The changes to the Privacy Act 1988 (Cth) come into effect in just over six months. So many privacy policies to review, so little time.

The amended Privacy Act requires you to have a Privacy Policy if your annual turnover is more than $3 million. The requirements have changed, and you need to make sure yours complies before 12 March 2014. Here’s a summary of what it needs to do:

The Content

Your Privacy Policy must contain the following information:

  1. the kinds of personal information that you collect and hold;
  2. how you collect and hold personal information;
  3. the purposes for which you collect, hold, use and disclose personal information;
  4. how an individual may access personal information you hold and seek correction of that information;
  5. how an individual may complain about a breach of the Australian Privacy Principles (APPs), and how you will deal with a complaint; and
  6. whether you are likely to disclose personal information to overseas recipients and, if so (and if practicable), the countries in which they are likely to be located.

Availability of the Policy

You must take reasonable steps to make your Privacy Policy available free of charge and in an appropriate form.

Usually, the best place to make your policy available is your website. If someone requests a copy of the Privacy Policy in a particular form, you’ve got to take reasonable steps to provide the policy in that form. Mind you, if they ask you to make it into a hat, we don’t think you have to.