What are the Australian Privacy Principles?
On 12 March 2014 significant amendments to the Australian Privacy Act 1988 (Privacy Act) became effective. What has emerged is one overarching set of 13 Australian Privacy Principles (APPs), which will apply to any businesses with an annual turnover of AUS$3 million (US$2.7 million) or more (unless an exemption applies) and to government agencies.
However, the Privacy Act and the APPs also extend to organisations that have an “Australian link”. This not only includes organisations that are incorporated in Australia, but also organisations that carry on business in Australia or in an external Territory.
Am I carrying on business in Australia?
Guidance from the Australian Information Commissioner states that an entity may “carry on business” in Australia despite the bulk of its business being carried out outside of Australia, provided that there is some activity in Australia that forms part of the entity’s business. The Australian Information Commissioner has provided some examples of situations where an entity with no physical presence in Australia could be considered to be carrying on business in Australia. These include where:
- the organisation collects personal data from individuals who are physically located in Australia;
- the organisation has a website which offers goods or services to countries including Australia (but this should be distinguished from simply having a website that can be accessed from Australia);
- Australia is one of the countries on a drop down menu appearing on the organisation’s website;
- the entity is the registered proprietor of trade marks in Australia.
What should I do if they do apply?
Most of the APPs are based to some extent on the previous privacy principles, but the new APPs also include some significant changes and greatly enhance the protection of personal information. Organisations will need to review their existing policies and practices to ensure that they are in line with these new principles.
What are the 13 APPs?
What follows below is a brief summary of the 13 APPs:
APP 1 – Open and Transparent management of personal information
Organisations must implement practices, procedures and systems to ensure that they will comply with the APPs and will be able to deal with enquiries and complaints. Organisations must have a clearly expressed and up-to-date privacy policy, including the information set out in the APP.
APP 2 – Anonymity and Pseudonymity
Individuals must have the option of not identifying themselves, or of using a pseudonym when dealing with an organisation, subject to certain exceptions.
APP 3 – Collection of Personal Information
Private organisations may only solicit and collect data that is reasonably necessary for one or more of its functions or activities, whilst government agencies may also solicit and collect data if it is directly related to one or more of its functions or activities.
Furthermore, if the information is sensitive personal information (namely information about racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, criminal record, health information, genetic information, or biometric information or templates) then consent must be obtained to such collection, unless an exemption applies.
Organisations must also collect personal information by lawful and fair means, and such personal information must be collected directly from the individual (unless an exception applies).
APP 4 – Dealing with unsolicited Personal Information
There are specific privacy principles relating to unsolicited information, i.e. information that the entity has taken no steps to collect. Following receipt, an entity must determine whether the unsolicited personal information could have been collected under APP 3 if the entity had solicited the information. If it determines that it could not have collected that information, it must destroy the information or ensure that it is de-identified (provided it is lawful and reasonable to do so).
APP 5 – Notification of the collection of Personal Information
An organisation must notify the individual from whom it collects information at or before the time of collection, or if that is not practicable, as soon as practicable afterwards. The matters that the individual must be informed of are set out in APP 5.2 and include the identity of the organisation, the purposes of the collection, disclosures of the information (including details of any overseas transfers) and the consequences if the information is not collected.
APP 6 – Use or disclosure of Personal Information
If an organisation holds information about an individual that was collected for a particular purpose, the organisation must not use or disclose the information for another purpose unless it obtains the individual’s consent, or an exemption applies. The exemptions include the case where the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose and the secondary purpose is directly related to the primary purpose (in the case of sensitive personal information) or simply related to the primary purpose (in the case of other personal information).
However, this APP does not apply to direct marketing, which is covered in APP 7.
APP 7 – Direct Marketing
Organisations must not use or disclose personal information for direct marketing, unless an exemption applies.
The APP continues by stating that an organisation may use the information for direct marketing if certain criteria are met, namely that it collected the information directly from the individual, the individual would reasonably expect the organisation to use or disclose the information for that purpose, and the organisation has provided a simple means by which the individual can opt out of receiving such direct marketing.
Where the organisation has not collected information directly from the individual or where the individual would not reasonably expect the organisation to use its data for direct marketing, an additional obligation is placed on the organisation to take steps to inform the individual that they can opt out of direct marketing communications.
APP 8 – Cross Border Disclosure of Personal Information
Before an organisation can disclose personal information about an individual to an overseas recipient, the organisation must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the APPs. Therefore, in some cases the organisation can be held responsible for the actions of the overseas recipient.
The APP will not apply if the organisation reasonably believes that the overseas recipient is subject to a law, or binding scheme, that protects the information in a way that is similar to the APPs and there are mechanisms by which the individual can enforce that protection.
Alternatively, the organisation can obtain the consent of the individual, but only after expressly informing the individual that, if they consent to the overseas transfer of their information, APP 8.1 above will no longer apply to the organisation in respect of that information.
APP 9 – Adoption, use or disclosure of government related identifiers
APP 9 relates to government related identifiers such as passport numbers, driver licence numbers, Medicare numbers or tax file numbers.
There are strict rules on the adoption of a government related identifier as an organisation’s own identifier of an individual. Furthermore, an organisation cannot use or disclose a government related identifier unless such use or disclosure is reasonably necessary for the organisation to verify the identity of the individual for the purposes of the organisation’s activities or functions, or another exemption applies.
APP 10 – Integrity of Personal Information
Organisations must take such steps as are reasonable in the circumstances to ensure that the personal information they collect is accurate, up to date and complete, and that the personal information they use or disclose is also relevant, having regard to the purpose of the use or disclosure.
APP 11 – Security of Personal Information
Organisations have an obligation to take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification and disclosure. Organisations must also take reasonable steps to destroy personal information, or to de-identify it, once it is no longer needed for any purpose for which it may be used or disclosed under the APPs (unless the information is contained in a Commonwealth record or must be retained by law).
APP 12 – Access to Personal Information
Organisations are required to grant individuals access to their information. However, there are a number of exemptions, such as where access would have an unreasonable impact on the privacy of other individuals, or where it would reveal the intentions of the entity in relation to negotiations with the individual. Interestingly, it also includes an exemption where the request is vexatious or frivolous. The guidance states that there must be clear and convincing grounds for deciding that a request is frivolous or vexatious and provides some helpful examples, such as where the request contains offensive or abusive language.
APP 13 – Correction of Personal Data
The final principle is that if the personal information that is being held by an organisation is inaccurate, out of date, incomplete, irrelevant or misleading, or if the individual requests that the organisation correct its data, the entity must take such steps as are reasonable in the circumstances to correct that information.
What if I fail to comply?
Organisations risk civil penalties of up to AUS$1.7 million (US$1.6 million) for serious or repeated interferences with privacy under the Privacy Act. Individuals can face penalties of up to AUS$340,000 (US$311,000).
Conclusions
Organisations that conduct activities in Australia will have to consider whether they are subject to the Australian Privacy Act. Although many of these principles may already be familiar, the APPs have made privacy compliance in Australia much more stringent. Businesses affected by the new provisions need to make sure that their existing practices and policies have been adequately reviewed and revised in order to comply with the enhanced protections now in force in Australia.