03) 9600 0162.

About us

Lord Commercial Lawyers is a commercial and business-focused law firm based in the Melbourne CBD. We work with businesses and individuals to help them achieve their legal and commercial goals.

For further information about privacy policies please visit our page on Intellectual Property.

By Andrew Lord

Andrew heads Lord Commercial Lawyers as Director and has been in the Legal Industry for over 40 years.

Updated on May 17, 2024
