The Australian Privacy Act 1988: What You Need to Know
What is the Australian Privacy Act 1988 and how does it apply to you and your business?
The Australian Privacy Act of 1988 is an act which helps to protect the privacy of the individual by regulating how personal data is collected, used, disclosed, processed and stored. Personal data is defined as any information which can identify or be traced back to the individual, such as a full name, email address, or home address.
It applies to most Australian, Australian Capital Territory and Norfolk Island government agencies, as well as any private or not-for-profit organizations with an annual turnover of $3 million or more, all private health service providers and some small businesses.
Who it Applies to
As stated above, the Australian Privacy Act applies to most Australian and Norfolk Island government agencies, organizations with an annual turnover of $3 million or more, private health service providers and some small businesses.
Under the Privacy Act an organization is any of the following:
- an individual or sole trader
- a corporate body
- a partnership
- any other unincorporated association
- a trust
The caveat is that an entity in one of these categories is not covered if it is a small business operator, a registered political party, a state or territory authority or a prescribed instrumentality of a state.
Small businesses and the Privacy Act
Some small businesses with an annual turnover of less than $3 million are affected by the Privacy Act. These include:
- health service providers such as medical practitioners, pharmacists, private hospitals, naturopaths, chiropractors, gyms and weight loss centers, child care centers, and private schools and tertiary institutions
- any business that sells or purchases personal information
- a credit reporting body, which is any organization that gives information about the creditworthiness of an individual to another organization
- a business that has opted in to the Privacy Act (small businesses can choose to opt in, which helps them gain customers' trust)
- any business that is related to a business which is covered by the Privacy Act
- a business prescribed by the Privacy Regulation 2013
Some small businesses that don't meet the above requirements have also opted to comply with the Australian Privacy Act, as this increases customers' confidence and trust in them.
The Australian Privacy Principles (APPs)
There are 13 Australian Privacy Principles, or APPs, under the Federal Privacy Act 1988, which outline how personal information needs to be handled in Australia. The principles are legally binding and cover how and why a business collects data, the use and disclosure of personal information, and how the individual can access their personal information and have it updated if it is incorrect.
The 13 Australian Privacy Principles are:
- APP 1: Open and transparent management of personal information
- APP 2: Anonymity and pseudonymity
- APP 3: Collection of solicited personal information
- APP 4: Dealing with unsolicited information
- APP 5: Notification of the collection of personal information
- APP 6: Use or disclosure of personal information
- APP 7: Direct marketing
- APP 8: Cross-border disclosure of personal information
- APP 9: Adoption, use or disclosure of government related identifiers
- APP 10: Quality of personal information
- APP 11: Security of personal information
- APP 12: Access to personal information
- APP 13: Correction of personal information
APP 1: Open and transparent management of personal information
Australian Privacy Principle 1 outlines that you need to manage personal information in an “open and transparent” way. This includes making clear to your users:
- what personal information you collect
- how you collect the personal information
- your purposes for collecting, holding, using or disclosing personal information
- how your users can access and amend the personal information you have
- how your users can make a complaint about a suspected breach of privacy laws
- whether you disclose personal information overseas and if so where
APP 2: Anonymity and pseudonymity
The second Australian Privacy Principle gives individuals the option of using a pseudonym or of not identifying themselves at all. However, these options are not required when it is impractical to deal with individuals who haven't identified themselves, or when identification is required by law.
Measures that could be applied to websites and online services are:
- posting that individuals may use the service without the need for disclosing personal information
- allowing pseudonyms to be used in place of names in the comment section
- allowing contact forms without the need for a name or address from the user
APP 3: Collection of solicited personal information
Australian Privacy Principle number 3 outlines when and how you can collect personal information from your users. The requirements are as follows:
- personal information may only be collected for purposes that are “reasonably necessary” to the functioning of your website or business
- personal information that is collected must relate to at least one of the business functions
- sensitive information may only be collected with the individual's consent or where an exception applies
- personal information must be collected by lawful and fair means, and directly from the individual unless the organization has requested the personal information from another entity
What is considered reasonably necessary personal information can be determined by what activity the personal information has been collected for and whether or not the activity could be carried out without the personal information. For example, it would not be reasonably necessary for you to request your users' bank details in order to send them a free sample, but it would be reasonably necessary to collect them in order to process a purchase request.
Whether personal information relates to at least one business function can be determined by whether or not there is a clear connection between the information that you are requesting and the activity it will be used for. For example, the date of birth of your user would not be necessary in order for you to process a payment on your website, but it would be necessary if you offered a birthday bonus through your business.
Sensitive information is treated differently from other personal information. Examples of sensitive information are race, sexual orientation and criminal history.
APP 4: Dealing with unsolicited personal information
Unsolicited personal information can be defined as any personal information that has been received by you without your request. The fourth Australian Privacy Principle requires that you destroy or de-identify unsolicited personal information unless you could have collected this information under APP 3. The unsolicited personal information must be destroyed or de-identified as quickly as is “practicable”.
APP 5: Notification of collection of personal information
The fifth Australian Privacy Principle requires that, when you collect personal information, you notify the individual of:
- your identity and contact details
- how you collect personal information
- why personal information is collected
- what the personal information is used for
- how the personal information is kept secure
- any disclosure to third parties of personal information
- whether you disclose personal information overseas
- consequences if personal information is not collected
APP 6: Use or disclosure of personal information
The sixth Australian Privacy Principle states that personal information may only be used for the purpose for which you collected it. If you wish to use it for another purpose, one of the following must apply:
- the individual has consented to the secondary purpose
- the secondary purpose is one that the individual would reasonably expect you to use their information for
- the secondary purpose is required by law
- the secondary purpose is in relation to a permitted health situation
- you believe that the secondary use is necessary in relation to the activities carried out by your website
APP 7: Direct marketing
According to Australian Privacy Principle 7, you may only use personal information for the purpose of direct marketing in these circumstances:
- the individual consents to their personal information being used for direct marketing
- the individual would reasonably expect that their personal information would be used for the purpose of direct marketing
- you provide a simple way for your user to opt out of direct marketing, and
- your user has not chosen to opt out
In the case of sensitive information, the only time you may use this information in relation to direct marketing is with the consent of the individual.
