SIMPLE PRIVACY HELP

Help and FAQ

  • What is personal information and why is the type of personal information being collected important?
  • What is your annual turnover?
  • Do you disclose personal information to a third party? Why do you do this?
  • Who do you pass personal information to?
  • How long do you keep personal information?
  • Where do website users access and update their information?
  • Who is the Privacy contact person for your organisation?
  • What sorts of business do you engage in?
  • What type of business are you?
  • What email address should the policy be sent to?
  • Please provide a link to a page for the privacy contact for your organisation.
  • What types of personal information do you collect?
  • If you do NOT collect personal information you can SKIP the following questions.
  • How is the information secured?
  • Please provide a link to a page where people can change or delete their information.
  • Do you pass or sell information to other organizations (other than required by law)?
  • Please provide a link to a page showing whom the information is passed to.

What is personal information and why is the type of personal information being collected important?

Personal information means any information, including an opinion, which will identify an individual person. Several pieces of information may be needed to identify an individual: while a person’s mobile phone number may not identify that person on its own, it may identify them if linked with their email address or home address. The type of information is important because there are different rules contained in the Privacy Act 1988 (Cth) about how certain types of personal information can be collected. There are more controls around the collection of personal information that relates to your health, finances, and your tax file number, for example, than there are around collecting personal information such as your name and contact details.

What is your annual turnover?

We need to know the answer to this question because businesses that earn less than $3 million per annum are exempted from the operation of the Privacy Act and do not have to comply with the Australian Privacy Principles contained in it, unless they are a health services provider or they trade in personal information. This exemption does not mean that you cannot have a privacy policy, but it does mean that you cannot say in it that you are bound by the Privacy Act. Even though you are exempted from compliance with the Act (with the exception of any tax file numbers you may collect), you may choose to opt in to be bound by the Act. To do so, you need to complete the opt-in form on the website of the Australian Information Commissioner at http://www.oaic.gov.au/privacy/applying-privacy-law/privacy-registers/opt-in-register.

Do you disclose personal information to a third party? Why do you do this?

You must tell users of your website whether you disclose the personal information you have collected to other parties. The reasons why you disclose information to others can vary. You may disclose it only for the purpose of sending purchased goods to a user by giving the contact details to Australia Post or to whoever delivers the goods you are selling. Or, you may pass the information onto an advertising group for marketing purposes.

Who do you pass personal information to?

You need to let individuals know who you pass their information to. You must provide the names and web addresses of these third parties, whether they are located in Australia or overseas.

How long do you keep personal information?

Under the Privacy Act, organisations should only keep personal information for limited periods, related to the purpose for which the information was collected. Some organisations will keep the personal information only while the individual is a customer of their website or business; when the individual ceases to be a customer, their personal information is deleted or de-identified. Other organisations allow the website user to delete their own personal information when they decide to stop using the site. Some organisations do not have a policy relating to when they delete or de-identify personal information, and individuals need to be advised of this. There are some legal requirements that certain personal information, such as tax file numbers and income tax returns, must be kept for a set period of time, say, seven years.

Where do website users access and update their information?

The Privacy Act requires that all individuals are able to find out what personal information about them is held by an organisation. The Act also requires organisations to correct personal information which they hold when reasonably requested by an individual or where, for any other reason, they become aware that the information is inaccurate, out of date, incomplete or irrelevant. Your privacy policy should advise individuals how to access and correct incorrect information.

Who is the Privacy contact person for your organisation?

You are required to provide the contact details of the person in your organisation who handles privacy matters. Ideally, you should provide a person’s name and email address, although it is acceptable to have a generic contact such as ‘privacy@email address’.

What sorts of business do you engage in?

It is important to identify the business you are running because, while small businesses are generally excluded from the Privacy Act, some are specifically included in its operation. For example, a small business that is providing health services or is buying and selling personal information must comply with the Act even if its annual turnover is $3 million or less. Your business activity may indicate the categories of personal information you collect.

  • Online Sales and Services: You are selling goods and services through your site, or you are providing a service to other web users or subscribers, such as a newsletter, weather forecasts, price comparisons and so on. You may be collecting financial information as well as names and contact details.
  • Health Services Provider: A private sector health service provider is bound by the Privacy Act, regardless of its annual turnover. This is because the business will be collecting sensitive health information about individuals.
  • Buying and Selling Personal Information: Businesses that trade in personal information are bound by the Privacy Act, regardless of their annual turnover.
  • Social Networking Service: Social networking sites usually involve individuals disclosing personal information about themselves, or their friends and families. While the Privacy Act does not apply to the activities of individuals, the Act does apply to businesses that collect and use the personal information disclosed by users of their site.
  • Other: Your online business may not fall into one of the above categories of business. In that case, tick this box to move forward.

