The Most Important Things to Include in Your Privacy Policy

What is a privacy policy?

A privacy policy is essentially a disclaimer that states in clear terms how your company handles the personal information of your customers. If your business is covered by the Privacy Act 1988 (Cth), you must have a stated privacy policy. Some eCommerce platforms and search engines also require businesses to make a privacy policy available to their customers.

Generally, the Privacy Act covers organisations that operate in Australia and have an annual turnover of more than $3 million.

You can print your privacy policy on paper, make it available to everyone on your website, or have it displayed on your customers' mobile devices.

Author: Farrah Motley, an online business lawyer located in Australia.

What to Include in a Privacy Policy

Information Your Privacy Policy Should Provide

The Privacy Policy of your organisation must inform your customers of:

  • Your name

  • Your contact details

  • What personal information you are collecting and storing

  • How you are collecting the personal information

  • Where you are storing it

  • The reasons for collecting such personal information

  • How you will use and disclose such information

  • How your customers can access their personal information

  • How they can ask for a correction

  • How your customers can complain if they feel that their information is being mishandled

  • How you will handle customer complaints

  • If you are likely to disclose customer information outside Australia, the countries to which you are most likely to disclose it

If your organisation's privacy policy states that you are likely to send your customers' personal information overseas and something then goes awry, you might be held legally responsible for it.


Things Your Privacy Policy Should Include

There is a set of things that you must include in your privacy policy to avoid legal complications. For instance, your privacy policy should state how long you are going to keep your customers' personal information and whether it will be scanned. For your convenience, we have put together a list of the most important things that you should include in your privacy policy:

Opening Statement

In the opening statement of your privacy policy, you must mention your organisation's commitment to maintaining the confidentiality of the information that you are going to collect. You should also include the necessary documents that show your compliance with the Privacy Act, the Australian Privacy Principles, and other privacy obligations that are relevant to your business, such as the Privacy (Credit Reporting) Code 2014.

Collection and Use of Personal Information

In this section, you must mention in detail:

  • What personal information is

[This is information that can render an individual reasonably identifiable.]

  • What type of personal information your business is collecting

[This information can include name, phone number, email address, social media profile, employment history, etc.] You should provide the details of the information that is collected through apps and websites, such as date and time of website access, IP addresses, location information, and cookies.

  • How your business has collected that information

[Here, you can inform your customers that you can collect their information directly from them, a third-party provider, any publicly available source, or cookies.]

  • Why you have collected that information

[Explain whether such information helps you improve your products and services, expand your marketing scope, design personalisation, etc.]

Collection and Use of Sensitive Information

In this part of the Privacy Policy, you must define the term ‘sensitive information’. This is usually information related to an individual’s ethnic or racial origin, religious beliefs, political opinion and/or association, sexual orientation, professional association, membership of a trade, health information, criminal records, etc.

While explaining this point, you must state that such sensitive information is collected only when the individual consents to providing it. You should also clarify that this information will be used only for the original purpose of collection.

Disclosure of Personal and Sensitive Information

In this segment, you need to describe when, why and to whom you might disclose the personal information of your customers. For instance, you might have to share it with your contractors and marketers.

You might need to provide their information for data analysis to services such as Google Analytics, or supply it to authorities and/or courts as required by law. You also need to mention whether the information is likely to be disclosed overseas and, if so, what impact that will have on data protection.

Storage/Security of Personal Information

Here, you have to state how you are storing and protecting your customers' personal information, including through encryption. You should also mention how long you are going to keep the information. This means that you have to explain whether you are combining individuals' personal information in a single file or storing it separately.

Access to and Correction of Personal Information

It is very important to include in your Privacy Policy that every individual has the right to access their personal information held by your business. They can also request to change, update, or correct that information if required.

Enquiries and Complaints

You must describe in detail an enquiry and complaint process in your Privacy Policy. You should also set out the further steps an individual can take if they are unsatisfied with the result of an enquiry or complaint. For example, you can direct them first to an external dispute resolution scheme and then to the Office of the Australian Information Commissioner.

You must also provide a general phone number and an email address for your customers to get in touch with you. These contact details should not change when the staff member in charge changes.

Review of Privacy Policy

Finally, you must include in your Privacy Policy a statement of your business's commitment to keeping the privacy policy up to date and to publishing every change you make to it through every medium in which it is published.


Privacy Policies in Summary

While creating your Privacy Policy, you need to set out everything carefully to avoid legal complications. You must also update your privacy policy if your information handling practices change. You can publish the updated privacy policy on your website, send it to your customers by email, or post a hard copy to their physical address.


Author: Farrah Motley | Legal Principal

PROSPER LAW - A Commercial Law Firm for Businesses
