Why Does Your Organisation Need a Privacy Policy?

With the advancement of the digital age, many of us are conducting our personal affairs online. Things such as online shopping, social networking, official functions, job hunting have become part of our everyday life where we often need to provide our personal information.

Regulating privacy is becoming challenging day by day as people constantly fall into the trap of false pretences to websites that might look legitimate. To avoid all these consequences, customers look for the Privacy Policy of a company or organisation before providing all their personal details.

What is Privacy Policy

A Privacy Policy is a legalised statement that defines how your business handles the personal information it receives from customers or visitors. Privacy Policy works as a guided tool to the customers about how a company will collect, store, protect and utilise all the personal information such as

• Name
• Date of birth
• Contact number
• Location data
• Photograph
• Social insurance number
• Payment details

Why having a Privacy Policy is a must?

Privacy Policy is a fundamental right. If you have a business website, it is your liability to your users to show why you are trustworthy. You must mention how your company will work to protect an individual’s information from misuse, loss, theft and unauthorised access. You should take the hassle of writing your own Privacy Policy because:

• It is required by law.
• Some third-party apps or services you use may need it.
• It will help you to be transparent.
• Protecting privacy will enable you to gain more revenue.
• You will gain more customer and their trust.
• It is a safeguard for both you and your visitors.

Privacy Policy may vary from country to country. Many countries, by law, require to have a Privacy Policy on the website. For example, in Australia, the Australian Privacy Principles incorporates 13 principles that describe how personal information should be handled.

Australian Privacy Principles (APP)

The Australian Privacy Principles (APP) are the basis of the Australian Privacy Act. APP works as a privacy framework to protect the information of individuals and regulate how Australian government agencies and organisations handle the personal details of their users.

In 2014, substantial changes occurred to the existing privacy law in Australia. The Australian Privacy Principles (APP) replaced the National Privacy Principles and Privacy Act 2014, amending the Privacy Act 1988 with 13 APPs. But again, not all agencies and organisations are bound to have a Privacy Policy and follow all the 13 principles.

Who does APP apply to?

APP entity

An APP entity is either a government agency or an organisation whose annual business turnover is more than $3 million should comply with the privacy act. These APP entities are required to have a privacy policy and must follow the thirteen APPs.

However, there are some exceptions too, your business might have an annual turnover of less than $3 million, but you may still need to comply with the privacy act. You will be considered as an APP entity if you:

• Provide private health care services (hospital, pharmacy, gym or weight loss clinic, childcare centre etc.) and receive health information.
• Sell or purchase personal information.
• Provide constructed service for an Australian Government contract.
• Run a business that opted-in to Privacy Act.

As a business owner, you can always choose to opt-in and be covered by the Privacy Act.

13 Australian Privacy Principles

The following 13 principles work to govern the standards, rights and obligations of collecting or using personal information.

Principle 1: Open and transparent management of personal information

Entities must have a very clear and updated Privacy Policy. They have to raise all the specific details like what kind of information will be collected, why and how the information will be collected and used, how the users will bring up their complaints if they have some issues.

Principle 2: Anonymity and Pseudonymity

Business authority should give individuals anonymity and pseudonymity option as they cannot compel anyone to disclose their identity. But there can be some exceptions.

Principle 3: Collection of solicited personal information

It states how an entity will deal with an individual’s personal information. Entities can collect personal data only when it is necessary for the function and activities of their business. In terms of sensitive issues, entities need the full consent of their customer.

Principle 4: Dealing with unsolicited personal information

With the unsolicited personal information, entities have to decide whether that unsolicited information could be collected as outlined in principle three or to destroy or de-identify.

Principle 5: Notification of the collection of personal information

Businesses must notify users about the collection of personal use. If notice is not possible early notification of privacy rules must be given.

Principle 6: Use or disclosure of personal information

An entity must inform individuals for what purpose their personal information is collected, and it must disclose the information only the way an individual expects.

Principle 7: Direct marketing

With the proper consent of an individual, an entity can use that person’s personal information for direct marketing to promote services and goods.

Principle 8: Cross border disclosure of personal information

Organisations must take all necessary steps to protect personal information from being disclosed to any overseas recipient.

Principle 9: Adaptation, use or disclosure of government related identifiers

An entity cannot use any government related identifiers such as passport number, license number, tax file ID as their own until the organisation is authorised by law to do so.

Principle 10: Quality of personal information

The quality of individuals’ personal information should be accurate, updated and complete.

Principle 11: Security of personal information

It is the company’s responsibility to protect the collected personal data from loss, interference, unauthorised access.

Principle 12: Access to personal information

With the request of an individual, entities have to give the user access to his/her information.

Principle 13: Correction of personal information

Entities must collect accurate, complete, relevant, updated data. If an individual’s information is incorrect, it should be corrected to prevent misleading information.

Violation of these principles might result in regulatory actions, including penalties.

Plan to have a transparent Privacy Policy for your entity

If your organisation is an APP entity or you want to adopt the APP principles for your business, make a clear outline of an up to date Privacy Policy. To communicate with the customers, your entity may collect personal information. Make sure that your Privacy Policy clearly explains how your organisation will work for further references.

Here are some tips which you can consider to organise a transparent Privacy Policy.

Be specific about how and why you will collect personal information

Clearly explain how you are going to collect those personal details. Are you going to collect those directly from the customers via phone call or online forms? Or you will receive it through third parties? Also, mention whether you are going to use those data for primary or for a secondary purpose.

Think about the audiences

Don’t consider the privacy policy just as a legal document to avoid risks. Make it transparent in such a way as to build up trust among your visitors for your entity. Focus on what is important to them and clarify all the possible questions they might need to know via your Privacy Policy.

How you will deal with sensitive issues

Sometimes sensitive information such as financial data, political opinions, religious statement, criminal records, trade secrets or other information is being collected. Inform your customers how your entity will preserve those or, even due to some exceptions, ensure that proper consent will be taken from them before using.

Disclosure of personal information

To deliver the service, you might need to disclose the personal details of your customers. Describe all the disclosure and the conditions about those disclosures. There might be some involvement of a third party; if yes, then explain who and how you will deal with them. Explain how you will disclose the information to overseas entities, legal advisors, government or regulatory authorities, related companies for billing or other purposes.

Ensure security to your customers

Mention all the possible steps you will take to protect customer privacy from misuse, loss, modification, unauthorised access. You better destroy or de-identify any personal information whenever it is not needed.

Give your customer’s access to their personal information

Individuals have the right to get access to their personal details in the request. Give access to your customers to update or correct their own personal information. If there is an exception, mention that clearly on your Privacy Policy.

Company contact information for customers

You should provide customers with an email address and contact number. Make it available all the time so that if they have any questions about privacy or if there is a complaint or an error in their personal info, they can easily reach you.

Update your Privacy Policy regularly

You should regularly review and update your entity policies as policy keep changing.

Wrapping up

These are some issues you should focus on to organise your Privacy Policy template. Privacy matters to your customers as well as for your business growth. Before using your app or your website, customers will think about their privacy. Ultimately, to demonstrate trustworthiness to your customers and to show that their privacy matters to you, having a clear Privacy Policy is the best way.