Does your business have a compliant privacy policy? Are you aware of your obligations under the Privacy Act and the Australian Privacy Principles? Does your business have appropriate processes to manage the handling of personal information?

This week is Privacy Awareness Week. As a partner in the Office of the Australian Information Commissioner’s privacy awareness campaign, Cooper Grace Ward will publish a series of articles this week relating to:

Privacy policies

Under APP 1, your business must manage personal information in an open and transparent way. To comply with APP 1, your business must have a clearly expressed, up-to-date and accessible privacy policy.

What information must be included in your privacy policy?

To comply with APP 1, your privacy policy must detail:

  • the kinds of personal information you collect and hold;
  • how personal information is collected and held;
  • the purposes for which personal information is collected, held, used and disclosed;
  • how an individual may access their personal information and seek its correction;
  • how an individual may complain if you breach the APPs and how the complaint will be handled; and
  • whether you are likely to disclose personal information to overseas recipients, and, if so, the countries in which such recipients are likely to be located (if it is practicable to specify those countries in the privacy policy).

This list is not exhaustive. Essentially you should ensure that your privacy policy contains sufficient information to describe how you manage personal information. This might also require including information about any exemptions that might apply to your business or information about your data retention and destruction practices that might be relevant.

If your privacy policy was prepared before March 2014, it is unlikely to be compliant with the new legislation.

How can you make the privacy policy accessible?

You are required to take reasonable steps to make your privacy policy available free of charge, and in an appropriate form. This means that you are generally required to make the privacy policy available by publishing it on your website. It should be prominently displayed, accessible and easy to download.

However, online publication might not be appropriate where, for example, you don’t have an online presence. In these circumstances you should consider the following options:

  • displaying the privacy policy at any points of sale so that it can be seen by members of the public;
  • distributing a printout of the privacy policy on request;
  • including details about how to access the privacy policy in correspondence with individuals;
  • where you interact with individuals by telephone, telling them during the call how they can access the privacy policy in a particular form.

General tips

The most clearly expressed and up-to-date privacy policies are:

  • easy to understand (for example, avoid using jargon, legalistic and in-house terms);
  • easy to navigate;
  • concise while still including all relevant information;
  • tailored for the different sections of the business (for example, if different sections collect, handle or disclose information in different ways, each section might have a separate policy);
  • if available online, in a style and length that makes it suitable for web publication (for example, using a layered policy with a condensed version to outline key information with direct links to more detailed information in the full policy);
  • regularly reviewed and updated to ensure that the policy reflects current information handling practices.