Privacy Policy: Collecting and Managing Personal Information

As a business owner, how many times a day do people give you their personal information? Do you think about protecting it, or do you just assume that the systems you have in place will do that? 

Or maybe you don’t think about it at all. 

Does a small business need a privacy policy?

You must comply with Australian privacy laws unless you run a small business with $3 million or less annual turnover. However, you will still be bound by privacy law if, as a small business, you do any one of the following:

  • are a credit reporting body (e.g. Equifax, Illion) or
  • are a contracted service provider under a contract with the federal government; or
  • provide a health service or otherwise hold health information (e.g. health practitioners, life coaches, personal trainers, childcare centres); or
  • collect or disclose personal information for a benefit, service or advantage (e.g. operating a lead generation website where you sell the leads).

If you have any customers or suppliers overseas and you collect their personal information, you may now also have to comply with what are called ‘extra-territorial’ provisions of laws from overseas. For example, if you have customers in the European Union, you are required to comply with the General Data Protection Regulation (GDPR), regardless of the size of business. If you have a medium enterprise with customers in California, you now must consider the California Consumer Privacy Act (CCPA).

Some other countries with privacy laws that have an extraterritorial scope include New Zealand, Brazil, Thailand, the Philippines, and Canada.


From a practical perspective, can not having a privacy policy really make a difference?

Apart from the legal obligations, there are practical consequences of not having a privacy policy too.

If you want to advertise on social media, or through Google Ads or other platforms, you are required to provide a link to a privacy policy before your advertising can go live.

A lot of international service providers include in their terms and conditions that you must comply with privacy laws to use their services, and they have the right to end your ability to use their services if you don’t.

For example, if you use PayPal you agree with the following terms of the PayPal User Agreement:

“You must comply with all your obligations under applicable Australian consumer law, including as a seller by publishing a refunds and returns policy as well as a privacy policy, where required by law.

… you must not: Infringe PayPal’s or any third party’s copyright, patent, trademark, trade secret or other intellectual property rights, or rights of publicity or privacy.

…To the extent that you (as a seller) process any personal data about a PayPal customer pursuant to this agreement, you agree to comply with the requirements of any applicable data protection laws. You have your own, independently determined privacy policy, notices and procedures for any such personal data that you hold as a data controller, including a record of your activities related to processing of personal data under this agreement.”

What difference would it make to your business if you couldn’t process payments through PayPal?


So, what is the point of a privacy policy?

One of your many obligations under Australian privacy laws is that every time you collect personal information from an individual, that person must be able to find out why you are collecting it, and what you are going to do with it.

Posting a privacy policy that you understand and know you can apply, on your website where it is easy to access, is by far the easiest way to share with people what you are doing with their personal information.


So, what is personal information?

Under the Privacy Act 1988, personal information means any information or opinion about an identified individual, or an individual who is reasonably identifiable:

  • whether the information or opinion is true or not; and
  • whether the information or opinion is recorded in a material form or not.

And what does that really mean?

Well, for a start, it doesn’t cover information about people who have died, which is interesting considering the legacy profiles some social media platforms are now making available for the families of the deceased, but that is not the topic for today.

It does cover information you collect about your employees and contractors. Many businesses only think about customer information and forget that you also have to protect the privacy of employees, contractors and suppliers.

But what about a practical example:

Imagine a gym where someone is leaving and their trainer turns to another trainer and says something like “She’s never going to lose weight, you should see her mum, she just has fat genes”.

The comment is verbal, it’s an opinion, it refers to a person who can be identified visually, and whose name and other details could be found by looking at the trainer’s schedule. That makes it personal information.

Is there a risk of violating privacy law – Yes. Is it likely to be a big risk to your business? – No. Why not? – Because it probably wasn’t recorded and is therefore difficult to prove, but if another patron overheard it, or the trainer repeated it to someone else, it does start a chain of infringement.

Imagine the same gym has a list of all their trainers with their phone numbers on a clipboard, and that clipboard gets left on the front reception desk, where anyone coming in could take a quick photo with their phone.

