The Australian Privacy Principles (APPs) commenced on 12 March 2014.
The APPs apply to specified private sector organisations and Commonwealth government agencies (APP entities).
Whilst the APPs contain many principles which are the same as or similar to the earlier National Privacy Principles and Information Privacy Principles, they also contain several additional principles which APP entities must also comply with.
The maximum civil penalties for breaches of the APPs range from $340,000 (in the case of an entity which is not a body corporate) up to $1.7 million (in the case of a body corporate).
This article highlights the significant privacy obligations imposed on APP entities by the APPs and recommends steps that APP entities should take to comply with these privacy obligations.
TechComm Legal has developed an Australian Privacy Principles Checklist to assist APP entities to take appropriate steps to comply with the privacy obligations imposed upon them by the APPs.
Introduction
The Australian Privacy Principles (APPs) commenced on 12 March 2014. The APPs apply to specified private sector organisations and Commonwealth government agencies (APP entities). The introduction of the APPs by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) was the most significant reform of Australia's privacy laws since the Privacy Act 1988 (Cth) (Privacy Act) separately introduced the National Privacy Principles (NPPs) and Information Privacy Principles (IPPs) that applied to private and public sector organisations respectively.
Whilst the APPs contain many principles which are the same as or similar to the earlier NPPs and IPPs, they also contain several additional principles which APP entities need to comply with. The maximum civil penalties for serious and repeated breaches of the APPs range from $340,000 (in the case of an entity which is not a body corporate) up to $1.7 million (in the case of a body corporate). This article highlights the significant privacy obligations imposed on APP entities by the APPs and recommends steps that APP entities should take to comply with these privacy obligations.
APP Entities covered by Australian Privacy Principles
Private sector organisations subject to the APPs include individuals, companies, associations, partnerships, trusts and other bodies which have an annual turnover of more than $3 million. In addition, other private sector organisations subject to the APPs, regardless of their annual turnover, include: (i) health service providers; (ii) organisations which collect or disclose personal information for a benefit, service or advantage; and (iii) contracted service providers for Commonwealth contracts (whether or not a party to the contract). Commonwealth government agencies subject to the APPs include all Commonwealth government departments and bodies established or appointed for a public purpose by or under a law of the Commonwealth.
APP 1 - Open and transparent management of personal information
Under APP 1 an APP entity is required to implement practices, procedures and systems to ensure that it complies with the APPs and is able to deal with inquiries and complaints about its compliance with the APPs. The implementation of such practices, procedures and systems may include staff training and establishing procedures to identify and manage privacy risks.
Under APP 1 an APP entity is also required to have a clearly expressed and up‑to‑date privacy policy about its management of personal information which must include details of: (i) the kinds of personal information which it holds; (ii) how it collects and holds personal information; (iii) the purposes for which it collects, holds, uses and discloses the personal information; (iv) how a person may access and seek correction of his or her personal information held by it; (v) how a person may complain about a breach of the APPs; (vi) whether it is likely to disclose personal information to overseas recipients; and (vii) if it is likely to disclose personal information to overseas recipients – the countries in which any such overseas recipients are likely to be located where practicable to specify such countries. In addition, under APP 1 an APP entity is required to make its privacy policy available free of charge and in an appropriate form.
A definition of “holds” has been inserted into section 6 of the Privacy Act which provides that an APP entity holds personal information if it has possession or control of a record that contains personal information. An APP entity will hold personal information where it has the right or power to deal with the information even if it does not physically possess the information or the medium on which the information is stored. For example, an APP entity will hold personal information where the information is in the possession of a third party contractor (e.g. outsourced IT service provider) but the APP entity retains the right to control how the information is handled by the contractor.
APP 2 - Anonymity and pseudonymity
Under APP 2 an APP entity is required to give a person the option of using a pseudonym in addition to the option of remaining anonymous when dealing with it where practicable unless the APP entity is required or authorised by law to deal with identified persons.
APP 3 - Collection of solicited personal information
APP 3 clarifies that an APP entity may collect sensitive information about a person if the person consents and the collection of the information is reasonably necessary for the APP entity’s functions or activities. Under APP 3 an APP entity may also collect sensitive information about a person in specified circumstances where it reasonably believes that the collection is necessary for it to: (i) take appropriate action in relation to unlawful activity or misconduct of a serious nature relating to its functions or activities; or (ii) assist with locating a missing person.
