Small Biz & Privacy
Author: Youth 2 Youth
This article provides some pointers
about the Commonwealth privacy law for those small businesses
that will need to comply with the Privacy Act 1988 that
came into effect from 21 December 2002. This information
is not 'the law' as such, so please check the legislation
for more specific help. More information can be found
at www.privacy.gov.au/business/small/index.html.
Do I need to comply?
A small business is one with
an annual turnover of $3 million or less that is:
- trading in personal information (e.g. buying or
selling a mailing list); or
- related to a larger business (a related body corporate);
or
- a contractor that provides services under a Commonwealth
contract.
If you could answer yes to any
of these, your small business may need to comply with
the Privacy Act. If you're not sure, check the Government's
Privacy Checklist at www.privacy.gov.au/publications/checklist.doc.
About The Privacy Act
"The Privacy Act protects personal
information about individuals handled by organisations
(including small businesses and not for profit organisations)
subject to the Privacy Act. The ten National Privacy
Principles (NPPs) in the Privacy Act set the minimum
standards for handling personal information," (Source:
www.privacy.gov.au).
If individuals think a business,
including a small business subject to the Act, has not
complied with the NPPs in handling personal information
about them, then they can complain. The Privacy Commissioner
can then investigate the complaint, though usually after
the individual has first tried to resolve the complaint
with the organisation in question. Remedies for a complaint
might involve an apology, a change in practice or compensation.
A Privacy Plan
Go to www.privacy.gov.au
and download the Guide to Privacy for Small Business.
This includes a step-by-step plan about how to deal
with privacy. Technically, your business should have
been ready by 21 December 2002, but it is never too late
and new businesses also need to prepare.
Useful Tips
Source: A Guide to Privacy for
Small Business
- Know what personal
information your small business collects and why.
This includes information collected on forms, informal
notes or opinions and images in photos or film; and
collected directly from the individual or from someone
else.
- Information collected
from third parties is not always good quality. As
far as possible collect personal information directly
from the individual.
- Do not trick individuals
into giving you information or collect more information
than you actually need. For example, you may need
to know an individual's income but you may not need
copies of their bank statements.
- Do not collect any
information at all if you don't need to.
- From time to time review
your collection processes and staff understanding
of collection and privacy.
- Get consent before
sending your own direct marketing material. If you
can't, give the individual the chance to opt-out when
you do send the material and make sure they know how
to contact you.
- Never use sensitive
information for direct marketing.
- NO SURPRISES for the
individual!
- You can ask an individual
for consent to send them direct marketing material
when you collect information.
- If individuals do opt-out
when you send them direct marketing material, do not
contact them again for this purpose.
- Do not disclose personal
information to another organisation for them to send
unrelated direct marketing without the individual's
permission.
- You can disclose information
at the individual's request, for example, to an accountant,
lawyer or relative. Get clear consent from the individual,
in writing or by another method that is robust enough to
satisfy you of the person's identity.
- Put yourself in the
individual's shoes and think about what could happen
to the individual if the information is wrong. For
example, poor quality information can cause serious
or even life-threatening problems. Good quality information
on the other hand could increase customer confidence
in your business.
- Look at what you can
do in your small business to check and update personal
information at the time you are collecting, using
and disclosing information.
- Wherever possible,
collecting the information directly from the individual
is best. It's a good quality check!
- Have secure computer
passwords and lockable filing cabinets.
- Check an individual's
identity when they ask for access to the personal
information you hold about them.
- Keep personal information
away from those who do not need to see it - staff
as well as customers.
- Destroy information
securely. Do not dump it in a street bin.
- Raise security awareness
with your staff. Review procedures from time to time.
- Make sure you are using
the health and safety, legal obligation or business
needs exceptions correctly before you say no to a
request for access.
- Check the identity
of the individual asking for access to the personal
information you hold about them.
- The principle doesn't
prevent you making notes in your customer record,
just be aware that your customer can have access to
ALL the information you hold about them, even those
'off-the-cuff' notes about difficult customers.
- Access can be given
in different ways, including photocopies, letting
the person take notes and printouts or e-mails of
electronic information.
- Correct poor quality
information as soon as possible.
- If you are not sure
that the country to which you are sending the personal
information has similar privacy protection to Australia
you may want to get legal advice.
- If in doubt, get consent
to the transfer of personal information overseas at
the time you collect information.
More Help
www.privacy.gov.au
Privacy Hotline 1300 363 992
(local call charge),
or mail GPO Box 5218, SYDNEY NSW 2000
'Copyright
2003 Youth 2 Youth'
Disclaimer:
This article is for your information, but it may not
apply to or be suitable for your situation, so seek
professional advice. Youth 2 Youth
cannot be held liable for anything resulting from how
you use the information provided in this article.