Legitimate processing of PII

Legitimate processing – grounds

Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner’s legal obligations or if the individual has provided consent?

There is no such requirement under Australian law: the holding of personal information does not need to be justified on a specific ground such as a legal obligation or the individual’s consent. However, APP 6 provides that an APP entity may only use or disclose personal information for the primary purpose for which it was collected, or for a secondary purpose that is related to the primary purpose and that the individual would reasonably expect (for sensitive information, the secondary purpose must be directly related). In practice, parties in Australia publish a privacy policy that sets out the various purposes for which personal information may be used, so that the information can be used for each of those purposes.

Legitimate processing – types of PII

Does the law impose more stringent rules for specific types of PII?

The Privacy Act distinguishes between personal information generally and sensitive information specifically. Sensitive information includes:

  • any information or opinion about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, or criminal record;
  • health or genetic information about an individual; and
  • biometric information that is to be used for automated biometric verification or biometric identification, and biometric templates.

The APPs contain higher standards for the collection and use of sensitive information. Sensitive information:

  • may only be collected with the consent of the relevant individual (the Information Commissioner expects that, for sensitive information, consent will ordinarily be express) and only where the collection is reasonably necessary for one or more of the entity’s functions or activities, except in specified circumstances;
  • must not be used or disclosed for any purpose other than the purpose for which it was collected, or a secondary purpose that is directly related to that purpose and within the reasonable expectations of the relevant individual; and
  • cannot be shared between related bodies corporate under the exception that allows members of the same corporate group to share other personal information.

Health information is also subject to additional requirements and restrictions under state, territory and Commonwealth legislation, as outlined above.

Data handling responsibilities of owners of PII

Does the law require owners of PII to notify individuals whose PII they hold? What must the notice contain and when must it be provided?

Yes. APP 5 requires APP entities to take such steps as are reasonable in the circumstances to notify the individual of various matters at or before the time their personal information is collected (or, if that is not practicable, as soon as practicable after collection). These matters include:

  • the identity and contact details of the APP entity;
  • where relevant, the fact that the collection of the personal information is required or authorised by or under an Australian law or a court/tribunal order;
  • the purposes for which the information is collected;
  • any other APP entity, body or person (or the types of entities, bodies or persons) to which the APP entity usually discloses personal information of that kind;
  • that the entity’s APP privacy policy contains information about how the individual may access and correct their personal information, or complain about a breach of the APPs (and how the entity will deal with such a complaint); and
  • whether the entity is likely to disclose the personal information to overseas recipients, and if so, the countries in which such recipients are likely to be located.

APP entities usually comply with this requirement by having a privacy policy on their website and providing individuals with a privacy collection statement that notifies the individual of the purpose of collection and other mandatory disclosures, and refers the individual to the APP entity’s privacy policy for more complete details.

Exemption from notification

When is notice not required?

The notification requirement in APP 5 is not an absolute requirement. It requires APP entities to take such steps as are reasonable in the circumstances to notify the individual (see question 13), which means that an APP entity does not have to notify the individual if it would be unreasonable or impracticable to do so. The Information Commissioner has indicated that it would be reasonable for an APP entity not to notify an individual where notification is impracticable (including where the time and cost of notifying outweigh the privacy benefit), where notification would jeopardise the purpose of collection, where notification may pose a serious threat to the life, health or safety of a person or to public health or safety, or where the APP entity collects the same kind of information from the individual on a recurring basis and has recently notified the individual of the relevant matters.

Control of use

Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?

Not specifically. As discussed in question 11, personal information must only be used for the purpose for which it was collected or for reasonably related purposes, but this does not give individuals a general right of choice or control over its use. Individuals do, however, have certain specific rights: they must be given access to their personal information on request and may request that it be corrected where it is inaccurate, out of date, incomplete, irrelevant or misleading (in each case subject to some exceptions), and an organisation that uses or discloses personal information for direct marketing must provide a simple means for the individual to opt out and must honour such a request.

Data accuracy

Does the law impose standards in relation to the quality, currency and accuracy of PII?

Yes. An APP entity must take such steps (if any) as are reasonable in the circumstances to ensure that the personal information that the entity collects, holds, uses or discloses is accurate, up to date, complete and, having regard to the purpose of the use or disclosure, relevant. The reasonable steps that an APP entity should take will depend on the sensitivity of the information, the nature of the APP entity (ie, its size, resources and business model), the possible adverse consequences for the relevant individual if the quality of the information is not ensured and the practicability and cost of taking such steps.

Amount and duration of data holding

Does the law restrict the amount of PII that may be held or the length of time it may be held?

There is no specific limit on the amount of personal information that may be collected, or on the period for which it may be held, but two general principles have a similar limiting effect.

Personal information must only be collected where it is reasonably necessary for one or more of the APP entity’s functions or activities. Also, APP entities must take reasonable steps to destroy or permanently de-identify personal information once it is no longer needed for any purpose for which it may be used or disclosed under the APPs (unless it is contained in a Commonwealth record or the entity is required by law or a court/tribunal order to retain it).

Finality principle

Are the purposes for which PII can be used by owners restricted? Has the ‘finality principle’ been adopted?

Yes. An APP entity can only use or disclose personal information for the purpose for which it was collected or for a related purpose that the individual would reasonably expect (or a directly related purpose in the case of sensitive information). These purposes are usually determined by reference to the purposes disclosed in the APP entity’s privacy policy and collection statements.

Use for new purposes

If the finality principle has been adopted, how far does the law allow for PII to be used for new purposes? Are there exceptions or exclusions from the finality principle?

As discussed above, generally speaking personal information may only be used for the purposes disclosed in the APP entity’s privacy policy or for related purposes. There are also general exceptions that allow further uses and disclosures, including where the individual has given their consent; where the use or disclosure is required or authorised by or under an Australian law or a court/tribunal order; where it is reasonably necessary for an enforcement related activity conducted by an enforcement body; where it is necessary to lessen or prevent a serious threat to the life, health or safety of a person, or for research or statistical analysis relevant to public health or public safety; or where personal information (other than sensitive information) is disclosed to a related body corporate within the same corporate group.

These exceptions do not apply to the use or disclosure of personal information for the purpose of direct marketing, which is governed by APP 7, or to the adoption, use or disclosure of government-related identifiers (such as tax file numbers, Medicare numbers or driver licence numbers), which is governed by APP 9.