
Does My Website Need A Privacy Policy?

April 19, 2020 | Ezra Sarajinsky and Philip Evangelou

Nestled at the bottom of many websites, amongst the copyright symbol and other very small text, is where you will typically find a privacy policy. You may be wondering whether they have any real meaning, and if your website needs a privacy policy. 

Since 2014, various Australian organisations have been required to consider the kind of information they collect and to formulate a written Privacy Policy. While there is no mandate to have this policy published on an organisation’s website, it is required to be accessible to the public free of charge, and a website is the easiest way to achieve this.

All businesses and not-for-profits with an annual turnover exceeding $3 million are subject to these requirements. However, organisations with a turnover under $3 million will also need to have a privacy policy if they are:

  • Private health service providers (this includes a very broad range of businesses such as gyms, weight loss clinics, childcare centres etc.)
  • Employee associations under the Fair Work (Registered Organisations) Act 2009
  • Service providers contracted for a Commonwealth contract
  • Businesses that buy or sell personal information
  • Credit reporting bodies
  • Businesses related to another business subject to the Privacy Act (eg a subsidiary of a company covered by the Privacy Act)
  • Any other types of business prescribed by regulations

So if your business or not-for-profit is turning over more than $3 million, or is one of the organisations listed above, then you are required to comply with the Australian Privacy Principles – starting with having a privacy policy. And even if your organisation is not an entity subject to the Australian Privacy Principles, it is still worthwhile to publicly disclose to consumers how their information will be handled.

The purpose of the Privacy Policy is to explain how your organisation manages personal information. Your business or not-for-profit should explain:

  • The kind of information that your business collects and holds
  • How personal information is collected and held
  • The purposes for which personal information is collected, held, and disclosed
  • How someone can access the personal information held about them, and how they can seek to have it corrected
  • How someone can complain about a breach of the Australian Privacy Principles, and how your organisation would deal with that kind of complaint
  • Whether your organisation is likely to share data with overseas entities

There isn’t a specific template that has to be followed when writing a privacy policy. The emphasis is on addressing the list of concerns above. In general it should be written in language that will be easily understood by consumers and members of the general public. 

When formulating a Privacy Policy you need to carefully consider all the ways that information is collected, held and disclosed by your organisation. It is not only about information collected via the website. “Personal Information” is any information about an identifiable individual (or an individual whose identity could be ascertained), whether that information is true or not, and whether recorded in material form or not. The policy needs to be exhaustive, covering everything to do with the collection of personal information.

When it comes to the way that your digital ecosystem collects user information, there is a broad array of things to consider. For example, a typical website may be collecting a lot of metadata, and this data can reveal information about the end user. Even a simple website may collect session times, user location, IP address, device and browser information, a list of all pages visited, and other websites visited (via cookies). Using third-party tools like Facebook share widgets, Facebook tracking pixels or Google Analytics passes that data (and much more) to those corporations. Hosting the website through a hosting provider located overseas raises additional issues: these companies will have their own policies on data collection and management, are subject to the privacy laws of other jurisdictions, and may have data centres spread across multiple countries.

OpenLegal can help you formulate a Privacy Policy, and can advise on whether your business's data-handling practices comply with Australian privacy laws. Just call us on 1300 337 997 or complete the contact form.

About Ezra Sarajinsky

Ezra is a founder of OpenLegal. Having spent the last decade working with startups, small businesses and corporates, Ezra is evolving a client-centric experience that tightly integrates digital technology with project managed services. His legal focus is employment, corporate and migration law.

About Philip Evangelou

Phil is a director at OpenLegal. He has over 16 years' experience working in private practice and as in-house counsel in Sydney and London, giving him expertise in employment law, IP, finance, leases, dispute resolution, insurance and contracts.