Australian Privacy Principles (APP) and the Privacy Act 1988
Australia’s Privacy Act 1988 has been updated many times in the 34 years since its passing, and centres around the application of the “Australian Privacy Principles” (APPs).
This article will explore how the Privacy Act applies and explain each of the APPs. We’ll also look at the reform of the Privacy Act, which could have a major impact on data protection in Australia.
Who is covered by the Australian Privacy Act?
Australia’s Privacy Act 1988 applies to:
- Australian Government agencies.
- Organizations with an annual turnover of more than AUD 3 million (around USD 1.86 million).
- Some other organizations, regardless of turnover, including private sector healthcare providers, credit reporting agencies and organizations that have opted into compliance with the law.
Overseas organizations may be covered by the Privacy Act if they have an “Australian link”, which can include organizations that “carry on business” in Australia.
Australian Privacy Principles
Below is a summary of the 13 APPs, focusing on the principles as they relate to private sector bodies, known as “organizations” under the law:
APP 1: Open and transparent management of personal information
Under APP 1, an organisation must:
- Ensure it complies with the APPs
- Ensure it can deal with any inquiries by the OAIC
- Under APP 1, an organisation must:
APP 2: Anonymity and pseudonymity
- Under APP 2, individuals must have the option to deal with an organisation anonymously or under a pseudonym unless doing so would be “impracticable” or prohibited by law. In practice, this might mean ensuring web forms provide an option of anonymity or informing individuals that they do not have to provide personal information.
APP 3: Collection of solicited personal information
- APP 3 applies when an organisation requests personal information, either directly or indirectly from the individual. Organisations must not collect personal information unless it is “reasonably necessary for one or more of the organisation’s functions or activities”. In the case of sensitive personal information, the individual must also have consented to the collection—with certain exceptions, including where the organisation is required to collect the sensitive personal information by law.
APP 4: Dealing with unsolicited personal information
- APP 4 applies where an organisation receives personal information it did not request. Upon receiving such information, the organisation must determine whether it “could have collected the information” under APP 3 (so, for example, whether the information is reasonably necessary for the organisation’s activities). If the organisation finds itself dealing with information it hasn’t requested and doesn’t need (or if it is dealing with sensitive personal information without having obtained consent), it must delete or deidentify the information as soon as practicable (if it is lawful to do so).
APP 5: Notification of the collection of personal information
- Under APP 5, an organisation must provide individuals with certain information (set out in APP 5) after collecting their personal information. This information must be provided either before, at the time of, or as soon as is practicable after the point at which the information is collected.
APP 6: Use or disclosure of personal information
Organisations may not use or disclose personal information for any purpose other than that for which it was originally collected, unless:
- The individual has consented, or
- The secondary purpose is related (or, in the case of sensitive personal information, directly related) to the original purpose
- Organisations may not use or disclose personal information for any purpose other than that for which it was originally collected, unless:
APP 7: Direct marketing
APP 7 provides the circumstances under which organisations may use personal information for direct marketing. The rules cover two scenarios.
Scenario one covers situations where the organisation collected the personal information directly from the individual.
In this case, organisations may use or disclose personal information they hold for direct marketing purposes only if all of the following apply:
- The individual would reasonably expect the information to be used for direct marketing
- The organisation provides a simple opt-out
- The individual has not opted out
- The organisation collected the personal information from a third party, or
- The individual would not reasonably expect their information to use for direct marketing
- APP 7 provides the circumstances under which organisations may use personal information for direct marketing. The rules cover two scenarios. Scenario one covers situations where the organisation collected the personal information directly from the individual. In this case, organisations may use or disclose personal information they hold for direct marketing purposes only if all of the following apply:
APP 8: Cross-border disclosure of personal information
APP 8 sets out some rules regarding the transfer of personal data to third parties based outside of Australia (“cross-border disclosure”).
The main rule is that an organisation must only engage in a cross-border disclosure if the organisation “reasonably believes” that:
- The recipient is subject to a law or a “binding scheme” that provides a similar level of protection to the individual as is provided under the APPs
- The individual can take action to enforce the law or scheme
- APP 8 sets out some rules regarding the transfer of personal data to third parties based outside of Australia (“cross-border disclosure”). The main rule is that an organisation must only engage in a cross-border disclosure if the organisation “reasonably believes” that:
APP 9: Adoption, use or disclosure of government-related identifiers
- APP 9 states that organisations should not use government-related identifiers (e.g. Medicare numbers, driver’s licence numbers, passport numbers) as the means to identify individuals unless required by law or permitted to do so by regulation. Organisations must also not disclose government-related identifiers, subject to several exceptions, including where the disclosure would be reasonably necessary to verify the individual’s identity.
APP 10: Quality of personal information
- APP 10 requires organisations to take reasonable steps to ensure the personal information it collects or discloses is “accurate, up-to-date and complete”.
APP 11: Security of personal information
APP 11 states that organisations must take reasonable steps to protect personal information from:
- Misuse, interference and loss, and
- Unauthorised access, modification or disclosure
- APP 11 states that organisations must take reasonable steps to protect personal information from:
APP 12: Access to personal information
- APP 12 sets out the Privacy Act’s “right of access”. Organisations must provide an individual with access to their personal information on request, with certain exceptions—including where the organisation is legally prohibited from doing so or where doing so would prejudice the privacy of another person. Organisations must respond to access requests “within a reasonable period” and “in the manner requested by the individual, if it is reasonable and practicable to do so”. Organisations may charge a fee for carrying out the request as long as the fee is not “excessive”. On refusing to carry out a request, the organisation must explain their reasons for refusal and set out the mechanisms available to make a complaint.
APP 13: Correction of personal information
- APP 13 sets out the Privacy Act’s “right to correction”, and also requires organisations to correct inaccurate or misleading personal information that they hold proactively. When an individual makes a request that the organisation correct their personal information, the same conditions apply as when providing access to personal information under APP 12. The individual may also request that the organisation notifies any third parties with which the information has been shared.
Privacy Act Reforms
A review of the Privacy Act has been underway since December 2019. The outcome is likely to result in significant reforms to Australia’s data protection framework.
The review is considering changes to the scope of the act (which is currently unusually narrow for an advanced economy), which could mean that many more businesses are required to comply with the law.
The reforms also propose to strengthen the rules on data security, require organizations to conduct risk assessments in some circumstances, and enable individuals to opt out of targeted advertising or the sale of their personal information.