AustLII Home | Databases | WorldLII | Search | Feedback

Privacy Law and Policy Reporter

Privacy Law and Policy Reporter (PLPR)
You are here:  AustLII >> Databases >> Privacy Law and Policy Reporter >> 1999 >> [1999] PrivLawPRpr 15

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

Croydon, Kerry --- "Business entry point: draft privacy policy" [1999] PrivLawPRpr 15; (1999) 5(8) Privacy Law & Policy Reporter 161

Business entry point: draft privacy policy

Kerry Croydon

The Commonwealth Department of Employment, Workplace Relations and Small Business (DEWRSB) has developed the following draft Personal Privacy Policy for the Commonwealth Government’s Business Entry Point (BEP) initiative.

The BEP facility can be accessed on the internet at

Information about the BEP initiative, including this draft BEP Privacy Policy, is published at

BEP Management regards timely consultations and testing of this draft policy with stakeholders as important and significant. As part of this process, BEP Management needs and welcomes feedback. Feedback containing personal information will be treated as confidential, and will not be disclosed without consent other than to the BEP personnel developing the BEP facility, who are all bound to comply with the Commonwealth Privacy Act.

Feedback on the draft BEP Personal Privacy Policy would be appreciated by 21 May 1999.

Please forward your feedback to BEP Management Branch: Attention Kerry Croydon, Department of Employment, Workplace Relations and Small Business, GPO Box 9879 CANBERRA ACT 2601, or by email to:

The Commonwealth Government’s Business Entry Point (BEP) initiative is an internet based, whole-of-government, one-stop service to business. The BEP initiative is designed to reduce red tape for business and make it easier for users to interact with all levels of Australian governments.

The BEP initiative is managed by the Office of Small Business in the DEWRSB.

In this draft BEP Personal Privacy Policy, the term ‘BEP facility’ covers what is under the control of the Commonwealth Government, that is the domain, and the Commonwealth public servants and consultants (‘BEP personnel’) responsible for that facility.

The primary delivery mechanism used for the BEP initiative is the internet. Businesses or individuals without internet access can use the service through community internet access facilities. The BEP initiative is also supported by a telephone hotline which provides additional assistance such as printed copies of documents and forms, to ensure that government information is available to businesses without computer access.

The BEP initiative operates in a business context and as such is not primarily concerned with citizens in their private capacities. However, data that identifies persons in some way may be collected by the BEP facility, but only if users supply such data to obtain information from government relating to their business activity, or to conduct business with government. An example would be where a user provides personal information in the course of establishing a business in his or her own name.

Benefits to be delivered by the BEP facility include a secure environment, a reliable system and personal privacy protection when interacting with the BEP facility.

Users should note there are inherent risks associated with transmission of information via the internet and should make their own assessment of the potential risks when deciding whether to should utilise the BEP facility. There are alternative ways to obtain government information and transact business with governments for those users who do not wish to use public networks such as the internet.

Most Commonwealth government agencies and their personnel are governed by the Commonwealth Privacy Act 1988 and the Commonwealth Crimes Act 1914. Personnel who are mainly Commonwealth public servants operate the BEP facility. In addition, some private sector consultants work on the BEP facility under contracts by which they agree to comply with the Information Privacy Principles (IPPs) in the Privacy Act relevant to their work. Consultants are also required in their contracts to acknowledge their awareness of the relevant provisions of the Crimes Act.

As part of the BEP initiative’s whole-of-government approach, the BEP facility provides access to state and territory government agencies which do not come within the scope of the Commonwealth privacy legislation (except for the ACT Government which is subject to the Commonwealth Privacy Act). Some of these agencies are subject to State privacy legislation. The BEP facility endeavours to encourage these agencies to observe high standards of privacy protection. However the Commonwealth cannot guarantee the privacy of information once data has left the BEP facility.

The BEP personnel welcome questions and feedback in relation to the BEP facility’s design and practices, which should be addressed to


The BEP Personal Privacy Policy addresses personal privacy matters. This policy does not extend to commercial-in-confidence and other security matters, which are addressed by the BEP Security Policy.

