The 13 Australian Privacy Principles (APPs) are:
1. Open and transparent management of personal information
2. Anonymity and pseudonymity
Requires Australian Privacy Principles entities to give individuals the option of not identifying themselves, or of using a pseudonym. Limited exceptions apply.
3. Collection of solicited personal information
A higher standard of protection is required for the collection of ‘sensitive’ information, e.g. payment details and medical records.
4. Dealing with unsolicited personal information
If an entity receives unsolicited personal data, it must determine whether or not it could have collected the data itself under the APPs. If not, the entity must destroy or de-identify the data.
5. Notification of the collection of personal information
Entities must take reasonable steps to notify data subjects of certain matters at the time personal data is collected, or as soon as is practicable afterwards. Such matters include:
6. Use or disclosure of personal information
Subject to certain exceptions, if an entity holds personal data collected for a particular purpose, it must not use or disclose that information for another purpose without the data subject’s consent.
7. Direct marketing
An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met.
8. Cross-border disclosure of personal information
Subject to certain exceptions, before an entity discloses personal data to a third party located outside of Australia, the entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs. In certain circumstances, the entity can be deemed liable for any breach of the APPs committed by the overseas recipient.
9. Adoption, use or disclosure of government related identifiers
Entities are restricted in the way they can use and disclose government-related identifiers (such as tax file numbers and Medicare numbers).
10. Quality of personal information
An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure.
11. Security of personal information
Entities must take reasonable steps to protect the personal data they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. Entities must also destroy or de-identify personal data if they no longer need it for any purpose for which it could be used or disclosed under the Australian Privacy Principles.
12. Access to personal information
Entities must provide data subjects with access to their personal data.
13. Correction of personal information
Entities must take reasonable steps to correct personal data to ensure it is accurate, up-to-date, complete, relevant and not misleading.