Your Obligations for Customers' Personal Information

Share this article:

As a business, you may have obligations under the Privacy Act regarding how you handle your customers’ and employees’ information.

Here’s your guide to understanding your obligations on managing a customer’s personal information.

Which businesses have responsibilities under the Privacy Act?

The Office of the Australian Information Commissioner (OAIC) details which type of businesses the act covers. It refers to ‘organisations with an annual turnover more than $3 million have responsibilities under the Privacy Act, subject to some exceptions’.

Even if you are a small business with an annual turnover of $3m you may still have obligations under the Privacy act, such as if you:

Buy or sell personal information

Are a contracted service provider for an Australian Government contract

Are a private health service provider including traditional or complementary health, gym, weight-loss clinic, child-care centre, and private education

Are a residential tenancy database operator

Are a credit provider or credit reporting body

Are a business accredited under the Consumer Data Right System

Are a business that has opted into the Privacy Act

Are a business related to one covered by the Privacy Act

Are a business prescribed by the Privacy Regulation 2013.

What constitutes personal information?

Under the Privacy Act, personal information can be relatively broad and depend on whether a person can be identified or reasonably identified in a scenario. The act does not apply to the personal data of people who have died.

The OAIC says personal information can include:

Someone’s name, address, phone number, date of birth, or signature

Sensitive information

Credit information

Photographs

Employee record information

Internet protocol address

Voice print and facial recognition biometrics

Geographical location information from a mobile device.

The Federal Attorney-General’s department has been reviewing the Privacy Act 1988. It’s looking to broaden the definition of personal information to include identifiers, location data, online identifiers, and other technical details typically used in digital advertising programs. Fines and enforcement powers are also expected to increase, with the maximum penalty to hit $10 million.

Check this official website for updates on the review. You might also be interested in this government website about digital identity for business owners.

How to protect customer PI

If you’re a business to which the Privacy Act applies, here’s how to protect your customers’ information, according to the OAIC. (It’s also good practice to follow even if the act doesn’t apply to you).

Review your company’s internal privacy policies, processes, and procedures (including responding to a breach) to ensure they’re fit for purpose and the data is held securely

Assign a senior manager to have overall accountability for how your business handles privacy. They’ll need to deal with access and correction requests and inquiries about your practice

Build privacy considerations into project planning, mainly if it involves new or changed personal information handling practices (here’s a guide to doing a privacy impact assessment)

Collect only the personal information you need now, not for later. Legally it would help if you let people interact anonymously with your business in most cases

Use and disclose personal information (internally or externally) only for the primary purpose under which it was given unless the individual has consented otherwise, if reasonable to do otherwise or legal to do so

Get savvy about disclosing personal information overseas – recipients of the data must comply with the Australian Privacy Principles.

If the personal information your business holds is breached – accessed, lost, or disclosed without authorisation – you’ll need to report those (if eligible) to the Privacy Commissioner and affected individuals. Find out more about notifiable data breaches here.