The Commonwealth and ACT agencies participating in the BEP initiative are collectors and record-keepers for the purposes of the Commonwealth Privacy Act. DEWRSB is the Commonwealth agency that is the initial collector and record-keeper of personal information gathered by the BEP facility.

Users seeking more information about personal privacy protection in the States and Territories are referred to (Australian Privacy Commissioner’s Information Sheet).

The rest of this BEP Personal Privacy Policy applies to user interactions with the BEP facility.


The Privacy Act and the Crimes Act may provide redress mechanisms and sanctions if users of the BEP facility suffer loss or damage as a result of a breach of those Acts by the BEP facility.

Users inquiring about their rights and remedies for breaches of privacy can access detailed information at the Australian Privacy Commissioner’s website, at

Collection of personal information

Under the Privacy Act, IPPs 1-3 regulate collection of personal information.

The main way in which the BEP facility collects information from users is through forms provided on web pages.

The user’s information is not collected by the BEP facility without the user’s consent, that is, the user must click on a button provided on each web page to submit their information to the BEP facility.

At or before the time the BEP facility collects personal information, the BEP facility will take reasonable steps to inform the user of the BEP website as follows:

(a) whether they are on the BEP facility; and

(b) when they leave the BEP facility by following a link from the BEP site to another site.

At or before the time the BEP facility collects personal information, the BEP facility will give notice to the user of the BEP website as follows:

(a) the purposes for which the information is collected;

(b) to whom, or the types of individuals or organisations to which, the BEP facility might usually disclose information of this kind; and

(c) any law that requires the particular information to be collected, and the main consequences for the user if all or part of the information is not provided.

The BEP website provides an optional cookie tool, Target Inquiry, to filter information for a user during a browser session. A cookie is a piece of information sent by a web server to the user’s web browser that the browser software saves and sends back to the server whenever the browser makes additional requests from the server. Target Inquiry information collected includes the industry sector and the states or territories the user has selected. A decision by a user not to use Target Inquiry will not limit the user’s access to any information, but will limit their ability to refine large lists of search results to suit the user’s specific requirements. The BEP facility will not retain information from the Target Inquiry cookie.

Users seeking more information about cookies in general are referred to

Data security

Under the Privacy Act, IPP 4 regulates storage and security of personal information.

The BEP initiative has a Security Policy which complies with IPP 4.

The BEP facility stores data as follows:

  1. Completed transaction details are removed from the database upon transmission to the receiving agency, and are stored in encrypted form for 10 days.
  2. Incomplete transactions are stored for a maximum of 24 hours in a highly secure environment.
  3. The non-personal transaction log will be retained in archival storage for up to seven years.
  4. The encrypted record will be retained in archival storage for up to seven years.
  5. Voluntary site feedback will be retained in archival storage for up to seven years.
  6. The Target Inquiry cookie is deleted once the user exits the browser.

Access to and alteration of records containing personal information

Under the Privacy Act, IPPs 6 and 7 provide for individuals’ access to and alteration of records containing their personal information.

The Commonwealth Freedom of Information Act 1982 provides the mechanism and process by which users of the BEP facility are allowed to have access to records containing their personal information, and to have their records changed or annotated if necessary.

A key objective of the BEP initiative is to provide routine transactions enabling users to access and alter their data without having to exercise their legal rights under the freedom of information legislation.

Data quality

Under the Privacy Act, IPPs 7 and 8 regulate data quality.

Users should note that when they provide data to the BEP facility the BEP initiative relies on the accuracy of that data.

Use and disclosure of information

Under the Privacy Act, IPPs 9 and 10 regulate the use of personal information.

Under the Privacy Act, IPP 11 regulates the disclosure of personal information.

Generally the BEP facility does not itself use information, other than feedback to improve the BEP service. Instead the BEP facility passes information to other government agencies linked to the BEP facility. The information is passed by the BEP facility in accordance with the IPP, and normally with the user’s consent (that is, the user must click on the button provided on the BEP web page), so that the transaction for which the user is on the BEP website can proceed.

The BEP facility will only disclose personal information in accordance with the IPP or as otherwise required or authorised by or under law.

Kerry Croydon, Department of Employment, Workplace Relations and Small Business.

AustLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback