Under APP 2, individuals must have the option to deal with an organisation anonymously or under a pseudonym unless doing so would be “impracticable” or prohibited by law.
In practice, this might mean ensuring web forms provide an option of anonymity or informing individuals that they do not have to provide personal information.
APP 3 applies when an organisation requests personal information, either directly or indirectly from the individual.
Organisations must not collect personal information unless it is “reasonably necessary for one or more of the organisation’s functions or activities”.
In the case of sensitive personal information, the individual must also have consented to the collection—with certain exceptions, including where the organisation is required to collect the sensitive personal information by law.
APP 4 applies where an organisation receives personal information it did not request.
Upon receiving such information, the organisation must determine whether it “could have collected the information” under APP 3 (so, for example, whether the information is reasonably necessary for the organisation’s activities).
If the organisation finds itself dealing with information it hasn’t requested and doesn’t need (or if it is dealing with sensitive personal information without having obtained consent), it must delete or de-identify the information as soon as practicable (if it is lawful to do so).
Under APP 5, an organisation must provide individuals with certain information (set out in APP 5) after collecting their personal information.
This information must be provided either before, at the time of, or as soon as is practicable after the point at which the information is collected.
APP 7 provides the circumstances under which organisations may use personal information for direct marketing. The rules cover two scenarios.
Scenario one covers situations where the organisation collected the personal information directly from the individual.
In this case, organisations may use or disclose personal information they hold for direct marketing purposes only if all of the following apply:
The individual would reasonably expect the information to be used for direct marketing
The organisation provides a simple opt-out
The individual has not opted out
Scenario two covers situations where organisations hold personal information and either:
The organisation collected the personal information from a third party, or
The individual would not reasonably expect their information to be used for direct marketing
In this second scenario, the organisation must normally obtain the individual’s consent before using their personal information for direct marketing unless it would be impracticable to do so.
Under scenario two, organisations must also draw the individual’s attention to the fact that they can opt out.
Organisations cannot use or disclose sensitive personal information for direct marketing unless the individual has consented.
Australia’s main direct marketing legislation is the Spam Act 2003, which overrides the APPs if there is a contradiction between the two.
APP 8 sets out some rules regarding the transfer of personal data to third parties based outside of Australia (“cross-border disclosure”).
The main rule is that an organisation must only engage in a cross-border disclosure if the organisation “reasonably believes” that:
The recipient is subject to a law or a “binding scheme” that provides a similar level of protection to the individual as is provided under the APPs
The individual can take action to enforce the law or scheme
If the above does not apply, there are some other legal means to make a cross-border disclosure, including where the individual provides informed consent or where the disclosure is required by law.
APP 9 states that organisations should not use government-related identifiers (e.g. Medicare numbers, driver’s licence numbers, passport numbers) as the means to identify individuals unless required by law or permitted to do so by regulation.
Organisations must also not disclose government-related identifiers, subject to several exceptions, including where the disclosure would be reasonably necessary to verify the individual’s identity.
APP 11 states that organisations must take reasonable steps to protect personal information from:
Misuse, interference and loss, and
Unauthorised access, modification or disclosure
Organisations must also take reasonable steps to delete or de-identify any personal information they hold about an individual if they no longer need the information for a specified purpose, with certain exceptions, including where required to retain the information by law.
APP 12 sets out the Privacy Act’s “right of access”.
Organisations must provide an individual with access to their personal information on request, with certain exceptions—including where the organisation is legally prohibited from doing so or where doing so would prejudice the privacy of another person.
Organisations must respond to access requests “within a reasonable period” and “in the manner requested by the individual, if it is reasonable and practicable to do so”.
Organisations may charge a fee for carrying out the request as long as the fee is not “excessive”.
On refusing to carry out a request, the organisation must explain its reasons for refusal and set out the mechanisms available to make a complaint.
APP 13 sets out the Privacy Act’s “right to correction”, and also requires organisations to proactively correct inaccurate or misleading personal information that they hold.
When an individual makes a request that the organisation correct their personal information, the same conditions apply as when providing access to personal information under APP 12.
The individual may also request that the organisation notify any third parties with which the information has been shared.
Privacy Act Reforms
A review of the Privacy Act has been underway since December 2019. The outcome is likely to result in significant reforms to Australia’s data protection framework.
The review is considering changes to the scope of the act (which is currently unusually narrow for an advanced economy), which could mean that many more businesses are required to comply with the law.
The reforms also propose to strengthen the rules on data security, require organisations to conduct risk assessments in some circumstances, and enable individuals to opt out of targeted advertising or the sale of their personal information.