Introduction

As a result of advances in technology and growing privacy concerns, the 13 Australian Privacy Principles were introduced in 2014, replacing the National Privacy Principles. The principles cover agencies and organisations (known as APP entities) and outline how personal information should be gathered, used and protected. They were compiled from the Privacy Amendment (Enhancing Privacy Protection) Act 2012. Here we will discuss what they mean.

1. Open and Transparent Management of Personal Information

APP entities must handle personal information openly and honestly. This includes having a policy in place that outlines how personal information will be managed. This policy must cover:

  • The type of personal information in question
  • The methods that the entity uses to obtain information
  • Reasons for the collection and use of the information
  • Correction of information
  • Complaints by an individual
  • Sharing of information with foreign bodies, and the countries in which those bodies are located.

The policy must also be free of charge and easily accessible.

2. Anonymity and Pseudonymity

APP entities must accept that people can be anonymous or use a pseudonym when dealing with them. This principle comes with exceptions such as obligations under different Australian laws, or if the APP entity requires the identity of the individual in order to deal with them.

3. Collection of Solicited Personal Information

This principle deals with sensitive information specifically. The law differs slightly depending on whether the entity is an agency or an organisation. An agency cannot collect personal information unless it is necessary for, or directly related to, one of its functions. An organisation cannot collect personal information unless it is necessary for one of its functions. Sensitive information cannot be collected by an APP entity unless the person gives consent. Without consent, an APP entity must not collect sensitive information unless the collection is required under an Australian law or authorised by a court, a health situation exists and the entity is an organisation, the entity is an enforcement body, or the entity is a not-for-profit organisation.

4. Dealing with Unsolicited Personal Information

With regard to information that an entity receives but did not ask for, the entity must determine whether it could have collected that information under principle 3 had it solicited it. If it could not have, and the information is not contained in a Commonwealth record, then the entity is obligated to destroy or de-identify the information, provided it is lawful and reasonable to do so.

5. Notification of the Collection of Personal Information

Within a reasonable time, the APP entity must notify a person about:

  • The identity and contact details of the entity
  • Whether the entity obtained the information from someone else, and how it collected the information
  • If the collection of the information was mandatory according to Australian laws or court obligations
  • The reason why the entity has collected the information
  • What happens if only some information is collected
  • If another APP entity or similar entity collected the information
  • How the individual can access the information
  • How they may make a complaint
  • Whether the entity is likely to share the information with an overseas body, and the countries in which those overseas bodies are located.

The APP entity has to make sure a person is aware of all these matters.

6. Use or Disclosure of Personal Information

The APP entity can only use or disclose information for the purpose for which it was collected, unless the individual has consented to another use. The information can also be used or disclosed for another purpose as long as the individual would reasonably expect this and:

  • the information relates to the main purpose;
  • the use or disclosure is required pursuant to Australian law or a court order; or
  • another permitted reason applies.

The information can also be used where the entity is not an enforcement body, the information is biometric, the receiver is an enforcement body and the use complies with the guidelines of the Commissioner. These rules do not apply to direct marketing or government related identifiers, which are covered by their own principles.

7. Direct Marketing

Organisations cannot use or disclose personal information for direct marketing, except where:

  • the individual would reasonably expect the information to be used for that purpose;
  • the individual has consented; or
  • the organisation obtained the information in order to satisfy a contractual obligation.

The individual may also request, free of charge, not to receive direct marketing communications.

8. Cross-border Disclosure of Personal Information

Before disclosing personal information overseas, the entity must take reasonable steps to ensure that the overseas recipient complies with the Privacy Principles. This does not apply where the recipient is bound by laws that protect the information in a way substantially similar to the Principles. The entity is also exempt if the individual consents to the disclosure or if the disclosure is required under Australian law.

9. Adoption, Use or Disclosure of Government Related Identifiers

Organisations cannot adopt a government related identifier of an individual as their own identifier unless this is required or authorised by an Australian law or court order. Certain uses and disclosures of a government related identifier are also exempt.

10. Quality of Personal Information

An APP entity must take reasonable steps to ensure that the personal information it collects is accurate, complete and up to date. Before using or disclosing the information, the entity must ensure it is accurate, relevant and complete for the purpose of that use or disclosure.

11. Security of Personal Information

An APP entity must take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. Information must also be destroyed or de-identified once it is no longer needed for any permitted purpose.

12. Access to Personal Information

Individuals must be able to access their personal information when they request it. An entity is exempt if it is authorised to refuse the request under the Freedom of Information Act or another Commonwealth act. Other exceptions include where the entity reasonably believes that access would pose a serious threat, would impact the privacy of others or would be unlawful, among others. This principle also sets out the conditions for providing access, refusing access and handling requests.

13. Correction of Personal Information

The entity must take reasonable steps to correct inaccurate personal information so that it is accurate, up to date, complete, relevant and not misleading. The APP entity must also notify other affected entities of the changes. If it refuses to correct the information, it must notify the individual and set out the reasons for the refusal.

Conclusion

These 13 principles are essential for any business or organisation that deals with the personal information of individuals. Privacy is a very serious matter, and the penalties for non-compliance are severe. If you think your business needs to brush up on its privacy measures, it is worth learning what a privacy policy is and why it is so important.

Unsure where to start? Contact a LawPath consultant on 1800529728 to learn more about customising legal documents and obtaining a fixed-fee quote from Australia’s largest legal marketplace.

Akira Singh

Akira is a legal intern at LawPath working in the content team. She is currently studying a Bachelor of Arts and a Bachelor of Laws at Macquarie University.