Australian Privacy Principles
The Privacy Act 1988 (Cth) sets out 13 APPs (Australian Privacy Principles) in Schedule 1. They govern how entities within the Act’s scope collect, hold, use, disclose and give access to personal information, and they replaced the earlier Information Privacy Principles (for agencies) and National Privacy Principles (for organisations).
There are two types of APP entity. Essentially:
- Agencies are Australian Government (Commonwealth) agencies and Norfolk Island agencies.
- Organisations are businesses and not-for-profit organisations with an annual turnover of more than AU$3 million, plus certain smaller businesses that the Act brings into scope regardless of turnover (for example, private health service providers and businesses that trade in personal information).
These definitions are not exhaustive. For full information about the APPs’ applicability, please consult the Act itself.
What are the Australian Privacy Principles?
Part 1 – Consideration of personal information privacy
APP 1: Open and transparent management of personal information
To manage personal information openly and transparently, an APP entity must:
- Take reasonable steps to implement practices, procedures and systems that ensure it complies with the APPs and any registered APP code that binds it, and can deal with enquiries or complaints from individuals about its compliance.
- Have, and make available, an APP privacy policy covering how it manages personal information. The policy must contain certain information, including:
- The kinds of personal information the entity collects and holds;
- How the personal information is collected and held;
- The purposes for which the personal information is collected, held, used and disclosed;
- How individuals can access their personal information and seek its correction;
- How individuals can complain about breaches of the APPs or registered codes, and how the APP entity will deal with complaints; and
- Whether the APP entity is likely to disclose information to overseas recipients and, if it is, the countries in which those recipients are likely to be located.
APP 2: Anonymity and pseudonymity
Individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with an APP entity, unless:
- The APP entity is required or authorised by or under an Australian law, or a court/tribunal order, to deal with individuals who have identified themselves; or
- It is impracticable for the APP entity to deal with individuals who have not identified themselves or who have used a pseudonym.
Part 2 – Collection of personal information
APP 3: Collection of solicited personal information
Personal information that is not sensitive information
- Agencies must not collect personal information unless it is reasonably necessary for, or directly related to, one or more of their functions or activities.
- Organisations must not collect personal information unless it is reasonably necessary for one or more of their functions or activities.
Sensitive information
Sensitive information (for example health information, biometric information, or information about racial or ethnic origin, political opinions, religious beliefs or sexual orientation) is subject to a further condition. In addition to meeting the conditions that apply to non-sensitive information, an APP entity cannot collect it unless the individual consents, or:
- Its collection is required or authorised by or under an Australian law or a court/tribunal order.
- A permitted general situation (as defined in section 16A of the Act) exists in relation to its collection by the APP entity.
- The APP entity is an organisation and a permitted health situation (as defined in section 16B of the Act) exists in relation to its collection by the APP entity.
- The APP entity is the Immigration Department and reasonably believes that the collection is reasonably necessary for, or directly related to, one or more enforcement-related activities conducted by, or on behalf of, the Department.
- The APP entity is an enforcement body other than the Immigration Department and reasonably believes that the collection is reasonably necessary for, or directly related to, one or more of its functions or activities.
- The APP entity is a non-profit organisation and the information relates to its activities and to its members, or to individuals who have regular contact with it in connection with its activities.
Means of collection
An APP entity must collect personal information only by lawful and fair means.
An APP entity must collect personal information about an individual only from the individual, unless it is unreasonable or impracticable to do so. An agency may also collect the information from someone else if:
- The individual consents to the collection of their information from someone else; or
- The agency is required or authorised by or under an Australian law, or a court/tribunal order, to collect the information from someone else.
APP 4: Dealing with unsolicited personal information
If an APP entity receives personal information it did not solicit, it must determine, within a reasonable period, whether it could have collected the information under APP 3 had it solicited it. (It may use or disclose the information for the purpose of making that determination.)
- If it determines that it could not have, and the information is not contained in a Commonwealth record, it must destroy or de-identify the information as soon as practicable, but only if it is lawful and reasonable to do so.
- If it determines that it could have (or the information is not destroyed or de-identified), APPs 5–13 apply to the information as if the entity had solicited it.
APP 5: Notification of the collection of personal information
At or before the time it collects personal information (or, if that is not practicable, as soon as practicable afterwards), an APP entity must take reasonable steps to notify individuals of, or otherwise ensure they are aware of:
- Its identity and contact details.
