Australian Privacy Principles: What Are They And What Do They Do?

australian privacy principlesAuthor: Ian Aldridge, Progressive Legal

australian privacy principles

The Australian Privacy Principles (APPs), established under the Privacy Act, 1988 (Cth) (Act), are a set of standards governing the collection and use of data and they apply to any organisation or Government agency covered by the Act.

These principles govern the rights and obligations in relation to collection, use and disclosure of personal information; integrity and correction of personal information; an organisation or agency’s governance and accountability; and the rights of individuals to access their personal information. 

On this page we’ll provide a summary of the Australian Privacy Principles and the rights and obligations they create.

How many Australian Privacy Principles are there?

The APPs encompass a total of 13 guidelines that regulate the handling of personal information by organisations and government agencies. These APPs are designed to ensure the protection and confidentiality of individuals’ personal data, covering aspects such as data collection, storage, use, and disclosure.

Understanding and adhering to these 13 Australia Privacy Principles is crucial for any entity operating in the country, as compliance not only fosters trust among consumers but also helps avoid potential legal repercussions related to privacy breaches.

Now, let’s explain each each of these 13 principles and what they mean for you.

Australian Privacy Principle 1 (APP 1) – Open and Transparent Management of Personal Information

APP 1 establishes the cornerstone for how Australian Privacy Principle entities (APP entities) handle personal information with transparency and openness. This principle necessitates the presence of a clear, up-to-date, and accessible APP privacy policy.

Under APP 1, APP entities are obliged to implement practical measures and procedures to ensure their compliance with the APPs. Additionally, these measures should enable the entity to effectively address inquiries or complaints from individuals regarding their compliance with the APPs.

APP 1 also lays down the essential components that must be included in an APP-compliant privacy policy:

Types of Collected Personal Information

The policy should specify the various categories of personal information that the entity collects.

Collection and Storage Practices

It should detail how the entity gathers and safeguards this information.

Purpose of Data Collection, Use, and Disclosure

Clearly articulate the reasons for collecting, using, and disclosing personal information.

Access and Correction Mechanisms

Describe how individuals can access and rectify their personal data.

Complaint Submission Process

Explain how individuals can raise complaints or concerns regarding their personal information.

Overseas Data Disclosure

Inform individuals whether the entity intends to disclose personal information to overseas recipients and specify the countries where these recipients are located.

Compliance with APP 1 is not only a legal requirement but also a means to foster trust and accountability in managing personal information for APP entities, ultimately benefiting both organisations and individuals.

Australian Privacy Principle 2 (APP 2) – Anonymity and Pseudonymity

APP 2 underscores the importance of providing individuals with the choice of remaining anonymous or using a pseudonym when interacting with APP entities. However, there are specific circumstances where exceptions to this principle come into play.

Under APP 2, individuals should have the option to refrain from identifying themselves or to use an alias (pseudonym) during their dealings with APP entities. Nevertheless, exceptions exist, such as when an entity is legally obligated or authorised by Australian law or a court order to interact only with individuals who have disclosed their identity.

For instance, law firms fall under this exception due to the Legal Profession Act, 2004 (NSW), which mandates the collection of full names and addresses of clients.

Additionally, APP 2 doesn’t apply when it is impractical for an entity to engage with individuals who have chosen not to reveal their identity. In such cases, practicality takes precedence over anonymity.

By adhering to the guidelines of APP 2, APP entities strike a balance between respecting individuals’ privacy choices and fulfilling their legal obligations or practical constraints, ultimately ensuring a compliant and flexible approach to data management.

Australian Privacy Principle 3 (APP 3) – Collection of Solicited Personal Information

APP 3 outlines strict guidelines for the collection of personal information by APP entities. This principle underscores that an APP entity should not gather personal information unless it can demonstrate a reasonable necessity for the information in relation to its activities.

Moreover, a heightened level of protection is warranted when dealing with ‘sensitive information,’ which encompasses data such as payment details or medical records.

As per section 6(1) of the Act, sensitive information is precisely defined to include an individual’s racial or ethnic origin, political opinions, membership in a political association, religious beliefs, affiliation with professional or trade associations, sexual preferences, or criminal record.

