Have you ever wondered whether there is a legal requirement to have a privacy policy on your website? If you are using a payment gateway for transactions on your website, the bank may require you to publish certain policies, such as privacy, returns and warranty policies.

Reading through the details published by the OAIC and related government pages leads to the conclusion that…

…a privacy policy must be in place for businesses that turn over more than $3m or provide healthcare. It is not necessary, though, that the policy be published on the business's website, so long as the business can provide it to a customer on request.

The following is a direct response from the Office of the Australian Information Commissioner to our enquiry about whether or not it is necessary to publish a privacy policy.

The Office of the Australian Information Commissioner (the OAIC) regulates the Privacy Act 1988 (Cth) (the Act) which sets out the manner in which Australian, ACT and Norfolk Island government agencies, and many private sector organisations, are to handle personal information.

The 10 National Privacy Principles (NPPs) in the Act regulate the collection, security, use and disclosure of personal information handled by many private sector organisations.

The NPPs apply to all private sector organisations in Australia with an annual turnover of more than $3 million, and to all private health service providers irrespective of turnover. Further information on the coverage of, and exemptions from, the NPPs is available in our published Information Sheet 12.

If the organisation is covered by the Act, then it will need to comply with the NPPs in its handling of personal information.

Under NPP 5.1, an organisation covered by the Act must set out in a document clearly expressed policies on its management of personal information. The organisation must make the document available to anyone who asks for it. This document could be in the form of making available a privacy statement or policy which may be published on the company’s website.

The NPPs are not prescriptive. This means that while they state general rules to which organisations need to adhere, they do not specify the practical steps an organisation must take to meet its obligations.

Further information, including tips for compliance, is available in our published Guidelines to the NPPs on our website.