- The fact that it has collected their personal information and, if the information was collected from someone else or the individual may not be aware of the collection, the circumstances of that collection.
- Any law or court/tribunal order that requires or authorises the collection.
- The purposes for which the personal information has been collected.
- The consequences (if any) for the individual if the personal information is not collected.
- Any other APP entity, body or person (or type of APP entity, body or person) to which the APP entity usually discloses such personal information.
- How individuals can access and seek the correction of their personal information.
- How individuals can complain about breaches of the APPs or registered codes, and how the APP entity will deal with complaints.
- Information about overseas recipients if the APP entity is likely to disclose the personal information to them.
Part 3 – Dealing with personal information
APP 6: Use or disclosure of personal information
An APP entity that holds personal information collected for a particular (primary) purpose must not use or disclose it for another (secondary) purpose unless the individual consents or one of a number of other conditions applies.
These include if:
- The individual would reasonably expect the APP entity to use or disclose the information for the secondary purpose, and that purpose is related to the primary purpose (or, for sensitive information, directly related to it).
- The use or disclosure is required or authorised by or under Australian law or a court/tribunal order.
- A permitted general situation (as defined in section 16A of the Act) exists in relation to its use or disclosure by the APP entity.
- The APP entity is an organisation and a permitted health situation (as defined in section 16B of the Act) exists in relation to its use or disclosure by the APP entity.
- The APP entity reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement-related activities conducted by or on behalf of an enforcement body.
APP 7: Direct marketing
Organisations (but not agencies) that hold personal information must not use or disclose it for direct marketing (defined in the Explanatory Memorandum to the Act as “communicating directly with a consumer to promote the sale of goods and services to the consumer”) unless one of a number of conditions applies.
These include if:
- The organisation collected the information from the individual, the individual would reasonably expect it to be used or disclosed for direct marketing, a simple means of opting out is provided and the individual has not opted out.
- The information was collected from a third party, or the individual would not reasonably expect it to be used or disclosed for direct marketing, but the individual has consented (or it is impracticable to obtain consent), a simple means of opting out is provided, each communication carries a prominent statement that the individual may opt out and the individual has not opted out.
- The organisation is a contracted service provider for a Commonwealth contract and the use or disclosure of personal information for the purpose of direct marketing is necessary to meet an obligation under the contract.
Sensitive information may only be used or disclosed for direct marketing with the individual’s consent.
Individuals may request not to receive direct marketing communications and may ask the organisation where it obtained their information. The organisation must give effect to such requests within a reasonable period and must not charge for doing so.
APP 8: Cross-border disclosure of personal information
Before an APP entity discloses personal information to an overseas recipient, it must take reasonable steps to ensure the recipient does not breach APPs 2–13 in relation to the information, unless one of a number of conditions applies. Taking reasonable steps does not end the entity’s responsibility: under section 16C of the Act, an act or practice of the overseas recipient that would breach the APPs is treated as an act or practice of the disclosing entity.
These include if:
- The entity reasonably believes that the recipient is subject to a law or binding scheme that has the effect of protecting the information in a substantially similar way to the APPs, and there are mechanisms that allow the individual to take action to enforce that protection.
- The entity informs the individual that it has not taken reasonable steps to ensure the recipients do not breach APPs 2–13 in relation to the information, and the individual has consented to the disclosure.
- The disclosure is required or authorised by or under an Australian law or a court/tribunal order.
- A permitted general situation (other than the situation referred to in item 4 or 5 of subsection 16A(1) of the Act) exists in relation to the disclosure.
- The entity is an agency and:
- The disclosure is required or authorised by or under an international agreement relating to information sharing to which Australia is a party; or
- It reasonably believes that the disclosure is reasonably necessary for one or more enforcement-related activities conducted by, or on behalf of, an enforcement body, and the recipient is a body that performs functions, or exercises powers, that are similar to those performed or exercised by an enforcement body.
APP 9: Adoption, use or disclosure of government related identifiers
Organisations must not:
- Adopt government-related identifiers of individuals (such as passport numbers and drivers’ licence numbers) as their own unless required or authorised by or under Australian law or a court/tribunal order or prescribed by regulations (see subsections 100(2) and (3) of the Act).
