Australian Privacy Principles

• Take reasonable steps to implement practices, procedures and systems that ensure it complies with the APPs and any registered APP code that binds it, and can deal with enquiries or complaints from individuals about its compliance.
• Have, and make available, an APP privacy policy covering how it manages personal information. The policy must contain certain information, including:
  • The kinds of personal information the entity collects and holds;
  • How the personal information is collected and held;
  • The purposes for which the personal information is collected, held, used and disclosed;
  • How individuals can access their personal information and seek its correction;
  • How individuals can complain about breaches of the APPs or registered codes, and how the APP entity will deal with complaints; and
  • Whether the APP entity is likely to disclose information to overseas recipients and, if it is, the countries in which those recipients are likely to be located.

Individuals must have the option of not identifying themselves or of using a pseudonym when dealing with an APP entity, unless the APP entity is required or authorised by Australian law or a court/tribunal order to deal with individuals who have identified themselves, or it is impracticable for the APP entity to deal with individuals who have not identified themselves or have used a pseudonym.

Personal information that is not sensitive information

• Agencies must not collect personal information unless it is reasonably necessary for, or directly related to, one or more of their functions or activities.
• Organisations must not collect personal information unless it is reasonably necessary for one or more of their functions or activities.

Sensitive information

In addition to the conditions that apply to non-sensitive information, sensitive information cannot be collected unless the individual also consents, or:

• Its collection is authorised by or under an Australian law or a court/tribunal order.
• A permitted general situation (as defined in section 16A of the Act) exists in relation to its collection by the APP entity.
• The APP entity is an organisation and a permitted health situation (as defined in section 16B of the Act) exists in relation to its collection by the APP entity.
• The APP entity is the Immigration Department and reasonably believes that it is reasonably necessary for, or directly related to, one or more enforcement-related activities it conducts or is conducted on its behalf.
• The APP entity is an enforcement body other than the Immigration Department and reasonably believes that it is reasonably necessary for, or directly related to, one or more of its functions or activities.
• The APP entity is a non-profit organisation and the information relates to its activities and its members or individuals who have regular contact with it in connection with its activities.

Means of collection

An APP entity must collect personal information only by lawful and fair means.

An APP entity must collect personal information about an individual only from the individual unless it is unreasonable or impracticable to do so or the entity is an agency, in which case it can collect personal information from someone else:

• If the individual consents to the collection of their information from someone else; or
• The entity is required or authorised by or under Australian law, or a court/tribunal order to collect the information from someone else.

If an APP entity receives unsolicited personal information, it must determine whether it could have collected it under the terms of APP 3 if it had solicited it. (It may use or disclose the personal information for the purposes of making that determination.)

• If it determines that it could not and the information is not contained in a Commonwealth record, it must destroy the information as soon as practicable, but only if it is lawful and reasonable to do so.
• If it determines that it could then APPs 5–13 apply.

• Its identity and contact details.
• The fact that it has collected their personal information and, if necessary, the circumstances of the collection.
• Any law or court/tribunal order that requires or authorises the collection.
• The purposes for which the personal information has been collected.
• The consequences (if any) for the individual if the personal information is not collected.
• Any other APP entity, body or person (or type of APP entity, body or person) to which the APP entity usually discloses such personal information.
• How individuals can access and seek the correction of their personal information.
• How individuals can complain about breaches of the APPs or registered codes, and how the APP entity will deal with complaints.
• Information about overseas recipients if the APP entity is likely to disclose the personal information to them.
   

These include if:

• The individual would reasonably expect the APP entity to use or disclose it if the secondary purpose is related to the primary purpose.
• The use or disclosure is required or authorised by or under Australian law or a court/tribunal order.
• A permitted general situation (as defined in section 16A of the Act) exists in relation to its use or disclosure by the APP entity.
• The APP entity is an organisation and a permitted health situation (as defined in section 16B of the Act) exists in relation to its use or disclosure by the APP entity.
• The APP entity reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement-related activities conducted by or on behalf of an enforcement body.

These include if:

• The individual would reasonably expect the information to be used or disclosed for that purpose, or, if they would not reasonably expect the information to be used or disclosed for that purpose, has consented to its being used or disclosed for that purpose, and has not opted out of receiving direct marketing communications. (A simple means of opting out must be provided.)
• The organisation is a contracted service provider for a Commonwealth contract and the use or disclosure of personal information for the purpose of direct marketing is necessary to meet a contractual obligation.