For the collection of sensitive information, an entity must strictly adhere to two essential conditions:

1. Consent

The individual to whom the sensitive information pertains must provide explicit consent for its collection.

2. Reasonable Necessity

The collection of sensitive information should be reasonably necessary for the entity’s activities.

APP 3 serves as a robust safeguard, ensuring that personal information is collected only when it is genuinely required, and imposing even stricter criteria for sensitive data, reinforcing the protection of individuals’ privacy and sensitive information.

Australian Privacy Principle 4 (APP 4) – Dealing with Unsolicited Personal Information

If an entity receives unsolicited personal data, in order to comply with APP 4it must determine whether or not it could have collected the data itself under the APPs. If not, the entity must destroy or de-identify the data. 

Australian Privacy Principle 5 (APP 5) – Notification of the Collection of Personal Information

In compliance with APP 5, organisations are required to diligently inform individuals about specific details at the point of personal data collection or, when feasible, promptly thereafter. These critical details encompass:

Contact Information

Entities must provide their contact details to ensure accessibility and transparency.

Purpose of Data Collection

A clear explanation of why the entity is collecting the data is essential, fostering trust and understanding.

Consequences of Non-Collection

Individuals should be informed about the potential implications if they choose not to provide certain personal information to the entity.

Third-Party Disclosure

Disclosure of any third parties to whom the personal information might be shared is a crucial aspect of transparency.

Overseas Data Disclosure

Individuals have the right to know whether their personal information will be disclosed to recipients overseas, enhancing data privacy awareness.

Australian Privacy Principle 6 (APP 6) – Use or Disclosure of Personal Information

APP 6 outlines the fundamental guidelines governing the utilisation and disclosure of personal data.

When an entity collects personal information for a specific purpose (the primary purpose), it is obligated, under APP 6, to refrain from using or disclosing that information for any other purpose (secondary purpose) without obtaining explicit consent from the data subject.

However, certain exceptions exist, including APP 6.2(b), which permits disclosure for secondary purposes if it aligns with Australian law or falls under a ‘permitted general situation,’ such as situations where obtaining consent is impractical.

Australian Privacy Principle 7 (APP 7) – Direct Marketing

APP 7 sets forth clear provisions governing the use and disclosure of personal information for direct marketing purposes by organisations. To engage in direct marketing, entities must adhere to specific conditions as follows:

Collection for Direct Marketing

The organisation must have collected the personal information from an individual with the explicit intention of using it for direct marketing purposes.

Reasonable Expectation

It should be reasonably expected by the individual that the organisation would employ their information for direct marketing.

Easy Opt-Out Mechanism

The entity must furnish a simple and accessible means for the individual to opt out of receiving direct marketing communications. This empowers individuals to control their preferences.

Absence of Opt-Out Request

The individual should not have previously requested the entity to refrain from sending them direct marketing communications.

APP 7 underscores the importance of respect for individuals’ choices and their right to opt out of direct marketing efforts, thus ensuring a transparent and accountable approach to marketing activities while safeguarding privacy.

Australian Privacy Principle 8 (APP 8) – Cross-Border Disclosure of Personal Information

APP 8 establishes crucial guidelines governing the transfer of personal data to third parties located outside of Australia. These guidelines are designed to protect the privacy and security of individuals’ information. However, certain exceptions apply, and strict measures must be taken by the entity.

Under APP 8, unless specific exceptions come into play, an entity must undertake reasonable measures to ensure that the overseas recipient of the personal data does not violate the APPs. This ensures that data privacy standards are upheld even when information crosses international borders.

Importantly, in some situations, the entity can be held responsible for any breach of the APPs committed by the overseas recipient. This reinforces the entity’s accountability and underscores the importance of diligent oversight when sharing personal information beyond Australia’s borders.

Australian Privacy Principle 9 (APP 9): Adoption, Use, or Disclosure of Government-Related Identifiers

APP 9 lays down specific constraints on how entities can interact with government-related identifiers, including but not limited to tax file numbers and Medicare numbers. This principle places strict limitations on their adoption, use, and disclosure.