What type of business are you?

The Privacy Act applies to Federal Government agencies, Australian Capital Territory government agencies, and the private sector (including not-for-profit organisations). Different legislation applies to state and territory government agencies and, at the moment, we cannot provide privacy policies for such bodies. The Privacy Act also generally exempts small businesses with annual turnovers of $3 million or less, so they do not have to comply with the Australian Privacy Principles contained in it, unless they are a health services provider or they trade in personal information. This exemption does not mean that you cannot have a privacy policy, but it does mean that you cannot say in it that you are bound by the Privacy Act. Even though your business is exempted from compliance with the Act (with the exception of any tax file numbers you may collect), you may choose to opt in to be bound by the Act. To do so, you need to complete the opt-in form on the website of the Australian Information Commissioner at http://www.oaic.gov.au/privacy/applying-privacy-law/privacy-registers/opt-in-register.

What email address should the policy be sent to?

At the end of this process, we will provide you with a Simple Privacy logo and a block of code that you can incorporate into your own site. We will also send you this information as an e-mail. Please type your e-mail address carefully.

Please provide a link to a page for the privacy contact for your organisation.

You are required to provide a Web address showing the contact details of the person in your organisation who handles privacy matters. This might be a dedicated privacy officer, the legal officer for the business or the business owner. Ideally, that Web page should provide a person’s name and email address, although it is acceptable to have a generic contact such as ‘privacy@email address’. Please provide a valid Web address. We recommend cutting and pasting the address, so that you know it works.

What types of personal information do you collect?

The type of personal information you collect is a key element in determining the privacy level of your website. There are more controls around the collection of personal information that relates to your health, finances, and your tax file number, for example, than there are around collecting personal information such as your name and contact details. It is important to understand if the information that you collect is anonymous or is de-identified information.

  • Anonymous Information: Anonymous information has never contained any details that could identify an individual.
  • De-Identified Information: De-identified information has had all direct or indirect identifiers linking the information to an individual removed or destroyed.

If you do NOT collect personal information you can SKIP the following questions.

If you do not collect any information, then we do not need to know any more. Even if you do not collect information, we require you to provide information about your privacy contact, as people may have queries about your privacy policy.

How is the information secured?

The Privacy Act states that an organisation must keep the personal information it collects reasonably secure so that it is free from unauthorised access, modification or disclosure, or other forms of loss, interference or misuse. The Act does not set down what reasonable security is to be used. However, banks, merchant providers and credit card providers require that any financial information an online website collects about an individual must be encrypted. It is also recommended that medical information about an individual be encrypted. At a minimum, you must keep personal information secured to use these policies. We recommend that all personal information collected be encrypted. Please note that security and encryption will not protect your clients from unauthorised use by an authorised person (e.g. a staff member). Rules that govern what authorised people should and shouldn’t do with private information should be covered in your internal policies.

Please provide a link to a page where people can change or delete their information.

Please provide a Web page address where users can update or delete their information. This might be an individual’s log-in page; a page that shows what information you hold, with instructions on how to update it; a page that provides instructions to log into their section of the site; or a page with contact details for someone who can change their information for them. Please provide a valid Web address. We suggest cutting and pasting, so that you know it works.

Do you pass or sell information to other organisations (other than required by law)?

You must tell users of your website whether you disclose personal information you have collected to another party. The Privacy Act permits you to disclose the information to a third party if this disclosure is related to the primary purpose for collecting the information. So, if the information was collected to allow you to send individuals some goods they have purchased from you, then you are able to disclose the purchaser’s name and address to an organisation that will deliver the goods. You can also use or disclose this personal information for a secondary purpose related to the primary purpose. An example of a secondary purpose is when you place the purchaser’s name on a mailing list to advise them when you receive new stock. If you disclose the information for any other purpose, you must obtain the individual’s consent first.

  • Primary purpose of collection: “Primary purpose” is defined as the main purpose for which the information was actually collected, such as providing your name and address to a delivery company so that they can deliver some goods.
  • Secondary purpose of collection: “Secondary purpose” is defined as something that is related to the primary purpose, and that an individual would reasonably expect to happen. For example, a business is going to change its address, so it e-mails all of its customers to inform them of the change.
  • “Any purpose” is defined as anything that isn’t covered by the primary or secondary purpose; specific consent for this use or disclosure must be obtained from the individual.

Please provide a link to a page showing whom the information is passed to.

You need to let individuals know who you pass their information to. You must provide the names and web addresses of these third parties, whether they are located in Australia or overseas.