From your regular fitness club to your favourite e-commerce page (or even your local law firm!) most organisations can be observed to be complying with the Federal legislation that governs the handling of personal information within Australia.
In complying with these frameworks, organisations are required to publish their privacy policies in a clearly expressed manner. This is usually the hyper-link located at the very bottom of an organisation’s landing page labelled “Privacy”.
But why do these organisations even bother with publishing this (frequently overlooked) material? Are they even required to do so? And what does it mean for us as individuals?
The Privacy Act 1988 (Cth) (the Act) was introduced at a federal level in 1988, giving effect to Australia’s agreement to implement international guidelines for the protection of privacy and personal data.
The key objectives of the Act include the protection of individuals’ privacy and to establish a regulatory framework that dictates the handling of personal information.
Thanks to the Act, individuals within Australia must be informed:
- why their personal information is being collected;
- how it will be used by the collecting organisation; and
- who it is going to be disclosed to.
So what is ‘personal information’?
‘Personal information’ is defined as “information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not” (s6(1)).
For example, personal information includes an individual’s name, date of birth, address, details of employment, medical history and so on. Personal information will also include information about the individual, for example their attitude and opinion.
Who must comply with the Act?
The Act requires the compliance of organisations that are classified as “APP Entities”.
An “APP Entity” includes an individual, a body corporate, a partnership, any other unincorporated association or a trust. An agency (for example, a federal government entity) may also be considered an APP Entity in certain circumstances.
An APP Entity does not include a small business operator (being the operator of a business with an annual turnover of $3million or less for a financial year, unless the below exception applies), a registered political party, or a State and Territory Authority.
According to section 6D of the Act a small business operator will be considered an APP Entity (meaning they will be required to comply with the Act) if the operator of that business:
- provides a health service and holds health information other than in an employee record;
- discloses personal information about an individual for a benefit, advantage or service; or
- is a contracted service provider for a Commonwealth contract.
The Australian Privacy Principles
The Act includes 13 mandatory Australian Privacy Principles (APPs) that are imposed on APP Entities.
The APPs set out the standards, rights and obligations that govern the way APP Entities collect, use, store and disclose personal information.
In summary, the APPs provide as follows:
APP1: Open and transparent management of personal information
Pursuant to APP1, APP Entities must take reasonable steps to ensure that the entity complies with the APPs and is able to deal with enquiries or complaints from individuals under the Act.
APP2: Anonymity and pseudonymity
APP2 requires APP Entities to provide individuals with the option of not identifying themselves when providing personal information, or using a pseudonym (subject to limited exceptions).
APP3: Collection of solicited personal information
An APP Entity is permitted to collect personal information from individuals by APP3 if it is reasonably necessary for or directly related to one or more of the APP Entities functions or activities. The collection of the information must be direct (i.e. the entity has requested the individual to provide the particular information).
The collection of sensitive information (including information about an individual’s race or ethnic origin, political opinion, sexual orientation and so on) is only permitted if the individual consents to its collection (subject to limited exceptions).
APP4: Dealing with unsolicited personal information
APP4 contemplates the scenario where an APP Entity receives personal information and the entity did not solicit that information (i.e. it did not try to obtain the personal information that has been collected).
In these circumstances, the APP Entity must determine whether or not it could have collected that information via the means of APP3 (i.e. would the individual have provided that information had it been asked to do so?).
If the entity determines that it would have obtained that information had the individual been asked, then it must comply with the remaining APPs.
If the APP Entity determines that it could not have obtained the information in accordance with APP3, then it must destroy the information or ensure the information is de-identified.
APP5: Notification of the collection of personal information
According to APP5, the APP Entity must ensure that when personal information is collected (or as soon as reasonably practicable after), the entity notifies the individual or otherwise ensures that the individual is made aware of certain information, including but not limited to:
- the identity and contact details of the APP Entity;
- whether the collection of the personal information is required or authorised under an Australia law or court order;
- the purpose for which the personal information is being collected; and
- the details of any other party that the APP Entity will disclose this information.
APP6: Use or disclosure of personal information
APP6 outlines the circumstances in which an APP Entity will be permitted to disclose the personal information that it has collected from individuals.
Here, information that was collected by an APP Entity for a particular reason (the primary purpose), must not be used or disclosed for another purpose (the secondary purpose), unless certain exceptions apply (for example, the individual has consented to the disclosure).
APP7: Direct marketing
Unless certain exceptions apply, APP Entities must not use or disclose personal information for direct marketing purposes under APP7.
‘Direct marketing’ is when an entity uses your personal information to communicate with you directly for sales or advertising purposes.
A few of the exceptions to this prohibition include circumstances where the individual would reasonably expect the organisation to use or disclose the information for that purpose, or the individual provides its consent to that use/disclosure.
APP8: Cross-border disclosure of personal information
If an APP Entity intends to disclose an individual’s personal information to an overseas recipient, then the entity must take reasonable steps to ensure the recipient complies with the APPs (except for APP1). There are a number of circumstances in which this APP will not apply that entities should be mindful of when contemplating the disclosure of information.
APP9: Adoption, use or disclosure of government related identifiers
The limited circumstances in which an organisation may adopt, use or disclose a government related identifier are set out in APP9.
APP10: Quality of personal information
APP10 requires APP Entities to ensure that the personal information it collects is accurate, up to date and complete.
APP11: Security of personal information
APP Entities are required to take reasonable steps to ensure that the personal information they collect is protected from misuse, interference, loss, accessed by unauthorised entities, modified and disclosed.
Further, if an APP Entity holds personal information and the information is no longer required by that entity, then they must ensure that information is destroyed or the individual is de-identified.
APP12: Access to personal information
APP12 sets out the criteria in which an APP Entity must provide an individual with access to their personal information, should they request it. In general, an APP Entity must provide an individual with access to their personal information unless certain exceptions apply.
APP13: Correction of personal information
An APP Entity must take reasonable steps to correct an individual’s personal information if:
- the entity is satisfied that the information is inaccurate, out of date, incomplete or misleading; or
- the individual asks the entity to correct the information.
The individual should be notified of any correction that is made to personal information held by an APP Entity, and if the entity refuses to make a requested correction then that entity must give the individual the reasons for its refusal.
The above applies to me – what next?