In this article we review aspects of the Australian Privacy Act 1988 and its principles.
If your business is covered by the Act (see the next section), you are required to comply with the Privacy Act 1988 and the regulations made under it. The Privacy Act 1988 is the principal Commonwealth law governing the handling of personal information (PI) about individuals. It covers the collection, use, storage and disclosure of personal information by Australian Government agencies and by private sector organisations; state and territory public sector bodies are regulated by their own legislation.
It can be challenging for business owners to understand Australian privacy law and how it affects their business. This article is designed to assist in understanding the principles underpinning the Privacy Act 1988 and the elements that form the core of Australia's privacy framework.
Australian Privacy Act – Comply with Australian privacy laws
As a business owner, you must first ascertain whether your business falls under the Privacy Act 1988, because not every business is covered. An organisation with an annual turnover of more than A$3 million must comply with the Act. For this purpose, annual turnover is total income from all sources, excluding proceeds from the sale of assets and capital gains (the definition is in section 6DA of the Act). The following are also covered regardless of annual turnover:
- Health service providers
- Traders of personal information
- Contractors that provide services under a Commonwealth contract
- Agencies managing residential tenancy databases
- Credit reporting bodies
- Entities reporting under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006
- Consumer Data Right (CDR) accredited businesses
- Fair Work (Registered Organisations) Act 2009 recognised employee associations
- Businesses related to a larger business that is covered (for example, a subsidiary of a company whose turnover exceeds A$3 million)
- Any other business that chooses to opt in to coverage by the Act
If your business falls into any of these categories, you must comply with the Australian Privacy Principles set out in the Privacy Act 1988.
The Australian Privacy Principles (APPs)
Schedule 1 of the Act sets out 13 Australian Privacy Principles, which replaced the earlier Information Privacy Principles and National Privacy Principles in March 2014.
1. Open and transparent management of personal information
As a covered entity, you must manage personal information in an open and transparent way. You must have a clearly expressed and up-to-date privacy policy, available free of charge, that sets out:
- The kinds of personal information you collect and hold
- How you collect and hold personal information
- The purposes for which you collect, hold, use and disclose personal information
- How an individual may access their personal information and seek its correction
- How an individual may complain about a breach of the APPs, and how you will deal with the complaint
- Whether you are likely to disclose personal information to overseas recipients and, if practicable, the countries in which those recipients are likely to be located.
2. Anonymity and Pseudonymity
This principle gives individuals the option of not identifying themselves, or of using a pseudonym, when dealing with your business. The option does not apply where you are required or authorised by an Australian law or a court or tribunal order to deal with identified individuals, or where it is impracticable for you to deal with individuals who have not identified themselves.
3. Collection of Solicited Personal Information
This principle defines the circumstances in which you may collect personal information. Solicited information is information you have asked for, for example on a form or through an application. You may collect it only where it is reasonably necessary for one or more of your functions or activities, and only by lawful and fair means. Sensitive information (such as health, racial or ethnic origin, or biometric information) generally requires the individual's consent, and personal information should be collected directly from the individual unless that is unreasonable or impracticable.
4. Unsolicited Personal Information
Personal information you receive without having asked for it is unsolicited. You must decide, within a reasonable period, whether you could have collected it under APP 3. If not, and it is lawful and reasonable to do so, you must destroy or de-identify it as soon as practicable. If you could have collected it, you must handle it as if it had been collected under APP 3.
5. Notification of Collection of Personal Information
At or before the time you collect personal information (or, if that is not practicable, as soon as practicable afterwards), you must take reasonable steps to notify the individual of matters such as your identity and contact details, the purposes of collection, whether the collection is required or authorised by law, the main consequences if the information is not collected, how they can access and correct it or make a complaint, and whether it is likely to be disclosed to overseas recipients.
6. Use or Disclosure of Personal Information
You may use or disclose personal information only for the primary purpose for which it was collected, unless an exception applies. The main exceptions are that the individual has consented to the secondary use or disclosure, or that they would reasonably expect it and it is related to the primary purpose (directly related, in the case of sensitive information). Other exceptions include where the use or disclosure is required or authorised by an Australian law or a court or tribunal order.
7. Direct Marketing
Where your business wants to use or disclose personal information for direct marketing, it may generally do so only where the individual would reasonably expect it, and it must always provide a simple means for the individual to opt out and honour any opt-out request. Note that APP 7 does not apply to the extent that the Spam Act 2003 (commercial email and SMS) or the Do Not Call Register Act 2006 (telemarketing and marketing faxes) already regulates the activity; those Acts impose their own rules.
8. Cross-Border Disclosure of Personal Information
Before disclosing personal information to an overseas recipient, you must take reasonable steps to ensure the recipient does not breach the APPs in relation to that information, and you remain accountable for any breach the recipient commits (section 16C of the Act). This obligation does not apply where you reasonably believe the recipient is subject to a law or binding scheme that protects the information in a way substantially similar to the APPs and that the individual can enforce, where the individual consents after you have expressly informed them that you will not be taking those reasonable steps, or where the disclosure is required or authorised by an Australian law.
9. Adoption, Use, or Disclosure of Government-Related Identifiers
Under this principle, your business must not adopt a government-related identifier (such as a Medicare number, tax file number or driver licence number) as its own identifier for an individual, and must not use or disclose such an identifier, unless an exception applies, for example where the use is reasonably necessary to verify the individual's identity for the purposes of your activities, or is required or authorised by an Australian law or a court or tribunal order.
10. Quality of Personal Information
You must take reasonable steps to ensure that the personal information you collect is accurate, up to date and complete, and that the information you use or disclose is also relevant, having regard to the purpose of the use or disclosure. This is an ongoing responsibility, not a one-off check at the time of collection.
11. Security of Personal Information
You must take reasonable steps to protect the personal information you hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. Once you no longer need personal information for any purpose for which it may be used or disclosed under the APPs, and you are not required by an Australian law or a court or tribunal order to retain it, you must take reasonable steps to destroy it or ensure it is de-identified.
12. Access to Personal Information
Individuals are generally entitled to access the personal information you hold about them. You must respond to a request within a reasonable period and, where reasonable and practicable, give access in the manner requested. You should verify the identity of the requester before giving access. There are, however, circumstances in which you may refuse access, including where:
- You reasonably believe giving access would pose a serious threat to the life, health or safety of any individual, or to public health or safety
- Giving access would have an unreasonable impact on the privacy of other individuals
- The information relates to existing or anticipated legal proceedings between you and the individual and would not be accessible through discovery
- Giving access would be unlawful, or denying access is required or authorised by an Australian law or a court or tribunal order
- The request is frivolous or vexatious.
13. Correction of Personal Information
You must take reasonable steps to correct personal information that is inaccurate, out of date, incomplete, irrelevant or misleading, either on your own initiative or at the individual's request. If you refuse a correction request, you must give the individual written notice of the reasons and of the complaint mechanisms available to them, and, if the individual asks, take reasonable steps to associate with the information a statement that they consider it to be inaccurate, out of date, incomplete, irrelevant or misleading.
Make sure your business complies with the Privacy Act 1988
The principles under the Privacy Act can be complex for any business to understand and apply, but complying with them is crucial for most business entities. This article outlines some of the obligations imposed by the Australian Privacy Principles. Refer to your legal counsel or seek legal advice for a full interpretation of the Act, its regulations and related legislation as they apply to your business.
Recent and Proposed Changes to Australian Privacy Law
The Privacy Act has been the subject of a review by the Attorney-General's Department, and several changes have either already been made or are under consideration. These include:
- Increased penalties for serious breaches: already enacted. The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, passed in December 2022, raised the maximum penalty for a body corporate for a serious or repeated interference with privacy to the greater of A$50 million, three times the value of any benefit obtained from the conduct, or 30% of adjusted turnover during the breach period, to provide a stronger deterrent.
- Mandatory data breach notification: already in force. The Notifiable Data Breaches scheme (Part IIIC of the Act) has applied since February 2018 and requires covered entities to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) of eligible data breaches that are likely to result in serious harm, after assessing a suspected breach within 30 days.
- Removal of the small business exemption: proposed. The Privacy Act applies to businesses with an annual turnover of more than A$3 million unless one of the exceptions listed earlier applies. The Privacy Act Review Report (February 2023) proposed removing the exemption so that small businesses are also covered, and the Government agreed in principle in its September 2023 response, subject to further impact analysis and consultation.
- Retention periods for personal information: proposed. The Review proposed that entities be required to set, and state in their privacy policy, maximum and minimum retention periods for the personal information they hold, reinforcing the APP 11 obligation to destroy or de-identify information that is no longer needed.
- Closer alignment with the EU's General Data Protection Regulation (GDPR): proposed. The Review proposed measures that would bring the Act closer to international standards, such as a right to erasure and a requirement that the handling of personal information be fair and reasonable, making it easier for organisations that already comply with the GDPR to comply with Australian law as well.
These are only some of the changes made or under consideration; the final shape of the remaining reforms depends on the legislative process. The Privacy Act changes over time, so stay informed of developments that may affect your organisation or the personal information it holds.