CMI Legal

Privacy Policy & Data Collection

A privacy policy is a legal document detailing how your company collects, stores and uses the personal information of customers.

According to the Privacy Act 1988 (Cth), “personal information” means the information or opinion about an identified individual or an individual who is reasonably identifiable. It includes name, date of birth, telephone number, address, bank account details and any opinion about a person. Personal information does not include sensitive information, which is information regarding a person’s racial or ethnic origin, political opinions, religious beliefs or affiliations, etc.

If you are an Australian government agency, a business or non-profit organisation with an annual turnover of more than $3 million, a private health service provider, or a contractor for an Australian government agency, you are regulated by the Privacy Act and must comply with the Australian Privacy Principles (APPs). The first of the APPs requires these organisations to have a privacy policy that is easily accessible to, and understood by, the public. Even if your company does not fall into the above categories, it is best practice to have a privacy policy to safeguard your rights and ensure that your customers understand your obligations relating to data collection.

Data Collection and Personal Information

Your privacy policy must state the purpose and objective of collecting customers’ personal information, including sensitive information, and you must not collect any information other than what is reasonably necessary for, or directly related to, your company’s functions or activities. It is important to note that consent is required when collecting sensitive information.

In your disclosure statement, you must include:

  • The purposes for which your company collects the personal information;

  • Any other organisation, entity, body or person to which your company usually discloses personal information of the kind collected;

  • How customers may access the personal information of themselves that is held by your company and how to seek the correction of such information;

  • How customers may complain about a breach of the Australian Privacy Principles and how your company will deal with such complaints;

  • Whether your company is likely to disclose the personal information to overseas recipients.

In addition to having a privacy policy, regulated organisations are required to have a data/personal information collection notice; this is often in the form of a pop-up. A pop-up is not mandatory in Australia unless you are collecting the information of customers based in the EU, in which case you are subject to the EU ePrivacy Directive and the General Data Protection Regulation (GDPR). Nonetheless, it is recommended to include a pop-up, especially for companies that collect sensitive information and therefore require user consent.

Key Points to Note

  1. Regulated organisations must include a data/personal information collection notice in addition to their privacy policy documents; this is usually in the form of a pop-up;

  2. If the information you are collecting includes sensitive information, consent from customers is required;

  3. A privacy policy may be, and generally is, included in the Terms & Conditions, but it is not a collection notice, nor does it give rise to consent for collecting sensitive information.