Is there a risk of violating privacy law – Yes. Is it likely to be a big risk to your business? – Possibly. Why? – Because once that information is recorded in a different form, like a photo, your business has disclosed personal information without permission.

Can you see why it is important to understand what you are doing in the process of collecting personal information?


When are you ‘collecting’ personal information?

You collect personal information in your business all of the time.

Any time you confirm someone’s name over the phone, whether or not you write it down. Every time someone fills in a contact form on your website. Every time you add someone’s details to a database. Every time you prepare a proposal for someone or take payment details. Every testimonial. These are all examples of collecting personal information.

This is a broad concept.

It includes getting personal information from any source and by any means, such as the people themselves, social media profiles, other businesses, or even surveillance cameras. In practice, all personal information that you hold will generally be considered information that was collected by you.

Bear in mind that if you generate personal information from some other data you hold, collection may also take place. For example, if you generate a sub-set of information from your database for promotional purposes, you’re effectively collecting that information again. And the practical consequence? – Your privacy policy and procedures should be broad enough to include that kind of activity in what you do with personal information.

How should you manage personal information?

This is where a lot of people get lost and think that having a privacy policy by itself is a cure for all ills. It isn’t.

You are required to manage the personal information you collect in an open and transparent way. What this means is that you must take reasonable steps to establish and maintain internal practices, procedures and systems for your business to ensure its compliance with privacy laws.

Do you have any sort of privacy checklist for small business to help your team navigate what they can and can’t do with personal information? If not, that is a good place to start. What is considered as reasonable would depend on your business.

Think about what type of personal information your business holds, how much information you collect, how your customers might be affected if their personal information was not handled properly, the size of your business, and the time and cost involved in implementing appropriate procedures.

What you are required to do in Australia is comply with privacy law to a degree that is commercially proportionate to your business. So, if you run an online marketing agency with a team of four people, your procedures are not likely to be as complex as a business supplying services to the defence force.

Here are some examples of what you could consider implementing:

  • understand what privacy obligations you have as a business;
  • work out when you collect personal information, and why (avoid collecting more than you need for your business);
  • work out what you will do if someone wants to be anonymous, and if you can still deliver products or services if you allow that;
  • work out where you store personal information, and how you use it (do you use a commercial database, or Excel, or your phone contacts list?);
  • work out if you share personal information (e.g. with a distributor or courier service);
  • decide whether the systems and procedures you use in your business protect personal information, or put it at risk of being disclosed, lost or stolen (e.g. leaving a mobile phone in an Uber);
  • check that you have faith in the online systems you use and that there is limited risk of unintentional access by someone outside your business (e.g. information on a whiteboard visible when you are on Zoom, unintentional disclosure of a Google form);
  • work out what you will do if you get a complaint from a customer about the use of their personal information;
  • work out what you will do if someone asks you for a copy of their personal information, or a change to that personal information (e.g. change of name or address);
  • include privacy training as part of your induction process for new staff; and
  • annually review and audit your business’s privacy practices, procedures and systems.


How do you write an effective privacy policy?

Your next step then is to write a clear and up-to-date Privacy Policy about how your business manages personal information, or get us to prepare it for you. At a minimum, it must contain the following:

  • the type of personal information that you collect and store (e.g. contact details, educational qualifications);
  • how you collect and securely store personal information (e.g. collect directly from your customer and their public social media accounts, then add to a CRM);
  • the purpose for collecting, keeping, using and disclosing personal information;
  • how your customers can access and correct any of their personal information, and who to contact in your business;
  • how your customers can make a complaint about a breach of privacy laws, and what happens when they do; and
  • whether you are likely to disclose personal information to overseas recipients, and if yes, the likely countries.

Your Privacy Policy will be more comprehensive depending on the complexity of your business and should be tailored to match your internal systems and procedures. A well-written, easy-to-understand Privacy Policy can add to your credibility and help build rapport with your customers.

If your Privacy Policy is made available online, you can provide a condensed version to outline key information, but a direct link to the full policy must be provided.


What if you get it wrong?

Privacy law is regulated by the Office of the Australian Information Commissioner (OAIC). The Commissioner can require your business to put in place systems, procedures or training, pay compensation, or apply to the court for fines to be made against your business.

