Changes to Australian Federal privacy law in March 2014 have occasioned extravagant claims as to
the chilling effects of extension of regulation and new exposures of Australian businesses to regulatory
This article suggests that those claims are significantly overstated. The changes to Australian privacy
laws are limited in scope and incomplete. It is likely that Australian privacy law will require significant
further development within the foreseeable future. This will probably be the case notwithstanding
continued use of principles based regulation to accommodate unforeseen change: the author’s view is
that although the redrafted privacy principles are much clearer and more adaptable than the
predecessor principles, they are not sufficiently flexible to address some challenges already posed for
privacy regulation, as discussed in this article.
The effect of changes to the enforcement framework is more difficult to predict. The Office of the
Australian Information Commissioner (which includes the Australian Privacy Commissioner) remains
poorly funded. On current funding the OAIC would be unable to fund multiple investigations or
extensive court action. However, other regulatory agencies may also become more active. For
example, the broadened requirements for privacy policies and collection notices and overstatement by
some businesses as to their privacy practices may lead to development of a new enforcement role for
the Australian Competition and Consumer Commission in relation to emerging gaps between claimed
policies and actual practices.
In parallel, pressures continue to grow outside the information privacy field. The Rebekah Brooks
criminal trial in the United Kingdom continues the phone hacking controversy centred upon the now
defunct British tabloid News of the World. It was this controversy – arising out of clearly privacy
invasive hacking into private voicemails – that became the catalyst for renewed discussion in
Australia about whether Australia needs a new private right of action for serious invasions of privacy
and led to the former Federal Government's reference to the Australian Law Reform Commission to
report on that topic (again). It is in the field of a right to seclusion, to be left alone, that we find the
most entrenched privacy divides. In one corner, privacy and consumer advocates and tort law
barristers point to intrusive and sometimes prurient media reporting of what might be considered
private activities, including ‘door stopping’ of private homes and ‘outing’ of gender preferences and
social and sexual peccadillos of allegedly public figures. In another corner, providers of social
networking sites point to the impossibility of patrolling user content and working out what is an
invasion of an individual’s privacy and what is not, whether proactively or reactively (in response to
user complaint). Social networking increasingly conflates public and private space: users of social
networking sites have complex and nuanced views about acceptable limits upon reuse or repurposing
of images or information that they elect to make available in semi-public places such as their
Facebook pages, often with unclear intentions as to any reuse or repurposing. In yet another corner,
the professional print and electronic media point to a relatively low level of privacy related complaints
under existing media codes of practice and the availability of low cost remedies for affected individuals
through the Australian Press Council and the Australian Media and Communications Authority. More
colourfully, the professional media decry a ‘chilling effect upon freedom of speech’ that would be said
to arise from any addition of a right of privacy to existing restrictions upon media reporting such as
laws of defamation, contempt, closed courts, suppression orders and non-publication orders. And
finally, there is the de-regulation corner. Creation of any new cause of action might be said to run directly counter to the professed ‘anti red tape’ agenda of the Coalition Federal Government and the
responsible Minister, Attorney General The Hon. George Brandis QC.
It is worth pausing to note the limited coverage of Australian Federal privacy law. There is at present
no common law right of action in Australia for intrusion upon an individual’s seclusion or private affairs
or for misuse or disclosure of private information. The Federal Privacy Act and some State and
Territory Acts regulate the use by government agencies and many businesses of personal information
as embodied in particular records. This is really a sub-category of private information: personal
information collected into a material form, such as a record, for use by regulated businesses and
government. Telecommunications carriers and carriage service providers are subject to a special
framework of privacy laws and criminal offences in Part 13 of the Telecommunications Act 1997 and
the Telecommunications (Interception and Access) Act 1979, that do not apply to voice over internet
protocol (VoIP) services that provide similar service functionality to telecommunications customers.
Health records are specially regulated in some States under State Acts. There is inconsistent
coverage and reach of Federal, State and Territory laws addressing various aspects of surveillance,
tracking and recording technologies. Tracking device law makes it an offence in some states to track
movement of devices even where there is no identification of the owner of those devices or their
communications activities: this appears a simple overreach of regulation that potentially obstructs
many benign new uses of tracking for logistics, store traffic analysis and transport planning. In any
event, surveillance laws do not provide nationally coherent coverage or comprehensive rights of
individual seclusion. One of the few areas of clear and nationally consistent industry sector specific
regulation is as to media reporting: there is a general carve out in the Federal Privacy Act for
journalism by media organisations that self-regulate privacy compliance in their reporting, such as
through the Statement of Privacy Principles administered by the Australian Press Council and the
electronic broadcasting codes of practice overseen by the Australian Communications and Media
Authority. However, the extent of that exception has itself been controversial: hence the continuing
demands of privacy advocates for a broader right of seclusion and the countervailing media concerns
as to freedom of reporting.
Although private rights of action for privacy related acts or practices are currently limited, private rights
of action may arise through recourse to other causes of action, including where an entity has engaged
to proceedings under section 18 of the Australian Consumer Law (Schedule 2 to the Competition and
Consumer Act 2010) through private right of action or enforcement action by the Australian
Competition and Consumer Commission (ACCC). The United States Federal Trade Commission
(FTC) does not have any express jurisdiction to address privacy breaches, but the FTC has become
an active privacy regulator through prosecution of alleged violations of section 5 of the U.S. Federal
Trade Commission Act (15 USC 45), which bars unfair and deceptive acts and practices in or affecting
commerce. This power has been used in law enforcement to require companies to live up to promises
to consumers that they will safeguard their personal information and enabled the FTC to exact very
substantial fines where companies fail to do so.
Practical remedies for Australians adversely affected by privacy invasive practices of businesses may
also be available through the operation of binding APP codes and other binding sector-specific codes
with privacy provisions. These include codes regulating broadcasting and the print media, the banking
and financial services sectors and the provision of telecommunications services (including internet
access services) to Australian consumers.
Certain criminal laws also protect individuals from intrusions upon their right to
seclusion: in particular, laws on unauthorised access to computer systems, electronic stalking
and harassment, and unauthorised audio-visual capture of sexual activity also regulate and protect
privacy. Handling of telecommunications customer data is subject to sector specific regulation,
principally through the Telecommunications Act 1997, a federal Act. The Telecommunications Act 1997 is administered by the Federal Minister and Department of Communications and by the
Australian Communications and Media Authority (ACMA). The ACMA also administers Codes
registered under the Telecommunications Act 1997 that, once registered by the ACMA, become
binding upon the section of the telecommunications industry to which the code relates. The
Telecommunications Consumer Protection Code 2012 is an important legally binding instrument that
regulates the handling of customer data by Australian telecommunications carriers and carriage
service providers. The federal Telecommunications (Interception and Access) Act 1979, administered
by the Federal Attorney-General, regulates interception of telecommunications (including email) traffic
and access to stored communications held on email and other servers in Australia that are controlled
by Australian licensed telecommunications carriers.
There are other industry specific codes that include privacy protective provisions that have varying
levels of enforceability and sanctions. The most important are the broadcasting codes of practice
administered by the ACMA which may be contravened where a television or radio broadcaster
broadcasts material that is a serious invasion of an individual’s privacy. The Australian Press Council
administers a code of practice as to print media and its associated electronic outlets, which is
contravened where a Council member publishes material that is a serious invasion of an individual’s
privacy. Other industry sectors deal with customer privacy in sector specific voluntary codes, including
the Banking Industry Code of Practice and the Insurance Industry Code of Practice.
requires appropriate notification to internet users whenever personal information is collected through
the use of those cookies.
The Australian Guideline for Online Behavioural Advertising is a self-regulatory guideline for third party
online behavioural (interactive) advertising. The guideline regulates sharing of information between
signatories to the guideline and third parties that would enable third parties to serve behavioural
advertising to an internet user. In such a circumstance, user consent and provision of a ready means
for an individual to opt-out is required, regardless of whether personal information is disclosed by code
signatory to the third party and regardless of whether cookies or other tracking technologies are used.
The guideline prescribes the relevant requirements.
Further complexities in scope of coverage of Australian privacy laws arise through the longevity of
Australian privacy law when measured in internet time. Although the March 2014 amendments to the
Federal Privacy Act were extensive, these amendments were developed from an Australian Law
Reform Commission (ALRC) review into the Privacy Act that was completed in May 2008. That review
predated important technological and business developments including availability of tablet and mobile
apps, broad adoption of social networking services, extensive use of data hosting services, delivery of
software applications ‘as a service’ (often from overseas and sometimes transient and indeterminate
locations), extensive use of geo-location services and sensing devices, online behavioural advertising
and ‘big data’ based customer data analytics. Each of these developments challenges traditional
privacy concepts of territorial based regulation and reliance upon notice and consent through privacy
statements and collection notices. For example, in September 2013 the Privacy Commissioner
developed a guide for app developers to embed better privacy practices in their products and services
and to help developers operate in the Australian market in accordance with Australian privacy law.
However, mobile and tablet apps were not considered in the ALRC review and international delivery of
app based services creates fundamental difficulties in application of national privacy regulation such
as the Federal Privacy Act. Compounding the problem, the Privacy Act has sketchy geographical and
jurisdictional nexus provisions that are difficult to interpret and apply in relation to internet delivered
services provided across national borders. Frequently, jurisdictional questions cannot be clearly
answered and the laws of multiple jurisdictions must be applied.
So what do the changes to the Federal Privacy Act achieve?
1 Overview of the March 2014 changes
The Federal Privacy Act was amended by the Privacy Amendment (Enhancing Privacy Protection)
Act 2012. The amendments took effect on 12 March 2014.
Under the Australian federal system, the Privacy Act applies to the handling of personal information by
the Australian federal government and its agencies and the Australian Capital Territory (ACT)
government and its agencies. State and Territory privacy laws regulate State and Northern Territory
(public sector) agencies. The federal Privacy Act also governs the private sector, including
corporations and other organisations that conduct business, but (subject to important exceptions) only
operates in relation to business organisations where annual turnover of revenue of the corporate
group of which the business is a member is greater than AU$3 million. Organisations and agencies
are collectively referred to as 'APP entities'. The Privacy Act defines ‘organisation’ broadly to include
an individual, body corporate, partnership, trust or any unincorporated association. Many provisions of
the Privacy Act apply to all APP entities, but some apply only to agencies, and some only to
The Privacy Act does not apply to the collection, holding, use, disclosure or transfer of personal
information by an individual for the purposes of, or in connection with, the individual’s personal, family
or household affairs.
While the Privacy Act applies to many private and public sector organisations and agencies, certain
entities are excluded from the Act’s coverage. These include small business operators (as noted
above, operators of businesses with an annual turnover determined on a corporate group basis of less
than A$3 million), registered political parties, organisations that are individuals acting in a non-business capacity, organisations acting under a state contract, employer organisations acting in
respect of employee records and the Australian intelligence agencies.
The Privacy Act deals with employee records of public sector and private sector employees differently.
The handling of personal information by a private sector employer is exempt from the Privacy Act if it
is directly related to a current or former employment relationship or an employee record. The effect is
that a private sector employer does not need to comply with the APPs when it handles current and
past employee records, or grant a current or former employee access to the employee record about them.
However, the employee records exemption relates to private sector organisations only: Australian,
ACT and Norfolk Island government employee records are covered by the Privacy Act. The definition
of ‘employee records’ is also relatively narrow. Accordingly this exemption is of limited utility to most
An act or practice is not an interference with privacy if it consists of the collection or disclosure of
personal information by a body corporate from or to a ‘related body corporate’. Before an organisation
can rely on this exemption to disclose (non-sensitive) personal information to other related companies,
it must take reasonable steps to ensure that the individual knows that the organisation has collected
the information, the use that will be made of the information and the types of organisations to which
the information is usually disclosed. In addition, although related companies may share personal
information, the handling of that information is still subject to the APPs in all other respects. For
example, each company within the group of related companies must only use the information for the
primary purpose for which it was originally collected, and may only use the personal information for a
secondary purpose permitted for the collecting organisation.
This partial exemption for related bodies corporate also does not apply in a range of circumstances,
including (but not only) the collection or disclosure of ‘sensitive information’; the collection of personal
information from an entity that is exempt from the Privacy Act; where the company is a contractor under a Commonwealth contract; where the collection or disclosure of personal information from or to
the related company is contrary to a contractual provision; and where the collection of personal
information is for the purpose of meeting an obligation under the contract and the disclosure is for
direct marketing purposes.
The APPs are arranged in the order of the personal information lifecycle, from collection, to use, to
disclosure, to retention. They are not lengthy, but their interpretation can be complex. The
Commissioner’s Guidelines as to the interpretation and operation of the APPs run to over two
hundred pages. As already noted, some APPs draw distinctions between organisations and agencies,
while otherwise applying to all APP entities. Some APPs require different and higher standards in
relation to the sub-category of personal information that is sensitive personal information.
The March 2014 amendments generally added provisions to the Federal Privacy Act and
corresponding compliance obligations. However, two Parts of the Privacy Act were completely
Part IIIA of the Privacy Act, dealing with credit reporting, was replaced in full by new credit information
provisions. These included important changes to the current framework as to credit information
policies, the collection and recording of credit related information, and disclosure of credit related
information to overseas entities. Banks, retail businesses that issue credit cards, entities who carry on
businesses which substantially involve the provision of credit, suppliers of goods and services on
credit/payment terms, equipment lessors and hire purchase credit providers are ‘credit providers’ and
therefore must comply with the new framework. That framework is then expanded through a Credit
Reporting Privacy Code prepared and then revised by the Australian Retail Credit Association and
registered by the Australian Privacy Commissioner on 24 April 2014.
The National Privacy Principles (NPPs) (for private entities, but subject to the small business
exception) and Information Privacy Principles (IPPs) (for government entities) were replaced with a
single regime of privacy principles, the Australian Privacy Principles (APPs). The APPs generally apply
to Federal and ACT government agencies and organisations alike: however, individual APPs draw
distinctions in their scope of coverage of government agencies and private sector entities respectively.
(notification obligations), which place a higher onus on entities to institute practices, procedures and
policies in relation to the protection of privacy. Many entities continue to focus their compliance review
upon publication of policies of general application and service-specific disclosures through collection
notices. This focus can lead to insufficient emphasis being placed upon the development of processes
and procedures to ensure that these policies are implemented and notices complied with and that
implementation and compliance is effective, reliable and verifiable. Entities concentrating upon form
over implementation will find the developing focus of the Privacy Commissioner upon whether an
entity has taken all reasonable and practical steps to implement policies and notices, rather than just
write and publish, as a novel compliance challenge.
Among other implementation challenges, an entity must ensure:
• where user consent is required and alleged, that the entity can demonstrate through an audit trail
that user consent was in fact obtained, and
• that the entity has in place effective procedures to deal with inquiries and complaints about an
entity’s compliance with the APPs and any applicable registered APP code of practice (when such
codes are registered and apply to such organisations).
That is not to suggest that stated privacy policies and collection notices have become less important.
To the contrary, the Privacy Act has become more prescriptive in its requirements as to their form,
substance, accessibility and intelligibility. The Privacy Commissioner has emphasised in two recent
guides the importance of readily understandable disclosure as to privacy practices and match of
• specific kinds of personal information that the entity collects and holds and how it is collected
• purposes (both primary and secondary) for which the entity collects, holds, uses and discloses
• how an individual may access personal information about the individual that is held by the entity
and seek the correction of such information;
• how an individual may complain about a breach of the APPs or an applicable registered APP
• how the entity will deal with a complaint (entities will also need to ensure that internal
procedures are implemented consistently with this description, including by appropriate training
Other changes include:
• APP 2 (anonymity and pseudonyms), which provides that where practicable individuals must
not be required to disclose their identity and may use a pseudonym. Previously there was only
the requirement to provide an option of anonymity: the requirement to allow the use of
pseudonyms (where practicable) is new.
• APP 4 (unsolicited personal information), which provides that where an entity receives
unsolicited personal information that it could not have obtained through solicited means on
reasonable terms, the entity must destroy the information.
• APP 5 (notification of collecting personal information), which is much more prescriptive than the
former provision dealing with this subject matter, NPP 1. At or before the time information is
collected, or if that is not practicable, as soon as practicable after information is collected, the
collecting entity must ensure that it informs an affected individual of certain matters, including
that the information has been collected; the purpose of collection; the consequences for the
individual if the information is not collected; the procedure to complain about or amend
information and any third parties that the information may be disclosed to.
• APP 7 (direct marketing), which increases requirements for informed user consent in relation to
direct marketing and operates in parallel with the Spam Act 2003. Entities must provide a simple
means by which an individual can readily request not to receive direct marketing from the entity
and ensure that personal information about the individual is not provided to third parties for the
purpose of direct marketing.
• APP 8 introduces a new ‘accountability principle’ to the effect that where an Australian entity
intends to disclose (including disclosure through provision of electronic viewing access – a
physical data transfer is not required) personal information to an overseas entity, the Australian
entity must ‘take such steps as are reasonable in the circumstances to ensure’ that the overseas entity complies with the APPs in respect to the provided information. If the overseas
entity does not comply with the APPs in respect to the provided information, then the Australian
entity is ‘accountable’ and liable pursuant to section 16C as if it had not complied itself. This is
the case regardless of whether the Australian entity had in fact taken reasonable steps to
ensure that the overseas entity complied with the Privacy Act, or failed to take such steps.
Accordingly, entities considering providing personal information to overseas entities will need to
consider contractually binding such overseas entities to comply with the new privacy legislation
and the legal exposure of the Australian entity if the overseas entity fails to comply with that
contract and implement and observe those safeguards. There are a number of important
exceptions to this ‘accountability’ rule: these exceptions are discussed later in this article.
In February 2014 the Commissioner released the Australian Privacy Principles (APP) Guidelines. As
stated by the Commissioner, “The APP guidelines outline the mandatory requirements of the APPs,
how the OAIC will interpret the APPs, and matters we may take into account when exercising
functions and powers under the Privacy Act”. These Guidelines are therefore of significant interest as
an expression of the Commissioner’s interpretation of key provisions of the Privacy Act. The
Commissioner’s Guidelines and Guides are not given any legislative status. However, the Guidelines
and Guides may influence subsequent judicial interpretation of relevant provisions that are subject to
guidance. It is interesting to note in this regard that in some cases the explanation of the intended
operation of certain provisions of the amending Act that is given in the Explanatory Memorandum to
the amending Act and also referred to in the Guidelines does not appear to conform to a plain reading
of corresponding provisions of the amending Act. Issues of interpretation are therefore likely to arise.
Under the amended Privacy Act, industry groups or sectors may develop privacy codes of practice -
so-called 'APP codes' - for review and possible registration by the Office of the Australian Information
Commissioner. If accepted for registration (and then in like manner to ACMA registered industry codes
of practice) an APP Code becomes binding upon organisations within the industry sector specified in
the Code. In other words, a Code once registered binds not only initial or later signatories to the Code,
but also binds organisations within the industry sector to which the Office of the Australian Information
Commissioner designates the Code applies. To date, only a small number of such codes have been
approved, including in particular the Credit Reporting Privacy Code issued under the Privacy Act. It is
expected that other industry codes will be now developed and registered with the OAIC.
There are criminal penalties under the Privacy Act for unauthorised access to and disclosure of credit
reporting personal information. If, during an investigation, the Commissioner forms the opinion that
these offences (and certain others under other Acts) may have been committed, he or she must refer
the matter to the Australian federal police.
Criminal sanctions also apply to the unauthorised disclosure of personal information during an
emergency or disaster situation. The Australian Federal Police would investigate such offences.
The Commissioner has the power to investigate on his or her own motion, or in response to a complaint
(from an individual or a class), acts and practices of organisations that may breach the APPs. In
conducting investigations, the Commissioner must follow a prescribed process. The Commissioner
can require the production of documents and information, and may also require people to appear and
The Commissioner may make a non-binding determination following investigation of a complaint
where there has been a breach of the APPs. The Commissioner may determine that the conduct must
not be repeated; that the agency or organisation must take action to redress the loss or damage
caused; or that the complainant is entitled to a specified amount of compensation. The Commissioner may also dismiss the complaint or decide to take no further action. If it is necessary to enforce the
Commissioner’s determination, action must be taken in the Federal Courts.
From March 2014, the Commissioner also has a power to seek a Court injunction against a person
engaging in conduct that may contravene the Privacy Act, to obtain enforceable undertakings by a
person that has breached the Privacy Act, and to seek the making by a federal court of civil penalty
orders where there is either a serious or repeated interference with the privacy of an individual. A civil
penalty order may require a body corporate to pay up to $1.7 million. A civil penalty is a pecuniary
penalty imposed by a court according to civil (as opposed to criminal) processes. It is expected that
the new power to accept court enforceable undertakings from organisations will be used to gain
agreement from organisations that experience data breaches to implement privacy compliance
programmes and change existing information security and information handling practices. This power
to accept court enforceable undertakings is similar to that enjoyed, and frequently used, by the ACCC
under the Competition and Consumer Act 2010 and by the ACMA under the Spam Act 2003 and the
Do Not Call Register Act 2006.
The Commissioner’s new enforcement powers are summarised in the following diagram:
The parallel and concurrent operation of federal law, state and territory laws and industry codes of
practice sometimes leads to simultaneous and sometimes coordinated enforcement action by multiple
regulators, including in particular the OAIC and the ACMA. This has been the case on multiple
occasions in relation to misuse of telecommunications customer data. Overlap may also arise in
respect of other sectors. For example, a health personal information data breach in Victoria may be
handled by both the Victorian Health Services Commissioner and the Australian Privacy
The Privacy Act applies to all acts or practices within Australia in respect of personal information about
individuals wherever those individuals may reside.
Accordingly, personal information of persons outside Australia that is held on servers located within
Australia is regulated by the Act.
The Act extends to any use outside Australia or disclosure from Australia of personal information that
has been collected within Australia, although the extraterritorial application of the Act in this area is
subject to some uncertainty.
In general, corporations incorporated in Australia and Australian incorporated or constituted bodies are
deemed to have an Australian link. The Act applies to an act or practice wherever done outside
Australia by an agency (broadly, an Australian federal government entity). The Act also applies in
relation to an act or practice outside Australia of an organisation or small business operator wherever
that organisation or small business operator has a relevant 'Australian link'. However, a small business
operator is regulated in relation to an act or practice outside Australia only to the extent similarly
regulated in Australia.
Corporations and other bodies and agencies that do not fall into the above categories - broadly, any
foreign corporation or body - will be regulated where (1) the organisation carries on business in
Australia, and (2) the personal information was collected or held by the organisation in Australia, either
before or at the time of the act or practice.
The collection of personal information ‘in Australia’ includes the collection of personal information from
an individual who is physically within the borders of Australia, or an external territory, by an overseas
entity. The Explanatory Memorandum to the Privacy Amendment (Enhancing Privacy Protection) Bill
2012 states that a collection is taken to have occurred in Australia ‘where an individual is physically
located in Australia or an external Territory and personal information is collected from that individual
via a website and the website is hosted outside of Australia and owned by a foreign company that is
based outside of Australia and that is not incorporated in Australia’. The Explanatory Memorandum
goes on to state that for the operation of the Act, entities such as those described in the last sentence
who have an online presence (but no physical presence in Australia) and collect personal information
from people who are physically in Australia, carry on a ‘business in Australia or an external Territory’.
However, this interpretation is not supported by a plain reading of the Act and prior Australian
jurisprudence (as to other statutory provisions) concerning ‘carrying on business in Australia’.
Accordingly, the operation of the Privacy Act in this scenario (without other factors indicating business
presence in Australia) should be considered currently uncertain and potentially contentious.
An overseas act or practice (that is, one that takes place outside Australia and its external Territories)
will not breach the APPs or an approved APP Code, or interfere with an individual’s privacy, if
the act or practice is required by an applicable foreign law. However, a similar act or practice within
Australia pursuant to compulsion of an applicable foreign law is not excused from breach of the APPs
or an approved APP Code, or from being an interference with an individual’s privacy.
It is also important to note that APP 8, which deals with the cross-border disclosure of personal
information from Australia to outside Australia, is not limited in its application by the nationality of the
individual whose personal information is the subject of the transfer. In other words, APP 8 will apply to
a cross-border disclosure of personal information collected in Australia, irrespective of whether the
information relates to an Australian citizen or Australian resident.
2 Personal information
Generally, the Privacy Act covers all processing or use of personal information.
The Act makes no express distinction between entities that control or own personal information, and
those that provide services to owners (except in the case of contracted service providers to public-sector
agencies). All such entities are regulated as APP entities in respect of their handling of personal information.
The definition of ‘personal information’ from March 2014 extends to information or an opinion about an
individual who is reasonably identifiable, whether or not the information or opinion is recorded in a
material form (this includes information communicated verbally) and regardless of whether that
identification or re-identification is practicable from the information itself or in combination with or
reference to other information.
Personal information will therefore include information about an individual whether collected or made
available in a personal or business context, and regardless of whether that information is in the public
domain or the subject individual is specifically identified or has consented to that information entering the public domain.
Personal information remains such for as long as identification or re-identification of an individual is
‘practicable’, either from the information itself or by reference to that information in combination with or
by reference to other information. Privacy regulation operates up to the point at which personal
information is transformed such that any risk that the information might either of itself or in combination
with other information enable an individual to be identifiable becomes effectively impracticable. That
transformation might be through aggregation or anonymisation of the personal information. Many
organisations maintain multiple transaction databases, some of which may include personal
information and some of which may include transaction data that does not identify a particular
individual undertaking a transaction. These databases may be partitioned so that the non-identifying
transactional database is not matched against the databases containing personal information.
Partitioning of databases within organisations will be ineffective to allow non-identifying transactional
data to be used without complying with the rules that relate to use of personal information, wherever
there is any way in which an individual could be matched and tied to non-identifying transaction data,
because the individual remains ‘reasonably identifiable’. The Privacy Commissioner’s February 2014
APP Guidelines put it this way:
B.87 Whether a person is ‘reasonably identifiable’ is an objective test that has practical regard
to the context in which the issue arises. Even though it may be technically possible to identify
an individual from information, if doing so is so impractical that there is almost no likelihood of
it occurring, the information would not generally be regarded as ‘personal information’. An
individual may not be reasonably identifiable if the steps required to do so are excessively
time-consuming or costly in all the circumstances.
B.88 Where it is unclear whether an individual is ‘reasonably identifiable’, an APP entity
should err on the side of caution and treat the information as personal information.
This view reflects regulatory guidance in some jurisdictions to the effect that determination as to
whether information is ‘personal information’ is to be made having regard to all relevant circumstances
as to possible re-identification by any reasonably contemplated recipient, or as it is sometimes put, to
be made ‘in the round’, rather than having regard to whether the information was passed to the first
recipient in apparently de-identified form. In assessing the risk of re-identification, regulatory guidance
in some jurisdictions suggests that risk management strategies – or as it is sometimes put, technical, operational and contractual safeguards – are to be taken into account. The United Kingdom regulator
suggests a ‘motivated intruder’ test: this test considers whether a reasonably competent motivated
person with no specialist skills would be able to identify the data or information, having access to
resources such as the internet and all public documents and making reasonable enquiries to gain
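An added illustration, not from the article, of the partitioning point and the ‘motivated intruder’ reasoning above: a small Python check, run over constructed sample tables, of whether rows in a ‘non-identifying’ transaction partition can still be tied to an identified individual through columns the two partitions share, and how generalising those columns removes the link. The table names, columns and values are assumptions.

```python
"""Re-identification risk check across 'partitioned' databases.

Added example, not from the article. It models the point that a transaction
table stripped of names is still personal information if any practicable
path links a row back to an identified individual, and that generalising
(aggregating) the linking columns is what removes that path.
All table names, columns and values below are constructed assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from typing import Callable

Record = dict[str, object]

# Constructed identified-customer partition (holds names).
IDENTITY_DB: list[Record] = [
    {"customer_id": "C1001", "name": "A. Citizen", "postcode": "2000", "birth_year": 1980},
    {"customer_id": "C1002", "name": "B. Resident", "postcode": "2000", "birth_year": 1985},
    {"customer_id": "C1003", "name": "C. Visitor", "postcode": "3000", "birth_year": 1980},
    {"customer_id": "C1004", "name": "D. Person", "postcode": "3000", "birth_year": 1980},
]

# Constructed "non-identifying" transaction partition: no name or customer_id,
# but it keeps postcode and birth year for analytics.
TRANSACTION_DB: list[Record] = [
    {"txn_id": "T1", "postcode": "2000", "birth_year": 1980, "amount": 42.0},
    {"txn_id": "T2", "postcode": "2000", "birth_year": 1985, "amount": 9.5},
    {"txn_id": "T3", "postcode": "3000", "birth_year": 1980, "amount": 120.0},
    {"txn_id": "T4", "postcode": "9999", "birth_year": 1970, "amount": 3.0},
]


def shared_columns(identity_db: list[Record], txn_db: list[Record]) -> list[str]:
    """Columns present in both partitions: the candidate linkage keys."""
    if not identity_db or not txn_db:
        return []
    return sorted(set(identity_db[0]) & set(txn_db[0]))


def link_candidates(
    identity_db: list[Record],
    txn_db: list[Record],
    keys: list[str],
    transform: Callable[[Record], Record] | None = None,
) -> dict[str, set[str]]:
    """For each transaction, the customer_ids whose values match on `keys`.

    `transform` optionally generalises a record before matching (applied to
    both partitions), modelling aggregation or anonymisation.
    """
    generalise = transform or (lambda r: r)
    index: dict[tuple, set[str]] = defaultdict(set)
    for rec in identity_db:
        g = generalise(rec)
        index[tuple(g[k] for k in keys)].add(str(rec["customer_id"]))
    out: dict[str, set[str]] = {}
    for txn in txn_db:
        g = generalise(txn)
        out[str(txn["txn_id"])] = set(index.get(tuple(g[k] for k in keys), set()))
    return out


def reasonably_identifiable(
    identity_db: list[Record],
    txn_db: list[Record],
    keys: list[str],
    transform: Callable[[Record], Record] | None = None,
    max_candidates: int = 1,
) -> list[str]:
    """Transaction ids that resolve to between 1 and `max_candidates` individuals.

    With max_candidates=1 these rows are uniquely re-identifiable, so the
    'non-identifying' partition still holds personal information for them.
    """
    cands = link_candidates(identity_db, txn_db, keys, transform)
    return sorted(t for t, c in cands.items() if 1 <= len(c) <= max_candidates)


def coarsen(rec: Record) -> Record:
    """Example generalisation: birth year to decade, postcode to its first two digits."""
    out = dict(rec)
    out["birth_year"] = int(rec["birth_year"]) // 10 * 10
    out["postcode"] = str(rec["postcode"])[:2]
    return out


if __name__ == "__main__":
    keys = shared_columns(IDENTITY_DB, TRANSACTION_DB)
    print("shared linkage columns:", keys)
    print("uniquely re-identifiable, raw:",
          reasonably_identifiable(IDENTITY_DB, TRANSACTION_DB, keys))
    print("uniquely re-identifiable, coarsened:",
          reasonably_identifiable(IDENTITY_DB, TRANSACTION_DB, keys, transform=coarsen))
```

On the raw tables two of the four transactions resolve to a single named customer; after coarsening none does, which is the kind of transformation the article describes as taking the data outside the regulated scope.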
3 Regulation of collection, use and disclosure of personal information
The Privacy Act effectively requires that collection, use and disclosure of personal information are
justified on specific grounds.
kinds of personal information it collects, how an individual may complain about a breach of the APPs,
and whether the organisation is likely to disclose information to overseas recipients.
charge and in an appropriate form.
APP 1 also introduces a positive obligation for organisations to implement practices, procedures and
systems that will ensure compliance with the APPs and any registered APP codes. APP 1 requires
organisations to have ongoing practices and policies in place to ensure that they manage personal
information in an open and transparent way. ‘Transparent’ is not defined, but as used in the Australian
Consumer Law a contractual term is ‘transparent’ if it is expressed in reasonably plain language,
legible, presented clearly and readily available to the person affected by the term. The positive
obligation for organisations to implement practices, procedures and systems has been suggested to
require implementation of privacy assurance practices and procedures – so-called 'Privacy by Design'
principles - into business processes and products.
APP 3 outlines when and how an organisation may collect personal and sensitive information that it
solicits from an individual or another entity. An organisation must not collect personal information
(other than sensitive information) unless the information is reasonably necessary for one or more of
the organisation’s functions or activities.
APP 3 clarifies that, unless an exception applies, sensitive information must only be collected with an
individual’s consent if the collection is also reasonably necessary for one or more of the organisation’s
functions or activities.
An organisation must only collect personal information from the individual, unless it is unreasonable or
impracticable to do so.
APP 4 creates obligations in relation to the receipt of personal information which is not solicited.
Where an organisation receives unsolicited personal information, it must determine whether it would
have been permitted to collect the information under APP 3. If so, APPs 5 to 13 will apply to that
information. If the information could not have been collected under APP 3, the organisation must
destroy or de-identify that information as soon as practicable, but only if it is lawful and reasonable to
APP 5 specifies certain matters about which an organisation must generally make an individual aware,
at the time, or as soon as practicable after, the organisation collects their personal information. In addition to other matters listed in APPs 1.4 and 5.2, APP 5 requires organisations to notify
individuals about the access, correction and complaints processes in their APP privacy policies, and
also the location of any likely overseas recipients of individuals’ information.
APP 6 outlines the circumstances in which an organisation may use or disclose the personal
information that it holds about an individual. If an organisation collects personal information about an
individual for a particular purpose (the primary purpose), it must not use or disclose the information for
another purpose (the secondary purpose) unless the individual consents to the use or disclosure, or
another exception applies.
Additional protections apply to the collection, use and disclosure of a subcategory of personal
information called ‘sensitive information’, which the Privacy Act defines as information or an opinion
about an individual’s:
• racial or ethnic origin;
• political opinions;
• membership of a political association;
• religious beliefs or affiliations;
• philosophical beliefs;
• membership of a professional or trade association;
• membership of a trade union;
• sexual orientation or practices; or
• criminal record,
which is also personal information; and
• health information about an individual;
• genetic information about an individual that is not otherwise health information;
• biometric information that is to be used for the purpose of automated biometric verification or
biometric identification; or
• biometric templates.
An organisation must not collect an individual’s sensitive information unless an exception applies.
Sensitive information may be collected about an individual with consent and if the information is
reasonably necessary for one or more of the organisation's activities or functions. Further, an
organisation may collect sensitive information if required or authorised by or under an Australian law
or a court/tribunal order or in certain permitted health situations, such as where the entity reasonably
believes that the collection is necessary to lessen or prevent a serious threat to the life, health or
safety of any individual or to public health or safety.
The Privacy Act also contains special provisions that apply to personal information included in individuals’
credit information files or in credit reports, including information about an individual’s repayment history. These provisions also provide for consumer protection in relation to processes dealing with
notification, data quality, access and correction and complaints.
The Act also provides for the making of guidelines by the Commissioner concerning the collection,
storage, use and security of tax file number information. Compliance with the Tax File Number
Guidelines is mandatory for all tax file number recipients.
APP 6 (Use and disclosure) generally restricts the use and disclosure of personal information to the
primary purpose for its collection or related secondary purposes within the exceptions discussed
above. An individual may consent to other uses or disclosures.
Further restrictions on the disclosure of credit-related personal information are set out in the credit
reporting provisions of the Act. Such disclosure restrictions include the following:
• a credit reporting body must not disclose personal information contained in an individual’s credit
information file to a third party unless one of the specified exceptions applies (such as where
the information is contained in a credit report given to a credit provider for the purpose of
assessing an application for credit by the individual); and
• a credit provider must not disclose any personal information in a credit report to a third party for
any purpose (subject again to specified exceptions).
The Act also imposes specific restrictions on the transfer of personal information outside Australia, as
discussed below under ‘Cross-border disclosure and transfer of personal information’.
The Federal Privacy Act does not include any mandatory requirement to appoint a data protection
officer. However, it is becoming more common for major corporations to appoint a privacy
professional, generally working within a legal or regulatory compliance team.
There is no general requirement as to record keeping. However, the Privacy Act does require an
organisation to keep a written note of any use or disclosure of personal information where the
organisation reasonably believes that the use or disclosure of the information is reasonably necessary
for one or more enforcement related activities conducted by, or on behalf of, an enforcement body.
Written notes must also be made in relation to certain uses or disclosures of credit related personal
information, including the use and disclosure of such information for direct marketing pre-screening
Further, reasonable steps to protect information security in accordance with APP 11 (Security) may
require certain processes to be established, depending on the circumstances.
Some Australian states require owners of health-related personal information to keep records of when
this type of personal information is deleted or disposed of.
4 ‘Openness’ and Notification
APPs 1 and 5 impose 'openness' requirements in relation to collection of personal information.
An APP entity must take reasonable steps to notify an individual, or otherwise ensure that the
correction of personal information, and information about the organisation’s complaints process; and
whether it is likely to disclose an individual’s personal information to overseas recipients and, if it is practicable, to specify the countries in which those recipients are likely to be located. If it is not
practicable to specify the countries in the notification, the organisation may make the individual aware
of them in another way.
Notification obligations arise under the Privacy Act at the point of collection of personal information by
an organisation, whether collected directly from the individual or obtained from a third party. If the
organisation collects the personal information from someone other than the individual, or the individual
may not be aware that the organisation has collected the personal information, it must also take
reasonable steps to notify an individual, or otherwise ensure that the individual is aware:
• that the organisation collects or has collected the information, and
• of the circumstances of that collection (APP 5.2(b)).
Specifically, APP 1.4 requires APP entities collecting personal information to specify the following in their APP privacy policy:
• the kinds of personal information that the entity collects and holds;
• how the entity collects and holds personal information;
• the purposes for which the entity collects, holds, uses and discloses personal information;
• how an individual may access personal information about the individual that is held by the entity
and seek the correction of such information;
• how an individual may complain about a breach of the Australian Privacy Principles, or a
registered APP code (if any) that binds the entity, and how the entity will deal with such a complaint;
• whether the entity is likely to disclose personal information to overseas recipients
• if the entity is likely to disclose personal information to overseas recipients—the countries in
which such recipients are likely to be located if it is practicable to specify those countries in the
More specific notification requirements are stated in APP 5. At or before the time or, if that is not
practicable, as soon as practicable after, an APP entity collects personal information about an
individual, the entity must take such steps as are reasonable in the circumstances to notify the
individual of such matters referred to in subclause 5.2; or to otherwise ensure that the individual is
aware of any such matters. The matters referred to in subclause 5.2 are:
• the identity and contact details of the APP entity;
• if the APP entity collects the personal information from someone other than the individual; or the
individual may not be aware that the APP entity has collected the personal information, the fact
that the entity collects or has collected the information and the circumstances of that collection;
• if the collection of the personal information is required or specifically authorised by Australian
law or court order, details about that;
• the purposes for which the APP entity collects the personal information;
• the main consequences (if any) for the individual if all or some of the personal information is not
collected by the APP entity;
• any other person, or the types of persons, to which the APP entity usually discloses personal
information of the kind collected by the entity;
• that the entity's APP privacy policy contains information about how the individual may access the
personal information about the individual that is held by the entity and seek the correction of such
information;
• that the entity's APP privacy policy contains information about how the individual may complain
about a breach of the APPs, or a registered APP code (if any) that binds the entity, and how the
entity will deal with such a complaint;
• whether the APP entity is likely to disclose the personal information to overseas recipients;
• if the APP entity is likely to disclose the personal information to overseas recipients—the
countries in which such recipients are likely to be located if it is practicable to specify those
countries in the notification or to otherwise make the individual aware of them.
Use or disclosure of personal information for a purpose other than the primary purpose of collection
(being a 'secondary purpose') is permitted under specific exceptions where that secondary use or disclosure is:
• required or authorised by or under an Australian law or a court order;
• necessary to lessen or prevent a serious threat to any individual’s life, health or safety, or to
public health or safety, and it is unreasonable or impracticable to obtain the consent of the individual;
• necessary in order for an organisation to take appropriate action in relation to a reasonable
suspicion of unlawful activity, or misconduct of a serious nature, that relates to the entity’s
functions or activities. APP 6.2(e) also permits the use or disclosure of personal information for
a secondary purpose to an enforcement body for one or more enforcement related activities;
• in the conduct of surveillance activities, intelligence gathering activities or monitoring activities,
by a law enforcement agency;
• the conduct of protective (for example, in relation to children) or custodial activities;
• to assist any APP entity, body or person to locate a person who has been reported as missing
(where the entity reasonably believes that this use or disclosure is reasonably necessary, and
where that use or disclosure complies with rules made by the Commissioner);
• for the establishment, exercise or defence of a legal or equitable claim; and
• for the purposes of a confidential alternative dispute resolution process.
Generally notification is required wherever a use or disclosure of personal information is made, unless
a specific exception applies.
5 Control of use
There are a number of provisions in the Privacy Act which directly, or indirectly, enable individuals to
exercise a degree of choice or control over use of their personal information by organisations.
• APP 1 (Openness and transparency), which requires organisations to have ongoing practices
and policies in place to ensure that they manage personal information in an open and transparent way;
• APP 2 (Anonymity and pseudonymity), which requires that an organisation provide individuals
with the option of dealing with it using a pseudonym or anonymously. Both requirements are
subject to certain limited exceptions, including where it is impracticable for the organisation to
deal with an individual who has not identified themselves, or where the law or a court/tribunal
order requires or authorises the organisation to deal with individuals who have identified themselves;
• APP 3 (Collection of solicited personal information), which clarifies that, unless an exception
applies, sensitive information must only be collected with an individual’s consent and if the
collection is also reasonably necessary for one or more of the organisation’s functions or activities;
• APP 5 (Notification), which requires organisations to notify individuals about the access,
correction and complaints processes in their APP privacy policies, and also the location of any
likely overseas recipients of individuals’ information;
• APP 7 (Direct marketing), which requires the availability of opt-out mechanisms in relation to direct marketing;
• APP 12 (Access), which requires an organisation to give an individual access to the personal
information that it holds about that individual, unless an exception applies. There is a new
express requirement for organisations to respond to requests for access within a reasonable
period. In addition, organisations must give access in the manner requested by the individual if
it is reasonable to do so. If an organisation decides not to give an individual access, it must
generally provide written reasons for the refusal and information about the mechanisms
available to complain about the refusal;
• APP 13 (Correction), which requires an organisation to take reasonable steps to correct
personal information to ensure that, having regard to a purpose for which it is held, it is
accurate, up-to-date, complete, relevant and not misleading, if either the organisation is
satisfied that it needs to be corrected, or an individual requests that their personal information
be corrected. Organisations generally need to notify other APP entities that have been provided
with the personal information of any correction, if that notification is requested by the individual.
6 Data accuracy
APP 10 (Integrity) requires an organisation to take reasonable steps to ensure that the personal
information that it collects is accurate, up-to-date and complete. In relation to use and disclosure, the APP 10 requirement is that an organisation will need to take
reasonable steps to ensure that the personal information is relevant (in addition to being accurate, up-to-date and complete), having regard to the purpose of that use or disclosure.
APP 13 (Correction) requires an organisation to take reasonable steps to correct personal information
to ensure that, having regard to a purpose for which it is held, it is accurate, up-to-date, complete,
relevant and not misleading, if either the organisation is satisfied that it needs to be corrected, or an
individual requests that their personal information be corrected. Organisations generally need to notify
other APP entities that have been provided with the personal information of any correction, if that
notification is requested by the individual.
7 Amount and duration of data holding
There are no express restrictions as to the quantity of personal information an organisation may
collect or hold, but organisations are prohibited from collecting and holding personal information
unless the information is reasonably necessary for one or more of the organisation's functions or activities.
In addition, where the personal information is sensitive information, organisations are prohibited from
collecting and holding that sensitive information unless the individual consents and the information is
reasonably necessary for one or more of the organisation's functions or activities, or if an exception applies.
APP 11.2 requires an APP entity to take reasonable steps to destroy or de-identify personal
information if the organisation no longer needs it for any purpose for which it may be used or disclosed in
accordance with the APPs. There are two exceptions to this requirement: if the personal information is
contained in a Commonwealth record, or if the organisation is required by or under an Australian law
or a court order to retain the information.
8 Finality principle
European privacy lawyers sometimes refer to a ‘finality principle’, to the effect that use and disclosure
of personal information is limited by the purposes for which it was originally collected (subject to
various exceptions). The concept is that organisations cannot change their minds about the uses they
(or others) wish to make of personal information, after the event of collection.
The ‘finality principle’ is partially reflected in APP 6 (Use or disclosure). If an APP entity holds personal
information about an individual that was collected for a particular purpose (the primary purpose), the
entity must not use or disclose the information for another purpose (the secondary purpose) unless the
individual has consented to the use or disclosure of the information; or an exception in subclause 6.2
or 6.3 applies. Use or disclosure for a secondary purpose is therefore permitted where:
• the individual would reasonably expect the APP entity to use or disclose the information for the
secondary purpose and the secondary purpose is, if the information is sensitive information,
directly related to the primary purpose; or if the information is not sensitive information, related
to the primary purpose;
• the use or disclosure of the information is required or authorised by or under an Australian law
or a court order;
• the use or disclosure of the information is necessary to lessen or prevent a serious threat to any
individual’s life, health or safety, or to public health or safety, and it is unreasonable or
impracticable to obtain the consent of the individual;
• the use or disclosure of the information is necessary in order for an organisation to take
appropriate action in relation to a reasonable suspicion of unlawful activity, or misconduct of a
serious nature, that relates to the entity’s functions or activities; or
• the individual has consented to the use or disclosure.
An APP entity may also use or disclose personal information for the secondary purpose of direct
marketing subject to the prescriptive requirements of APP 7.
9 Data security and notification of data breaches
APP 11 (Security) requires organisations to take reasonable steps to protect personal information from
misuse, interference and loss and unauthorised access, modification or disclosure. When personal
information is no longer needed for an authorised purpose by an organisation, it must take reasonable
steps to destroy or permanently de-identify it.
Reasonable steps in relation to protection of personal information will vary with the circumstances.
Relevant circumstances include (by way of non-exhaustive examples) how sensitive the personal
information is, how it is stored (e.g. paper or electronically), the likely harm to the data subject if a
breach occurred and the size of the organisation. Similarly, destruction or de-identification processes
will vary. In any event, personal information should be destroyed securely and de-identified such that
the data subject’s identity is no longer reasonably ascertainable from the personal information.
In April 2013, the OAIC published a Guide to information security which discusses some of the
circumstances that the OAIC takes into account when assessing the reasonableness of the steps
taken by entities to ensure information is kept secure. This guide presents a set of non-exhaustive
steps and strategies that may be reasonable for an entity to take in order to secure personal
information. The OAIC has stated that the Commissioner will refer to this guide when assessing an
entity’s compliance with security obligations in the Privacy Act.
The Privacy Act does not presently impose obligations on agencies or organisations to notify either the
OAIC, or the individual concerned, of security breaches involving personal information.
However, the OAIC recommends notification in its guide Data Breach Notification: A guide to handling
personal information security breaches, April 2012. The recommendations in this guide are generally
followed by larger corporations in Australia.
The ALRC recommended the introduction of a mandatory data breach notification scheme in its 2008
report, For Your Information: Australian Privacy Law and Practice. In 2013, the then federal
government introduced the Privacy Amendment (Privacy Alerts) Bill 2013. This Bill had not been
passed by both Houses of the Federal Parliament when the Parliament was prorogued and
accordingly lapsed. If enacted, this Bill would have built upon the OAIC’s scheme of voluntary
notification of serious data breaches by entities, as set out in the OAIC’s guidelines. The Bill proposed
a high threshold based on a reasonable belief by the entity concerned that the data breach is
sufficiently serious to pose a real risk of serious harm to affected individuals. In the event of such a
breach, the provisions of the Bill, if enacted, would have required the entity to notify affected
individuals and the Information Commissioner as soon as practicable. The provisions of the Bill would
require that the data breach notice include:
• the identity and contact details of the entity;
• a description of the breach;
• the kinds of personal information concerned;
• recommendations about the steps that individuals should take in response to the breach; and
• any other information specified in any made regulations under the Bill (if enacted).
As at May 2014 it remained unclear whether the Federal Government would consider re-introduction of
data breach notification legislation.
10 Access and correction
If an APP entity holds personal information about an individual, the entity must, on request by the
individual, give the individual access to the information (APP 12 (Access)).
Exceptions apply, as outlined below.
The entity's APP privacy policy must also contain information about how an individual may access
personal information about the individual that is held by the entity and seek the correction of such
information (APP 1.4(d)).
An APP entity must respond to a request for access to the personal information if the entity is an
agency, within 30 days after the request is made; or if the entity is an organisation, within a reasonable
period after the request is made; and give access to the information in the manner requested by the
individual, if it is reasonable and practicable to do so.
Exceptions applicable to organisations include where:
• the entity reasonably believes that giving access would pose a serious threat to the life, health
or safety of any individual, or to public health or public safety;
• giving access would have an unreasonable impact on the privacy of other individuals;
• the request for access is frivolous or vexatious;
• the information relates to existing or anticipated legal proceedings between the entity and the
individual, and would not be accessible by the process of discovery in those proceedings;
• giving access would reveal the intentions of the entity in relation to negotiations with the
individual in such a way as to prejudice those negotiations;
• giving access would be unlawful;
• denying access is required or authorised by or under an Australian law or a court order;
• the entity has reason to suspect unlawful activity, or misconduct of a serious nature, that relates
to the entity’s functions or activities and giving access would be likely to prejudice the taking of
appropriate action in relation to the matter;
• giving access would be likely to prejudice one or more enforcement related activities conducted
by, or on behalf of, an enforcement body; and
• giving access would reveal evaluative information generated within the entity in connection with a
commercially sensitive decision-making process.
If the APP entity refuses to give access to the personal information or to give access in the manner
requested by the individual, the entity must give the individual a written notice that sets out:
• the reasons for the refusal except to the extent that, having regard to the grounds for the
refusal, it would be unreasonable to do so; and
• the mechanisms available to complain about the refusal; and
• any other matter prescribed by regulations made pursuant to the Act.
A sector specific access and correction framework applies in relation to credit related information.
If an APP entity holds personal information about an individual; and either the entity is satisfied that,
having regard to a purpose for which the information is held, the information is inaccurate, out of date,
incomplete, irrelevant or misleading; or the individual requests the entity to correct the information, the
entity must take such steps as are reasonable in the circumstances to correct that information to
ensure that, having regard to the purpose for which it is held, the information is accurate, up to date,
complete, relevant and not misleading (APP 13.1 (Correction)).
A breach of the APPs generally does not give rise to a cause of action exercisable at the suit of the
affected individual. However, in certain circumstances the Commissioner can exercise jurisdiction and
seek damages on behalf of an affected individual.
11 Cross-border disclosure and transfer of personal information
Transfer of personal information is not regulated as such: the relevant act or practice that is regulated
is use or disclosure of personal information. Accordingly, it is not relevant whether the custody and
control of the personal information is transferred to the provider of outsourced processing services: it
is sufficient if there is a disclosure, such as through the provider being provided with any form of
access to the personal information.
The transfer of personal information to entities providing outsourced processing services in Australia,
therefore, constitutes a disclosure of personal information for the purposes of the Privacy Act. The Act
makes no distinction between disclosure of personal information to outsourced processing services
and disclosure of personal information to any other third party. Each disclosure would need to be
undertaken subject to the requirements of APP 6 (Use and disclosure).
APP 6 generally prohibits the disclosure of personal information by organisations unless the disclosure
is consistent with the primary purpose for collection of the information, or a related secondary purpose.
However, there is an exception under the Act in relation to use or disclosures by related bodies
corporate: broadly, related bodies corporate are treated as a single entity for the purposes of privacy
APP 8 also imposes restrictions on the disclosure of personal information to recipients outside
Australia: these restrictions apply in addition to the disclosure restrictions under APP 6.
As is the case with disclosures to third parties within Australia, transfer of personal information
outside Australia is not regulated as such: for example, in relation to Australian regulated personal
information an organisation may transfer Australian regulated personal information from its branch in
Australia to another branch of itself outside Australia, or provide its overseas branch with electronic
access to its Australian based database. However, any transfer to, or provision of electronic access
(including read-only) to, Australian regulated personal information to a third party ‘overseas recipient’,
including a related body corporate of the discloser, is a disclosure of that personal information. If the
third party to whom the personal information is disclosed is outside Australia, APP 8 (Cross-border
disclosure) will operate.
APP 8 does not specifically address the common scenario of provision of custody and management of
encrypted Australian regulated personal information to a provider of outsourced hosting services. A
sensible view is that unless there is any reasonable possibility that the provider of outsourced hosting
services or persons that might reasonably be anticipated to have access to the personal information
might also have the capability to decrypt and thereby at least view personal information, there is no
‘disclosure’ of that personal information to any overseas recipient. On this view, capability needs to be
assessed ‘in the round’, having regard both to the technical capability of the provider of outsourced hosting
services (or of persons that might reasonably be anticipated to have access to the encrypted personal
information) and to the operational and contractual safeguards against decryption or other misuse, taken
together. A provider that holds, or can obtain, the decryption keys (for example because it encrypts the data
server-side with keys it manages) plainly has that capability, however strong the cipher; the assessment therefore
turns on who controls the keys, not merely on whether the data is encrypted. OAIC’s APP Guideline on APP 8
(Cross-border disclosure of personal information) at
paragraph 8.14 suggests that the OAIC will consider the provision of personal information to cloud
service providers located overseas for the limited purpose of storing and ensuring that the Australian
regulated entity may access that information a ‘use’ rather than a ‘disclosure’ by the Australian
regulated entity if:
• the contract with the provider requires the provider to only handle the information for these
limited purposes;
• the contract with the provider requires that any sub-contractors to the provider must agree to the
same obligations; and
• the contract gives the Australian entity effective control of how the personal information is
handled by the overseas entity. According to the OAIC, contractual indicators that APP entity
has retained effective control of the information include whether the entity has retained the right
or power to access, change or retrieve the personal information, who else will be able to access
the personal information and for what purposes, what types of security measures will be used
for the storage and management of the personal information and whether the personal
information can be retrieved or permanently deleted by the entity when no longer required at the
end of the contract.
In practice, determining whether the provision of information to service providers constitutes a
‘disclosure’ or ‘use’ will likely be a difficult exercise and will ultimately turn on the nature of the services
provided and the terms of the services agreement. APP entities are expected to take a cautious
approach to this issue until further clarity around the concept of ‘disclosure’ is provided by the OAIC or
APP 8 and section 16C of the Act also introduce an accountability approach to cross-border
disclosures of personal information.
Before an organisation discloses personal information to an overseas recipient, the organisation must
take reasonable steps to ensure that the overseas recipient does not breach the APPs (other than
APP 1) in relation to that information.
In some circumstances an act done, or a practice engaged in, by the overseas recipient that would
breach the APPs is taken to be a breach of the APPs by the organisation. Generally, this will apply where:
• APP 8.1 applies to the disclosure (APP 8.1 applies to all cross-border disclosures of personal
information, unless an exception in APP 8.2 applies); and
• the overseas recipient is not subject to the APPs, but the act or practice would be a breach of
the APPs if they were.
APP 8.2 lists a number of exceptions to APP 8.1. For example, APP 8.1 will not apply where:
• the organisation reasonably believes that the recipient is subject to a law or binding scheme that
has the effect of protecting the information in a way that is, overall, substantially similar to the
APPs; and there are mechanisms available to the individual to enforce that protection of the law
or binding scheme (APP 8.2(a));
• an individual consents to the cross-border disclosure, after the organisation expressly informs
them that APP 8.1 will no longer apply if they give their consent (APP 8.2(b)).
Each of these two exceptions is difficult to interpret and apply. Attempts to invoke the exceptions are
likely to be the subject of significant debate and regulatory scrutiny.
As to the former, the OAIC has not issued a list of countries whose laws, or binding privacy schemes,
that the OAIC considers have the effect of protecting the information in a way that is, overall,
substantially similar to the APPs and allow for appropriately effective and available enforcement
mechanisms. Law firms may be expected to be unwilling to ‘sign off’ based upon an ‘overall’
assessment of laws and remedies or as to a contractual scheme, noting the difficulties of such an
assessment and the exposure of the Australian entity to strict liability under section 16C in the event of
any subsequent determination by the OAIC (or court enforcing a determination of the OAIC) that the
foreign laws or a scheme did not in fact qualify for the exception in APP 8.2(a). However, the
OAIC’s Guidelines (at paragraph 8.21) do give some support to the use of binding corporate rules
(BCRs) by international organisations, at least where the BCRs reflect “the stringent, intra-corporate
As to notice and consent, the form, prominence (conspicuousness) and level of comprehensibility of
the ‘express informing’ are likely to be controversial. It is clear that the express notice needs to be
sufficiently clear, but to ensure fully informed consent must the notice spell out what the practical effect of
APP 8.1 not applying will be? The Commissioner’s Guidelines (at paragraphs 8.28 to 8.30) are not
prescriptive as to the form of notice, beyond stating that at the minimum the statement should explain that if
the individual consents to the exposure and the overseas recipient handles the personal information in
breach of the APPs, the (Australian regulated) entity will not be accountable under the Privacy Act and the
individual will not be able to seek redress under the Privacy Act. Many notices as recently revised do not
comply with these ‘minimum’ requirements. For example, consider a notice as follows (following a
description of permitted purposes):
“You consent to your personal information being disclosed to a destination outside Australia for these
purposes, including but not limited to the United States of America, and you acknowledge and agree that
Australian Privacy Principle 8.1 will not apply to such disclosures and that we will not be required to take
such steps as are reasonable in the circumstances to ensure such third parties outside of Australia comply
with the Australian Privacy Principles.”
The notice does not include the second limb required by the Commissioner: it does not state that the
individual will not be able to seek redress under the Privacy Act. Other questions remain. How prominent
does this notice need to be? If the consent is to have an ongoing operation, does the notice or consent need
to be reinforced, or otherwise the subject of reminders, at periodic intervals, and if so, how often? Is the
form of consent required for APP 8.2(b) different to the form of consent for other purposes, noting in this
regard the unusual juxtaposition in the drafting of APP 8.2(b) of ‘expressly informs’ and ‘after being so
informed, the individual consents’?
APP 8.2 also introduces a number of other circumstances in which APP 8.1 will not apply:
• where the cross border disclosure is required or authorised by or under an Australian law, or a
court/tribunal order (APP 8.2(c));
• where an organisation reasonably believes that the disclosure is necessary to lessen or prevent
a serious threat to the life, health or safety of any individual, or to public health or safety (APP
8.2(d), s16A item 1);
• where an organisation reasonably believes that the disclosure is necessary to take action in
relation to the suspicion of unlawful activity or misconduct of a serious nature that relates to the
organisation’s functions or activities (APP 8.2(d), s 16A item 2);
• where an organisation reasonably believes that the disclosure is necessary to assist any APP
entity, body or person to locate a person who has been reported as missing (APP 8.2(d), s 16A
item 3).
The transfer of personal information outside Australia does not require the transferor to notify, or seek
the authorisation of, a supervisory authority.
The restrictions of APP 8 apply equally to overseas transfers to service providers as to other overseas
recipients. The accountability requirements of APP 8 and section 16C of the Act apply in respect of the
first recipient and any subsequent recipient.
However, an act or practice engaged in outside Australia does not breach the APPs if that act or
practice is required by an applicable law of a foreign country.
Credit related provisions
Probably the most complex changes to the Privacy Act are the credit related provisions now
completely redrafted in Part IIIA (the CR Scheme).
The CR Scheme applies exclusively to the collection, use and disclosure of personal credit-related
information about individuals and regulates the handling of a particular type of personal credit-related
information, namely credit information. Credit information comprises, on the whole, information about
an individual’s consumer credit history. However, credit information may also include some information
about an individual’s commercial credit history. One example is court proceedings information about
an individual, which may relate to both commercial and consumer credit history.
The CR Scheme sets out the limited purposes for which a credit provider may use an individual’s
credit information. These permitted purposes include the assessment of an application for consumer
credit or commercial credit (the latter only with the individual’s express consent). As such, the
application of the CR Scheme is not necessarily dependant on whether an individual is applying for
consumer or commercial credit. Rather, the determining factor as to the Scheme’s application is
whether a credit provider is proposing to collect, use or disclose credit information about an individual.
The majority of the restrictions in the CR Scheme address collection, use and disclosure of credit
information in the course of a credit provider’s engagement with a credit reporting bureau, such as
Veda Advantage or Experian. (There are also other provisions that deal specifically with a credit
provider’s disclosure of information to other entities, such as debt collectors). Accordingly, if a credit
provider does not collect from a CRB, or disclose to a CRB, credit information about individuals, many
of the key provisions in the CR Scheme are not applicable.
The following categories of credit information are regulated under the Scheme.
• As noted above, the first and foundational category of information regulated by the CR Scheme
is called credit information. In basic terms, credit information is essentially the personal
credit-related information a credit provider collects from its dealings with an individual and discloses to
a CRB. Credit information is defined exhaustively in the CR Scheme to include limited kinds of
personal credit-related information, such as identification information, default information and
repayment history information.
• Credit information is repackaged and consolidated with other information held by a CRB to form
credit reporting information. Credit reporting information includes credit information and any
information derived by CRB from the credit information. CRBs disclose credit reporting
information about individuals to credit providers that request the information.
• In the hands of a credit provider, credit reporting information becomes credit eligibility
information, which comprises the credit reporting information that is obtained from a CRB and
any other information a credit provider derives from that information. The restrictions in the CR
Scheme that govern use and disclosure of credit eligibility information by a credit provider apply
only to information obtained from a CRB (and information derived therefrom) and not any other
information a credit provider may have collected directly from the individual.
The CR Scheme must be read in conjunction with the terms of the Credit Reporting Privacy Code (CR
Code). The CR Code is legally binding on credit providers and sets out further and more detailed
restrictions and obligations relating to (among other things) the collection, use and disclosure of
personal credit-related information.
For the purpose of determining whether an organisation is a credit provider under the CR Scheme in
relation to a particular transaction, it is irrelevant whether the organisation provides a customer with consumer
credit or commercial credit. This distinction only becomes relevant in relation to the purposes for which
the entity may use and disclose credit information. Section 6G of the Privacy Act describes a number
of scenarios in which an entity is deemed to be a credit provider. Of most general relevance, an
organisation is a credit provider if it carries on a business in the course of which it provides credit in
connection with the sale of goods, or the supply of services, by the supplier; and the credit is available
for at least 7 days.
12 Emerging trends and issues
Emerging trends in Australian privacy law will reflect global trends, concerns and issues as they arise.
Australia tends to closely follow major global trends, paying particular attention to regulatory
developments in the U.S.A., European Union and ASEAN region.
Current trends include:
• Applications for registration and registrations of APP codes. The amendments to the Act
effective from March 2014 give a prominent role to enforceable industry Codes. It is expected
that there will be significant industry sector activity in development of Codes.
• Possible introduction of mandatory data breach notification requirements.
• Increased focus upon privacy by design and information security by design principles and
practical implementation of privacy protective processes and systems by corporations.
• Review of published privacy policies for 'transparency': prominence, readability and structuring
appropriate to the likely readers and as to the description of primary and secondary purposes of
• Pressure for expansion of privacy protection in relation to surveillance and geo-tracking devices
and extension of the definition of personal information, or introduction of new restrictions as to
‘profiling’, to address concerns as to particular, perceived socially detrimental uses of big data.
• Enforcement activities by the Australian Communications and Media Authority
(www.acma.gov.au), a well-resourced regulator by comparison with the OAIC.
• Changes to privacy regulation of news gathering and news reporting by the print and electronic
media. It is likely that media Codes or other media regulation affecting privacy will change in the
• The ALRC’s final report (due June 2014) as to introduction of a statutory cause of action for
serious invasion of privacy.
• Continuing pressure for more extensive regulation of third party online behavioural advertising.
As at May 2014 there had not been an active ‘do not track’ debate in Australia.
• More active cross-border coordination and joint enforcement activity by the OAIC and
comparable regulators in other jurisdictions.
• Continuing consultation as to alignment of privacy regulation in the Asia Pacific region.
• Focus upon law enforcement exceptions to privacy laws following the Edward Snowden revelations as
to activities of the U.S. National Security Agency and national security collaboration between the ‘Five
Eyes’ countries, including Australia.
Given the volatility and unpredictability of emergence of issues in privacy regulation, it is likely that the
above list will change by addition of further issues.
11 May 2014
Partner, Gilbert + Tobin Lawyers
T +61 2 9263 4003
Copyright © 2014 Gilbert + Tobin Lawyers