
Introduction to privacy regulations in Australia

Keywords

  • APA - The Australian Privacy Act 1988
  • AIC - Australian Information Commissioner; the Office of the Australian Information Commissioner (OAIC) supports the Commissioner and publishes the APP guidelines referred to on this page
  • APP - Australian Privacy Principles
  • APP entity –
    • is defined to be an agency (broadly, an Australian Government agency) or an organization
    • An ‘organization’ is defined to be
      • an individual (including a sole trader)
      • a body corporate
      • a partnership
      • any other unincorporated association, or
      • a trust
    • unless it is a small business operator, a registered political party, an agency, or a State or Territory authority, which are excluded from the definition
  • Collects - An APP entity collects personal information ‘only if the entity collects the personal information for inclusion in a record or generally available publication’
  • Disclosure - An APP entity discloses personal information when it makes it accessible or visible to others outside the entity and releases the subsequent handling of the personal information from its effective control
  • Other key concepts (for example ‘personal information’, ‘sensitive information’, ‘holds’, ‘use’ and ‘reasonable steps’) are defined in Chapter B: Key concepts of the OAIC APP guidelines

Background

  • The Australian Privacy Act 1988 (APA) is a federal (Commonwealth) law that regulates the collection, use, and disclosure of personal information by Australian Government agencies and private sector organizations. Not every organization is covered: the small business exemption excludes most organizations with an annual turnover of AUD 3 million or less, although some smaller businesses (for example private health service providers and businesses that trade in personal information) are covered regardless of turnover. An organization with an Australian link is bound even if it has no physical presence in Australia.
  • The APA was enacted in response to concerns about the increasing collection and use of personal information by organizations in Australia. It is designed to protect individuals' privacy by setting standards for the handling of personal information and giving individuals control over their own information.
  • The APA has 13 principles, and they govern standards, rights and obligations around:
    • the collection, use and disclosure of personal information.
    • an organization or agency’s governance and accountability.
    • integrity and correction of personal information.
    • the rights of individuals to access their personal information.
  • The APA also gives individuals the right to access personal information held about them, to request that it be corrected, and to complain about breaches of the APA. It does not give individuals a general right to have their information deleted; instead, APP 11 obliges an entity to destroy or de-identify personal information it no longer needs.
  • The APA is enforced by the Australian Information Commissioner (AIC), supported by the OAIC. The AIC can investigate complaints and conduct own-motion investigations, make determinations, accept enforceable undertakings and seek civil penalties in court for serious or repeated interferences with privacy.
  • Amendments since 1988 have added significant requirements. The Privacy Amendment (Enhancing Privacy Protection) Act 2012 replaced the earlier principles with the 13 APPs from 12 March 2014, including the requirement (APP 3) to obtain consent before collecting sensitive information. The Notifiable Data Breaches (NDB) scheme, in force since 22 February 2018, requires an APP entity to notify affected individuals and the AIC when it has reasonable grounds to believe an eligible data breach has occurred: unauthorized access to, unauthorized disclosure of, or loss of personal information that is likely to result in serious harm to any of the individuals concerned. Where a breach is only suspected, the entity must take reasonable steps to complete its assessment within 30 days.

Principles

The 13 Australian Privacy Principles are set out in Schedule 1 of the Act; the OAIC publishes a detailed guideline chapter on each one (see Reference below).

  1. Open and transparent management of personal information

    • Ensures that APP entities manage personal information in an open and transparent way. This includes having a clearly expressed and up to date APP privacy policy.
  2. Anonymity and pseudonymity

    • Requires APP entities to give individuals the option of not identifying themselves, or of using a pseudonym. Limited exceptions apply.
  3. Collection of solicited personal information

    • Outlines when an APP entity can collect personal information that is solicited. It applies higher standards to the collection of sensitive information.
  4. Dealing with unsolicited personal information

    • Outlines how an APP entity must deal with personal information it receives without soliciting it, including destroying or de-identifying the information where it could not have been collected under APP 3.
  5. Notification of the collection of personal information

    • Outlines when and in what circumstances an APP entity that collects personal information must tell an individual about certain matters.
  6. Use or disclosure of personal information

    • Outlines the circumstances in which an APP entity may use or disclose personal information that it holds.
  7. Direct marketing

    • An organization may only use or disclose personal information for direct marketing purposes if certain conditions are met.
  8. Cross-border disclosure of personal information

    • Outlines the steps an APP entity must take to protect personal information before it is disclosed overseas.
  9. Adoption, use or disclosure of government related identifiers

    • Outlines the limited circumstances when an organization may adopt a government related identifier of an individual as its own identifier, or use or disclose a government related identifier of an individual.
  10. Quality of personal information

    • An APP entity must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure.
  11. Security of personal information

    • An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorized access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances.
  12. Access to personal information

    • Outlines an APP entity’s obligations when an individual requests access to personal information held about them by the entity. This includes a requirement to provide access unless a specific exception applies.
  13. Correction of personal information

    • Outlines an APP entity’s obligations in relation to correcting the personal information it holds about individuals.

Exceptions to the Australian Privacy Principles

  • The information handling requirements imposed by some APPs do not apply if a ‘permitted general situation’ or ‘permitted health situation’ exists. It is nevertheless open to an APP entity to comply with the APP requirements even though an exception applies.

  • Permitted general situations (Chapter C: Permitted general situations | OAIC)

    • Lessening or preventing a serious threat to life, health or safety, which applies only where
      • it is unreasonable or impracticable to obtain the individual’s consent, and
      • the entity reasonably believes the collection, use or disclosure is necessary to lessen or prevent the threat
    • Taking appropriate action in relation to suspected unlawful activity or serious misconduct
    • Locating a person reported as missing
    • Reasonably necessary for establishing, exercising or defending a legal or equitable claim
    • Reasonably necessary for a confidential alternative dispute resolution process
    • Necessary for a diplomatic or consular function or activity
    • Necessary for certain Defence Force activities outside Australia
  • Permitted health situations (Chapter D: Permitted health situations | OAIC)

    • Collection — providing a health service
    • Collection — conducting research; compiling or analyzing statistics; management, funding or monitoring of a health service
    • Use or disclosure — conducting research; compiling or analyzing statistics
    • Use or disclosure — necessary to prevent a serious threat to the life, health or safety of a genetic relative
    • Disclosure — responsible person for an individual

Comparison to the GDPR

  • The GDPR has a number of requirements that the Australian Privacy Act does not, such as the requirement that consent be freely given, specific, informed and unambiguous (and explicit for special categories of data), the right to erasure, and the right to data portability.
  • The GDPR applies to organizations that process the personal data of individuals in the EU when offering them goods or services or monitoring their behaviour, regardless of where the organization is located. This means that Australian businesses that target or serve individuals in the EU must comply with the GDPR.
  • The GDPR carries penalties of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher. The Australian Privacy Act historically had much lower penalties, but since the December 2022 amendments the maximum penalty for a serious or repeated interference with privacy is the greater of AUD 50 million, three times the benefit obtained, or 30% of adjusted turnover for the relevant period.
  • Australian businesses that operate both in Australia and in the EU should comply with both the GDPR and the Australian Privacy Act.

Reference

Australian Privacy Principles guidelines | OAIC

Additional acts