The Australian Privacy Act was enacted in 1988. Since then it has been amended many times, and those amendments have strengthened the nation's approach to data privacy and security. In March 2014, the Australian Privacy Principles (APPs) replaced the earlier sets of principles in the Privacy Act to give organisations a clearer outline of what's expected of them when they collect, hold, use and disclose personal information. While most small businesses (broadly, those with an annual turnover of $3 million or less) are exempt from the Privacy Act and the APPs, larger organisations, as well as Australian Government agencies, have to comply. The Act refers to these organisations and agencies collectively as APP entities. Here's a quick rundown of what each Australian Privacy Principle involves:
Part 1: Consideration of personal information privacy
APP 1: Open and transparent management of personal information
An APP entity should manage personal information in an open and transparent way. In practice that means taking reasonable steps to implement practices, procedures and systems that ensure compliance with the APPs, and maintaining a clearly expressed, up-to-date privacy policy that explains what information the entity collects, why, how it's held, and how individuals can access or correct it or make a complaint.
APP 2: Anonymity and pseudonymity
Individuals dealing with an APP entity should have the option of not identifying themselves, or of using a pseudonym, in relation to a particular matter. There are two exceptions: where the entity is required or authorised by law (or a court or tribunal order) to deal only with individuals who have identified themselves, and where it's impracticable for the entity to deal with someone who hasn't identified themselves.
Part 2: Collection of personal information
APP 3: Collection of solicited personal information
An APP entity should only collect personal information that is reasonably necessary for (or, for an agency, directly related to) one or more of its functions or activities, and it should collect it by lawful and fair means, from the individual directly unless that's unreasonable or impracticable. Sensitive information (for example, health information or biometric data) may only be collected with the individual's consent. There are exceptions to the consent requirement for sensitive information: when the collection is required or authorised by law or a court order; during a permitted health situation; and in a permitted general situation.
APP 4: Dealing with unsolicited personal information
If an APP entity receives personal information it didn't solicit, the entity should, within a reasonable period, determine whether it could have collected the same information under APP 3. If it concludes that it could have, the entity may hold, use or disclose that information in accordance with APPs 5 - 13.
If it concludes that it couldn't have collected that information under APP 3, and the information isn't contained in a Commonwealth record, then the entity should destroy or de-identify the information as soon as practicable, provided it's lawful and reasonable to do so. De-identifying data means removing or altering the elements that could identify an individual, so that the individual is no longer reasonably identifiable.
APP 5: Notification of the collection of personal information
Whenever an APP entity collects personal information, it should take reasonable steps, at or before the time of collection (or as soon as practicable afterwards), to notify the individual of: the entity's identity and contact details; the fact and circumstances of collection if the information was collected from someone else or the individual may not be aware of it; whether the collection is required or authorised by law; the purposes of collection; the consequences for the individual if the information isn't collected; the entities (or kinds of entities) the information is usually disclosed to; and whether the entity is likely to disclose the information to overseas recipients and, if practicable, which countries.
The entity should also tell the person that its privacy policy explains how they can access and correct their information, how to complain about a breach of the APPs, and how the entity will deal with such a complaint.
Part 3: Dealing with personal information
APP 6: Use or disclosure of personal information
If an APP entity has collected personal information for a particular purpose (the primary purpose), it shouldn't use or disclose the information for another purpose (a secondary purpose). There are, however, several exceptions to this condition.
If the individual consents to their information being used or disclosed for a secondary purpose, then the entity can do so.
The entity can also use or disclose the information if the individual would reasonably expect it and the secondary purpose is related to the primary purpose (for sensitive information, it must be directly related); if the use or disclosure is required or authorised by law or a court order; or if a permitted general situation or permitted health situation applies.
Disclosing information to an enforcement body, where the entity reasonably believes that's necessary for the body's enforcement related activities, is also permitted. In that case, the entity must make a written note of the use or disclosure (this is a record kept by the entity, not a notice sent to the individual).
APP 7: Direct marketing
An organisation shouldn't use or disclose personal information for direct marketing unless an exception applies. Sensitive information may only be used for direct marketing with the individual's consent. For non-sensitive information, the organisation generally needs either the individual's consent or, where it's impracticable to obtain consent, a prominent statement that the individual can request not to receive direct marketing. In every such marketing communication, the organisation should also offer a simple means for the individual to opt out, and it should honour any opt-out request (and not charge for it). If a previously consenting individual opts out, the organisation should stop using their information for direct marketing.
There are two further exceptions for non-sensitive information:
If the organisation collected the non-sensitive information directly from the individual, the individual would reasonably expect it to be used for direct marketing, a simple opt-out is provided, and the individual hasn't opted out, then the organisation can use that information in its direct marketing without separate consent.
If the organisation is a contracted service provider for a Commonwealth contract and it's necessary to use or disclose the information to meet its obligations under that contract, then APP 7 doesn't apply to that use or disclosure.
APP 8: Cross-border disclosure of personal information
Before an APP entity discloses personal information to an overseas recipient, it should take reasonable steps to ensure the recipient doesn't breach the Australian Privacy Principles (other than APP 1) in relation to that information. For example, if you use a CRM vendor whose data centre is outside Australia, you have to take reasonable steps (typically contractual obligations and due diligence) to ensure the vendor handles the data in line with APPs 2 - 13. Be aware that under the Act the disclosing entity generally remains accountable for the overseas recipient's handling of the information: if the recipient does something that would breach the APPs, the Australian entity is taken to have breached them. The law does allow some exceptions.
