This is general information about the operations of the Privacy Act. It should not be relied upon without taking specific advice.
What does the Privacy Act cover?
It controls the manner in which personal information about an individual is managed. Note that the Privacy Act does not deal with information about an organisation or a company.
What is Personal Information?
The Act defines Personal Information as “information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable”.
The Act is deliberately broad: it covers opinions as well as factual information, and neither the opinion nor the information has to be true to attract the protection of the Act.
It is also important to note that the Act covers information or opinions about an individual who is "reasonably identifiable". The individual does not have to be named: if someone could take the material and, by combining it with other available sources of information, work out who the individual is, the material is covered by the Act.
Who does the Act apply to?
The Act applies to an "APP entity", which generally means a Commonwealth government agency or an organisation.
An APP entity does not include a small business operator, that is, a business with an annual turnover of $3,000,000 or less.
However, a small business operator will still be caught by the Act if it is related to another business with a turnover of more than $3,000,000, provides a health service and holds health information, discloses or collects personal information about an individual for a benefit, service or advantage, or is a credit reporting body.
What are the obligations under the Act?
The Act requires that the APP entity comply with the 13 Australian Privacy Principles (APPs).
The APPs set out how an entity must collect, handle, store, use and disclose Personal Information.
APP 1 Open and transparent management of personal information
This principle requires the APP entity to have policies and systems to comply with the Act and to be able to deal with any complaints.
APP 2 Anonymity and pseudonymity
This principle allows an individual to use a pseudonym or anonymity when dealing with an APP entity.
APP 3 Collection of solicited personal information
This principle provides that an APP entity may collect personal information only where it is reasonably necessary for one or more of the entity's functions or activities, and requires the individual's consent before sensitive information is collected.
Sensitive information is a subset of personal information and includes information or an opinion about an individual's
- health (including predictive genetic information)
- racial or ethnic origin
- political opinions
- membership of a political association, professional or trade association or trade union
- religious beliefs or affiliations
- philosophical beliefs
- sexual orientation or practices
- criminal record
- biometric information that is to be used for automated biometric verification or identification
- biometric templates
The collection and handling of sensitive information is subject to more stringent requirements than personal information that is not regarded as sensitive information.
APP 4 Dealing with unsolicited personal information
This principle prescribes what an APP entity must do with unsolicited personal information.
APP 5 Notification of the collection of personal information
This principle requires an APP entity to notify the individual, at or before the time the information is collected (or as soon as practicable afterwards), of matters including: whether the information is being collected from sources other than the individual; the purposes for which the information is collected; the persons or bodies to whom the information is usually disclosed; and the means by which the individual can access and correct the personal information that has been collected and make a complaint.
APP 6 Use or disclosure of personal information
An APP entity can't use or disclose the information for any purpose other than the purpose for which it was collected (the primary purpose) unless the individual consents to the other purpose, or the individual would reasonably expect the information to be used or disclosed for that other purpose and that purpose is related to the primary purpose (directly related, in the case of sensitive information).
APP 7 Direct marketing
An APP entity can't use personal information for direct marketing unless the individual would reasonably expect the information to be used for direct marketing purposes and the APP entity provides a simple means by which the individual can easily request not to receive direct marketing.
Alternatively, where the individual would not reasonably expect direct marketing, the entity may still use the information for that purpose if the individual has consented, there is a simple means by which the individual can easily request not to receive direct marketing, and each direct marketing communication includes a prominent statement that the individual may make such a request.
APP 8 Cross-border disclosure of personal information
An APP entity must not disclose personal information to a recipient outside Australia unless the entity has first taken reasonable steps to ensure the overseas recipient does not breach the Australian Privacy Principles in relation to that information. Alternatively, information may be disclosed to an overseas recipient if the APP entity reasonably believes the recipient is subject to a law or binding scheme that protects the information in a way that is substantially similar to the Australian Privacy Principles. Note that, in the first case, the Australian entity generally remains accountable for any breach by the overseas recipient.
APP 9 Adoption, use or disclosure of government related identifiers
An APP entity must not adopt a government related identifier, such as a TFN or Medicare number, as its own identifier of the individual, and must not use or disclose such an identifier except in limited circumstances (for example, where required by law).
APP 10 Quality of personal information
An APP entity must take reasonable steps to ensure that the personal information it collects, uses or discloses is accurate, up to date and complete.
APP 11 Security of personal information
An APP entity must take reasonable steps to ensure that the personal information is protected from misuse, interference or loss and from unauthorised access, modification or disclosure.
This principle also requires an APP entity to take reasonable steps to destroy or de-identify personal information once it is no longer needed for any purpose for which it may be used or disclosed under the APPs, unless the entity is required by law to retain it.
APP 12 Access to personal information
An APP entity must, as a general rule, give an individual access to the personal information it holds about that individual on request.
APP 13 Correction of personal information
An APP entity must take reasonable action to correct information that is inaccurate, out of date, incomplete, irrelevant or misleading.
An APP entity may face civil penalties for serious or repeated interferences with privacy of up to $1,800,000 for companies and $360,000 for individuals.
Mandatory data breach notifications
An APP entity must notify the individuals whose personal information has been involved in a data breach if the breach is likely to result in serious harm to any of those individuals.
The entity must also notify the Australian Information Commissioner. The notification must describe the breach and the kind of information involved, and must include recommendations about the steps individuals should take in response to the breach.
If the APP entity merely suspects that such a breach may have occurred, it must carry out a reasonable and expeditious assessment (within 30 days) to determine whether the breach is likely to result in serious harm and, if it is, notify the affected individuals and the Commissioner.