What are the Australian Privacy Principles and do I need to comply with them?
13 March 2023
The Privacy Act
In Australia, the Privacy Act 1988 (Cth) regulates how personal information is handled by Australian Government agencies and businesses.
Does my business need to comply with the Privacy Act?
The Privacy Act applies to most Australian Government agencies, all private-sector and not-for-profit organisations with an annual turnover of more than AUD 3 million, as well as some smaller businesses that handle certain types of personal information, such as health information. Some organisations may be exempt from certain provisions of the Act if they fall under specific categories, such as political parties or religious organisations. For organisations that are covered by the Act, compliance is mandatory.
What are the APPs?
The APPs (Australian Privacy Principles) are a set of guidelines that govern the collection, use, and disclosure of personal information by organisations that are required to comply with the Privacy Act. The APPs aim to protect individuals' privacy by ensuring that organisations are accountable for the personal information they collect and use, and that individuals have control over their personal information. There are 13 principles in total:
APP 1: Open and transparent management of personal information
Organisations must have clear and transparent policies and procedures for managing personal information.
APP 2: Anonymity and pseudonymity
Individuals have the option to remain anonymous or use a pseudonym when dealing with an organisation.
APP 3: Collection of solicited personal information
Personal information must only be collected if it is reasonably necessary for the organisation's functions or activities.
APP 4: Dealing with unsolicited personal information
If an organisation receives unsolicited personal information, it must determine whether the information could have been lawfully collected and whether it is needed for its functions or activities.
APP 5: Notification of the collection of personal information
Individuals must be notified about the collection of their personal information, including the purposes for which it will be used.
APP 6: Use or disclosure of personal information
Personal information can only be used or disclosed for the purposes for which it was collected, unless an exception applies.
APP 7: Direct marketing
Organisations must give individuals the option to opt out of receiving direct marketing communications.
APP 8: Cross-border disclosure of personal information
Organisations must take reasonable steps to ensure that personal information sent overseas is protected by privacy laws similar to Australia's.
APP 9: Adoption, use or disclosure of government-related identifiers
Organisations cannot adopt, use or disclose government-related identifiers (e.g., driver's licence numbers) unless it is necessary to fulfil their functions or activities.
APP 10: Quality of personal information
Organisations must take reasonable steps to ensure that personal information collected is accurate, up-to-date, and complete.
APP 11: Security of personal information
Organisations must take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure.
APP 12: Access to personal information
Individuals have the right to access their personal information and request corrections if necessary.
APP 13: Correction of personal information
If an individual's personal information is incorrect, the organisation must take reasonable steps to correct it.
What happens if my business does not comply with the APPs?
Failing to comply with the Australian Privacy Principles (APPs) can result in penalties and other enforcement measures under the Privacy Act 1988 (Cth). The penalties and enforcement measures that may apply include:
Reprimands: The Privacy Commissioner may issue a reprimand to an organisation that has breached the APPs.
Enforceable undertakings: The Privacy Commissioner may accept a written undertaking from an organisation to take specific actions to address a breach of the APPs. If the organisation fails to comply with the undertaking, the Commissioner may apply to the Federal Court or Federal Circuit Court for an order to enforce it.
Civil penalties: An organisation that breaches certain provisions of the Privacy Act may be subject to civil penalties of up to AUD 2.1 million for companies and AUD 420,000 for individuals per breach. The maximum penalty amounts may be increased in certain circumstances, such as where the breach is intentional or the organisation has previously been penalised for similar breaches.
Injunctions: The Federal Court or Federal Circuit Court may grant an injunction to prevent an organisation from engaging in conduct that breaches the APPs.
It is important to note that the specific penalty or enforcement measure that may apply in a particular case will depend on the nature and severity of the breach, as well as other factors such as the organisation's compliance history and willingness to cooperate with the Privacy Commissioner.