- Use or disclose individuals’ government-related identifiers unless:
- It is reasonably necessary in order to verify individuals’ identities for the purposes of the organisation’s activities or functions;
- It is reasonably necessary in order for the organisation to fulfil its obligations to an agency or a State or Territory authority;
- It is required or authorised by or under an Australian law or a court/tribunal order;
- A permitted general situation (other than the situation referred to in item 4 or 5 of subsection 16A(1) of the Act) exists in relation to their use or disclosure;
- They reasonably believe that doing so is reasonably necessary for one or more enforcement-related activities conducted by or on behalf of an enforcement body; or
- It is prescribed by regulations (see subsections 100(2) and (3) of the Act).
Part 4 – Integrity of personal information
APP 10: Quality of personal information
APP entities must take reasonable steps to ensure that:
- The personal information they collect is accurate, up to date and complete.
- The personal information they use or disclose is accurate, up to date, complete and relevant with regard to the purpose of the use or disclosure.
APP 11: Security of personal information
APP entities that hold personal information must take reasonable steps to protect it from misuse, interference and loss, and unauthorised access, modification and disclosure.
Personal information must be destroyed or de-identified once the entity no longer needs it for any purpose for which it may be used or disclosed under the APPs, provided the information is not contained in a Commonwealth record and the entity is not required to retain it by or under an Australian law or a court/tribunal order.
Part 5 – Access to, and correction of, personal information
APP 12: Access to personal information
APP entities that hold personal information must, on request, give the individual access to it unless an exception applies. Access must be given in the manner the individual requests if that is reasonable and practicable, and an entity that refuses access must give the individual written notice of the reasons for refusal and of the mechanisms available to complain about it.
There are a number of exceptions to this rule:
- Agencies can refuse access if they are required or authorised to refuse to give access under the Freedom of Information Act or any other relevant Act of the Commonwealth or a Norfolk Island enactment.
- Organisations can refuse access if:
- They reasonably believe that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety;
- Giving access would have an unreasonable impact on the privacy of other individuals;
- The request for access is frivolous or vexatious;
- The information relates to existing or anticipated legal proceedings between the organisation and the individual and would not be accessible through discovery;
- Giving access would prejudice negotiations between the organisation and the individual;
- Giving access would be unlawful;
- Denying access is required or authorised by or under an Australian law or a court/tribunal order;
- The entity suspects that unlawful activity or serious misconduct is being or may be engaged in and giving access would prejudice the taking of appropriate action;
- Giving access would be likely to prejudice one or more enforcement-related activities conducted by, or on behalf of, an enforcement body; or
- Giving access would reveal evaluative information generated within the organisation in connection with a commercially sensitive decision-making process.
Agencies must respond to access requests within 30 days and cannot charge for fulfilling the access request, nor can they charge individuals for making such requests.
Organisations must respond within a reasonable period and may charge a fee that is not excessive for fulfilling the access request. They may not charge individuals for making such requests.
APP 13: Correction of personal information
Correction
If an APP entity is satisfied that personal information it holds is inaccurate, out of date, incomplete, irrelevant or misleading (having regard to the purpose for which it is held), or if an individual asks the entity to correct the information, the entity must take reasonable steps to correct it.
Notification to third parties
If the entity corrects information that it has previously disclosed to another APP entity, and the individual asks it to notify that entity, it must take reasonable steps to do so unless that is impracticable or unlawful.
Refusal to correct information
APP entities that refuse to correct personal information when requested must give the individual written notice that sets out their reason for refusal, the mechanisms available to complain about the refusal and any other matter prescribed by regulations.
If the individual requests it, they must also take reasonable steps to associate with the information a statement that the individual considers it inaccurate, out of date, incomplete, irrelevant or misleading.
Complying with the APPs
The APPs aim to reduce the risk of a data breach by controlling personal information at each stage of its lifecycle: collection, notification, use and disclosure, storage, access and correction, and destruction or de-identification. For security engineers, APP 11 is the principle that maps most directly onto their work: its “reasonable steps” to protect personal information from misuse, interference, loss, and unauthorised access, modification and disclosure is where technical and organisational controls (access control, encryption, logging, retention limits and secure destruction) are assessed.
ISO 27001 sets out the specification for a best-practice ISMS (information security management system), an organisation-wide approach that encompasses people, processes and technology. Organisations can be independently audited and certified against the Standard, and an ISMS is a common way of demonstrating that the reasonable steps required by APP 11 have been taken.