Website Privacy Policy: What is it?

A website privacy policy sets out how an entity manages personal information: what personal information is collected, how it is handled, used and stored, and the circumstances in which it will be disclosed to third parties.

Privacy policies are governed by the Privacy Act 1988 (Cth) (‘Privacy Act’), with the Australian Privacy Principles (APPs) contained in Schedule 1. The object of APP 1 is to ensure that APP entities manage personal information in an open and transparent way.[1]

Personal information is defined as ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not’.[2] For instance, a customer’s name, address, telephone number, date of birth, medical records, bank details and opinions about them would all be classified as personal information.

An APP entity must not collect sensitive information about an individual unless the individual consents to the collection and the information is reasonably necessary for one or more of the entity’s functions or activities.[3] Further exceptions apply, for example where the collection is required or authorised by or under an Australian law or a court or tribunal order.[4]

Sensitive information is defined as information or an opinion about an individual’s[5]:

  • Racial or ethnic origin;
  • Political opinions;
  • Membership of a political association;
  • Religious beliefs or affiliations;
  • Philosophical beliefs;
  • Membership of a professional or trade association;
  • Membership of a trade union;
  • Sexual orientation or practices; and
  • Criminal record.

The same definition also covers health information, genetic information and biometric information and templates about an individual.

Who needs a Website Privacy Policy?

Businesses and not-for-profit organisations with an annual turnover of more than $3 million are subject to the Privacy Act.[6] Additionally, certain types of businesses and not-for-profit organisations with an annual turnover of $3 million or less are covered by the Act as well, including private sector health service providers, businesses that trade in personal information, and contracted service providers for Commonwealth contracts.[7] Even if your business is not covered by the Privacy Act, a privacy policy should still be considered to ensure transparency to your audience.

Requirements for a Website Privacy Policy

Pursuant to APP 1.4,[8] a privacy policy must contain the following information:

  • The kinds of personal information collected and held;
  • How that personal information is collected and held;
  • The purposes for which personal information is collected, held, used and disclosed;
  • How an individual may access their personal information and seek its correction;
  • How an individual may complain about a breach of the APPs, and how the entity will deal with such a complaint; and
  • Whether personal information is likely to be disclosed to overseas recipients and, if practicable, the countries in which those recipients are located.

What to consider when implementing a Privacy Policy?

To make the privacy policy informative and enforceable, the following should be considered:

  • Identifying every procedure and function in the business that collects, stores or uses personal information;
  • Tailoring the policy to reflect the operation of the business and its target audiences;
  • Using plain and simple language so the target audiences can clearly understand it;
  • Making it easily accessible to audiences, and providing it in various forms; and
  • Conducting regular reviews of the policy to keep it relevant, particularly when information-handling practices change.[9]

If you want to find out more about privacy policies or are planning to implement one, feel free to contact one of our lawyers. They will be happy to help you with a website privacy policy tailored to your business.

[1] Privacy Act 1988 (Cth) sch 1, pt 1, s 1.1.

[2] Ibid s 6.

[3] Ibid sch 1, pt 1, s 3.3.

[4] Ibid sch 1, pt 1, s 3.3(a) and 3.4(a).

[5] Ibid s 6.

[6] Ibid s 6D(4).

[7] Office of the Australian Information Commissioner (July 2015).

[8] Privacy Act 1988 (Cth) sch 1, pt 1, s 1.4.

[9] Ibid sch 1, pt 1, s 1.3.