Individuals may request not to receive direct marketing communications.

These include if:

• The entity reasonably believes that the recipient is subject to a law or binding scheme that has the effect of protecting the information in a substantially similar way to the APPs, and there are mechanisms that allow the individual to take action to enforce that protection.
• The entity informs the individual that it has not taken reasonable steps to ensure the recipients do not breach APPs 2–13 in relation to the information, and the individual has consented to the disclosure.
• The disclosure is required or authorised by or under an Australian law or a court/tribunal order.
• A permitted general situation (other than the situation referred to in item 4 or 5 of subsection 16A(1) of the Act) exists in relation to the disclosure.
• The entity is an agency and:
  • The disclosure is required or authorised by or under an international agreement relating to information sharing to which Australia is a party; or
  • It reasonably believes that the disclosure is reasonably necessary for one or more enforcement-related activities conducted by, or on behalf of, an enforcement body, and the recipient is a body that performs functions, or exercises powers, that are similar to those performed or exercised by an enforcement body.

• Adopt government-related identifiers of individuals (such as passport numbers and drivers’ licence numbers) as their own unless required or authorised by or under Australian law or a court/tribunal order or prescribed by regulations (see subsections 100(2) and (3) of the Act).
• Use or disclose individuals’ government-related identifiers unless:
  • It is reasonably necessary in order to verify individuals’ identities for the purposes of the organisation’s activities or functions;
  • It is reasonably necessary in order for the organisation to fulfil its obligations to an agency or a State or Territory authority;
  • It is required or authorised by or under an Australian law or a court/tribunal order;
  • A permitted general situation (other than the situation referred to in item 4 or 5 of subsection 16A(1) of the Act) exists in relation to their use or disclosure;
  • They reasonably believe that doing so is reasonably necessary for one or more enforcement-related activities conducted by or on behalf of an enforcement body; or
  • It is prescribed by regulations (see subsections 100(2) and (3) of the Act).

• The personal information they collect is accurate, up to date and complete.
• The personal information they use or disclose is accurate, up to date, complete and relevant with regard to the purpose of the use or disclosure.

APP entities that hold personal information must take reasonable steps to protect it from misuse, interference and loss, and unauthorised access, modification and disclosure.

Personal information must be destroyed or anonymised if the entity no longer needs it, the information is not contained in a Commonwealth record, and it is not required to retain it by or under an Australian law or a court/tribunal order.

• Agencies can refuse access if they are required or authorised to refuse to give access under the Freedom of Information Act or any other relevant Act of the Commonwealth or a Norfolk Island enactment.
• Organisations can refuse access if:
  • They reasonably believe that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety;
  • Giving access would have an unreasonable impact on the privacy of other individuals;
  • The request for access is frivolous or vexatious;
  • The information relates to legal proceedings;
  • Giving access would prejudice negotiations between the organisation and the individual;
  • Giving access would be unlawful;
  • Denying access is required or authorised by or under an Australian law or a court/tribunal order;
  • The entity suspects that unlawful activity or serious misconduct is being or may be engaged in and giving access would prejudice the taking of appropriate action;
  • Giving access would likely prejudice enforcement-related activities by an enforcement body; or
  • Giving access would reveal commercially sensitive information.

Agencies must respond to access requests within 30 days and cannot charge for fulfilling the access request, nor can they charge individuals for making such requests.

Organisations must respond within a reasonable period and may charge a fee that is not excessive for fulfilling the access request. They may not charge individuals for making such requests.

Correction

If an APP entity is satisfied that personal information it holds is inaccurate, out of fate, incomplete, irrelevant or misleading, or if an individual requests the entity to correct the information, then the entity must take reasonable steps to correct it.

Notification to third parties

If the entity corrects information that it has previously disclosed to another APP entity, it must inform them of the correction if the individual requests it.

Refusal to correct information

APP entities that refuse to correct personal information when requested must give the individual written notice that sets out their reason for refusal, the mechanisms available to complain about the refusal and any other matter prescribed by regulations.

They must also take reasonable steps to add a statement to the information, stating that it is inaccurate, out of date, incomplete, irrelevant or misleading.