A high-level guide to writing Terms and Conditions for your website.
The Australian Privacy Principles (APPs) share commonalities with the EU General Data Protection Regulation (GDPR), but there are also crucial differences. Website and business owners need to understand these differences to serve their customers properly and to know which obligations apply to them. So, let’s dive in.
The Privacy Act 1988 was created to protect and promote individuals’ privacy and to regulate how Australian Government agencies and organisations handle personal information. The Privacy Act includes 13 Australian Privacy Principles (APPs).
The APPs apply to most Australian Government agencies and to private sector organisations, principally those with an annual turnover of more than AUD 3 million (some organisations, such as private health service providers, are covered regardless of turnover). The agencies and organisations covered are collectively classified as ‘APP entities’.
GDPR stands for General Data Protection Regulation. This European Union (EU) legislation came into effect on May 25, 2018. It consolidates and expands the EU’s earlier data protection framework: the GDPR replaces the 1995 Data Protection Directive with a new set of rules meant to give individuals in the EU greater control over their personal data.
There are subtle differences between “personal data” and “personal information.”
The Australian Privacy Principles refer to “Personal Information,” whereas the GDPR refers to “Personal Data.”
As time has passed, new consumer rights have come into effect. The GDPR reflects more of these rights than the Australian Privacy Principles do, namely:
In a sense, the GDPR is a more modern framework than the APPs.
The “right to erasure” is the GDPR’s formal name for what is commonly called the “right to be forgotten.”
Did you know that your client can refuse to have their personal data processed at any time? In this respect, the Australian Privacy Principles are one step ahead of the GDPR. The GDPR requires the client to request the deletion of their personal data, but the APPs go a step further and state that:
A good tip is to store all personal information in a format that is easy to extract and delete, and to give clients a simple channel (for example, a form or contact address) through which they can notify you when they withdraw their consent.
Under the GDPR’s right to data portability, your client has the right to receive the personal data they provided to you in a structured, commonly used and machine-readable format. Your client also has the right to transmit that data to any other business or institution without hindrance from the company to which they initially provided it.
The Australian Privacy Principles recognise consent to the collection of personal information as either express or implied. The GDPR does not use the terms “express” or “implied”; instead it requires consent to be freely given, specific, informed and unambiguous, and given by a clear affirmative action.
It also states that the data controller must be able to demonstrate that a person has given consent to the processing of their personal data. If you obtain your client’s consent in a written document, the request for consent must be clearly distinguishable from other matters and written in clear and plain language.
The two significant differences are:
A good tip to ensure compliance with GDPR requirements is to get the client to simply click a “tick to accept” box alongside the statement:
Although the APPs do not require it in Australia, an unticked box that the client must actively tick is one of the simplest ways to demonstrate GDPR-compliant consent. Note that a pre-ticked box, silence or inactivity does not count as consent under the GDPR.
Regarding data breach notifications, the Privacy Act now includes the Notifiable Data Breaches (NDB) scheme, which has been in force since February 2018. Under the scheme, APP entities are required to notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals of all eligible data breaches.
A breach is an eligible data breach if it is likely to result in serious harm to any of the individuals to whom the information relates and the entity has not been able to prevent that likely harm through remedial action.
Under the GDPR, if a breach is likely to result in a risk to the rights and freedoms of individuals, the business must notify:
A data breach can have serious legal and reputational repercussions. A good tip is to implement stringent security measures to prevent breaches in the first place; APP 11 requires entities to take reasonable steps to protect the personal information they hold.
Also, prepare a “Data Breach Response Plan,” much like a fire-drill plan, so that your business is ready to act immediately if a breach occurs.
That way, you can contain the breach quickly and limit its damage and far-reaching effects.
Here is a summary listing only the critical differences between the APPs and the GDPR.
There’s a lot more to business than just launching a website. There are compliance issues to consider, and you may need to create cookie policies, privacy policies, disclaimer policies, and more for your website.
As a business owner, you should consider these laws to avoid legal repercussions, and work out whether you must comply with the Australian Privacy Principles, the GDPR, or both.
At GetTerms, we know compliance is a headache, but we aim to make it simple. If you need a quick and affordable way to generate privacy policies for your website, our Comprehensive Policy Pack is the way to go.