APP 8: Cross-border disclosure of personal information
This Australian Privacy Principle requires that, prior to disclosing any of your users' personal information to an overseas recipient, you take measures to ensure that the recipient does not breach any of the Australian Privacy Principles in relation to that information.
Any personal information that you disclose to an overseas recipient must be disclosed only for the purpose for which it was originally collected.
APP 9: Adoption, use or disclosure of government related identifiers
The ninth Australian Privacy Principle states that you may not adopt, use or disclose a government related identifier unless an exception applies.
A government related identifier is any number, letter or symbol, or combination of these, that can be used to identify or verify the identity of a person.
A person's name and an Australian Business Number (ABN) are not government related identifiers.
APP 10: Quality of personal information
Australian Privacy Principle 10 requires you to take reasonable steps to ensure that the personal information you collect, use and disclose is correct, up to date, complete and relevant.
Information that is correct is defined as: personal information that contains no errors and is not misleading. Correct information is factual and is not an opinion or advice.
Information that is up to date is defined as: facts and information that are current and have not been superseded by a new event.
Information that is complete is defined as: information that presents a true and full picture.
Information that is relevant is defined as: information that has a bearing upon or connection to the purpose for which it was collected or disclosed.
It is advised that you check the information you hold regularly to ensure that it still meets the above requirements.
APP 11: Security of personal information
The 11th Australian Privacy Principle states that you must take reasonable steps to protect personal information that you store from misuse, interference, loss, and from unauthorized access, modification and disclosure.
There are a number of security measures that you can undertake to meet this requirement. Which ones are appropriate depends on the size of your business, but they could include some of the following:
- keeping documents containing personal information in locked drawers or cabinets
- placing access restrictions on documents or electronic systems
- placing computer screens out of view of others
- limiting the use of portable storage devices
- using encryption measures
- encrypting emails which contain personal information
- having confidentiality clauses in agreements with others who have access to personal information
- having security measures in place on your website, such as HTTPS (Hypertext Transfer Protocol Secure)
- understanding how a third-party provider handles, stores and deals with personal information
This Privacy Law also requires that you do not hold onto personal information for longer than is required for a lawful business purpose. You need to destroy or de-identify any personal information that you no longer require.
APP 12: Access to personal information
Australian Privacy Principle 12 requires that you give a person access to the personal information you hold about them upon their request. You need to respond to that request in a “reasonable” time frame and also take care not to disclose any third-party information when disclosing the information.
There are certain circumstances in which you can refuse an individual's request for their personal information, such as where providing the information would be considered unlawful. If you do refuse disclosure of personal information, then you are required to give written notice to the person and include the reason for the refusal.
APP 13: Correction of personal information
The final Australian Privacy Principle outlines your obligations with regards to correcting the personal information you hold about your users.
If an individual shows that the personal information you hold on them is inaccurate, out of date, incomplete or irrelevant, then you must take reasonable steps to correct the information you have and also notify any third parties you may have shared this information with, if any.
If you have reason to believe that the proposed correction is itself inaccurate and therefore refuse to correct the information, then you must provide the individual with written reasons for the refusal. Include in your response how they may make a complaint, and also a statement that the individual claims the information is incorrect or incomplete.
You are required to make it clear to your users how they may contact you in order to access and correct their personal information.
Best Compliance Practices
To ensure your business or website is complying with the Australian Privacy Act of 1988 here are some best compliance practices you can follow:
Collection of Personal Information
Only collect the personal information that is necessary for you to be able to complete the functions of your website or business. For example, if your website runs a monthly email newsletter but doesn't sell any products that need to be shipped to your customers, you only require email addresses from your users, not their full names or street addresses.
Ensure that any personal information that you collect has been obtained by “lawful and fair means”. Do not obtain users' personal data through means that would be considered illegal or deceptive.
Only collect personal information directly from the person it relates to and not from a third party, unless this is impossible to do.
Be clear about how you will be using the personal information which you have obtained from your users.
Getting consent from your users when obtaining their personal information is good practice. Consent when obtaining sensitive or health related personal information is a requirement.
Consent must comply with the following:
- the individual being informed before giving consent
- the consent is given voluntarily
- the consent is relating to current and specific circumstances
- the individual needs to have the capacity to understand and communicate their consent to you.
Disclosing personal information overseas
Before you disclose any personal data to an overseas recipient, you are required to make your best effort to ensure that the overseas recipient is held to the Privacy Act (see APP 8).
Overseas partners who are located in the United States, the United Kingdom, Canada and Europe are usually safe. These countries all have strict privacy laws which comply with what's required by the Australian Privacy Act of 1988.
Your users may need to reach out to you for information, to send requests, to make a complaint or to request a correction of their personal information. For this reason you must ensure that your contact information is easily available to your users. Make the following information easy for your users to find:
- your business name and contact details
- what personal data you collect
- how you collect personal data
- why you collect personal data
- how you use the personal data you collect
- whether you disclose the personal data to third parties, and if so which third parties
- whether you disclose personal data outside of Australia, and if so which countries you disclose it to
- how your users can access their personal data
- how your users can lodge a complaint if they think you have mishandled their personal data