Privacy is important.  But there are many situations in which it is necessary to share or collect personal information.  The nature of that information can vary, but most of it falls within the sphere of one statute: the Privacy Act.  The Privacy Act is a piece of federal legislation that governs the management of private information in Australia.  It is not the only legislative instrument that deals with privacy, but it is one of the most prominent.  The Privacy Act extends to businesses and governments alike, and it regulates things like information collection, information storage, information sharing, and data security.

As a consumer, you’ve probably seen privacy disclaimers on various commercial websites.  As a business owner, you’ve probably been asked by suppliers, clients, or customers to adhere to privacy laws.  In a lot of cases, commercial contracts even include privacy clauses.  Everything from online shopping platforms, to your local medical centre seems to have a privacy policy advertised somewhere on its main webpage.  You may have wondered why that is.  More importantly, though, you might have wondered if it means your business needs one too.  To answer the second question, we need to answer the first.  So, let’s take a look at what privacy policies achieve, and why they’re important in a commercial context.


What sort of information is regulated under the Privacy Act?


The Privacy Act has a limited scope.  That means it doesn’t apply to all the information you collect in a commercial context.  Instead, it only applies to personal information.  However, personal information is defined a certain way in the Act.  Essentially, according to the Act, personal information is information that identifies an individual.  That means personal information can include things that we wouldn’t ordinarily consider sensitive, such as a name or date of birth.  But it also means that highly sensitive information is included, like bank account details, photographs, and family information.  In fact, the Privacy Act has quite a broad definition of personal information.  According to the Act, personal information is information or an opinion about an identified, or reasonably identifiable, individual.  Even if the information or opinion is not true, it still qualifies as personal information under the Act.


There are thirteen Australian privacy principles: here’s an overview


Given the broad scope of information that is covered by the Privacy Act, it’s easy to see why it affects almost all businesses.  Effectively, any business that collects data is likely to be affected.  The exact nature of your obligations under the Act can still vary, though.  Usually, your obligations will depend on the type of information you collect, and the reasons for which you collect it.  That is why the Act outlines thirteen privacy principles, to which all who hold personal information must adhere.  The principles are set out in Schedule 1 of the Privacy Act.  Here’s an overview:

  1. Open and transparent management of personal information;
  2. Anonymity and pseudonymity;
  3. Collection of solicited personal information;
  4. Dealing with unsolicited personal information;
  5. Notification of the collection of personal information;
  6. Use or disclosure of personal information;
  7. Direct marketing;
  8. Cross-border disclosure of personal information;
  9. Adoption, use, or disclosure of government-related identifiers;
  10. Quality of personal information;
  11. Security of personal information;
  12. Access to personal information; and
  13. Correction of personal information.


As you can see, the list covers the various ways in which we use and collect personal information.  It also covers the reasons for which we collect information in commercial contexts, as well as how we manage it once it’s been collected.  But there’s one principle in particular that can present some complex problems: security of personal information.  Here’s why.


Now that almost all data is stored digitally, privacy obligations are changing


Digital data storage has drastically changed not only how we store data, but also how much data we store.  As technological systems become more effective at storing and indexing vast quantities of data, we are able to gather more and more.  Even smaller businesses are starting to build significant databases that relate to customers, clients, and suppliers alike.  A lot of the information collected is personal information, as well.  That affects our compliance with the privacy principles in different ways.  But the security of personal information is one principle that is becoming harder to meet.

As technology advances, data storage systems quickly become obsolete if they’re not regularly updated.  And once they’re obsolete, they are at risk of being insecure.  However, regular software and hardware updates are expensive.  As a result, it’s easy to fall into a position where your data storage is susceptible to compromise.  Data breaches are becoming more common for that reason, and that is having an impact on our ability to comply with the privacy principles.


Here’s how you can adhere to the Australian privacy principles


Adhering to the Australian Privacy Principles requires regular attention.  If your business is storing personal information, you need to ensure that your IT systems are maintained and updated regularly.  However, the Privacy Act does acknowledge that there’s a practical limit to the extent that businesses can protect the data they store.  If hackers are well-resourced enough, they can gain access even to well-protected digital information repositories.  That’s why the obligation to protect the data you collect demands that you take reasonable steps to maintain adequate data security.  But that’s not all; there are still twelve principles remaining.  To adhere to them, a great place to start is developing and publishing your company’s privacy policy.

Privacy policies can be built from a template, and the Office of the Australian Information Commissioner has some tips for doing so.  However, it’s important that your privacy policy takes into account your particular circumstances.  For example, do you transfer or collect information internationally?  Do you use it for marketing purposes?  These are the sorts of questions that must be answered before your policy is drafted.  A privacy policy is not a catch-all solution.  You also need to take practical steps to comply with your privacy obligations.  Other examples include notifying affected individuals when you transfer personal information to other bodies covered under the Privacy Act.


Contact an experienced commercial lawyer to make sure your privacy policy is up to standard


Privacy laws are complex, and this article only covers privacy laws under the federal Privacy Act.  It’s important to remember that there are state privacy laws as well, which impose further, different obligations.  Then there are international privacy standards, which vary from country to country, and come into effect when you collect overseas data, or transfer data overseas.  So, before you develop your privacy policy, or collect personal information, it’s important to get legal advice.  Privacy breaches can have serious legal and commercial consequences, so you must remain aware of your obligations, and take regular steps to meet them.



The information provided by Kafrouni Lawyers is intended to provide general information and is not legal advice or a substitute for it. Business people should always consult their own legal advisors to discuss their particular circumstances. Kafrouni Lawyers makes no warranties or representations regarding the information and excludes any liability which may arise as a result of the use of this information. This information is the copyright of Kafrouni Lawyers.

Liability limited by a scheme approved under professional standards legislation.