By Anna Johnston -
Snapshot
- Australian privacy law requires regulated organisations to have a privacy policy and collection notices.
- Businesses which follow the American model of drafting privacy statements will not be compliant with Australian privacy law.
- A privacy policy cannot be used in lieu of collection notices, and cannot be used to gain or infer consent.
As a lawyer, you might be asked by a client to draft their privacy policy, but don’t be tempted to treat this like a contract drafting exercise. While business practices imported from the United States treat privacy policies like a contract, complete with reams of fine print and legal jargon, that approach is contrary to the requirements of Australian privacy law.
This article will explain what Australian privacy law requires in terms of privacy policies, collection notices, and consent forms.
When is a privacy policy required by law?
Organisations regulated by the Privacy Act 1988 (Cth) include:
- Australian government agencies;
- Businesses and non-profits with an annual turnover of more than $3 million p.a.;
- Private sector health service providers; and
- Contracted service providers to Australian government agencies.
Each of these organisations must comply with 13 Australian Privacy Principles (‘APPs’) in the way they handle personal information. The APPs create obligations across the entire life cycle of personal information, from how, when and whether personal information can be collected, through restrictions on its use and disclosure, to its eventual disposal.
APP 1 is known as the Accountability principle, and it requires organisations to have a privacy policy, which must be ‘clearly expressed and up-to-date’. The expectation is that an organisation’s privacy policy will be easily available to the public, typically on its website.
