Keeping your customers’ data safe is a crucial part of your organisation’s online presence.

There are laws which apply to certain private sector organisations’ handling of personal information. If you are collecting personal information from customers online, you will need to bear these laws in mind.

It is critical that you keep your customers’ data safe from theft.

Here, we will cover:

  • Keeping customers’ personal information safe
  • Encryption for payment and address details
  • Understanding your customer privacy obligations
  • Drafting your own privacy policy
  • Legal resources

Keeping customers’ personal information safe

No matter the size of your customer information database, it is important that you have security measures in place to keep it safe. Aside from being a huge blow to your organisation’s reputation, there may be legal consequences for losing customers’ personal information.

For more information about keeping data safe, see the article ‘Prevent data theft’ on the Australian Government’s Stay Smart Online website.

Encryption for payment and address details

For many people who shop online it will be important to know that their payment details – like credit card number and expiry date – and delivery address are going to be kept safe. It is also important for your customers to know that you will not share their details without their consent.

If you are running an e-commerce website, you may want to consider talking to your payment gateway provider to find out what measures they take to keep this information secure when people make purchases on your website.

When discussing security with your payment gateway provider, consider asking them questions like these:

  • What level of encryption do they use to store customer payment data?
  • Are they audited by a third-party organisation?
  • Can they guarantee that they are using the best SSL certificates?
  • Do their staff undergo background checks before they are hired?

Understanding your customer privacy obligations

There are privacy laws and guidelines that determine what you can do with the personal information of your customers, supporters or donors. It is a good idea to be aware of the National Privacy Principles (NPPs). It is also worth thinking about creating a privacy policy for your website.

Customer Privacy

There are laws about the handling of customer, supporter or donor personal information.

Most Australian organisations must comply with federal and relevant state/territory privacy laws. For example, there are privacy laws which apply to certain private sector organisations’ handling of personal information. Personal information may include things like customer, supporter and donor names, email addresses, photos and videos.

If you’d like more information about Australia’s privacy laws, you can visit the Privacy Commissioner’s website.

An introduction to privacy principles

The National Privacy Principles (NPPs) are the baseline privacy standards which some private sector organisations need to comply with in relation to the personal information they collect or hold. The Office of the Australian Information Commissioner may investigate potential breaches of the NPPs. It is a good idea to consult the NPPs to help you fully understand your responsibilities.

As an overview, the National Privacy Principles include the following:

  • You can only collect personal information if it is necessary for the function or activity of your organisation.
  • You should not use or disclose personal information for a purpose different from the original purpose of collection, except in limited circumstances.
  • You must take reasonable steps to ensure that personal information collected is accurate, complete and up-to-date.
  • You must take reasonable steps to protect the personal information collected.
  • You can transfer personal information to a person or organisation outside Australia only in limited circumstances. These include the requirement that you reasonably believe that the recipient is governed by comparable privacy laws, or that the individual whose personal information you transfer consents to that transfer.
  • Although you are allowed to collect and use personal information, you are generally not allowed to collect and use sensitive information about individuals unless they first consent.
    There are only limited circumstances in which such sensitive information can be collected without the person’s consent. Sensitive information is defined in the Privacy Act and includes information regarding race, gender, political opinion, religious beliefs, philosophical beliefs, membership of a trade union or professional organisation, or sexual preference or practices.
  • These principles also require you to explain your personal information collection and use practices to the people using your website at the time you collect their information.

Drafting your own privacy policy

If you intend to collect any personal information on your organisation’s website, it’s a good idea to publish a plain English privacy policy on your site that outlines the information you collect, what you use it for and how you protect it. If you would like more information on what you should include in your privacy policy, the Privacy Commissioner’s website is a good place to start.

Legal resources

You may wish to seek specific legal advice in relation to any privacy issues you may encounter including, for example, the drafting of a privacy policy. These sites may help you begin the search for a suitable lawyer:

  • Law Council of Australia
  • Arts Law Centre of Australia
  • Findlaw Australia