Make sure you adhere to the Privacy Act

Contractors with an annual group business turnover of more than $3 million must comply with privacy law.

Most importantly, privacy law requires these installers to treat their customer’s personal information as confidential.

Michael Leahy, an accredited specialist in business law with extensive AV industry experience, says that privacy law requires these installers to carry out the following procedures:

  • Prepare a privacy policy and publish it to customers – for example, on their website;
  • Establish a privacy policy and an access procedure for personal information;
  • Provide a privacy notice to new individual customers, when signing them up for installation work;
  • Appoint a privacy officer as a point of contact for any customers wishing to access their personal information.

Businesses must comply with the National Privacy Principles, some of which are summarised below.

A business can collect customer’s personal information only if it is necessary for one of the installer’s functions or activities and only from the individual concerned, where it is reasonable and practicable to do so.

The installer can only use personal information for the purpose for which it was collected. However, an installer may use personal information for a related purpose, if that would be within the reasonable expectations of the individual. So if your group is looking to ‘cross-sell’ an unrelated product to your customers, your privacy policy needs to say so. For example, if you’ve installed a security system for a customer, you can’t pass that customer’s details to another company in your group, which sells flat screen televisions or hi-fi systems, to assist them to market those products to your customer, unless your privacy policy states that you may do this.

Michael adds that it pays to have a privacy policy statement which works sensibly for your whole business, so that another company in your group can market to your customers.

“What an installer mustn’t do is sell a customer list to a separate company (outside the group) purely for marketing to installer’s customers. Privacy law is very much against ‘trafficking’ in customer lists,” he says.

“An installer must take reasonable steps to protect the information from misuse and loss and from unauthorised access, modification or disclosure. This may mean checking to ensure that your in-house computer and document systems are secure from hacking and theft. Computers should be password protected and documents kept locked away when not being accessed.”

An installer must destroy or permanently de-identify customer’s personal information, if it is no longer needed. Obviously a customer’s personal information can be retained by installer for as long as customer is still likely to need the installer for service calls, warranty issues, regular maintenance or even replacement products. A six year period is the minimum period for which most customer information should be stored, as a customer could make a claim on an installer for breach of contract or negligence within six years after an installation.

The privacy officer will handle any customer requests for access to their personal information and any complaints about breaches of privacy law.
Michael has noticed that most medium size companies appoint as their privacy officer the person who handles credit or internal administrative issues within the office. These people are usually well versed in the practicalities of privacy law, as you need to be, when handling credit issues, when considerable money is at stake. The last thing you want to do is ruin your chances of getting your money back, by wrongly disclosing details of an overdue account to someone else, when customer hasn’t given you permission to do so.

Another interesting issue in recent times is how source codes are dealt with when undertaking security installations.

“When installing security technology, many installers don’t provide the customer with the source codes that are necessary to make any modifications in the future. This is a serious breach of privacy law when the customer is an individual,” Michael says.

“If a home owner doesn’t have those codes they can effectively be locked out of their own house and be unable to access a system that opens the front door, turns on the lights and activates the air conditioning. Not only that, but if you are ever going to sell your house, you need to have the codes to pass onto the new buyer.”

Michael believes the problem is not only that installers are not supplying the codes, it’s that they are not informing the customer that they exist in the first place.

“Sometimes the installer wants to make sure that any future business isn’t undertaken by untrained professionals or doesn’t become overly expensive for the client. However, most of the time they withhold the information to guarantee themselves repeat business.”
Michael advises that the correct approach is for the installer to inform the client the codes will be supplied when the installation bill has been paid in full.

“The real issue arises when the installer refuses to supply the codes or doesn’t them they exist and then the customer finds out further down the track.”

As this privacy law has only been in place since 2000, the consequences for a breach are still not particularly severe, however Michael says this could be set to change in the future.

“A complaint is usually lodged with the privacy commissioner and under current Australian Law, the commissioner has power to lodge a claim with the offending party for any financial loss that the customer has suffered. This can be a real problem when the installer is collecting overdue debts, so care needs to be taken in credit collection practices.”

He adds that there have been proposals to bring in a legal tort (a wrongful act that results in injury to a person’s property or reputation, which entitles the injured party to compensation) which will allow a customer to sue an installer for a breach of a privacy law.

The information in this article is general information only and is not legal advice.

For legal advice on these matters, you may contact Michael Leahy, email [email protected] mobile 0416203205 – his liability is limited by a scheme under professional standards legislation.

For privacy generally you may contact the Office of the Australian Information Commissioner (OAIC) at