Section 18 of Doing Business in Australia

Australia's privacy and related laws and regulations

In Australia, the use of “personal information” (personal information) is principally regulated by the federal Privacy Act 1988 (Privacy Act). The Privacy Act applies to the handling of personal information by Australian federal government agencies and Australian Capital Territory (ACT) government agencies. The Privacy Act also governs the private sector, including corporations and other businesses, but in general only applies to group businesses with aggregate group (global) revenue greater than AU$3 million.

The Privacy Act regulates collection and use in a “record” or generally available publication, and disclosure, of two main types of information:

  • personal information, being information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information is true or not and whether it is in a recorded form or not. Information will also be personal information where the identification or re-identification is practicable from the information itself or in combination with reference to other information. Common examples of personal information are names, addresses and telephone numbers; and
  • sensitive information, being such information or an opinion about certain characteristics of an individual, including racial or ethnic origin, political opinions, membership of a professional or trade association, criminal record, health and health status, and biometrics used for the purpose of biometric verification and identification.

Sensitive information is subject to higher levels of regulatory protection. For example, an organisation must not collect sensitive information about an individual unless the individual consents (expressly or impliedly) to the collection of the information and the information is reasonably necessary for one of the organisation’s functions or activities.

The two principal regulators of privacy laws in Australia are the Australian Privacy Commissioner and the Australian Communications and Media Authority (ACMA).

The Australian Privacy Commissioner is responsible for enforcing compliance with the Privacy Act and reviewing proposed privacy codes. This involves investigating instances of non-compliance by agencies and organisations in relation to all commercial and public sectors.

The ACMA is responsible for administering and enforcement of the following legislative instruments which supplement the Privacy Act and deal with related privacy issues:

  • the Spam Act 2003 (Cth) (Spam Act), which deals with the sending of unsolicited commercial electronic messages, including emails and SMS;
  • the Do Not Call Register Act 2006 (Cth), (Do Not Call Register Act) regulating unsolicited commercial calling to telephone numbers listed on the national Do Not Call Register; and
  • Part 13 of the Telecommunications Act 1997 (Cth), which imposes restrictions on the use and disclosure of telecommunications and communications-related data.

State and territory regulators, generally called Privacy Commissioners, relevantly regulate state and territory government agencies and in some states also health service providers and some surveillance activities. Health privacy is an area that is dually regulated under both state and federal legislation.

There are a range of other laws in Australia, at federal and state level, which indirectly impact on handling of personal information, including:

  • state and territory privacy legislation, applying to personal information held by government agencies and contractors to government agencies and in some states also health service providers and some surveillance activities. Health privacy is an area that is dually regulated under both state and federal legislation;
  • federal laws relating to telecommunications interception;
  • telecommunications sector specific laws governing access to call product, stored electronic communications and information about telecommunications customers use of telecommunications networks;
  • federal and state/territory freedom of information legislation applying to information held by government agencies;
  • federal and state/territory laws relating to health records;
  • federal laws relating to the disclosure of or data- matching of tax file numbers; and
  • federal and state/territory laws governing the use of tracking devices, listening devices and workplace surveillance, and/or unauthorised optical surveillance.

The Privacy Act has extraterritorial operation and extends to an act done, or practice engaged in, outside Australia and Australian external territories by an organisation (including a small business operator), that has an “Australian link”. An organisation or small business operator has an “Australian link” where it is:

  • an Australian citizen, or a person whose continued presence in Australia is not subject to a legal time limitation;
  • a partnership formed, or a trust created, in Australia or an external territory;
  • a body corporate incorporated in Australia or an external territory; or
  • an unincorporated association that has its central management and control in Australia or an external territory.

Corporations and other bodies that do not fall into the above categories, broadly, any foreign corporation or body, will have an “Australian link” where:

  • the organisation carries on business in Australia; and
  • the personal information was collected or held by the organisation in Australia, either before or at the time of the act or practice.

Australian privacy principles

The Privacy Act principally comprises:

  • the 13 Australian Privacy Principles (APPs) which apply to the handling of personal information by government agencies and private organisations which are in general collectively referred to as “APP entities”; and
  • credit-reporting provisions which apply to the handling of personal credit information about individuals by credit reporting bodies, credit providers and some other third parties.

