
Creating a Privacy Policy Aligned with Australian Privacy Principles

Written by Sally Wood
Updated over a year ago

The Australian Privacy Principles (APPs) are the cornerstone of the privacy protection framework in the Privacy Act 1988 (Privacy Act). There are 13 APPs, and they govern how an Organisation is to collect, use, handle, store, access, and disclose Personal Information (Handling Practices).

APP 1 requires an organisation to provide an overview of its Handling Practices in a publicly available Privacy Policy.

Having a privacy policy will not make an organisation compliant with the Privacy Act. An Organisation must implement the necessary systems, processes, and procedures to ensure that its Handling Practices are compliant with the Privacy Act.

It is important that an organisation gives careful consideration to what it includes in its Privacy Policy when demonstrating compliance with the Privacy Act and the APPs. The last thing an organisation should do is make representations about its Handling Practices and then not implement those practices. Doing so could amount to misleading or deceptive conduct and a potential breach of the Australian Consumer Law.

So let’s get started with what should be included in a good Privacy Policy (and ultimately implemented by your organisation).

1. No Representation that You Comply with the Privacy Act

While your organisation may aim to implement the necessary systems and processes to improve compliance with the Privacy Act (especially using the de.iterate platform), your organisation should never state anything like “we comply with the Privacy Act…”. Unless your organisation has undertaken a detailed audit of all of its privacy Handling Practices, it is unlikely to be in a position to confidently state that it complies with the Privacy Act.

2. Identifying Information

Your organisation’s Privacy Policy should always state the trading entity at the top, including its ABN or ACN, so individuals know exactly who is collecting their personal information. It should also state the details of your organisation’s relevant privacy officer (or who to contact, and how, in relation to a privacy request, dispute, or complaint).

3. Date

Always include the date on which the Privacy Policy was last published on your website. It is a requirement of APP 1.3 that your organisation always has an up-to-date Privacy Policy.

4. Definition of Personal Information

It is always a good idea to include the definition of Personal Information (and Sensitive Information if applicable) so that clients or customers understand what type of information your organisation’s Privacy Policy relates to.

5. Types of Personal Information Collected

Detail the kinds of personal information your organisation collects and holds (for example, names, email addresses, etc.). If your organisation collects sensitive information, this should be stated, and it should be made clear that sensitive information will only be collected from individuals directly. Also include the methods of collection (such as a website contact form), including any methods of indirect collection from third parties (such as purchasing email marketing lists) or collection from publicly available sources.

You may also want to include reference to the use of cookies on your website or other technologies although this is not a requirement to disclose under the Privacy Act.

6. Purpose of Collection

Your organisation’s Privacy Policy should clearly state why it is collecting personal information. This should include both primary purposes and any secondary uses that might not be immediately obvious.

7. How Personal Information is Stored

Explain how your organisation will store personal information, both electronically and physically (if applicable), including storage on its own computers and/or with cloud service providers. You should also state whether your organisation destroys or de-identifies personal information that it no longer requires.

8. Disclosure Practices

Outline how and when personal information may be disclosed, especially to third parties. This should cover both routine disclosures and exceptional circumstances, and should state whether or not your organisation discloses personal information to recipients outside Australia. For example, your organisation may disclose personal information to a contractor based overseas who performs activities on its behalf. If you do disclose to an overseas recipient, your organisation’s Privacy Policy should state the countries in which those overseas recipients are likely to be located.

9. Access and Correction Rights

Inform individuals of their rights to access and correct their personal information. Provide a straightforward process for them to do so.

10. Include a Consent Provision

It is recommended that your organisation’s Privacy Policy include some form of consent provision up front. For example, the introduction section of the Privacy Policy might contain a statement to the effect of: “By accessing or using our services, products or website you consent to the practices described in this Privacy Policy. Please read this policy carefully to understand our privacy practices.”

This help article does not purport to be legal advice, and it is recommended that organisations seek independent legal advice to better understand their legal obligations under the Privacy Act.