The definition of “sensitive information” contained in section 6 of the Privacy Act has been extended to include: (i) biometric information that is to be used for the purpose of biometric verification or identification; and (ii) biometric templates. Examples of biometric information include fingerprints, iris scans and face photographs. A biometric template is a stored record of a person’s biometric information that may be used for biometric verification or identification purposes.
APP 4 - Dealing with unsolicited personal information
Under APP 4 an APP entity is required within a reasonable period after receipt to determine whether or not it could have collected unsolicited personal information under APP 3. If the APP entity determines that it could not have collected the unsolicited personal information under APP 3 and the information does not form part of a Commonwealth record then the APP entity must destroy or de‑identify the personal information as soon as reasonably practicable.
APP 5 - Notification of collection of personal information
Under APP 5 an APP entity is required at or before (or, if not practicable, as soon as practicable after) collecting personal information to take reasonable steps to notify the person concerned, or otherwise ensure that he or she is made aware, of: (i) the fact that its privacy policy contains information about how he or she may access and seek correction of his or her personal information and complain about a breach of the APPs; and (ii) whether it is likely to disclose his or her personal information to overseas recipients and the countries in which any such recipients are likely to be located where practicable to specify such countries.
APP 6 - Use and disclosure of personal information
Under APP 6 an APP entity is permitted to use and disclose personal information in specified circumstances where: (i) it reasonably believes that the use or disclosure is necessary for it to assist with locating a missing person; (ii) reasonably necessary for the establishment, exercise or defence of a legal or equitable claim; or (iii) reasonably necessary for a confidential alternative dispute resolution process.
APP 7 - Direct marketing
Under APP 7 an APP entity (which is a private sector organisation) is permitted to use and disclose for direct marketing personal information (excluding sensitive information) collected directly from the person concerned where: (i) he or she would reasonably expect such use or disclosure; (ii) it provides a simple means by which he or she can easily request not to receive direct marketing communications; and (iii) he or she has not made such a request.
Under APP 7 an APP entity (which is a private sector organisation) is also permitted to use and disclose for direct marketing personal information (excluding sensitive information) collected directly from a person (where he or she would not reasonably expect such use or disclosure) or from a third party where: (i) he or she has consented or it is impracticable to obtain his or her consent; (ii) it provides a simple means by which he or she can easily request not to receive direct marketing communications; (iii) each direct marketing communication includes a prominent statement, or draws his or her attention to the fact, that he or she may make such a request; and (iv) he or she has not made such a request.
Under APP 7 an APP entity is only permitted to use and disclose sensitive information about a person for direct marketing where he or she has consented to such use or disclosure.
In addition, under APP 7 a person has the right to request that an APP entity (which is a private sector organisation) not use his or her personal information to facilitate direct marketing by other organisations and that it provide the source of his or her personal information, in addition to the right to request that the APP entity not send him or her any more direct marketing communications. If a person makes such a request then the APP entity must not charge for the making of, or giving effect to, the request and must comply with the request within a reasonable period.
APP 8 - Cross-border disclosure of personal information
Under APP 8 an APP entity is required to take reasonable steps to ensure that an overseas recipient of personal information will not breach the APPs before disclosing the information to the overseas recipient unless an exception applies. Specified exceptions allow an APP entity to disclose personal information to an overseas recipient without taking such steps where: (i) the overseas recipient is subject to a law or binding scheme which the person concerned can enforce to protect his or her personal information in a way similar to the APPs; (ii) the person concerned consents to the disclosure of his or her personal information to the overseas recipient after being expressly informed that the APP entity will not be required to take such steps under APP 8; (iii) required or authorised by law; (iv) necessary to lessen or prevent a serious threat to life, health or safety; (v) necessary to take appropriate action in relation to unlawful activity or misconduct of a serious nature relating to its functions or activities; or (vi) reasonably necessary to assist with locating a missing person.
