From 12 March 2014, the Australian Privacy Principles (‘APPs’) replace the National Privacy Principles (‘NPPs’) and apply to some private sector organisations as well as most Government agencies[1].
APP entities are obliged to comply with the APPs, which impose positive obligations to implement practices, procedures and systems to ensure compliance with the new privacy laws.
This overview will assist private sector organisations to put in place the necessary practices and procedures for compliance with the APPs, and Australian privacy law generally.
Privacy in Australia relates to the core concept of protection of ‘personal information’ (‘PI’).
The Privacy Act defines PI as: “…information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable.”
Common examples of PI are an individual’s name, signature, address, telephone number, date of birth, medical records, bank account details and commentary or opinion about an individual.
For more information, check out our analysis of what counts as personal information.
The 13 Australian Privacy Principles broadly cover the following key principles:
Below is a summary of the main differences and changes between the old NPPs and the new APPs[2].
APP 1 requires organisations to have in place ongoing practices and policies to ensure they manage PI in an open and transparent way.
The principle introduces more prescriptive requirements for privacy policies than the existing requirements (NPP 5.1).
An organisation must have a privacy policy that contains specified information, including:
An organisation needs to take reasonable steps to make its privacy policy available free of charge and in an appropriate form.
The principle also introduces a positive obligation for organisations to implement practices, procedures and systems that will ensure compliance with the APPs and any registered APP codes.
APP 2 maintains the existing requirement that organisations provide individuals with the option of dealing with them anonymously.
It sets out a new requirement that an organisation provide individuals with the option of dealing with it using a pseudonym (e.g. The Tessernator101).
Both requirements are subject to certain limited exceptions, including where it is impracticable for the organisation to deal with an individual who has not identified themselves, or where the law or a court/tribunal order requires or authorises the organisation to only deal with individuals who have identified themselves.
APP 3 outlines when and how an organisation may collect personal and sensitive information that it solicits from an individual or another entity.
An organisation must only collect PI:
‘Sensitive information’ is a form of PI which includes information about an individual’s:
APP 4 creates new obligations in relation to the receipt of PI which is unsolicited by the organisation.
Where an organisation receives unsolicited PI, it must determine whether it would have been permitted to collect the information as solicited PI under APP 3. If the information:
APP 5 specifies certain matters about which an organisation must generally make an individual aware at the time of collection, or as soon as practicable thereafter.
In addition to the matters listed in NPP 1.3, APP 5 requires organisations to notify individuals about:
APP 6 outlines the circumstances in which an organisation may use or disclose PI.
APP 6 generally reflects NPP 2 that PI only be used or disclosed for the purpose for which it was collected, but introduces new exceptions where the use or disclosure is reasonably necessary:
Use and disclosure for direct marketing is now addressed in a discrete privacy principle (rather than as an exception in NPP 2).
Generally, organisations may only use or disclose PI for direct marketing where, either:
APP 8 and a new s 16C introduce an accountability approach to organisations’ cross-border disclosures of PI.
Before an organisation discloses PI to an overseas recipient, the organisation must take reasonable steps to ensure that the overseas recipient does not breach the APPs (other than APP 1) in relation to that information.
In some circumstances an act done, or a practice engaged in, by the overseas recipient that would breach the APPs, is taken to be a breach of the APPs by the organisation.
There are a number of exceptions to these requirements.
APP 9 prohibits an organisation from adopting, using or disclosing a government related identifier unless an exception applies. APP 9 generally retains the same exceptions as NPP 7, with some additions and amendments.
Under APP 10, an organisation must take reasonable steps to ensure the PI it collects is:
APP 11 requires an organisation to take reasonable steps to:
APP 12 provides that:
APP 13 introduces new obligations in relation to the correction of PI, which differ from those in NPP 6:
[1] The Australian Privacy Principles are found in the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth).
[2] This summary is primarily based on information made publicly available by the Office of the Australian Information Commissioner (‘OAIC’), at http://www.oaic.gov.au/images/documents/privacy/privacy-guides/comparison_guide_APP_NPP.pdf.