Australian Privacy Principles – Still confused about whether the new Privacy legislation applies to you?

By Louise Wolf, Senior Associate, MST Lawyers

Further to MST Lawyers’ previous article “Australian Privacy Principles – Are you Ready?“, it is important to understand whether the privacy legislation applies to your organisation.

The current privacy legislation and the new privacy legislation both apply to businesses with turnover of $3 million per annum or more and to several types of businesses with less than $3 million per annum turnover.

You are required to comply with privacy legislation even if your business turns over less than $3 million per annum if your organisation falls within one of the following categories:

  • health service providers;
  • those trading in personal information (e.g. buying or selling mailing lists);
  • a related body corporate of a business that turns over $3 million or more;
  • a contractor that provides services under a Commonwealth contract;
  • a reporting entity for the purpose of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006; and
  • an operator of a residential tenancy database.

However, many Australian consumers are concerned about privacy and have an expectation that all organisations will respect and protect their privacy.  So even if your business turns over less than $3 million per annum, privacy should be something that concerns you too.

The key considerations for each aspect of the Australian Privacy Principles (APPs) are explained below to assist you in reviewing your policies and procedures relating to privacy.  We recommend that you commence this process as soon as possible.

Collection

When collecting personal or sensitive information, the key considerations are:

  1. You are required to provide an individual with the option of not identifying themselves or of using a pseudonym when dealing with you, unless identification is required by law or it is impracticable for you to deal with individuals who have not fully identified themselves (APP 2);
  2. You must not collect personal information (not sensitive information) unless it is reasonably necessary for one or more of your functions or activities (APP 3.2);
  3. You must not collect sensitive information unless the individual has consented and the information is reasonably necessary for one or more of your functions or activities or certain other exceptions apply (APP 3.3 and 3.4);
  4. You may only collect personal information by lawful and fair means (APP 3.5);
  5. Personal information must be obtained from the individual themselves unless the individual has consented to the collection of the information from someone else; you are required to collect such information from others by law or it is unreasonable or impracticable to do so (APP 3.6);
  6. If you receive personal information that you did not solicit, you must determine, within a reasonable period of receipt, whether APP 3 would have allowed you to collect that information had you solicited it.  If not, and if the information is not contained in a Commonwealth record, you are required to destroy or de-identify the information as soon as practicable, provided it is lawful and reasonable to do so (APP 4); and
  7. When you collect personal information, or as soon as practicable afterwards, you must take reasonable steps to notify the individual of, or otherwise ensure they are aware of, your identity and contact details, the circumstances of the collection, and many of the matters that must also be included in your privacy policy.  If collection is required by law or court order, the individual must be made aware of the particular relevant details.  This applies even where you have collected an individual’s information from a third party (APP 5).

Use and Disclosure

When using and disclosing personal or sensitive information, the key considerations are:

  1. You must not use or disclose information for any purpose other than the particular purpose for which it was collected unless the individual has consented to such other use or disclosure or an exception applies.  The most notable exception is where the individual would reasonably expect the personal information to be used for the secondary purpose and the secondary purpose is related to the primary purpose (APP 6);
  2. You must not use personal information for direct marketing unless: you collected the information yourself; the individual would reasonably expect you to use or disclose the personal information for that purpose; you have provided a simple means by which the individual can request not to receive direct marketing communications and the individual has not already made such a request (APP 7.2);
  3. If an individual would not reasonably expect the information to be used or disclosed for direct marketing or if you obtained the personal information from a third party, you must not use or disclose the information for direct marketing purposes unless: the individual consents, it is impracticable to seek consent, there is a simple means by which the individual can opt out of direct marketing, there is a prominent statement in each direct marketing communication advising the individual of the ability to opt out, and no opt out request has been made (APP 7.3);
  4. You must not use sensitive information for direct marketing unless consent has been given by the individual (APP 7.4);
  5. Individuals now have the right to ask you to provide the source of the personal information you hold about them and you must comply with such requests (unless it is impracticable or unreasonable to do so) within a reasonable period and free of charge (APP 7.6 and 7.7); and
  6. Despite APP 7, direct marketing will not be permitted where the Do Not Call Register Act 2006 or the Spam Act 2003 applies.