The APPs follow the personal information lifecycle from collection, to use, to disclosure, to retention, to destruction or de-identification. They are not lengthy, but their interpretation can be complex. The Privacy Commissioner’s Guidelines as to interpretation and operation of the APPs run to over two hundred pages. Some APPs draw distinctions in their coverage and operation as between organisations and agencies, while others apply alike to all APP entities (organisations and agencies together). Some APPs require different and higher standards in relation to the sub-category of personal information that is sensitive personal information.

The coverage of the APPs can be briefly summarised as follows:

APP 1 Open and transparent management of personal information

APP entities (that is, entities regulated by the Australian privacy laws) must manage personal information in an open and transparent way. This generally requires APP entities to have a clearly expressed and up to date APP privacy policy. Collection, use and retention of personal information is to be minimised to that reasonably required as notified in a privacy policy or otherwise with a user’s consent.

“Transparent” is not defined, but as used in the ACL contractual term is “transparent” if it is expressed in reasonably plain language, legible, presented clearly and readily available to the person affected by the term.

The positive obligation for APP entities to implement practices, procedures and systems to “manage” personal information has been interpreted as requiring implementation of privacy assurance practices and procedures – sometimes called “Privacy by Design” – into business processes and products.

APP 2 Anonymity and pseudonymity

APP entities must give individuals the option of not identifying themselves, or of using a pseudonym. Limited exceptions apply.

APP 3 Collection of solicited personal information

Outlines when an APP entity can collect personal information that is solicited by the entity. APP 3 applies higher standards to the collection of “sensitive” information, such as health information.

APP 4 Dealing with unsolicited personal information

Outlines how APP entities must deal with unsolicited personal information.

APP 5 Notification of the collection of personal information

Outlines when and in what circumstances an APP entity that collects personal information must notify an individual of certain matters.

APP 1 and APP 5 together set out quite prescriptively those things that need to be notified to an individual in relation to any collection of personal information about that individual. Read together with APP 1, APP 5 constitutes a comprehensive list of what should be covered in a collection notice, although in practice a number of these matters may instead be dealt with in a privacy policy in order to keep the collection notice to manageable length. In Australia the respective roles of privacy policies and collection notices is less defined than is the case in otherwise comparable privacy jurisdictions.

Special requirements apply where any personal information about an individual is collected from anyone other than the affected individual: in particular, notice of that collection is required to be given to affected individuals.

APP 6 Use or disclosure of personal information

Outlines the circumstances in which an APP entity may use or disclose personal information that it holds.

APP 7 Direct marketing

An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met. Broadly, direct marketing:

  • is use or disclosure of personal information to communicate directly with an individual to promote goods and services;
  • may only be undertaken where an individual would reasonably expect it, such as with informed consent;
  • must provide a prominent statement about a simple means to opt out; and
  • must be stopped when an individual opts-out.

APP 8 Cross-border disclosure of personal information

Outlines the steps an APP entity must take to protect personal information before it is disclosed to any other entity (including related entities) outside Australia.

APP 9 Adoption, use or disclosure of government related identifiers

Outlines the limited circumstances when an organisation may adopt a government related identifier of an individual as its own identifier, or use or disclose a government related identifier of an individual. Examples of government related identifiers are drivers’ licence numbers, Medicare numbers, Australian passport numbers and Centrelink reference numbers.

APP 10 Quality of personal information

An APP entity must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure.

APP 11 Security of personal information

An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances.

APP 12 Access to personal information

An APP entity must provide access when an individual requests to be given access to personal information held about them by the entity. Some limited, specific exceptions apply.

APP 13 Correction of personal information

An APP entity must correct information held by it about an individual in response to a reasonable request by an affected individual.

Mandatory date breach notification

The Privacy Act requires APP entities to notify the Commissioner and affected individuals if the entity experiences an ‘eligible data breach’ - that is, a breach that a reasonable person would conclude is likely to result in serious harm to the individual/s concerned.