According to APP 9, an entity is prohibited from adopting, using, or disclosing a government-related identifier belonging to an individual unless such adoption is mandated or authorised by Australian law or under the authority of a court order.

Australian Privacy Principle 10 (APP 10): Quality of Personal Information

APP 10 outlines critical requirements for maintaining the quality of personal information by entities. It emphasises the need for accuracy, currency, completeness, and relevance of personal data, aligning with the intended purpose of its use or disclosure.

To fulfill the stipulations of APP 10, entities must take reasonable measures, such as:

Internal Practices and Procedures

Implementation of internal processes to correct inaccurate or outdated information, ensuring data accuracy.

Updating Existing Records

Ensuring that any new personal information is promptly added to existing records, facilitating data completeness.

Accessible and Updateable Information

Providing individuals with easy and accessible means to access and update their personal data, promoting accuracy and relevance.

Reminders for Updates

Sending reminders to individuals, prompting them to review and update their personal information, further ensuring data currency.

Australian Privacy Principle 11 (APP 11): Security of Personal Information

APP 11 is a pivotal principle that obliges entities to prioritise the security of the personal information they possess. It sets forth stringent measures to safeguard personal data from various threats, including misuse, interference, loss, and unauthorised access, modification, or disclosure.

Entities must take reasonable steps to ensure the integrity and confidentiality of personal information under their care, aligning with best practices in data security. This commitment to data protection is not only essential for maintaining trust but also for adhering to legal and regulatory standards.

Furthermore, APP 11 underscores responsible data management by requiring entities to destroy or de-identify personal data when it is no longer needed for any purpose covered by the Australian Privacy Principles. This emphasises the importance of data minimisation and the responsible disposal of personal information once its retention is no longer justified.

Australian Privacy Principle 12 (APP 12): Access to Personal Information

APP 12 stipulates that entities must grant individuals access to their personal data. However, certain exceptions apply, and an organisation is not obliged to provide access in the following circumstances:

  1. If providing access would reasonably pose a serious threat to an individual’s health, public health, or safety.
  2. When access would unreasonably impact the privacy of other individuals.
  3. In the case of frivolous or vexatious access requests.
  4. When the information pertains to ongoing or anticipated legal proceedings between the entity and the individual and is not accessible through the legal process of discovery.
  5. If providing access would be unlawful.
  6. When denying access is mandated or authorised by Australian law or a court order.

APP 12 balances the right to access personal information with the need to protect individual safety, privacy, and legal obligations, ensuring a responsible approach to data access and disclosure.

Australian Privacy Principle 13 (APP 13): Personal Data Correction

APP 13 mandates entities to take measures in maintaining the accuracy, currency, completeness, relevance, and truthfulness of personal information.

If an entity declines a correction request, it must furnish the individual with a written explanation for the refusal and guidance on how to file a complaint regarding the refusal. Requests for personal data correction should be addressed within a reasonable timeframe.

APP 13 highlights the importance of maintaining data accuracy while ensuring individuals have recourse when correction requests are denied, promoting transparency and accountability in data management.

Key Takeaways

In navigating the intricate landscape of Australian Privacy Principles (APPs), it’s essential to understand these guiding principles for responsible data management.

These Australian Privacy Principles encompass crucial aspects such as transparency, data quality, security, and individual rights. By adhering to these principles, businesses can ensure data privacy, build trust, and remain compliant with legal requirements.

At Progressive Legal, we specialise in providing expert privacy advice and guidance. Our team of experienced privacy lawyers can help you interpret and implement the Australian Privacy Principles effectively, ensuring that your business’s data practices align with the highest standards of privacy protection.

Request our advice today to safeguard your data and privacy compliance.

Popular Privacy Links

Contact Us

  • By submitting this form, your information will be dealt with in accordance with our Privacy Policy. You agree to receive emails from us, however you can unsubscribe at any stage.
  • This field is for validation purposes and should be left unchanged.

Need Privacy Advice?

Please get in touch with us today via phone or the contact form on this page.

Contact Us

  • By submitting this form, your information will be dealt with in accordance with our Privacy Policy. You agree to receive emails from us, however you can unsubscribe at any stage.
  • This field is for validation purposes and should be left unchanged.