The Australia Privacy Act 1988 is the federal privacy law that protects the personal information and privacy rights of Australians, including online. It requires covered organizations to have a Privacy Policy that makes specific disclosures, and it gives Australians privacy rights that website operators must respect. In this Compliance Guide, we will discuss the following as it relates to this Australian privacy law:
- Who this privacy law applies to;
- How it defines personal information;
- The rights that this law provides to consumers;
- What a Privacy Policy needs to include to be compliant; and
- The penalties for non-compliance.
Who does the Australia Privacy Act 1988 apply to?
Most privacy laws are broad in the sense that they also reach businesses outside of the state or country in which they were enacted, and the Australia Privacy Act 1988 is no exception. This privacy law applies to Australian organizations with an annual turnover of more than AUD $3,000,000 (it also applies to Australian Government agencies, which this guide does not cover). The law defines “organization” as:
- An individual, including a sole trader (acting in a commercial capacity);
- A body corporate;
- A partnership;
- Any other unincorporated association; or
- A trust.
While this privacy law primarily applies to medium and large businesses because of the turnover threshold, there are exceptions that bring small businesses within its scope as well. The following businesses must comply with this privacy law even if their annual turnover is AUD $3,000,000 or less:
- A private-sector health care provider – an organization that provides a health service, which includes:
  - A traditional health care provider (hospital, medical practitioner, or pharmacy);
  - A complementary therapist, such as a naturopath or a chiropractor;
  - A gym or weight loss clinic;
  - A childcare center, a private school, or a tertiary educational institution.
- A business that sells or purchases personal information;
- A credit reporting body;
- A contracted service provider for an Australian Government contract;
- An employee association registered or recognized under the Fair Work (Registered Organisations) Act 2009;
- A business that has opted-in to the Privacy Act 1988;
- A business that is related to a business that is covered by this privacy law;
- A business prescribed by the Privacy Regulation 2013.
In addition, organizations formed outside of Australia may need to comply with this law if they have an “Australian link” (the turnover threshold and the small-business exceptions described above still apply). An organization has an Australian link if it carries on business in Australia. Until amendments that commenced in December 2022, the organization also had to collect or hold personal information in Australia; that additional requirement no longer applies. In assessing whether an entity carries on business in Australia, the following factors need to be considered:
- The entity has a place of business in Australia;
- People who undertake business acts for the entity are located in Australia;
- The entity has a website that offers goods or services to Australian consumers;
- Australia is one of the countries on the drop-down menu appearing on the entity’s website;
- Web content that forms part of carrying on the business was uploaded by or on behalf of the entity, in Australia;
- Business or purchase orders are assessed or acted upon in Australia; or
- The entity is the registered proprietor of trademarks in Australia.
This privacy law requires the above businesses to have a Privacy Policy, normally published on their website, that makes very specific disclosures about how the business collects, uses and shares personal information.
How does this law define personal information?
The Australia Privacy Act 1988 defines personal information as information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not the information is true and whether or not it is recorded in material form. The definition is deliberately broad and covers a wide range of information that could be used to identify someone. Examples of personal information include:
- An individual’s name, signature, address, phone number or date of birth;
- Sensitive information such as racial or ethnic origin, political opinions and associations, religious or philosophical beliefs or criminal record;
- Credit information;
- Employee record information;
- Photographs;
- Internet protocol (IP) addresses, where they can reasonably be linked to an individual;
- Voice print and facial recognition biometrics;
- Location information from a mobile device.
If you collect any of the personal information listed above and this privacy law applies to you, you must honor the privacy rights it gives consumers.
The consumer rights provided under the Australia Privacy Act 1988
Privacy laws often provide consumers with certain rights when it comes to the collection, use and disclosure of their personal information by businesses. This privacy law provides the following privacy rights to Australians:
- Know why their personal information is being collected, how it will be used and who it will be disclosed to;
- Have the option of not identifying themselves, or of using a pseudonym, in certain circumstances;
- Ask for access to their personal information;
- Stop receiving unwanted direct marketing;
- Ask for their personal information that is incorrect to be corrected;
- Make a complaint about an organization or agency covered by the Privacy Act if the consumer thinks it mishandled their personal information.
In order to properly respect these rights, websites need to make sure their Privacy Policies contain the appropriate disclosures.
Privacy Policy requirements
The Australia Privacy Act 1988 requires that an organization’s Privacy Policy include the following disclosures:
- Your name and contact details;
- What kinds of personal information you collect and store;
- How you collect and hold the personal information, including where it is stored;
- The reasons why you need to collect the personal information;
- How you will use and disclose the personal information;
- How a consumer can access their personal information or ask for a correction;
- How to lodge a complaint if a consumer believes that their personal information has been mishandled and how you will handle that complaint;
- Whether you are likely to disclose the consumer’s personal information outside of Australia and, if practicable, which countries you are likely to disclose it to.
You also need to periodically review your Privacy Policy to ensure that it is accurate and update your Privacy Policy when your practices change.
Penalties for non-compliance
Serious or repeated interferences with privacy attract civil penalties under the Australia Privacy Act 1988. Before December 2022, the maximum penalty for a body corporate was AUD $2,100,000. Amendments that commenced in December 2022 raised the maximum for a body corporate to the greater of AUD $50,000,000, three times the value of any benefit obtained from the conduct, or, if that benefit cannot be determined, 30% of the organization’s adjusted turnover during the breach period.
The Australia Privacy Act 1988 protects the privacy rights of Australians by requiring certain websites to have Privacy Policies that make specific disclosures. Use Termageddon’s Privacy Policy generator to get your Australia Privacy Act-ready Privacy Policy today. Curious about what other privacy laws apply to your website? Check out our blog post on what laws require websites to have a Privacy Policy.