Understanding what ‘personal information’ means legally is crucial for any business whose operations include receiving, storing and utilising customer information. This is because the Privacy Act 1988 (Cth) places certain obligations on entities regarding their handling of personal information. This law applies to certain entities within Australia or with a sufficient Australian link.
What is Personal Information?
Definition
‘Personal information’ is information about an identifiable individual, whether or not true and whether or not recorded in material form. Common types of identifiable information stated by law include:
- Sensitive Information – includes information about racial background, political stance, religion, sexual orientation and criminal record
- Health information – information about your health or disability
- Credit information – card details, information commonly shared with financial institutions
- Employee records – includes pay rates, performance, leave, employment terms and conditions
- Tax file number (TFN) information
- Metadata – provides information about internet activity
Personal information can take many forms, such as images, text, and sound recordings. This list is non-exhaustive, and personal information may extend to any information that is capable of reasonably identifying an individual. Overall, a person is identified when they are distinguished from others. Information that is not concerned with or capable of identifying an individual is not personal information.
Australian Privacy Principles (APPs)
The Privacy Act places obligations on specific entities to handle personal information in a responsible manner. These obligations are contained within 13 Australian Privacy Principles (APPs). The core focus of the APPs is the transparent, responsible and ethical handling of information capable of identifying individuals. For example, APP 1 requires entities to have a clearly expressed privacy policy. APP 7 places obligations on entities regarding direct marketing, and APP 11 concerns information security.
Concerned entities
Not all businesses are subject to these laws. The specific entities dealt with include government agencies and organisations with revenue turnover of more than $3 million annually. If your business has annual turnover below $3 million but deals with sensitive information or collects and uses information for commercial advantage, it is likely you are also subject to the above obligations. Businesses that do not meet these characteristics may also voluntarily submit to obligations as a matter of good practice.
Personal Information Online
If your online business collects data from European Union users, the General Data Protection Regulation (GDPR) may apply. The GDPR places additional responsibilities on businesses regarding the handling of customer information. In particular, the GDPR generally requires businesses to obtain informed, freely given and specific consent before collecting customer data. A GDPR-compliant privacy policy can help your business meet these obligations in the EU. To find out whether you may be subject to this foreign law, contact a lawyer.
Considerations for your Privacy Policy
Even if your business does not fall within the scope of privacy legislation, responsible management of customer information is good business practice. Customers expect that businesses will not exploit the information they provide. Generally, they also expect that their personal information will not be used for undisclosed purposes. Managing customer expectations about information privacy has become even more important with the growth of e-commerce. A privacy policy from Lawpath informs customers how their personal information is collected, used, stored and managed. If you are unsure whether laws regarding the handling of personal information apply to you or your business, visit the OAIC website for more information.