Introduction
It is important for anyone using the internet to know how privacy collection notices work. They are a key means in protecting individuals’ privacy. This guide will explain how privacy collection notices work by explaining a few things. First, we’ll look at the Privacy Act 1988 (Cth) (‘Privacy Act’). Then we’ll look at how the Act deals with the collection of information. Finally, we’ll explain where privacy collection notices fit within this framework, before summarising it all for you at the end.
Privacy Act
The Privacy Act is the key legislation covering privacy of information in Australia. It was created to help balance individuals’ privacy with the interests of businesses. We’re going to focus on this legislation and their Australian Privacy Principles (APPs) in this guide. However, be aware that other sources of privacy protection in Australia exist.
When do the APPs apply?
The Act and the APPs apply specifically to APP entities. Basically, most organisations in Australia are considered APP entities. For example, the APPs would apply to you whether you are a sole trader or a company. However, it doesn’t apply to you if you operate a small business. You are a small business operator if you make an annual turnover of less than $3,000,000 AUD.
What are the APPs?
There are 13 APPs found in Schedule 1 of the Privacy Act. Together, they regulate how personal and sensitive information is dealt with in Australia by APP entities. This includes things like collection, use, disclosure, and security of information. For example, APP 1 includes a requirement for APP entities to have privacy policies. APP 11 includes a requirement for APP entities to have security measures in place for information they collect. APPs 3-5 deal specifically with collection of information.
Collection of information
The way the APPs deal with collecting information underpins how privacy collection notices work. They separate information collection between personal and sensitive information. Personal information is information which is about an identifiable individual. The key point here is the ability to identify an individual. It does not matter whether the information is true or not. Sensitive information however is very specific personal information about an individual. This includes information about their race, political opinions, and sexual orientation. You can generally only collect either kind of information if it is reasonably necessary for your business activities. Additionally, you can only collect sensitive information with consent from the individual. Moreover, you have to notify an individual before you can collect their personal information.
Privacy collection notices
The way you notify individuals that you are collecting their personal information is through a privacy collection notice. Specifically, you have to take steps that are reasonable in the circumstances to notify individuals you are collecting their information. You should not confuse a privacy collection notice with a privacy policy. This is because you have to include different matters in a privacy policy compared to a collection notice. You can find the matters you have to include in collection notices in APP 5.2 of the Privacy Act. They include: the identity and contact details of the collecting organisation; the purpose for the collection; and specific references to the privacy policy. You only have to include these matters if it is reasonable in the circumstances. If you think you may need a privacy collection notice, consider getting legal advice for help in setting this up.
Conclusion
In conclusion, privacy protection for information in Australia is largely provided by the Privacy Act and the APPs. APPs 3-5 deal specifically with collecting both personal and sensitive information. Privacy collection notices are required under APP 5. These are essentially a way of notifying an individual that you are collecting their personal information.
