The Australian Privacy Principles (APPs), established under the Privacy Act 1988 (Cth) (Act), are a set of standards governing the collection, use and handling of personal information. They apply to any organisation or Government agency covered by the Act (an "APP entity") and govern rights and obligations in relation to the collection, use and disclosure of personal information, the integrity and correction of personal information, an organisation or agency's governance and accountability, and the rights of individuals to access their personal information.
This article provides a summary of the Australian Privacy Principles and the rights and obligations they create.
Under APP 1, APP entities must take reasonable steps to implement practices, procedures and systems that ensure the entity complies with the APPs and that allow the entity to deal with inquiries or complaints from individuals about the entity's compliance with the APPs.
APP 2 requires APP entities to give individuals the option of not identifying themselves, or of using a pseudonym, when dealing with the entity. Limited exceptions apply; for example, APP 2 does not apply if the entity is required or authorised by or under an Australian law, or a court or tribunal order, to deal with individuals who have identified themselves. This exception applies to law firms, as it is a requirement that law firms collect the full name and address of clients under the Legal Profession Act 2004 (NSW).
APP 2 also does not apply if it is impracticable for the entity to deal with individuals who have not identified themselves or who have used a pseudonym.
A higher standard of protection is required for the collection of 'sensitive information', such as health information or an individual's criminal record. Payment details are personal information, but they are not 'sensitive information' as the Act defines it.
Under section 6(1) of the Act, 'sensitive information' means information or an opinion about an individual's racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, or criminal record, as well as health information, genetic information and biometric information or biometric templates.
Under APP 3, an entity must not collect sensitive information about an individual unless the individual consents to the collection and the information is reasonably necessary for (or, for an agency, directly related to) one or more of the entity's functions or activities, or unless one of the exceptions in APP 3.4 applies.
If an entity receives unsolicited personal information, APP 4 requires it to determine, within a reasonable period, whether or not it could have collected the information itself under APP 3. If not, the entity must destroy or de-identify the information as soon as practicable, provided the information is not contained in a Commonwealth record and it is lawful and reasonable to do so.
In accordance with APP 5, entities must take reasonable steps to notify individuals of certain matters at or before the time personal information is collected, or, if that is not practicable, as soon as practicable afterwards. Such matters include:
1. the entity's identity and contact details;
2. the purposes for which the entity collected the information;
3. the main consequences for the individual if all or some of the personal information is not collected by the entity;
4. any third parties (or kinds of third parties) to which the entity usually discloses personal information of that kind; and
5. whether the entity is likely to disclose personal information to overseas recipients and, if practicable, the countries in which those recipients are located.
Under APP 6, if an entity holds personal information collected for a particular purpose (the primary purpose), it must not use or disclose that information for another purpose (a secondary purpose) without the individual's consent, unless an exception applies. Exceptions include APP 6.2(b), where the use or disclosure for the secondary purpose is required or authorised by or under an Australian law or a court or tribunal order, and APP 6.2(c), where a 'permitted general situation' exists, for example where it is unreasonable or impracticable to obtain the individual's consent and the entity reasonably believes the use or disclosure is necessary to lessen or prevent a serious threat to life, health or safety.
APP 7 states that an organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met. Under APP 7.2, these conditions are as follows:
1. the organisation collected the personal information from the individual concerned;
2. the individual would reasonably expect the organisation to use or disclose the information for direct marketing;
3. the organisation has provided a simple means by which the individual can easily request not to receive direct marketing communications from the organisation; and
4. the individual has not made such a request to the organisation.
Where the information was collected from a third party, or the individual would not reasonably expect it to be used for direct marketing, APP 7.3 additionally requires the individual's consent (unless it is impracticable to obtain) and a prominent statement in each communication that the individual may opt out.
Under APP 8, subject to certain exceptions, before an entity discloses personal information to a recipient located outside Australia, the entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs (other than APP 1) in relation to that information.
Under section 16C of the Act, if the overseas recipient does an act, or engages in a practice, that would breach the APPs had the recipient been bound by them, that act or practice is in certain circumstances taken to have been done by the disclosing entity, which is then liable for the breach.
Under APP 9, organisations (the principle does not apply to agencies) are restricted in the way they can adopt, use and disclose government related identifiers, such as tax file numbers, Medicare numbers and driver licence numbers.
An organisation must not adopt a government related identifier of an individual as its own identifier of that individual unless the adoption is required or authorised by or under an Australian law or a court or tribunal order. It must also not use or disclose such an identifier except in the circumstances APP 9.2 permits, for example where the use or disclosure is reasonably necessary to verify the individual's identity for the purposes of the organisation's activities or functions.
In accordance with APP 10, an entity must take reasonable steps to ensure that the personal information it collects is accurate, up to date and complete, and that the personal information it uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up to date, complete and relevant.
The following are examples of reasonable steps:
APP 11 states that entities must take reasonable steps to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure.
Entities must also take reasonable steps to destroy or de-identify personal information once they no longer need it for any purpose for which it may be used or disclosed under the Australian Privacy Principles, unless the information is contained in a Commonwealth record or the entity is required by an Australian law or a court or tribunal order to retain it.
Under APP 12, entities must, on request, give an individual access to the personal information they hold about that individual.
However, an entity that is an organisation is not required to provide an individual with access to their personal information in circumstances where:
An entity must respond to a request for access within a reasonable period after the request is made; for agencies, APP 12.4 fixes this period at 30 days.
APP 13 states that entities must take reasonable steps to correct personal information, either on the individual's request or where the entity is itself satisfied that the information is inaccurate, out of date, incomplete, irrelevant or misleading, so as to ensure that, having regard to the purpose for which it is held, the information is accurate, up to date, complete, relevant and not misleading.
If an entity refuses a request to correct personal information, it must provide the individual with a written notice that sets out the reasons for the refusal (except where it would be unreasonable to do so) and the mechanisms available to complain about the refusal.
An entity must respond to a request for correction within a reasonable period after the request is made; for agencies, APP 13.5 fixes this period at 30 days. An entity must not charge the individual for making the request or for correcting the information.