Don’t Let Your Data Privacy Compliance Be A Blunder From Down Under
As with many countries around the globe, Australia has a data privacy law that affects the way in which companies can collect data from its residents. In many ways, Australia has been ahead of the curve, as the foundation of Australia’s privacy protocols came into effect in 1988, before the modern Internet as we know it today existed. Australia’s Privacy Act (“APA”) and the Australian Privacy Principles (“APP”) within the APA are intended to provide a basis for privacy regulation, facilitate the free flow of information outside of Australia while ensuring that individual privacy is respected, provide a complaint mechanism, and impose obligations regarding the collection and use of personal information. The APA is similar to many of the requirements of GDPR, but there are differences in the regulations that companies need to know in order to manage data from Australian residents in a compliant way.
You call that a privacy act?
Though the APA originally dates back to 1988, it has been amended more than thirty times as technology has evolved and become more complex. The APA regulates all companies, organizations and websites that operate in Australia and creates a national standard for collecting, processing and sharing personal information. The APA created the APPs, a set of thirteen codes of conduct that must be followed in order to be compliant with the APA. The APA and APPs are enforced by the Office of the Australian Information Commissioner (“OAIC”), Australia’s counterpart to the EU’s Data Protection Board (“EDPB”).
Similar to GDPR, the APPs make a distinction between personal information and sensitive personal information, compared below:
How is my website affected?
A principled approach
The APPs are thirteen codes of conduct created by the APA that websites, companies and organizations that operate in Australia must follow for compliance.
Small businesses may be exempt from APP and APA compliance; however, if a small business discloses personal information for “a benefit, service or advantage”, it does fall under the APA/APPs. Given how low this threshold is, many small businesses need to comply.
The 13 APPs are:
1. open and transparent management of personal information
2. enabling user anonymity and pseudonymity
3. collection of solicited personal information
4. dealing with unsolicited personal information
5. notification of the collection of personal information
6. use or disclosure of personal information
7. direct marketing
8. cross border disclosure of personal information
9. adoption, use or disclosure of government related identifiers
10. quality of personal information
11. security of personal information
12. access to personal information
13. correction of personal information
All 13 principles are important; however, we’ll go into further detail on the principles our customers ask about most.
• what types of personal information your website collects, stores and shares;
• how your website collects personal information, for example through cookies;
• why you collect, store and share personal information;
• how your users can access the personal information you’ve collected on them;
• how your users can correct their personal information if it is wrong;
• whether or not you send users’ personal information overseas; and
Collection of solicited personal information: This APP makes the distinction between personal information and sensitive personal information (as detailed above), and the compliance requirements for each.
Notification of the collection of personal information: Generally, at or before the time of collection – or as soon as possible after – your website must notify users that you are collecting personal information. While this may sound like you need a cookie consent tool (commonly referred to as a cookie banner, not to be confused with a cookie wall), your website isn’t legally required to have one unless you collect sensitive personal information. A best practice here is to include a cookie consent tool, however that choice is one for your business to make.
Quality of personal information: As a website owner, you must ensure that the personal information you collect is accurate, up-to-date and complete.
Security of personal information: As a website owner, you must protect the personal information you collect from misuse, interference and loss, and from unauthorized access, modification or disclosure. In practice, that means implementing appropriate security controls to comply.
Access to personal information: You must empower individuals to request access to the personal information you have collected on them, free of charge and in a reasonable period of time.
Correction of personal information: You must empower individuals to request corrections of the personal information you have collected on them. You are also required to notify third parties of such correction requests.
New amendments to the Privacy Act coming in 2020
The Australian government has announced that it will amend the APA to increase fines for data breaches and create a whole new privacy code to regulate the collection and processing of personal information on digital platforms. It has also announced that a broad review of the APA will take place in 2020 to assess whether it adequately protects users’ privacy and their personal information online.
How can I get my website compliant?
The APA is just one of many data privacy laws that exist today. Whether you need to comply with the APA, GDPR, CCPA, or any other data privacy law out there, Clym can help. Book a demo with one of our specialists today to find out how you can get your website compliant quickly and easily for one low monthly fee.