Needing some help with your privacy policy?

Privacy Policies for SaaS businesses

Are you operating or planning to run a SaaS business? Have you thought about your compliance with Australian and global privacy laws?

Privacy is an ever-evolving field and consumers are becoming increasingly concerned about how businesses use their personal information. It is more important than ever to determine whether your business is required to comply with privacy law, as penalties for non-compliance can exceed the cost of drafting a compliant Privacy Policy. For SaaS businesses, in particular those which require users to create profiles with Personal Information or who process Personal Information on behalf of their clients, privacy laws should be at the forefront of your mind and be referenced in your SaaS Agreement. This is why we’ve created our handy Guide to Privacy Policies for SaaS businesses.

Privacy Policies for SaaS businesses – What laws do you need to comply with?

When developing Privacy Policies for SaaS businesses, it is important to first understand what privacy laws you need to comply with.

All Australian businesses are potentially subject to the Privacy Act 1998 (Cth) (Act). Determining whether your business is required to comply with the Act can be complex.

Generally, the Act covers any business that:

  • has an annual turnover of more than $3 million;
  • is a private sector health service provider;
  • sells or purchases personal information;
  • is a credit reporting body;
  • is a contractor that provides services under a Commonwealth contract;
  • is an employee association registered or recognised under the Fair Work (Registered Organisations) Act 2009;
  • is related to a business that is covered by the Act; or
  • is prescribed by the Privacy Regulation 2013.

This list, however, is not conclusive and there are exceptions to these rules and exceptions to those exceptions.

Furthermore, if your SaaS business targets or collects data related to European Union (EU) residents or citizens then you will also be required to comply with the General Data Protection Regulation (GDPR). The GDPR is one of the world’s most comprehensive privacy and security laws and applies to any organisation, wherever located, that offers goods and services to people in the EU and handles their information.

For further information see our Guide to the GDPR for Australian Businesses.

Privacy Policies for SaaS businesses – Do you need a Privacy Policy?

Now that you understand what privacy laws apply to your business, you must consider whether your business requires, and therefore whether your SaaS Agreement should refer to, a Privacy Policy.

If, per the above, your business is considered to be an entity subject to the Privacy Act 1998 (Cth), then you are required to comply with the Australian Privacy Principles, which among other things set out the obligation to have a Privacy Policy. If you fall under the GDPR, then you are also obligated to have a Privacy Policy which is transparent, intelligible and easily accessible. Entities which must comply with the GDPR may also need to include data processing provisions and standard contract terms, particularly where your SaaS platform processes data on behalf of other entities.

However, even where you are not legally required to hold a Privacy Policy, many consumers these days expect businesses to have one. Privacy Policies help ensure transparency about how people’s data is held and managed. Furthermore, in the event of a data breach, evidence of your compliance goes a long way to restoring your business’s reputation.

Privacy Policies for SaaS businesses – What should your Privacy Policy cover?

Key concepts for your Privacy Policy to cover are how your business collects, holds and processes personal information.

In order to do this, you will also need to understand your business’ functions and activities in relation to how you handle personal information and for what purpose you may disclose personal information to other entities. The Australian Privacy Principles offer a guideline on the mandatory requirements of a Privacy Policy.

Using offshore contractors or data centres

Whether an organisation will disclose information to an overseas entity and under what circumstances must clearly be outlined in any Privacy Policies for SaaS businesses.

Your Privacy Policy must clearly stipulate that personal information will only be disclosed to overseas entities under certain circumstances and what those circumstances are. Furthermore, you must list the specific countries to which personal information may be disclosed or, where it is impractical to do so, list general regions.

However, it is not enough to merely have a Privacy Policy stating under what circumstances overseas disclosure of personal information will take place, without also taking steps to ensure that privacy is protected when you disclose it. It is necessary for businesses disclosing personal information to overseas entities to have in place agreements with these entities which ensure the confidentiality and protection of personal information. Ensuring proper handling of personal information is also important considering your business can be held accountable where a third party entity mishandles the information. The Office of the Australian Information Commissioner states:

“The framework generally requires an APP entity to ensure that an overseas recipient will handle an individual’s personal information in accordance with the APPs, and makes the APP entity accountable if the overseas recipient mishandles the information.” - APP 8.1

In this regard, SaaS businesses that are required to comply with the Act need well-drafted Service Agreements with confidentiality clauses. These aid in ensuring the third party entities you engage maintain proper privacy practices and limit the chances that your business will face the potentially heavy fines associated with breaching the Act.

Data Breach Policy

Another important area of privacy compliance for SaaS businesses relates to their obligations in the event of a data breach.

A data breach is where personal information is accessed or disclosed without authorisation, or where it is lost. Under the Act, where a business is subject to a data breach, it is obligated to notify the individual(s) affected and the Office of the Australian Information Commissioner (OAIC).

They must do so when:

  • the breach is likely to result in serious harm to one or more individuals; and
  • the business hasn’t been able to prevent the likely risk of serious harm with remedial action.

Examples of serious harm include:

  • identity theft, which can affect finances and credit report;
  • financial loss through fraud;
  • a likely risk of physical harm, such as by an abusive ex-partner;
  • serious psychological harm; or
  • serious harm to an individual’s reputation.

Generally, a business has 30 days after a data breach to assess whether serious harm is likely to result and to notify the individuals affected and the OAIC. If a business is able to determine that serious harm is unlikely to result, they may not be obligated to notify affected persons or the OAIC of the breach. However, you should always seek advice from a lawyer regarding the often complex interpretation of the data breach notification scheme.

Key Takeaways when considering Privacy Policies for SaaS businesses

If you’ve jumped to the bottom of our Guide to Privacy Policies for SaaS businesses then here are our key takeaways.

  • Having a compliant Privacy Policy may be required under the Australian Privacy law, the GDPR, by your customers and by your business partners, who generally expect businesses to have one.
  • When drafting a Privacy Policy one of the first tasks is determining which privacy laws your SaaS business is required to comply with.
  • You should consider whether you need to create a Privacy Policy; in most cases it is preferable, and in some cases you are legally obligated to.
  • Even if you are not required to comply with privacy law your business partners may contractually bind you.
  • It is important to ensure your Privacy Policy covers all the necessary elements.
  • If you are transferring personal information overseas, whether by having data centres located overseas or from engaging overseas contractors, you will need to have in place terms relating to them in your Privacy Policy and also an appropriate Service Agreement with them.
  • Be sure to create a compliant Privacy Policy which can assist in mitigating reputational damage.
  • Finally, in the event of a data breach, obtain advice from a lawyer immediately.

Have you read our Legal Considerations for SaaS? Make sure to also check out our Guide to SaaS Agreements and advice on Structuring a SaaS Business!

We know tech.

Are you looking for an IT Lawyer that knows tech? Today almost every business is a technology business. Even if you are not on the cutting edge of innovation, you are probably entering into business relationships with people who are. If you are not, you should be. Helping businesses thrive and reducing transaction costs is at the very heart of any real IT Lawyer.

We know business.

Need a software development lawyer, with IT, business and accounting qualifications? One who spent over a decade running their own management consulting firm? The sort of commercial lawyer that can translate IT to business, business to law and law back to IT? Contact us today and speak to a multi-disciplinary commercial lawyer.

IT Lawyers are proud to be based in the innovative heart of Brisbane.
