On 12 March 2014 there will be some changes to the way that agencies and organisations can collect and deal with personal information. Thirteen ‘Australian Privacy Principles’ will replace the National Privacy Principles and Information Privacy Principles in the current legislation.
The Australian Privacy Principles (APPs) will apply to ‘APP entities’, which are either Agencies or Organisations.
An Agency includes Ministers, Departments, a federal court, the Australian Federal Police or other bodies established or appointed for a public purpose under a Commonwealth enactment.
An Organisation includes individuals, bodies corporate, partnerships, unincorporated associations and trusts, but specifically excludes small business operators (having an annual turnover of less than $3 million).
APP 1 – open and transparent management of personal information
APP 2 – anonymity and pseudonymity
When information about an individual is collected by an APP entity the individual must have the option of being anonymous or using a pseudonym unless the APP entity is authorised by law not to give this option, or if it is impracticable to deal with an individual who has chosen not to identify themselves.
APP 3 – collection of solicited personal information
An APP entity must not collect information about an individual unless the information is reasonably necessary to carry out a function or activity of that APP entity. If the APP entity is an Agency, then the information could be directly related to the Agency’s function instead, even if not reasonably necessary to perform that function.
In the case of sensitive information (information relating to health, genetics, race, sexual preference, union or political membership, criminal record, beliefs, etc.) an APP entity can only collect the information with the consent of the individual concerned, in addition to the information needing to be reasonably necessary or directly related (in the case of an Agency).
Certain exceptions apply to the above, mainly in the case of an Agency being authorised by law to collect the information.
Unless otherwise authorised, or unless it is unreasonable or impracticable to do so, an APP entity can only collect information directly from the individual. In any case, the APP entity may only use lawful and fair means to collect such information.
APP 4 – dealing with unsolicited personal information
If an APP entity comes into possession of personal information, it must first determine whether or not it could legally collect that information under APP 3. If the answer is yes, then it may treat the information as if it had collected it. If the answer is no, then the APP entity must take steps to destroy the information or to de-identify it.
APP 5 – notification of the collection of personal information
An APP entity which collects personal information must, as soon as practicable, take reasonable steps to notify the person about whom the information is collected of several matters, including the identity of the APP entity and the fact that it collects personal information, whether the collection is authorised by any law or tribunal, the purpose for which the information is being collected and the person’s right to access or seek to correct the information.
APP 6 – use or disclosure of personal information
If an APP entity has collected personal information for a purpose, it cannot use or disclose that information for any other purpose unless one of several exceptions applies. These exceptions include where the individual concerned has given permission for the secondary use, where the individual would reasonably expect the use or disclosure (and the use or disclosure is related to the primary purpose – or directly related to the primary purpose where the information is sensitive), or where the use or disclosure is reasonably necessary for an enforcement related activity conducted by an enforcement body.
In certain situations, held information must be de-identified by the APP entity before using or disclosing it for a secondary purpose.
This APP does not apply to use of information for direct marketing.
APP 7 – direct marketing
An APP entity may not use any personal information it holds for the purpose of direct marketing unless an exception applies. One exception is where the information is not sensitive and where the entity gives a clear, simple option to the individual not to receive the direct marketing communications from the entity. An APP entity may only use sensitive information for direct marketing where the individual has consented.
The Do Not Call Register Act and the Spam Act continue to apply and take precedence over this APP, as does any other Commonwealth Act or Regulation.
APP 8 – cross-border disclosure of personal information
An APP entity can disclose personal information to an overseas recipient only if the APP entity takes reasonable steps to ensure that the overseas recipient complies with the Australian privacy law principles as set out in the APPs. In certain circumstances, a breach by an overseas recipient of an APP will amount to a breach on the part of the APP entity. If, however, the APP entity informs the individual that the provisions of this APP will not apply, and the individual gives consent, the APP entity can still disclose the information to the overseas recipient.
Enforcement bodies assisting similar overseas agencies in enforcement activities are not bound by this APP, nor are Agencies that are complying with Australia’s international obligations under information sharing agreements.
APP 9 – adoption, use or disclosure of government related identifiers
An APP entity is not to use or adopt a government related identifier of an individual as its own. An APP entity must also not use or disclose a government related identifier of an individual unless one of a specific range of criteria is met.
APP 10 – quality of personal information
An APP entity must take reasonable steps to ensure that the personal information it collects, uses or discloses is accurate, up-to-date and complete.
APP 11 – security of personal information
If an APP entity holds personal information it must take reasonable steps to ensure that the information is secure.
When an APP entity no longer needs the personal information it holds, and provided that the entity is not required by law to retain the information, it must ensure the information is either destroyed or de-identified, unless the information is held in a Commonwealth record.
APP 12 – access to personal information
The general rule is that if an APP entity holds personal information about an individual, the individual is entitled to have access to that information.
An Agency can refuse access if it is permitted to do so pursuant to the Freedom of Information Act or other Commonwealth Act.
An Organisation may only refuse access on a limited range of grounds, including in circumstances where the access would pose a serious threat to safety, where the giving of access is unlawful, where access would infringe upon the privacy of others, where the access would prejudice enforcement activities or where the request for access is frivolous or vexatious.
An APP entity must respond to a request for access within 30 days (in the case of an Agency) or within a reasonable time (in the case of an Organisation).
Only an Organisation is allowed to charge a reasonable fee for giving access to information. Agencies cannot charge for this, and neither type of APP entity can charge for making the request for access.
Where an APP entity refuses access to personal information, it must notify the individual in writing and, where reasonable, give a reason for the refusal.
APP 13 – correction of personal information
If an APP entity holds information that it is aware is inaccurate, out-of-date or incomplete, or where an individual makes a request to correct information, the APP entity must take reasonable steps to correct the information and ensure it is accurate, up-to-date, complete and not misleading.
An APP entity which has disclosed personal information to another APP entity in the past is only obliged to notify the other APP entity of a correction to that information if the individual makes a request for the APP entity to do so.
Where an APP entity refuses to correct information pursuant to a request, it must notify the individual of its reasons for refusal unless it would be unreasonable to do so.
Where an APP entity refuses to correct information, it must, upon request, associate a statement with the information to the effect that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading. This statement must be apparent to users of the information.
An APP entity must not charge a fee for making a request to correct information, for correcting information or for associating a statement with information. An Agency must respond to a request within 30 days and an Organisation must respond within a reasonable period.