The Australian Privacy Laws

What are they and what are my obligations?
Sarah Morrison
April 27, 2023

History of the Privacy Act and Australian Privacy Laws

Australian Parliament passed the Privacy Act 1988, with the Act commencing in 1989. The Act focused on Australia’s external obligations to privacy and civil and political rights and on how Australian government agencies should handle personal information, setting out 11 Information Privacy Principles. It should be noted that privacy, human rights and equal opportunity all fell under the one umbrella. In 2000, however, the Office of the Privacy Commissioner was established, separating privacy from human rights and equal opportunity. The same year, the Privacy Amendment (Private Sector) Act 2000 was drafted, extending the Privacy Act to some private sector organisations and introducing 10 National Privacy Principles. The principles set the standard for how private organisations should collect, use and disclose personal information, hold it securely, and give access to and correct it.

In 2014, the Privacy Act underwent new reforms, including the introduction of the Australian Privacy Principles, or APPs, to regulate the handling of personal information, replacing the Information Privacy Principles and the National Privacy Principles. Since then, Australia has seen two more major changes to the Privacy Act. The first occurred in 2018, with the Privacy Amendment (Notifiable Data Breaches) Act 2017, which introduced mandatory reporting obligations for organisations and agencies with existing obligations under the Privacy Act. The scheme requires an organisation or agency to report any eligible data breach it suffers to the Office of the Australian Information Commissioner (OAIC) (T&Cs apply of course) 😉

The second major change, the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, was passed late last year and took effect in early 2023. For a full write-up on the Act, see our Australia’s Privacy Legislation Amendment article. In short, the Act introduced new accountabilities for agencies and organisations with existing obligations and increased fines for serious or repeated interferences with privacy.

During this timeline, changes around Australian privacy laws were also happening at State and Territory levels and with regard to other aspects of privacy, such as credit reporting. However, this article’s focus is on national privacy legislation and the APPs.

The APPs

Today, the APPs apply to any organisation or agency with existing obligations under the Privacy Act and are described by the OAIC as the cornerstone of the privacy protection framework. The principles, of which there are 13, are not complicated and describe a common-sense approach to handling personal information. Below is a high-level summary of the 13 principles. I have also added a cheat sheet table for you as a quick reference guide. For full details on the APPs, you should visit the Australian Privacy Principles page of the OAIC.

APP 1 – Open and transparent management of personal information

You need to be open and honest with your customers about what you are doing with their information. If you are planning to on-sell it, then this needs to be clearly stated in your privacy policy. Backhand shenanigans are not accepted. You cannot promise your customers one thing, and then do something else.

APP 2 – Anonymity and pseudonymity

There are some exceptions to this principle, but it basically allows individuals to choose whether or not they identify themselves to an entity, or to use a pseudonym. I have never seen this principle in play – everyone always requires so much information and, with so many things online today, there is hardly an opportunity to argue with someone to say you want to be anonymous. It does, however, imply that you have every right to use a fake name or date of birth when signing up to an app or other service. The catch, of course, is that you must be honest where identification is required or authorised by law, a court or a tribunal.

APP 3 – Collection of solicited personal information

The third principle outlines when an agency or organisation can solicit personal information. In a nutshell, personal information can be solicited:

“where it is reasonably necessary for, or directly related to, the agency’s [or organisations] functions or activities”

Colour me a pessimist, but I swear I get asked for personal information above and beyond the need for an organisation’s requirement to function or undertake activities!

The third principle also applies specific, stricter rules to information that is deemed sensitive.

APP 4 – Dealing with unsolicited personal information

Like many organisations, I am sure you have dealt with your share of over-sharing. Someone sends you everything all at once to save time, or accidentally sends you a file that was meant to go to another Frank and not you. Or, for any number of other reasons, you have received information that you did not solicit and did not want. Principle four outlines how an agency or organisation should deal with situations like this.

If the information is not contained in a Commonwealth record, then it must be destroyed or de-identified immediately. This one is a little tricky in my books and not as straightforward as the guidelines lead you to believe, primarily because many organisations run their backups on autopilot. If an organisation receives unsolicited personal or sensitive information and deletes it straight away, how far does it have to go to ensure that no trace of that data remains? The guidelines state that an organisation may destroy the data on a timeline that is practicable for the organisation, taking technical and resource considerations into account. However, the guidelines also state that any delay must be justified to the OAIC.

APP 5 – Notification of collection of personal information

The fifth principle talks about reasonable steps and notification of collection. Basically, you need to be upfront about who you are and why you are collecting the information, either before or at the time you collect personal information, or as soon as practicable afterwards. Sometimes this is self-explanatory. You order something online, so the seller is going to collect your credit card details for payment and an address to deliver the package. But other times it is not so transparent. For example, the organisation you ordered your cool new drink bottle from also plans to save your credit card details for future orders. It is in these circumstances that an entity needs to be transparent. The entity also has a responsibility to disclose:

  • the APP entity’s identity and contact details.
  • the fact and circumstances of the collection.
  • whether the collection is required or authorised by law.
  • the purposes of the collection.
  • the consequences if personal information is not collected.
  • the entity’s usual disclosures of personal information of the kind collected by the entity.
  • information about the entity’s APP Privacy Policy.
  • whether the entity is likely to disclose personal information to overseas recipients, and if practicable, the countries where they are located.

APP 6 – Use or disclosure of personal information

This principle is straightforward. You may use personal information for the primary purpose for which it was collected. If there is a secondary purpose, the individual must consent to it. Outside of consent, the data may only be used for a secondary purpose if an exception applies. Exceptions include the usual suspects: use required or authorised by law, a serious threat to life or health, and so on.

The primary topics of principle six are hold, use, disclose and purpose. This is where the importance of a privacy policy comes into play for many organisations, as it should outline why you are collecting the data, what the primary purpose of the collection is, and whether you are planning to use the data for any other purpose.

APP 7 – Direct marketing

An organisation or agency must disclose whether it intends to use personal information for direct marketing and must also allow an individual to opt out of any direct marketing if their information is used in that way. Direct marketing refers to communicating “directly with an individual to promote goods and services”. Again, an organisation may set out the terms in its privacy policy or inform the individual via other means. A common example is online shops that ask whether you want to receive marketing communications in the future. You also have a right to ask an organisation or agency where it obtained your information if it is using that information for direct marketing purposes.

APP 8 – Cross border disclosure of information

The way that I interpret this principle is that cross-border disclosure is generally frowned upon, and if you do share personal information with an overseas recipient, you must ensure the overseas recipient follows the APPs, but also understand that you remain responsible for that data, not the overseas entity.

“If the overseas entity loses the data or discloses it for unlawful purposes, you will be held responsible.”

It is also important that when disclosing the data to overseas entities you are doing so in accordance with the APPs. For example, the disclosure is for the primary purpose for which the data was collected, or the individual to whom the data pertains has given you permission to share the data overseas.

APP 9 – Adoption, use or disclosure of government related identifiers

Basically, you cannot adopt the same identifiers that government agencies use, or disclose these identifiers without permission, whether the agency in question is a Commonwealth, State or Territory agency, an agent of an agency, or a contracted service provider under a Commonwealth or State contract. An identifier explicitly excludes:

  • an individual’s name
  • an individual’s Australian Business Number (ABN)
  • anything else prescribed by the regulations made under the Privacy Act.

“A government related identifier is a number, letter or symbol, or a combination of any or all of those things, that has been assigned by certain government entities and is used to identify the individual or to verify the identity of the individual.”

The identifier stands in for the person, so linking a name to an identifier defeats the purpose of the identifier!

APP 10 – Quality of personal information

The tenth principle states that you must make sure that any data you do collect is accurate and up to date. For example, if you are sending out emails to your clients and you notice that an address ends in @google.com.au, and you know there is no such thing as google.com.au, only google.com, you have an obligation to correct this data, or at least to determine why it reads google.com.au and not google.com.

APP 11 – Security of personal information

As a security professional, I like to believe that security is embedded in all aspects of the APPs, but the reality is that it comes down to principle 11. Under principle 11, an APP entity must take reasonable steps to protect the personal information it:

“holds from misuse, interference and loss, and from unauthorised access, modification or disclosure”

This concept of reasonable steps is also reflected in directors’ obligations and was found in RI Advice v ASIC to mean what is reasonable for a cybersecurity professional. It will be interesting to see if it is ever tested, and whether the same definition of reasonable is held under the Privacy Act and the APPs.

APP 12 – Access to personal information

In a nutshell, unless exceptions apply, an individual may ask an entity what personal information it holds about them. It should be noted that the Privacy Act runs alongside, and does not replace, the Freedom of Information Act 1982 (FOI Act), which provides a right of access to information held by agencies.

APP 13 – Correction of personal information

The final principle states that if you hold personal information, then you have an obligation to ensure this information is accurate, up to date, complete, relevant and not misleading. This principle applies when the APP entity believes the information to be inaccurate, out of date, incomplete, irrelevant or misleading, or when an individual requests that the information be corrected.

