Before you use that free privacy policy template for your website, please read this article. The regulatory fines and legal costs associated with failing to properly consider privacy law in Australia can be huge, but mostly they are just a massive time suck.
I am not saying that templates and privacy policy website plugins don’t work, most of them do a great job. The issue is that a failure to address the specifics of your business could find you in a tribunal or conciliation trying to defend a complaint on the basis that you “just copied and pasted a policy that looked good on the internet.” It will not end well.
But first the basics.
Privacy Law in Australia
Privacy law in Australia is an odd beast. On the one hand we have a long history of common law denying any ‘right to privacy’ and refusing to award damages for an ‘invasion of privacy’. On the other we have the one High Court decision in 2001 with ABC v Lenah Game Meats saying that maybe privacy is actually a thing a person could breach resulting in damages, but it wasn’t relevant to consider in that case and didn’t form part of the “ratio” or binding reasoning.
In response to this vague and undecided common law position the parliaments of Australia have at various stages enacted laws intending to clear things up and establish rights and obligations. It has worked about as well as everything else politicians try to do besides spending taxes.
The regulators either have no money or power to enforce the legislation. This was by design and instead shifted the burden onto a member of the public seeking to complain about their privacy being breached. To balance this, it was made an incredibly low-cost exercise to make a complaint and take it to semi-judicial hearings.
The drafting of the legislation was so broad and “purpose-driven, principles-focused” that no one can offer clarity and the hierarchy of federal laws over state laws doesn’t function as you might expect. This is indicative of a belief that it isn’t a ‘big deal’ and no one really cares about their privacy.
Until both of your major Telcos, a major private health insurer and one of the two largest retailers suffer notifiable breaches in the space of one month that is.
The major issue is that you can fall in and out of being regulated under the different Acts at different times in your business, especially if you have government contracts.
Are Private Companies Regulated by the Privacy Act?
Yes, any entity that is not a federal government agency or state government body is regulated by the Privacy Act 1988 if they meet the definition of organisation in that Act. The big exclusion from that definition is being classified as a small business operator (i.e. under $3million annual turnover).
However, even if you are under the $3million threshold you can still be an APP Entity if you are a health service provider (HSP). HSPs are not just doctors, they include things as bizarre as:
Gyms;
Childcare;
Crystal healers; and
Any organisation that performs an act and claims (or implies) the purpose is to improve, treat or manage an individual’s health, including psychological health.
This may mean any service that provides first aid, diet advice, mindset training, hypnotherapy, sports supplements… it is so broad personal coaches or relationship therapists might be caught by this definition. Marie Kondo’s joy-based emotionally-severing wardrobe decluttering service might actually fit this definition.
Remember when the New South Wales Government issued a Public Health Order requiring all employers in certain zones to collect health information in order to prevent their staff getting COVID-19 from other infected employees? That was going to make every one of those businesses regulated by the Privacy Act regardless of turn over.
You can also be regulated if you trade in personal information as a primary business function. To me, this appears to be grounds for capturing every Real Estate Agent in the country as their core function is not the sale of a property, but the provision of buyers’ identities. The vendor and conveyancers/solicitors do the selling. Internet marketers? You guys are captured under this one too.
This area of law bears very close attention, the current reforms tabled in Bill to Parliament 26 October 2022 by the Attorney General, the Hon Mark Dreyfus KC MP, proposes fines for corporations up to 30% of a company’s revenue or $50 million, whichever is higher. Individuals and sole traders will also get hit with $2.5 million fines. The second round of reforms to be tabled in 2023 include a reduction of the Small Business Operator turnover exemption from $3 million to just $500,000.00 annually.
You can also at times be regulated by state legislation if you have state or local government clients. Please read our article on Privacy Law with Government Clients, it is a disturbing read for anyone in the professional service, not-for-profit, or any form of communications sectors.
One incredibly widespread problem is with service providers and marketing firms. Their privacy policies always relate to their client’s information and rarely cover any of the relevant information for the clients’ customers. Personal Information is being collected from both so you better have a policy that refers to how you handle both collection and use channels.
Does your free privacy policy template cover any of that?
It is not my dream as a lawyer to draft your privacy policy. Believe me, I have had to do a behemoth privacy management plan or two in my time and it is about as far from an episode of Suits as you can get.
I do love privacy law though, and can review your templates, policies, contracts, and collection notices, and show you where to fix things up without breaking the bank. Or if you feel like exchanging my exposure to sunlight in the coming months for knowing your privacy issues are sorted, we can discuss a comprehensive drafting service.
Contact our office today and book a time to discuss your privacy compliance concerns, especially if you have government clients or think you might perform a health service under that broad drafting.
This article is not legal advice, and the views and comments are of a general nature only. This article is not to be relied upon in substitution for detailed legal advice.
Comments