The Privacy Act 1988 (Cth) (Privacy Act) regulates the collection, use, storage and disclosure of personal information relating to individuals. The Privacy Act currently applies to all Commonwealth government agencies and eligible businesses that either have an annual turnover of:
More than $3 million
Less than $3 million but which:
Operate as a health service provider
Trade in personal information (e.g. buying and selling a mailing list)
Are related to a business that has an annual turnover or more than $3 million
Are a contractor that provides services under a Commonwealth contract
Are a reporting entity for the purposes of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth)
Are an operator of a residential tenancy database.
Historically, the obligations of government bodies and eligible businesses in relation to personal information have been outlined through separate sets of principles, being the National Privacy Principles (NPPs) (which apply to businesses) and Information Privacy Principles (IPPs) (which apply to government agencies).
There are also credit reporting provisions that apply to the handling of credit reports and other credit worthiness information.
Reform to the Privacy Act
In November 2012, the Commonwealth Parliament passed the Privacy Amendment (Enhancing Privacy Protection) Act 2012 to amend the Privacy Act so as to align the privacy principles and credit reporting provisions to more accurately reflect the ‘life cycle’ of personal information.
Key to the reforms is the creation of a single set of privacy principles, known as the Australian Privacy Principles (APPs) that will apply to both government and eligible businesses. The APPs are largely based on the existing NPPs and IPPs and include some key changes which reflect the influence of modern technology on personal information and associated privacy issues.
In addition to the creation of the APPs, the amendments give the Office of the Australian Information Commissioner greater powers, including powers to resolve privacy complaints, conduct investigations, issue enforceable undertakings and the ability to apply to a court for an order that an individual or organisation has breached a civil penalty provision, with a possible maximum penalty of $340,000 in the case of an individual, or $1.7 million in the case of a body corporate.
The Australian Privacy Principles
In part one of this two part publication we provide a brief outline of the APPs and pose some questions to consider to ensure that you are in a position to comply with the APP regime.
The Office of the Australian Information Commissioner has summarised the APPs as follows:
APP 1 – Open and Transparent Management of Personal Information
APP 2 – Anonymity and Pseudonymity
APP 2 sets out a new requirement that an organisation provide individuals with the option of dealing with it using an assumed name (pseudonym). This obligation is in addition to the existing requirement that organisations provide individuals with the option of dealing with them anonymously.
Both requirements are subject to certain limited exceptions, such as where it is impracticable for the organisation to deal with an unidentified individual, or where the law requires or authorises the organisation to deal with individuals who have identified themselves.
APP 3 – Collection of Solicited Personal Information
APP 3 outlines when and how an organisation may collect personal and sensitive information that it solicits from an individual or another entity.
An organisation must not collect personal information (other than sensitive information) unless the information is reasonably necessary for one or more of the organisation’s functions or activities.
APP 3 clarifies that, unless an exception applies, sensitive information must only be collected with an individual’s consent if the collection is also reasonably necessary for one or more of the organisation’s functions or activities.
APP 4 – Dealing With Unsolicited Personal Information
APP 4 creates new obligations in relation to the receipt of personal information which is not solicited.
Where an organisation receives unsolicited personal information, and it would have been permitted to collect the information under APP 3, APPs 5 to 13 will apply to that information. If the information could not have been collected under APP 3, and the information is not contained in a Commonwealth record, the organisation must destroy or de-identify that information as soon as practicable.
APP 5 – Notification of the Collection of Personal Information
APP 5 specifies certain matters about which an organisation must generally make an individual aware, at the time, or as soon as practicable after, the organisation collects their personal information.
APP 6 – Use and Disclosure of Personal Information
APP 6 outlines the circumstances in which an organisation may use or disclose the personal information that it holds about an individual and introduces a limited number of new exceptions to the general requirement that an organisation only uses or discloses personal information for the purpose for which the information was collected.
APP 7 – Direct Marketing
The use and disclosure of personal information for direct marketing is now addressed in a discrete privacy principle (rather than as an exception in NPP 2).
Generally, organisations may only use or disclose personal information for direct marketing purposes where the individual has either consented to their personal information being used for direct marketing, or has a reasonable expectation that their personal information will be used for this purpose.
APP 8 – Cross-Border Disclosures
APP 8 and a new section 16C introduce an accountability approach to organisations’ cross-border disclosures of personal information.
Before an organisation discloses personal information to an overseas recipient, the organisation must take reasonable steps to ensure that the overseas recipient does not breach the APPs (other than APP 1) in relation to that information. In some circumstances an act done, or a practice engaged in, by the overseas recipient that would breach the APPs, is taken to be a breach of the APPs by the organisation. There are a number of exceptions to these requirements.
APP 9 – Adoption, Use or Disclosure of Government Related Identifiers
APP 9 prohibits an organisation from adopting, using or disclosing a government related identifier unless an exception applies.
In the next edition of Commercial Directions we outline the remaining APPs (10 to 13) and provide some guidance for Commonwealth government agencies and eligible businesses in relation to ensuring that your organisation is in a position to comply with the APPs.
Authored by Scott Moloney, Special Counsel, Canberra.