EVERY DAY you would be collecting personal information from prospective purchasers and renters, including names, phone numbers and email addresses. Of course you want to use that information to benefit your business and your sellers. But is that legal? Ursula Hogben from LegalVision takes a look at how to make the most of the information you collect without breaking the law.
THERE WAS A HUGE overhaul of the Privacy Law in Australia in March this year. The Australian Privacy Principles now govern how you collect and use personal information, including for direct marketing. Do you need to comply? Yes: the ramifications of non-compliance include substantial fines of up to $1.7 million for companies – not to mention the negative publicity for your business.
What do you need to do to comply?
Our five key steps for small businesses are straightforward and easy to implement:
- Appoint a Privacy Officer: Appoint someone in your organisation to be in charge of the steps listed. This can be any responsible person; they do not need to be a lawyer.
- Do a quick audit: Review your business to identify what personal information you collect, and how you use, disclose and store it.
- Have an internal system: Establish or revise internal procedures so your staff know what personal information they can collect, and how to use, disclose and store it.
- Add a privacy notice where you collect personal information: When you collect personal information, inform individuals of details including your organisation’s name, contact details and the purpose of collection. You can mention the Privacy Policy on your website.
- Sort out your Privacy Policy: This tells people what personal information you collect, how you collect and store it, and the purposes for which you use and disclose it. If you use it for direct marketing, this needs to be disclosed. If you disclose personal information to parties overseas you need to disclose that. If practicable, specify the countries where those parties are located.
For all real estate businesses, here are seven quick questions to ask yourself to see if your privacy policy and practices are up to scratch.
- Do people know what personal information I collect and why?
People need to know what personal information is being collected, what you will store, and how you will use it. Each time you collect personal information, you need a Privacy Notice, which should refer to your Privacy Policy.
- Do people know how I will use their personal information?
Your Privacy Policy should indicate what you will do with their information; for example, for internal record-keeping. You need to state whether you will use their personal information for direct marketing.
- Can my customers and database unsubscribe from marketing and email communications?
You may only use personal information for direct marketing if you disclose that the information will be used for direct marketing and you provide your customers with a way to unsubscribe. Each piece of direct marketing should refer to your Privacy Policy and how your customers can unsubscribe from your marketing. Commercial electronic messages must also include clear information about the business that sent the message, a reference/link to the Privacy Policy if possible, and an unsubscribe facility.
- Do I have a secure way for storing personal information?
After personal information is collected, you should ensure that this information is stored securely. Some businesses provide their staff with individual logins and passwords to help protect electronic records of personal information.
- Am I correctly using personal information from a third party?
You can use personal information provided by a third party (for example, a customer database) for direct marketing if, and only if, the relevant individual consented to that use and you provide a way for people to unsubscribe. If you receive personal information from a third party, you should check their Privacy Policy and Privacy Notice to ensure compliance.
- Do I have a complaint-making process?
You need a process to deal with complaints about your compliance with the Australian Privacy Principles. This needs to be in your Privacy Policy.
- Do people on my database know how they can contact me?
You need to give individuals the right to access their personal information and correct anything that’s out-of-date or incorrect. You need to provide accurate contact details so your customers can contact you if they have any questions about the Privacy Policy. These points also need to be included in your Privacy Policy.
If you answered ‘no’ to any of the above, you should look at your internal privacy policy and systems as soon as possible. The ramifications of non-compliance are potentially very serious, but by complying with the law you can show your customers that you care about protecting their personal information.