Compensation is usually ordered where information has been disclosed, or where a person has requested access to their information, and it hasn’t been provided in a timely manner.


Protect your customers and your business

Having the right systems and procedures in place with a clear and comprehensive Privacy Policy is your opportunity to reassure your customers that you can be trusted, that you are aware of and care about their privacy and information security. In doing so, you are not only complying with your legal obligations but are also working towards building a reputable business.

Mandatory Data Breach Notification Laws Australia – FAQs

Do mandatory data breach notifications apply to you?


If you are in Australia and collect personal information from clients, customers, suppliers, partners or anyone else for that matter, then maybe they do. But from a compliance perspective, these laws don’t affect you unless you are already required to comply with Australian privacy law. Which means you must comply if:

  • you operate a public, private or not for profit organisation with more than $3m turnover per year
  • you are a health service provider (not just doctors, this can include gyms, childcare centres, life coaches and schools), regardless of turnover
  • you are part of a federal government agency
  • you are part of a credit reporting agency
  • your business buys or sells personal information

What are mandatory data breach notifications about?

Data breach falls within Australian privacy laws and is all about cyber security.

The objective of the new law is to give individuals (those who care) confidence that their privacy is being protected. The laws apply regardless of technology, and encourage transparency and accountability.

What does it mean if you have an eligible data breach?

Mandatory data breach notifications only relate to personal information. Personal information is defined in the Privacy Act as:

Personal information is –

information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  • whether the information or opinion is true or not; and
  • whether the information or opinion is recorded in a material form or not.

So if your business is hacked and you lose commercial information, that is irrelevant to this law.

The key components of a data breach are:

  • it involves personal information
  • it does not have to be bulk data, personal information about one person may be enough
  • the data has been accessed or disclosed
  • the data has been lost in circumstances where it is likely to be accessed or disclosed (like when NASA employees left a laptop containing access codes to the space station in a cab…)
  • there is a likely risk of serious harm to the people who have had their personal information accessed, disclosed or lost

What does ‘Serious Harm’ mean for a data breach?

Serious harm is a broad concept including physical, psychological, emotional, economic, financial or reputational harm (like when Ashley Madison got hacked and all those people cheating on their partners risked being exposed…)

What constitutes serious harm is likely to be different for each organisation and is probably associated with the reason why the data was collected. Customers of a financial institution might risk economic loss, and customers of a medical clinic might risk psychological, emotional or reputational damage.

Think about what is important to your customers, or the people whose personal information and data you collect.

What should you have in place to handle mandatory data breach notifications?

Not surprisingly, a large proportion of small businesses have ad hoc systems in place and no real understanding of what they collect, or how they control their data. This is particularly the case when using third-party systems that also store data, like Eventbrite.

IT, management and communications teams will need to work together for data breach notifications.

The top 10 things to consider are:

  1. Every organisation covered by these laws should have a clear understanding of how their data is collected, stored and used and the vulnerabilities of those systems.
  2. Identify ‘who’ in the organisation is responsible for managing data.
  3. Identify the likelihood and consequence of an eligible data breach.
  4. Put in place staff training and security measures to reduce the chance of an eligible data breach.
  5. Understand what ‘serious harm’ could arise if there was a breach.
  6. Work out what would need to happen to avoid ‘serious harm’ and how quickly that could be implemented if there was a breach.
  7. Put in place a recovery plan in case of a breach.
  8. Put in place a communications plan that includes (as a minimum) the communication to those affected, a press release to reduce reputational damage, and the notification to the Privacy Commissioner.
  9. Check the business cyber insurance to see that it covers data breaches and the consequences.
  10. Test a data breach scenario to ensure your business has the ability to manage an eligible data breach.

And lastly…

Remember that data breach laws are technology neutral.

Just because you still operate with a largely paper based system does not mean that this law will not apply.

As someone pointed out to me, most filing cabinets can be unlocked with a paperclip.

How can Onyx Legal help you?

If you need help identifying risks to disclosure of personal information in your business and procedures to manage those risks, or need support developing policies and procedures for managing personal information, then contact us to find out how we can help you.