Privacy Policy for Website or Mobile Application

How does it work?

1. Choose this template

Start by clicking on "Fill out the template"

2. Complete the document

Answer a few questions and your document is created automatically.

3. Save - Print

Your document is ready! You will receive it in Word and PDF formats. You will be able to modify it.

Last revision: 02/04/2024

Available formats: Word and PDF

Size: 7 to 11 pages

Rating: 4.7 - 83 votes

What is a Privacy Policy?

A Privacy Policy is a document that is published by the owner of a website or mobile application, explaining what sort of information they collect from users and how they collect it, as well as how they use, store and share that information.


Is it mandatory to have a Privacy Policy?

In Australia, every APP entity must have a Privacy Policy. An APP entity is defined under the Australian Privacy Principles and includes:

  • Businesses that generate more than $3 million in turnover annually.
  • Businesses that generate less than $3 million in turnover annually, but satisfy some of the other qualifications under the Australian Privacy Principles such as by buying or selling personal information, providing a health service and holding health information, or being a contracted service provider for a Commonwealth contract.

The Australian public is becoming more concerned about online privacy. A Privacy Policy can help to address some of those concerns. Therefore, it is best practice for all businesses in Australia to have a Privacy Policy, even if they think they might not be obliged to have one.


What is the difference between a Privacy Policy for Website or Mobile Application and a GDPR Privacy Policy?

These documents are quite similar.

The GDPR refers to the European Union's General Data Protection Regulation. This is a comprehensive set of privacy laws which contains some strict data protection requirements. While it is European law rather than Australian law, Australian businesses (regardless of size) may need to comply with the GDPR if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU. There are a lot of similarities between Australian privacy law and the GDPR, but the GDPR is stricter than Australian privacy law in a number of ways.

A Privacy Policy for Website or Mobile Application only addresses Australian law, so it is designed for businesses that do not need to comply with the GDPR. The GDPR Privacy Policy is for Australian businesses that may also need to comply with the GDPR.


What is personal information?

Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable. This could include:

  • Name
  • Contact details
  • Payment details
  • Photographs
  • Location data
  • Browsing data


What can be the duration of a Privacy Policy?

A Privacy Policy can stay in place indefinitely. However, business owners should regularly review their Privacy Policy to make sure that it is up to date with current privacy laws and that it accurately reflects how the business handles privacy matters.

If the business changes the way it collects, stores, shares or uses personal information, then the business owner should make sure to update their Privacy Policy.


What has to be done once a Privacy Policy is ready?

Once the Privacy Policy has been completed, it can be published on the website or mobile application, in a location that is easy for users to find. For example, many websites include a link to their Privacy Policy in their website footer.

A Privacy Policy does not need to be signed.


What must a Privacy Policy contain?

A Privacy Policy should outline:

  • the name and contact details of the owner of the website/mobile application.
  • which personal information is being collected and stored.
  • how the information will be collected.
  • where the information will be stored.
  • the reasons why the information is being collected.
  • how the information will be used.
  • how the information will be disclosed.
  • how visitors can access their personal information or ask for a correction.
  • how visitors can lodge a complaint if they think the information has been mishandled.
  • how the business will handle the complaint.
  • if the information is likely to be disclosed outside Australia and if practical, which countries the information may be disclosed to.

A Privacy Policy may also outline:

  • the fact that data transmitted via the internet may not be secure, and that the website owner disclaims liability in this regard.
  • how to unsubscribe from email lists.
  • if the site/application may be used by children, what information will be collected, and how parental controls work.
  • how to update personal information and preferences.
  • how third party advertisements may be used.
  • what information may go to third parties.

Some industries have additional privacy rules. These are discussed below.


Which laws are applicable to a Privacy Policy?

The primary legislation in relation to privacy law in Australia is the Commonwealth Privacy Act 1988. This has been amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012.

The Privacy Amendment (Enhancing Privacy Protection) Act 2012 also contains a set of Australian Privacy Principles, which apply to Australian organisations and provide guidance as to what should be included in a Privacy Policy. Further information about the Australian Privacy Principles is available via the Office of the Australian Information Commissioner.

Other relevant laws include the Privacy Regulation 2013, and the Privacy (Credit Reporting) Code 2014. A number of industries also have additional privacy rules. For example, specific laws may impose additional privacy requirements in relation to:

  • email marketing
  • telemarketing
  • surveillance
  • telecommunications
  • criminal records
  • data matching
  • anti-money laundering
  • health records, Medicare, the pharmaceutical benefits scheme, or the eHealth system
  • biometric information
  • the Personal Property Securities Register
  • credit reporting
  • financial services
  • children
  • tax file numbers
  • information relating to racial or ethnic origin
  • information relating to political opinions
  • membership of a political association, professional or trade association or trade union
  • religious beliefs or affiliations
  • philosophical beliefs
  • sexual orientation or practices

This privacy policy satisfies basic requirements of the Privacy Act 1988 and the Privacy Amendment (Enhancing Privacy Protection) Act 2012 but does not contemplate the full range of specific privacy matters that may apply in some situations (including those additional matters that may arise under the other privacy laws listed above).

The European Union General Data Protection Regulation (GDPR) contains data protection requirements that may also apply to Australian businesses.

Australian businesses (regardless of size) may need to comply with the GDPR if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU.

This privacy policy does not deal with the GDPR. It is only designed for compliance under Australian law. Businesses that deal with the EU should consider our GDPR Privacy Policy.

Further information about how the GDPR may affect Australian businesses is available through the Office of the Australian Information Commissioner.


How to modify the template?

You fill out a form. The document is created before your eyes as you respond to the questions.

At the end, you receive it in Word and PDF formats. You can modify it and reuse it.