An APP entity has greater responsibility under the APPs for the acts and practices of overseas recipients to which the APP entity discloses personal information. Pursuant to section 16C of the Privacy Act an act done, or practice engaged in, by an overseas recipient of personal information which breaches the APPs is taken to have been done or engaged in by the APP entity which disclosed the information unless an exception under APP 8 applied to the disclosure which allowed the APP entity to disclose the information without taking reasonable steps to ensure that the overseas recipient does not breach the APPs.
APP 9 - Adoption, use and disclosure of government related identifiers
APP 9 prohibits an APP entity adopting, using or disclosing a government related identifier of a person as its own identifier unless an exception applies. Specified exceptions allow an APP entity to use and disclose a government related identifier of a person where: (i) reasonably necessary to verify the person’s identity for its activities or functions; (ii) reasonably necessary to fulfil its obligations to a Commonwealth, State or Territory agency; (iii) necessary to take appropriate action in relation to unlawful activity or misconduct of a serious nature relating to its functions or activities; (iv) reasonably necessary to assist with locating a missing person; or (v) reasonably necessary for law enforcement related activities conducted by a specified law enforcement body.
A definition of “identifier” has been inserted into section 6 of the Privacy Act which provides that an identifier can be a number, letter or symbol or a combination of any or all of those things that is used to identify or verify the identity of a person but does not include the person’s name or ABN. A definition of “government related identifier” has also been inserted into section 6 of the Privacy Act which provides that it is an identifier which has been assigned by a Commonwealth, State or Territory government agency.
APP 10 - Quality of personal information
Under APP 10 an APP entity is required to take reasonable steps to ensure that the personal information which it uses or discloses is relevant in addition to being accurate, up‑to‑date and complete.
APP 11 - Security of personal information
Under APP 11 an APP entity is required to protect personal information which it holds from interference in addition to protecting it from misuse and loss, and unauthorised access, modification or disclosure.
APP 12 - Access to personal information
APP 12 requires an APP entity to give a person access to his or her personal information that it holds unless an exception applies. The exceptions contained in APP 12 are substantially similar to the exceptions contained in NPP 6. Under APP 12 APP entities are required to respond to a request by a person for access to his or her personal information within a reasonable period (in the case of private sector organisations) or within 30 days (in the case of Commonwealth government agencies).
APP 12 also requires an APP entity to give a person access to his or her personal information in the manner requested if reasonable and practicable to do so. In addition, APP 12 requires an APP entity to take reasonable steps to give a person access to his or her personal information in a way that meets his or her needs which may include giving access through a mutually agreed intermediary.
If an APP entity refuses to give a person access to his or her personal information under APP 12 then it must provide the person with written reasons for the refusal and details of the available complaint mechanisms.
APP 13 - Correction of personal information
Under APP 13 an APP entity is required to take reasonable steps to correct personal information which it holds if satisfied that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading, in addition to correcting personal information where the person concerned requests such correction. Under APP 13 APP entities are required to respond to a request by a person to correct his or her personal information within a reasonable period (in the case of private sector organisations) or within 30 days (in the case of Commonwealth government agencies).
Under APP 13 an APP entity is also required to take reasonable steps to notify each other APP entity to which it has disclosed any incorrect personal information if requested by the person concerned. If an APP entity refuses to correct any personal information under APP 13 then it must provide the person concerned with written reasons for the refusal and details of the available complaint mechanisms.
Conclusion
All private sector organisations and Commonwealth government agencies which are subject to the APPs must take appropriate steps to comply with them. APP entities which fail to take such steps risk incurring substantial civil penalties in addition to significant reputational damage, which may result in customer losses well in excess of any such civil penalties depending on the nature of the privacy breach.
We recommend that APP entities take the following minimum steps to comply with the privacy obligations imposed upon them by the APPs: (i) undertake a privacy audit to identify the personal information that they hold and the purposes for which they hold such personal information; (ii) update their practices, procedures and systems to comply with the requirements of the APPs in respect of their handling of such personal information; and (iii) update their privacy policy and collection notices to comply with the requirements of the APPs.
If you require any further information in relation to this Client Alert, or any assistance to comply with the Australian Privacy Principles, please do not hesitate to contact us.
Please note that the information contained in this Client Alert is provided for information purposes only and is not intended to be relied upon as legal advice for any particular purpose. You should seek your own independent legal advice for your specific circumstances.