From your regular fitness club to your favourite e-commerce site (or even your local law firm!), most organisations can be seen complying with the Federal legislation that governs the handling of personal information within Australia.
In complying with these frameworks, organisations are required to publish their privacy policies in a clearly expressed manner. This is usually the hyperlink located at the very bottom of an organisation’s landing page labelled “Privacy”.
But why do these organisations even bother with publishing this (frequently overlooked) material? Are they even required to do so? And what does it mean for us as individuals?
This article will explore the Federal privacy legislation, explain the circumstances in which a privacy policy is required, and provide a summary of privacy policy frameworks that operate within Australia.
The Privacy Act 1988 (Cth) (the Act) was introduced at a federal level in 1988, giving effect to Australia’s agreement to implement international guidelines for the protection of privacy and personal data.
The key objectives of the Act include protecting individuals’ privacy and establishing a regulatory framework that dictates the handling of personal information.
Thanks to the Act, individuals within Australia must be informed:
‘Personal information’ is defined as “information or an opinion about an identified individual, or an individual who is reasonably identifiable:
For example, personal information includes an individual’s name, date of birth, address, details of employment, medical history and so on. Personal information will also include information about the individual, for example their attitude and opinion.
The Act requires the compliance of organisations that are classified as “APP Entities”.
An “APP Entity” includes an individual, a body corporate, a partnership, any other unincorporated association or a trust. An agency (for example, a federal government entity) may also be considered an APP Entity in certain circumstances.
An APP Entity does not include a small business operator (being the operator of a business with an annual turnover of $3 million or less for a financial year, unless the exception below applies), a registered political party, or a State or Territory authority.
According to section 6D of the Act, a small business operator will be considered an APP Entity (meaning they will be required to comply with the Act) if the operator of that business:
The Act includes 13 mandatory Australian Privacy Principles (APPs) that are imposed on APP Entities.
The APPs set out the standards, rights and obligations that govern the way APP Entities collect, use, store and disclose personal information.
In summary, the APPs provide as follows:
Pursuant to APP1, APP Entities must take reasonable steps to ensure that the entity complies with the APPs and is able to deal with enquiries or complaints from individuals under the Act.
This is the principle that requires APP Entities to have a clearly expressed and up to date privacy policy.
APP2 requires APP Entities to provide individuals with the option of not identifying themselves when providing personal information, or using a pseudonym (subject to limited exceptions).
Under APP3, an APP Entity is permitted to collect personal information from individuals if it is reasonably necessary for, or directly related to, one or more of the APP Entity’s functions or activities. The collection of the information must be direct (i.e. the entity has requested the individual to provide the particular information).
The collection of sensitive information (including information about an individual’s race or ethnic origin, political opinion, sexual orientation and so on) is only permitted if the individual consents to its collection (subject to limited exceptions).
APP4 contemplates the scenario where an APP Entity receives personal information and the entity did not solicit that information (i.e. it did not try to obtain the personal information that has been collected).
In these circumstances, the APP Entity must determine whether or not it could have collected that information by the means permitted under APP3 (i.e. would the individual have provided that information had they been asked to do so?).
If the entity determines that it could have obtained that information had the individual been asked, then it must comply with the remaining APPs.
If the APP Entity determines that it could not have obtained the information in accordance with APP3, then it must destroy the information or ensure the information is de-identified.
According to APP5, the APP Entity must ensure that when personal information is collected (or as soon as reasonably practicable after), the entity notifies the individual or otherwise ensures that the individual is made aware of certain information, including but not limited to:
APP6 outlines the circumstances in which an APP Entity will be permitted to disclose the personal information that it has collected from individuals.
Here, information that was collected by an APP Entity for a particular reason (the primary purpose), must not be used or disclosed for another purpose (the secondary purpose), unless certain exceptions apply (for example, the individual has consented to the disclosure).
Unless certain exceptions apply, APP Entities must not use or disclose personal information for direct marketing purposes under APP7.
‘Direct marketing’ is when an entity uses your personal information to communicate with you directly for sales or advertising purposes.
A few of the exceptions to this prohibition include circumstances where the individual would reasonably expect the organisation to use or disclose the information for that purpose, or the individual provides their consent to that use or disclosure.
If an APP Entity intends to disclose an individual’s personal information to an overseas recipient, then the entity must take reasonable steps to ensure the recipient complies with the APPs (except for APP1). There are a number of circumstances in which this APP will not apply that entities should be mindful of when contemplating the disclosure of information.
The limited circumstances in which an organisation may adopt, use or disclose a government related identifier are set out in APP9.
APP10 requires APP Entities to ensure that the personal information it collects is accurate, up to date and complete.
APP Entities are required to take reasonable steps to ensure that the personal information they collect is protected from misuse, interference and loss, and from unauthorised access, modification and disclosure.
Further, if an APP Entity holds personal information and the information is no longer required by that entity, then it must ensure that the information is destroyed or de-identified.
APP12 sets out the circumstances in which an APP Entity must provide an individual with access to their personal information, should they request it. In general, an APP Entity must provide an individual with access to their personal information unless certain exceptions apply.
An APP Entity must take reasonable steps to correct an individual’s personal information if:
The individual should be notified of any correction that is made to personal information held by an APP Entity, and if the entity refuses to make a requested correction then that entity must give the individual the reasons for its refusal.
If the APPs apply to you, we are able to provide advice in relation to your obligations, assistance with the preparation of your privacy policy or a detailed review and reconciliation of your current practices, procedures and systems to ensure you are complying with your privacy obligations. For further information, please contact our experienced Corporate and Commercial Department today.