
05 Jul 2012

The Australian Privacy Principles - one set of privacy principles to rule us all Part 1

by Avinesh Chand

The new Australian Privacy Principles attempt to keep pace with changing technology, emerging privacy issues and developments in privacy law in Australia and internationally.

The proposed amendments to the Privacy Act 1988 currently before the Australian Parliament are intended, when enacted, to reduce the complexity and confusion in the application of privacy laws by creating a single set of Australian Privacy Principles ("APPs") that will apply to both Commonwealth agencies and private sector organisations.

The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 seeks to implement the Government's first stage response to the recommendations made by the Australian Law Reform Commission following its inquiry into Australian privacy laws. Amongst other things, it amends the Privacy Act to consolidate the current Information Privacy Principles ("IPPs") and National Privacy Principles ("NPPs") into the APPs. The consolidation of the privacy principles, the cornerstone of the privacy protection framework of the Privacy Act 1988, is intended to foster national and international consistency in privacy regulation and to simplify the application of privacy laws.

As with the IPPs and NPPs, when enacted, the APPs will regulate the collection, holding, use and disclosure of personal information that is included in records. The APPs will apply to government agencies to which the IPPs currently apply and to private sector organisations to which the NPPs currently apply (collectively referred to as APP entities in the Bill).

Most of the APPs are based to some extent on the existing IPPs and NPPs. However, the APPs also include some significant changes from the IPPs and NPPs in order to keep pace with changing technology, emerging privacy issues and developments in privacy law in Australia and internationally.

We look at the first half in this edition, with the rest to be considered in the next edition of Insights.

APP 1 – Open and transparent management of personal information

APP 1 requires APP entities to manage personal information in an open and transparent way. This includes APP entities being required:

  • to take reasonable steps to implement practices, procedures and systems relating to the entity's functions or activities that will ensure that it complies with the APPs; and
  • to have a clearly expressed and up-to-date policy about the management of personal information. An entity's privacy policy must contain information about: the kinds of personal information the entity collects; how the entity collects and holds personal information; how an individual may seek access to personal information held by the entity or seek correction of such information; how an individual may complain about a breach of an APP and how the entity will deal with such a complaint; and whether the entity is likely to disclose personal information to overseas recipients and, if so, the countries in which such recipients are likely to be located, if it is practicable to specify those countries (APP 1.4).

APP 1 is based on NPP 5. There is no current equivalent of APP 1 in the IPPs.

APP 2 – Anonymity and pseudonymity

Under APP 2, individuals must have the option of dealing with an APP entity anonymously or through the use of a pseudonym in relation to a particular matter unless:

  • the APP entity is required or authorised by or under an Australian law or a court/tribunal order to deal with individuals who have identified themselves; or
  • it is impracticable for the APP entity to deal with individuals who have not identified themselves.

APP 2 is based on NPP 8. Again, there is no current equivalent of APP 2 in the IPPs.

APP 3 – Collection of solicited personal information

APP 3 applies to personal information solicited by an APP entity. Under it:

  • if an APP entity is an agency, it must not collect personal information (other than sensitive information) unless the information is reasonably necessary for, or directly related to, one or more of the entity's functions or activities; and
  • if an APP entity is an organisation, it must not collect personal information (other than sensitive information) unless the information is reasonably necessary for one or more of the entity's functions or activities.

In relation to sensitive information (currently defined at section 6 of the Privacy Act, and which includes information about racial or ethnic origin, political opinions, religious beliefs, sexual preferences and health information), an APP entity must not collect sensitive information about an individual unless:

  • the individual consents to the collection, and:
    • if the entity is an agency, the information is reasonably necessary for, or directly related to, one or more of the entity's functions or activities; or
    • if the entity is an organisation, the information is reasonably necessary for one or more of the entity's functions or activities; or
  • one of the exceptions at APP 3.4 applies.

Under the APP 3.4 exceptions, an APP entity can in some cases collect sensitive information without the individual's consent, including where the collection is required or authorised by or under an Australian law or a court/tribunal order.

APP 3 is based on IPP 2 and NPP 1.

APP 4 – Dealing with unsolicited information

Where an APP entity receives personal information that it did not solicit, the entity must, within a reasonable period after receiving it, determine whether it could have collected the information under APP 3 had the information been solicited by the entity (APP 4.1).

Where the APP entity determines that it could not have collected the personal information under APP 3, and the information is not contained in a Commonwealth record, it must destroy or de-identify the information as soon as practicable, but only if it is lawful and reasonable to do so (APP 4.3).

If APP 4.3 does not apply to the personal information, then APPs 5-13 apply to the information as if it had been collected under APP 3.

There is no current IPP or NPP equivalent of APP 4.

APP 5 – Notification of collection of personal information

An APP entity collecting personal information about an individual must take reasonable steps to notify the individual of, or otherwise ensure the individual is aware of, the matters set out at APP 5.2, either at or before the time of collection. If that is not practicable, it must do so as soon as practicable after the collection. APP 5 is based on IPP 2 and NPP 1. The matters set out at APP 5.2 are generally the matters currently listed in IPP 2 and NPP 1.

APP 6 – Use and disclosure of personal information

If an APP entity holds personal information about an individual that was collected for a particular purpose, the entity must not use or disclose it for another purpose unless:

  • the individual has consented to the use or disclosure; or
  • the use or disclosure of the information falls within the exceptions in APP 6.2 or 6.3.

APP 6 is based on IPPs 10 and 11 and NPP 2. The exceptions at APP 6.2 and 6.3 are very similar to the exceptions set out at IPPs 10 and 11 and NPP 2.

Next edition we'll look at the remaining APPs and, in particular, their effect on direct marketing.


Disclaimer

Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.