A Definitive Break-Down of the 13 Privacy Principles
Does privacy law seem like an over-complicated maze? Here, we break down the basics.
As a result of technology and growing privacy concerns, the 13 Australian Privacy Principles were introduced in 2014. These replaced the National Privacy Principles. The principles cover agencies and organisations (known as APP entities). They outline how information should be gathered, used and protected. They have been compiled from the Privacy Amendment (Enhancing Privacy Protection) Act 2012. Here we will discuss what they mean.
1. Open and Transparent Management of Personal Information
APP entities must handle personal information openly and honestly. This includes having a policy in place which outlines how personal information will be managed. This policy must set out:
- The type of personal information in question
- The methods that the entity uses to obtain information
- Reasons for the collection and use of the information
- Correction of information
- Complaints by an individual
- Sharing of information with foreign bodies, and the countries in which these bodies are located.
The policy must also be available free of charge and easily accessible.
2. Anonymity and Pseudonymity
APP entities must accept that people can be anonymous or use a pseudonym when dealing with them. This principle comes with exceptions such as obligations under different Australian laws, or if the APP entity requires the identity of the individual in order to deal with them.
3. Collection of Solicited Personal Information
This principle deals with sensitive information specifically. The law differs slightly depending on whether the entity is an agency or an organisation. If it is an agency, it cannot obtain personal information unless doing so is necessary for, or related to, a function of the agency. If it is an organisation, it cannot obtain personal information unless doing so is necessary for a function of the organisation. Sensitive information cannot be obtained by an APP entity unless the person gives consent. Otherwise, the entity must not obtain the information unless: it is required under other Australian laws or authorised by a court; a health situation exists and the APP entity is an organisation; the APP entity is an enforcement body; or the entity is a not-for-profit organisation.
4. Dealing with Unsolicited Personal Information
Regarding information that an entity receives but did not ask for, the entity must demonstrate that it could have collected that information under principle 3 had it solicited it. If it cannot demonstrate this, and the information is not contained in any Commonwealth record, then the entity is obligated to destroy the information (where it is lawful and reasonable to do so).
5. Notification of the Collection of Personal Information
Within a reasonable time, the APP entity must notify a person about:
- The identity and contact details of the entity
- If they obtained the information from someone else, and how they collected the information
- If the collection of the information was mandatory according to Australian laws or court obligations
- The reason why the entity has collected the information
- What happens if only some information is collected
- If another APP entity or similar entity collected the information
- How the individual can access the information
- How they may make a complaint
- If the entity can share the information with an overseas body, and the countries in which these overseas bodies reside.
The APP entity has to make sure a person is aware of all these matters.
6. Use or Disclosure of Personal Information
The APP entity can only use information for the purpose for which it was collected, unless the individual has consented otherwise. The information can also be used or disclosed where the individual would reasonably expect it to be used for another purpose, as long as:
- The information relates to the main purpose;
- If it’s required pursuant to Australian law or court decisions; and
- Other specified reasons apply.
The information can also be used where the entity is not an enforcement body, the information is biometric, the receiver is an enforcement body, and the use complies with the guidelines of the Commissioner. These rules do not apply to direct marketing or government related identifiers.
7. Direct Marketing
Organisations cannot use information for direct marketing, except for where:
- The use of this information is understood by the individual;
- The individual consented;
- The organisation obtained the information in order to satisfy a contractual obligation.
The individual may also make a request not to receive direct marketing communications free of charge.
8. Cross-border Disclosure of Personal Information
The entity must make sure that any overseas recipient of information complies with the Privacy Principles, except where the recipient is bound by laws that protect information in a way similar to the protection provided by the Principles. The entity is also exempt if the individual consents to the disclosure, or if the disclosure is necessary under Australian law.
9. Adoption, Use or Disclosure of Government Related Identifiers
Organisations cannot use a government related identifier of an individual as their own identifier unless this is approved by an Australian law or court order. There are also other exemptions relating to the use of a government related identifier.
10. Quality of Personal Information
Any information obtained by the APP entity must be correct, complete, and up to date. An APP entity can only disclose and use information once they ensure it’s accurate, relevant and complete.
11. Security of Personal Information
An APP entity must protect information from misuse, loss, interference, disclosure, modification or unauthorised access. Information must also be destroyed or de-identified once it is no longer needed.
12. Access to Personal Information
Individuals must be able to access their information when they request it. An entity is exempt if it is authorised to refuse the request under the Freedom of Information Act or any other Commonwealth act. Other exceptions include where the entity believes that giving access would pose a serious threat, would impact the privacy of others, or would be unlawful, among other grounds. This principle also sets out the conditions for providing access, denying access and receiving requests.
13. Correction of Personal Information
The entity must ensure that the information it collects is accurate, up to date, complete, relevant and not misleading. When information is corrected, the APP entity must also notify other affected entities of the changes. If the entity refuses to correct information, it must notify the individual and set out the reasons for the refusal.
Akira is a legal intern at Lawpath working in the content team. She is currently studying a Bachelor of Arts and a Bachelor of Laws at Macquarie University.