Data Quality and Data Security

Key considerations relating to data quality and security are:

  1. You are required to ensure that the personal information you hold is accurate, up-to-date and complete.  In addition, you are also required to ensure that it is relevant, having regard to the purpose for which it is used or disclosed (APP 10);
  2. You must take reasonable steps to ensure that the personal information you hold is protected from misuse, interference and loss, and from unauthorised access, modification or disclosure (APP 11.1); and
  3. If you no longer need the information for any purpose for which it was disclosed to you, and if it is not contained in a Commonwealth record and its retention is not required by law, you must take reasonable steps to destroy the information or ensure it is de-identified (APP 11.2).

Access and Correction

In relation to provision of access to and correction of personal information, the key considerations are:

  1. You must give an individual access to the information you hold about them (APP 12.1), except in certain circumstances, which include where the request is frivolous or vexatious; where the information relates to existing or anticipated legal proceedings between you and the individual and would not be accessible by discovery during the proceedings; and where giving access would be unlawful (APP 12.3);
  2. In the absence of an exception, you must respond within a reasonable period and give access in the manner requested if it is reasonable and practicable to do so (APP 12.4);
  3. If you refuse access on one of the specified grounds, you must take reasonable steps to give access in a way that meets your needs and the needs of the individual (APP 12.5);
  4. Any charges for giving access must not be excessive and must not apply to the making of the request (APP 12.8);
  5. If you refuse to give access, you must give written reasons for the refusal and the mechanisms available for the individual to complain about the refusal (APP 12.9);
  6. If you are satisfied that certain personal information is inaccurate, out of date, incomplete, irrelevant or misleading or you have received a request for correction, you must take reasonable steps to correct, update and complete the information (APP 13.1);
  7. If you correct information you hold that you previously disclosed to another entity, and you receive a request to notify the other entity of the correction, you must take reasonable steps to comply unless it is impracticable or unlawful to do so (APP 13.2);
  8. If you refuse to correct the information, you must give written reasons for the refusal and the mechanisms available for the individual to complain about the refusal (APP 13.3);
  9. If you refuse to correct the information and the individual requests that a statement be attached to the record stating that the information is inaccurate, out of date, incomplete, irrelevant or misleading, you are required to attach it in a way that is apparent to other users of the information (APP 13.4); and
  10. You must respond to a correction request within a reasonable period, and you must not charge the individual for making the request, for correcting the information or for associating a statement with the information (APP 13.5).

Cross-Border Disclosure

Disclosure of personal information about an individual to a third party who is not in Australia (cross-border disclosure) involves some new key considerations:

  1. Prior to making a cross-border disclosure, you must take reasonable steps to ensure that the overseas recipient does not breach the APPs (other than APP 1) in relation to the information.  In certain circumstances, an act done or a practice engaged in by the overseas recipient is taken to have been done or engaged in by you, and to be a breach of the APPs by you (APP 8.1).
  2. There are a number of exceptions where APP 8.1 will not apply, including where you reasonably believe the recipient is subject to a law that has the effect of protecting the information in a way that is substantially similar to the APPs and there are mechanisms available to the individual to enforce that protection or scheme (APP 8.2(a)), or where the individual consents to the disclosure after having been advised that APP 8.1 will no longer apply if they give their consent (APP 8.2(b)).

Further Steps

Once you have reviewed your privacy notifications and policies, there are a number of other areas for your attention:

  1. Review all processes for handling, storage and security of personal and sensitive information within your organisation;
  2. Review practices for outsourcing functions where personal information is disclosed to third parties and foreign entities and ensure that all contracts with such parties protect your interests as much as possible, including warranties, conditions and indemnities for loss suffered by you as a result of breach of the APPs by such third parties or foreign entities; and
  3. Review commercial and consumer credit applications and arrangements, particularly if you conduct consumer credit checks.

For further information please contact our Corporate Advisory team on 03 8540 0200 or email the author of this article, Louise Wolf.