Quick Reference Guide – The Australian Privacy Principles

| Principle | Heading | Quick Reference |
|---|---|---|
| 1 | Open and transparent management of personal information | You must take reasonable steps to comply with the APPs in a transparent manner. |
| 2 | Anonymity and pseudonymity | Individuals must be given the option of not identifying themselves or of using a pseudonym. |
| 3 | Collection of solicited personal information | You must be explicit when requesting and collecting personal information. |
| 4 | Dealing with unsolicited personal information | You must destroy unsolicited PII unless there is justification for keeping it. |
| 5 | Notification of the collection of personal information | You must ensure that individuals are aware that you are collecting information on them. |
| 6 | Use or disclosure of personal information | Personal information can only be used for the purpose for which it was collected. Any secondary purposes must be made clear. |
| 7 | Direct marketing | Personal information can only be used for direct marketing if permission is granted. |
| 8 | Cross-border disclosure of personal information | You are responsible for any personal data you disclose to overseas entities, and you are also responsible for ensuring those entities follow the APPs. |
| 9 | Adoption, use or disclosure of government related identifiers | You may not adopt or disclose government related identifiers. |
| 10 | Quality of personal information | You must take reasonable steps to ensure personal information is accurate, up to date and complete. |
| 11 | Security of personal information | You must take reasonable steps to ensure that personal information is protected from misuse, interference, loss, modification, disclosure or unauthorised access. |
| 12 | Access to personal information | Individuals may access the personal information you hold on them unless exceptions apply. |
| 13 | Correction of personal information | You must take reasonable steps to correct personal information to ensure that it is accurate, relevant and not misleading (in relation to the purpose of its collection). |

How the APPs differ from General Data Protection Regulation (GDPR)

In May 2018, the GDPR, Europe’s equivalent to the Privacy Act and the APPs, was introduced. The GDPR is considered the ‘toughest privacy and security law in the world’. When it first came into existence, it ruffled some feathers, as the reach of the legislation seemed to be global. To explain, the GDPR claims to apply around the world to any organisation that targets or collects data related to individuals in Europe, regardless of where that organisation is based. For example, if you are an Australian superfund, you may have obligations under the GDPR towards any of your customers who have moved to Europe or who hold European citizenship.

The good news is that there are not a lot of differences between the APPs and the GDPR, and Australia’s notifiable data breach scheme covers most of the reporting requirements under the GDPR (although I have not heard of a case that has tested this theory!).

Other similarities and differences include the terminology used by the two pieces of legislation. Australia uses the term personal information, while the GDPR uses the term personal data. The GDPR also specifically states that it applies only to living persons, while the APPs do not comment on this.

Two areas where the GDPR and the APPs differ are small businesses and employee data. While Australia exempts businesses with an annual turnover of less than $3 million and exempts employee records, the GDPR does not exempt these data sets.

There are other differences of course, such as the role of the data controller under the GDPR, and especially with regard to software development. But I will leave this discussion for another day. Today’s focus is primarily on the APPs, and I think we have covered them, or at least given you a starting point to begin your own research.

To summarise current Australian privacy laws: as an entity that collects personal information, you have an obligation towards that information. You cannot use it for any reason you see fit, you cannot give away or sell that data, and you cannot leave that data exposed to security risks. You can use the data for secondary purposes, but you need to be clear about what these purposes are. This is where a privacy policy can be a very powerful tool. Your privacy policy should clearly state what data you are collecting, what that data will be used for, how that data is being kept secure, whether the data will be used for a secondary purpose and, if so, what that purpose is, and who an individual can contact if they believe that data is out of date or incorrect.

On the flip side, you also need to make sure that you are correctly identifying individuals who want access to data they claim is theirs, but that again is another blog article altogether!

If you have any questions about Australian privacy laws or privacy in general, as always, please DM me or David, or post a comment below, as we are always here to help.


Sarah Morrison

Sarah is the Co-CEO of Morrisec. With over 20 years in cybersecurity and a PhD in Russian information operations, Sarah has a deep understanding of threat actors and their tactics and motivations, making her highly equipped to assist organisations in their defence against them.

2 Comments

  1. meager

    Having read this I thought it was very enlightening.

    I appreciate you spending some time and energy to put this informative article together. I once again find myself personally spending a significant amount of time both reading and posting comments. But so what, it was still worth it!

    • David Morrison

      Thanks a lot. I’m glad you are finding the articles valuable!