Limited exceptions to the notification requirements are available, including a public interest exception of avoiding prejudicing the activities of law enforcement agencies or disclosing information where it would be inconsistent with a secrecy provision in another law.

The Australian Privacy Commissioner has the power to investigate noncompliance with the mandatory data breach notification scheme and make a determination requiring the entity to remedy such noncompliance.

Direct marketing and spam

Direct marketing is primarily regulated through the Spam Act, the Do Not Call Register Act and APP 7 of the Privacy Act.

APP 7 initially states a very broad prohibition of direct marketing: an organisation must not use or disclose the personal information that it holds about an individual for the purpose of direct marketing (APP 7.1).

APP 7 then carves-down that prohibition in a number of specified circumstances. Key factors as to whether APP 7 applies are:

  • whether a particular marketing activity is “direct marketing” (and then regulated by APP 7); and
  • whether the Spam Act and the Do Not Call Register Act apply to regulate the particular activity, such that APP 7 does not apply (because an exception in APP 7.8 operates).

“Direct marketing” is not defined in the Privacy Act. However, the Australian Privacy Commissioner in the Australian Privacy Principles guidelines (February 2014) has expressed the view that “direct marketing involves the use and/or disclosure of personal information to communicate directly with an individual to promote goods and services. A direct marketer may communicate with an individual through a variety of channels, including telephone, SMS, mail, email and online advertising”. APP 7 requires the direct marking organisation to provide a simple way for the individual to request not to receive direct marketing communications from the organisation. There must be a visible, clear and easily understood explanation of how to opt out and a process for opting out which requires minimal time and effort that uses a straightforward communication channel accessible at no more than nominal cost.

An organisation must also, on request, provide its source for an individual’s personal information, unless it is impracticable or unreasonable to do so.

In addition, in any circumstance where the individual would not reasonably expect their information to be used or disclosed for the purpose of direct marketing or personal information about them was collected from a third party, in each direct marketing communication with the individual the organisation must include a prominent statement (“opt out statement”), or otherwise draw the individual’s attention to the fact that the individual may request an opt-out.

The Spam Act applies to “electronic messaging”, which covers emails, instant messaging, SMS and other mobile phone messaging. The Spam Act prohibits “unsolicited commercial electronic messages” with an “Australian link” from being sent or caused to be sent. The “Australian link” concept is much broader than in the Privacy Act and includes sending of commercial electronic messages from outside Australia to any Australian email account holder.

The Spam Act defines a “commercial electronic message” as an electronic message, where, having regard to the content, presentation and access to other supplementary information it could be considered that a purpose, or one of the purposes, of the message is to (among other things) offer, advertise or promote the supply of goods, services, land or business or investment opportunities. Importantly, commerciality may be a secondary purpose and the message is still caught: for example, a message that is mainly factual or useful information, but then has some marketing or promotional content.

If a business engages a third party to send a commercial electronic message/campaign on its behalf, the business needs to be aware of its legal obligations, as it may be found responsible for any contraventions of the Spam Act by the third party.

The Spam Act also prohibits the use, supply or acquisition of address harvesting software and any list of electronic addresses produced using such software.

Avoid the pitfalls

A message does not have to be sent out to numerous addresses, or in bulk, to be in breach of the Spam Act. Businesses can also be responsible for breaches of the Spam Act by third-party contractors.

Do not call

The Do Not Call Register provides consumers in Australia with the choice to “opt-out” of receiving unwanted and unsolicited telemarketing calls through a regulatory framework under which their “opt-out” is recorded on a centralised Do Not Call Register.

The Do Not Call Register Act prohibits “telemarketing calls” from being made to a number entered on the Do Not Call Register, unless:

  • the recipient of the call (the account holder or their nominee) has consented to the making of the call;
  • the telemarketer “washed” the number against numbers on the Do Not Call Register within the preceding 30 days and the number was not then identified as a “do not call” number (this enables a database check to be relied upon for 30 days, therefore a registration would not be fully effective for 30 days); or
  • the call is otherwise exempted as a “designated telemarketing call”.

This guide is current as of April 2021.