A Guide to The Australian Privacy Principles
The Australian Privacy Principles (APPs) are 13 legally binding principles in Schedule 1 of the Privacy Act 1988 (Cth) that regulate how Australian Government agencies and private sector organisations handle personal information. They apply to "APP entities": Australian Government agencies and those organisations covered by the Act, which in general means businesses and not-for-profits with an annual turnover of more than $3 million, plus certain smaller entities such as private health service providers and businesses that trade in personal information. An APP entity is bound by the principles whenever it collects, uses, stores or discloses personal information.
The APPs came into effect on 12 March 2014, replacing the National Privacy Principles (which applied to the private sector) and the Information Privacy Principles (which applied to Commonwealth agencies). They are principles-based rather than prescriptive: each sets an outcome, and the entity is expected to decide how to achieve it and to be able to show that it has. The objective is to ensure that individuals' personal information is handled in an open, transparent and accountable manner.
In this article, we will delve deeper into the 13 APPs and explain their significance.
1. Open and transparent management of personal information
This principle requires an APP entity to manage personal information in an open and transparent way. It must take reasonable steps to implement practices, procedures and systems that ensure it complies with the APPs and can deal with enquiries and complaints, and it must have a clearly expressed and up-to-date privacy policy. The policy must state what kinds of personal information the entity collects and holds, how it collects and holds it, the purposes for which it collects, holds, uses and discloses it, how an individual can access and correct their information or make a complaint, and whether the information is likely to be disclosed to overseas recipients (and, if practicable, in which countries). The policy must be available free of charge and in an appropriate form, which in practice usually means publishing it on the entity's website.
2. Anonymity and pseudonymity
This principle gives individuals the option of not identifying themselves, or of using a pseudonym, when dealing with an APP entity. The exceptions are where the entity is required or authorised by law, or by a court or tribunal order, to deal with identified individuals, or where it is impracticable for the entity to deal with an individual who has not identified themselves.
3. Collection of solicited personal information
An APP entity must only collect personal information that is reasonably necessary for (or, for an agency, directly related to) one or more of its functions or activities, and it must collect it only by lawful and fair means. Consent is not a general precondition of collection, but sensitive information (for example health information, or information about racial or ethnic origin, political opinions, religious beliefs, sexual orientation or criminal record) may only be collected with the individual's consent unless an exception such as a legal requirement or a permitted health situation applies. Personal information should be collected directly from the individual unless that is unreasonable or impracticable.
4. Dealing with unsolicited personal information
This principle covers personal information an APP entity receives without having solicited it. The entity must decide, within a reasonable period, whether it could have collected the information under APP 3. If it could not, and the information is not contained in a Commonwealth record, it must destroy or de-identify the information as soon as practicable, provided it is lawful and reasonable to do so. If it could have collected the information, the other APPs apply to it as they would to solicited information.
5. Notification of the collection of personal information
An APP entity must take reasonable steps to notify the individual of certain matters at or before the time it collects their personal information or, if that is not practicable, as soon as practicable afterwards. These matters include the entity's identity and contact details, the fact and circumstances of collection (particularly where the information was not collected from the individual), whether the collection is required or authorised by law, the purposes of collection, the main consequences if the information is not collected, the entities to which it is usually disclosed, how the privacy policy can be accessed, and whether the information is likely to be disclosed to overseas recipients.
6. Use or disclosure of personal information
An APP entity that holds personal information for a particular (primary) purpose must not use or disclose it for another (secondary) purpose unless an exception applies. The main exceptions are that the individual has consented; the individual would reasonably expect the secondary use or disclosure and it is related to the primary purpose (directly related, for sensitive information); the use or disclosure is required or authorised by law or a court or tribunal order; a permitted general situation (such as lessening a serious threat to life, health or safety) or permitted health situation exists; or it is reasonably necessary for an enforcement related activity of an enforcement body.
7. Direct marketing
An organisation must not use or disclose personal information for direct marketing unless an exception applies. Where the organisation collected the information from the individual and the individual would reasonably expect it to be used for direct marketing, consent is not required, but the organisation must provide a simple means for the individual to opt out and must not have received an opt-out request. Where the information was collected from a third party, or the individual would not reasonably expect marketing, the organisation needs the individual's consent (unless it is impracticable to obtain) and must state prominently in each communication that the individual can opt out. Sensitive information may only be used for direct marketing with consent, and an individual can at any time ask an organisation to stop direct marketing and to disclose where it obtained their information.
8. Cross-border disclosure of personal information
Before an APP entity discloses personal information to an overseas recipient, it must take reasonable steps (typically contractual obligations) to ensure the recipient does not breach the APPs in relation to that information, and under section 16C of the Privacy Act the entity remains accountable for any breach by the recipient as if it had committed the breach itself. The main exceptions are where the entity reasonably believes the recipient is subject to a law or binding scheme that protects the information in a way substantially similar to the APPs and that the individual can enforce; where the individual consents after being expressly informed that the entity will not take reasonable steps and will not be accountable; or where the disclosure is required or authorised by Australian law or a court or tribunal order.