- If the entity reasonably believes the recipient is subject to a law or binding scheme that protects the information in a way that is substantially similar to the APPs, and that individuals can take action to enforce those protections, then the entity doesn't have to take the steps described above.
- If the entity expressly tells the individual that the above protections won't apply if they consent to the disclosure, and the individual then consents, then the entity doesn't have to take those steps.
- If the disclosure is required or authorised by law or a court order, or there's a permitted general situation, the entity can disclose the personal information to the overseas recipient without taking those steps.
APP 9: Adoption, use, or disclosure of government related identifiers
An organisation shouldn't adopt a government related identifier (such as a Medicare number, tax file number or driver's licence number) as its own identifier for an individual. The only exceptions are where adopting the identifier is required or authorised by law or a court order, or is otherwise prescribed under the Privacy Act's regulations.
That said, this principle doesn't prohibit entities from collecting government IDs. If an entity collects government IDs from an individual, it can only use or disclose that information if:
- Doing so is reasonably necessary to verify the individual's identity for the purposes of the entity's activities or functions; or
- Doing so is reasonably necessary to fulfil the entity's obligations to an agency or a State or Territory authority; or
- There's a permitted general situation or permitted health situation to do so; or
- Disclosing or using that information is necessary for any enforcement activities that the entity conducts itself or on behalf of an enforcement body; or
- Using or disclosing that data is required by the Australian court systems or other regulations.
Part 4: Integrity of personal information
APP 10: Quality of personal information
An APP entity should take reasonable steps to ensure the personal information it collects is accurate, up to date and complete, and that the information it uses or discloses is, having regard to the purpose, also relevant. The standard is reasonable steps, not every conceivable measure, but what's reasonable scales with the sensitivity of the information and the consequences of getting it wrong.
APP 11: Security of personal information
An APP entity that holds personal information should take reasonable steps to protect it from misuse, interference and loss, and from unauthorised access, modification or disclosure. Again the standard is reasonable steps, judged against the sensitivity of the data, the harm a breach could cause and the practicability of the safeguards; in practice this covers access control, encryption, monitoring and secure disposal as well as governance.
If an entity holds personal information it no longer needs for any purpose for which it may use or disclose it under the APPs, it should take reasonable steps to destroy the information or ensure it's de-identified. The exceptions are where the information is contained in a Commonwealth record, or where the entity is required by law or a court or tribunal order to retain it.
Part 5: Access to, and correction of, personal information
APP 12: Access to personal information
If an individual requests access to the personal information an APP entity holds about them, the entity should give them access. If the entity is an agency, it should respond within 30 days and mustn't charge the individual for making the request or for giving access. If the entity is an organisation, it should respond within a reasonable period. It mustn't charge for making the request, but it can charge a fee for giving access, provided the fee isn't excessive.
The entity can refuse access to data in certain situations.
If the entity is an agency, it can refuse access if it is prevented from sharing data under the Freedom of Information Act or any other Commonwealth Act or Norfolk Island legislation.
If the entity is a business organisation, it can refuse access for any of the following reasons:
- Access to the data will pose a serious risk to an individual's, or the public's, health or safety.
- Providing access would infringe on the privacy rights of others.
- The information relates to existing or anticipated legal proceedings between the organisation and the individual, and wouldn't be accessible through the process of discovery in those proceedings.
- The request is frivolous or vexatious.
- The organisation has reason to suspect that unlawful activity or serious misconduct relating to its functions or activities has been, is being or may be engaged in, and giving access would be likely to prejudice any action it may take in relation to the matter.
- The entity is required by law or the Australian court systems to refuse access to data.
- Giving access would jeopardise any ongoing negotiations between the entity and the individual.
- Giving access would affect the entity's enforcement activities, whether conducted by itself or on behalf of an enforcement authority.
- Access to that data would disclose sensitive decision-making processes of the entity.
If the entity refuses access to data, it should provide the requester a written notice explaining its reason for refusal, including details of how the individual can complain or appeal the refusal.
If the entity refuses access on one of the grounds above, it should still take reasonable steps to give access in a way that meets the needs of both the entity and the individual, for example by providing the parts it can release, or by giving access through a mutually agreed intermediary.
APP 13: Correction of personal information
If an APP entity holds outdated or false personal information, the entity should do all in its power to correct the information as soon as it becomes aware of changes, or if the individual requests it to be corrected.
If the entity is an agency, it should respond to any data correction requests within 30 days. If the entity is a business organisation, it should respond to requests as soon as possible. APP entities shouldn't charge an individual for making the request or to correct the information.
If the entity has previously disclosed the information to another APP entity, and the individual asks it to, it should take reasonable steps to notify that other entity of the correction, unless doing so is impracticable or unlawful.
If the entity refuses to correct the information, it should provide the requester with a written notice explaining its reason for refusal, including details of how the individual can complain or appeal the refusal.
If the entity refuses to correct information, the individual can then request to attach a statement or note along with their information record stating that the information is no longer accurate. An APP entity should honour that request as long as it's practical to do so.
It’s never been more important to be aware of Australian privacy requirements. Even if you’re exempted from the Privacy Act, you can voluntarily comply with it. It’s a good way to reassure your customers that their data is in safe hands, especially if you intend to expand your operations.