Keeping your customers’ data safe is a crucial part of your organisation’s online presence.
There are laws which apply to certain private sector organisations’ handling of personal information. If you are collecting personal information from customers online, you will need to bear these laws in mind.
It is critical that you keep your customers’ data safe from theft.
Here, we will cover:
Keeping customers’ personal information safe
No matter the size of your customer information database, it is important that you have security measures in place to keep it safe. Aside from being a huge blow to your organisation’s reputation, there may be legal consequences for losing customers’ personal information.
For many people who shop online it will be important to know that their payment details – like credit card number and expiry date – and delivery address are going to be kept safe. It is also important for your customers to know that you will not share their details without their consent.
If you are running an e-commerce website, you may want to consider talking to your payment gateway provider to find out what measures they take to keep this information secure when people make purchases on
When discussing security with your payment gateway provider, consider asking them questions like these:
What level of encryption do they use to store customer payment data?
Are they audited by a third-party organisation?
Can they guarantee that they are using reputable, up-to-date SSL certificates?
Do their staff undergo background checks before they are hired?
Understanding your customer privacy obligations
There are privacy laws and guidelines that determine what you can do with the personal information of your
There are laws about the handling of customer, supporter or donor personal information.
Most Australian organisations must comply with federal and relevant state/territory privacy laws. For example, there are privacy laws which apply to certain private sector organisations’ handling of personal information. Personal information may include things like customer, supporter and donor names, email addresses, photos and videos.
As an overview, the National Privacy Principles include the following:
You can only collect personal information if it is necessary for the function or activity of your organisation.
You should not use or disclose personal information for a purpose different from the original purpose of collection, except in limited circumstances.
You must take reasonable steps to ensure that personal information collected is accurate, complete and up-to-date.
You must take reasonable steps to protect the personal information collected.
You can transfer personal information to a person or organisation outside Australia only in limited circumstances. These include the requirement that you reasonably believe that the recipient is governed by comparable privacy laws, or that the individual whose personal information you transfer consents to that transfer.
Although you are allowed to collect and use personal information, you are generally not allowed to collect and use sensitive information about individuals unless they
There are only limited circumstances in which such sensitive information can be collected without the person’s consent. Sensitive information is defined in the Privacy Act and includes information regarding race, gender, political opinion, religious beliefs, philosophical beliefs, membership of a trade union or professional organisation, or sexual preference or practices.
These principles also require you to explain your personal information collection and use practices to the people using your website at the time you collect their
you begin the search for a suitable lawyer: