
05 May, 2014

Overview of the New Australian Privacy Principles

From 12 March 2014, the Australian Privacy Principles (‘APPs’) replace the National Privacy Principles (‘NPPs’) and apply to some private sector organisations as well as most Government agencies[1].

APP entities are obliged to comply with the APPs, which impose positive obligations to implement practices, procedures and systems to ensure compliance with the new privacy laws.

This overview will assist private sector organisations to put in place the necessary practices and procedures for compliance with the APPs, and Australian privacy law generally.

What is Personal Information or ‘PI’?

Privacy in Australia relates to the core concept of protection of ‘personal information’ (‘PI’).

The Privacy Act defines PI as: “…information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable.”

Common examples of PI are an individual’s name, signature, address, telephone number, date of birth, medical records, bank account details and commentary or opinion about an individual.

For more information, check out our analysis of what counts as personal information.

What is covered in the Australian Privacy Principles?

The 13 Australian Privacy Principles broadly cover the following key principles:

  • Open and transparent management of PI held by organisations (including a mandatory requirement to have a privacy policy).
  • The right of individuals to deal with organisations anonymously or by using a pseudonym where practicable.
  • Collection of PI by organisations and notification requirements.
  • Use and disclosure of PI by organisations (including overseas).
  • Use of PI for direct marketing by organisations.
  • Maintaining the quality of PI held by organisations.
  • Maintaining the security of PI held by organisations.
  • The right for individuals to access and correct PI held by organisations.

Summary of changes with the new Australian Privacy Principles

Below is a summary of the main differences and changes between the old NPPs and the new APPs[2].

APP 1 – Open and transparent management of PI

APP 1 requires organisations to have in place ongoing practices and policies to ensure they manage PI in an open and transparent way.

The principle introduces more prescriptive requirements for privacy policies than the existing requirements (NPP 5.1).

An organisation must have a privacy policy that contains specified information, including:

  • The kinds of PI it collects
  • How an individual may complain about a breach of the APPs
  • Whether the organisation is likely to disclose information to overseas recipients.

An organisation needs to take reasonable steps to make its privacy policy available free of charge and in an appropriate form.

The principle also introduces a positive obligation for organisations to implement practices, procedures and systems that will ensure compliance with the APPs and any registered APP codes.

APP 2 – Anonymity and Pseudonymity

APP 2 maintains the existing requirement that organisations provide individuals with the option of dealing with them anonymously.

It sets out a new requirement that an organisation provide individuals with the option of dealing with it using a pseudonym (e.g. The Tessernator101).

Both requirements are subject to certain limited exceptions, including where it is impracticable for the organisation to deal with an individual who has not identified themselves, or where the law or a court/tribunal order requires or authorises the organisation to only deal with individuals who have identified themselves.

APP 3 – Collection of solicited PI

APP 3 outlines when and how an organisation may collect personal and sensitive information that it solicits from an individual or another entity.

An organisation must only collect PI:

  • which is reasonably necessary for the organisation’s functions or activities; and
  • where the PI is sensitive information, only where the individual’s consent has been obtained, unless an exception applies.

‘Sensitive information’ is a form of PI which includes information about an individual’s:

  • racial or ethnic origin;
  • health;
  • political opinions;
  • membership of a political association, professional or trade association or trade union;
  • religious beliefs or affiliations;
  • philosophical beliefs;
  • sexual orientation or practices;
  • criminal record;
  • genetic information; and
  • biometric information that is to be used for certain purposes, and biometric templates (only this category of sensitive information is an addition to the old NPPs).

APP 4 – Dealing with unsolicited PI

APP 4 creates new obligations in relation to the receipt of PI which is unsolicited by the organisation.

Where an organisation receives unsolicited PI, it must determine whether it would have been permitted to collect the information as solicited PI under APP 3. If the information:

  • could have been collected if solicited (under APP 3), APPs 5 to 13 apply to that information; or
  • could not have been collected if solicited (under APP 3), and the information is not contained in a Commonwealth record, the organisation must destroy or de-identify that information as soon as practicable, but only if it is lawful and reasonable to do so.

APP 5 – Notification of the collection of PI

APP 5 specifies certain matters about which an organisation must generally make an individual aware at the time of collection, or as soon as practicable thereafter.

In addition to the matters listed in NPP 1.3, APP 5 requires organisations to notify individuals about:

  • the access, correction and complaints processes in their privacy policies; and
  • the location of any likely overseas recipient of the PI.

APP 6 – Use and disclosure of PI

APP 6 outlines the circumstances in which an organisation may use or disclose PI.

APP 6 generally reflects the NPP 2 position that PI may only be used or disclosed for the purpose for which it was collected, but introduces new exceptions where the use or disclosure is reasonably necessary:

  • to assist in locating a missing person; or
  • for the purposes of a legal or equitable claim or confidential alternative dispute resolution.

APP 7 – Direct marketing

Use and disclosure for direct marketing is now addressed in a discrete privacy principle (rather than as an exception in NPP 2).

Generally, organisations may only use or disclose PI for direct marketing where either:

  • the individual has consented; or
  • the individual has a reasonable expectation that their PI will be used for this purpose, and required opt-out mechanisms are available.

APP 8 – Overseas disclosures

APP 8 and a new s 16C introduce an accountability approach to organisations’ cross-border disclosures of PI.

Before an organisation discloses PI to an overseas recipient, the organisation must take reasonable steps to ensure that the overseas recipient does not breach the APPs (other than APP 1) in relation to that information.

In some circumstances an act done, or a practice engaged in, by the overseas recipient that would breach the APPs, is taken to be a breach of the APPs by the organisation.

There are a number of exceptions to these requirements.

APP 9 – Adoption, use or disclosure of government related identifiers

APP 9 prohibits an organisation from adopting, using or disclosing a government related identifier unless an exception applies. APP 9 generally retains the same exceptions as NPP 7, with some additions and amendments.

APP 10 – Quality of PI

Under APP 10, an organisation must take reasonable steps to ensure the PI it collects is:

  • accurate, up-to-date and complete (like NPP 3); and
  • having regard to the purpose of the use or disclosure, relevant (in addition to NPP 3).

APP 11 – Security of PI

APP 11 requires an organisation to take reasonable steps to:

  • protect the PI it holds from:
    • misuse, loss, unauthorised access, modification and disclosure (as required by NPP 4.1); and
    • interference (in addition to NPP 3).
  • destroy or de-identify PI if the organisation no longer needs it for any authorised purpose (like NPP 4.2). However, APP 11 adds the following two exceptions to this requirement, where:
    • the PI is contained in a Commonwealth record, or
    • the organisation is required to retain the information by Australian law or a court/tribunal order.

APP 12 – Access to PI

APP 12 provides that:

  • an organisation must give an individual access to their PI unless an exception applies (substantially similar to the exceptions in NPP 6); and
  • there are new requirements for organisations to:
    • respond to requests for access within a reasonable period;
    • give access in the manner requested by the individual if it is reasonable to do so;
    • if access is not given, generally provide written reasons and the mechanisms available to complain about the refusal; and
    • if the organisation charges an individual for access, ensure the charge is not excessive and does not apply to the making of the request.

APP 13 – Correction of PI

APP 13 introduces new obligations in relation to correcting PI, which differ from those in NPP 6:

  • The NPP 6 requirement that an individual establish that their PI is inaccurate, incomplete or not up-to-date and should be corrected is removed;
  • An organisation must take reasonable steps to correct PI to ensure that (having regard to a purpose for which it is held) it is accurate, up-to-date, complete, relevant and not misleading, if either:
    • the organisation is satisfied that it needs to be corrected, or
    • an individual requests that it be corrected.
  • If requested by the individual, organisations generally need to notify other entities that have been provided with the PI of any correction.
  • If the organisation refuses to correct the information and the individual requests that a statement be associated with the PI, the organisation must:
    • do so within a reasonable period after the request is made (similar to NPP 6);
    • not charge the individual for making the request, correcting the PI or for associating the statement with the PI; and
    • provide the individual with written reasons for the refusal and notify them of available complaint mechanisms.

[1] The Australian Privacy Principles are found in the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth).

[2] This summary is primarily based on information made publicly available by the Office of the Australian Information Commissioner (‘OAIC’), at http://www.oaic.gov.au/images/documents/privacy/privacy-guides/comparison_guide_APP_NPP.pdf.