9. Adoption, use or disclosure of government-related identifiers
This principle applies to organisations, not agencies. An organisation must not adopt a government related identifier (such as a Medicare number, tax file number, passport number or driver licence number) as its own identifier for an individual, and must not use or disclose such an identifier, unless an exception applies. The exceptions include where the use or disclosure is reasonably necessary to verify the individual's identity for the organisation's activities, to fulfil obligations to the agency that issued the identifier, or where it is required or authorised by law or a court or tribunal order.
10. Quality of personal information
An APP entity must take reasonable steps to ensure that the personal information it collects is accurate, up to date and complete, and that the personal information it uses or discloses is, having regard to the purpose of the use or disclosure, also relevant. What is reasonable depends on the sensitivity of the information and the consequences of acting on inaccurate data; checking information against its source before it is used to make a decision about the individual is a common step.
11. Security of personal information
An APP entity must take reasonable steps to protect the personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. It must also take reasonable steps to destroy or de-identify personal information once it is no longer needed for any purpose for which it may be used or disclosed under the APPs, unless the information is contained in a Commonwealth record or the entity is required by law or a court or tribunal order to retain it. The OAIC's Guide to securing personal information sets out the kinds of steps it considers reasonable, including governance and risk management, access controls, encryption, staff training, and planning for data breaches.
12. Access to personal information
An APP entity that holds personal information about an individual must give the individual access to it on request, unless an exception applies (for example, where giving access would pose a serious threat to someone's life, health or safety, or would prejudice legal proceedings or law enforcement). An agency must respond within 30 days and must not charge for access; an organisation must respond within a reasonable period and may charge for giving access, but the charge must not be excessive and it must not charge for the making of the request. If access is refused, the entity must give written reasons and explain how the individual can complain.
13. Correction of personal information
An APP entity must take reasonable steps to correct personal information it holds so that it is accurate, up to date, complete, relevant and not misleading, either on its own initiative or at the individual's request. It must respond to a request within a reasonable period (30 days for an agency) and must not charge for correction. If it refuses, it must give written reasons, and the individual can ask that a statement be associated with the record noting that they consider the information inaccurate. If asked, the entity must also take reasonable steps to notify any other APP entity to which it previously disclosed the information.
Conclusion and final thoughts
In conclusion, the Australian Privacy Principles are a critical aspect of privacy protection in Australia. These principles aim to safeguard personal information and give individuals more control over how their data is used. Understanding the APPs is essential for any organisation operating in Australia, as a serious or repeated interference with privacy can attract civil penalties, and a breach causes reputational damage regardless of any penalty.
To comply with the APPs, organisations must take a comprehensive approach to privacy management. This involves conducting a privacy impact assessment for new projects that handle personal information (for Australian Government agencies a PIA is mandatory for high privacy risk projects under the Privacy (Australian Government Agencies – Governance) APP Code 2017), implementing privacy policies and procedures, and regularly reviewing and updating them. Organisations must also train their employees on privacy best practices and check that day-to-day handling of personal information actually matches the documented procedures.
Mandatory data breach notification was not part of the original 2014 reforms; it was added by the Privacy Amendment (Notifiable Data Breaches) Act 2017, and the Notifiable Data Breaches scheme has applied to APP entities since 22 February 2018. An entity that has reasonable grounds to suspect an "eligible data breach" (unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm to any affected individual and that cannot be prevented through remedial action) must complete an assessment within 30 days. Once it has reasonable grounds to believe an eligible data breach has occurred, it must prepare a statement for the Office of the Australian Information Commissioner and notify affected individuals, or publish the statement if direct notification is impracticable, as soon as practicable.
In recent years several high-profile incidents have highlighted the importance of robust privacy management. In 2018, for example, the My Health Record system came under intense public scrutiny during its opt-out period over who could access records and under what conditions, which led to calls for greater transparency and accountability and to legislative amendments later that year strengthening the system's privacy protections.
Businesses must understand and comply with the APPs to protect individuals' personal information and avoid legal and reputational consequences. Privacy management is an ongoing process, and organisations must continually review and update their policies and procedures as the law, their systems and the threats to their data change. By adopting a proactive approach to privacy management, businesses can build trust with their customers and safeguard their data.

Ian Aldridge has almost 20 years experience in providing legal advice to SMEs both in Australia and in the UK. He founded Progressive Legal in 2014 with a NewLaw view of providing better services to growing Australian businesses. He is passionate about protecting them and their owners and has a wealth of experience.