What is a privacy collection notice?

If your business collects personal information from clients and customers for any specific purpose on your website or through your services, it is likely that you'll need a privacy collection notice. A privacy collection notice is a statement that should be communicated to an individual before their personal information is collected, or as soon as possible after collection begins. This statement should clearly outline the reasons for collecting their information and how your business will use, handle and store the information collected. Read this Legal Kitz blog to find out more about privacy collection notices.

What should I do as a business owner?

If your business is an APP entity, then you must comply with the Privacy Act. This means you should have drafted a privacy policy and be providing privacy collection notices to clients, customers, users or anyone else you choose to collect personal data from. Giving notice is extremely important to uphold Australia's privacy principles, as it promotes transparency and ensures that individuals are aware of their rights and obligations in relation to providing their personal information. This is a key issue to consider in the midst of the breach of the personal information collected by Optus.

What is an APP entity and what is personal information?

Both of these terms are defined by Section 6(1) of the Privacy Act 1988 (Cth). An APP entity is an agency or organisation that handles personal information. If your business has an annual turnover of $3 million, it will be considered an APP entity. It is a deliberately broad definition and covers most companies, in order to protect individuals. If you are an organisation that does not comply with APP entity regulation, you may face regulatory action such as fines.

Personal information means “information or an opinion about an identified individual, or an individual who is reasonably identifiable: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not.”

When considering if your agency or organisation collects information which is personal, you should consider whether that information is about the individual and if so, whether that person is identifiable from that information.

Wait, so is a privacy policy the same as a privacy collection notice?

The short answer is no. Even though both documents contain information about how a company will manage personal information, a privacy policy is much more expansive and covers the entire operations of the business. A collection notice, on the other hand, only speaks for the information-handling practices of a specific activity. A company may provide more than one collection notice for activities such as information about browsing activity on the website or information from a feedback response quiz if you place an order. That same company should only keep one privacy policy governing all these collection activities, as well as outlining their commitments to information management in general.

What should a privacy collection notice contain?

If an entity collects personal information about an individual, it should take reasonable steps to notify the individual of:

  • The kinds of personal information collected and held by that company;
  • The company's identity and contact information;
  • The circumstances for why and how the collection occurs;
  • How an individual may access personal information about themselves that is held by the company;
  • Whether the collection is required or authorised by law;
  • The purpose of the collection;
  • The consequences if personal information is not collected;
  • How the entity usually discloses personal information of the kind it is notifying the individual about collecting;
  • The company's APP Privacy Policy;
  • How a complaint about the collection of personal information can be communicated and handled; and
  • Whether any information will reach overseas recipients and specifically which ones.

Where might I find a collection notice?

Where you find a notice will depend on whether the information is collected in person, online or in a less clear way. In whatever circumstance, it is your company’s obligation to ensure every individual is aware of any collection practices undertaken by the business. That means that as a business owner, you will need to make necessary documents, brochures, posters, signs, forms, pop-ups and additional links so that an individual can read through this information.

Where appropriate, a company may also layer its collection notice, providing the main points up front and referring to a more extensive document that an individual can access. However you choose to communicate this notice, it must be clear and specific to the collection practice it arises from. A generic collection notice for all information collected through one link will not be sufficient.

Legal advice 

If you require assistance drafting a privacy collection notice or need guidance around the APP principles, you should seek legal advice. Legal Kitz can help make sure your company is complying with its privacy collection obligations! Click here to book a FREE consultation with one of our highly experienced solicitors today, or contact us at [email protected] or by calling 1300 988 954.
