When organisations collect people’s personal information, they are responsible for the handling and protection of the information, and are bound by the Privacy Act and other privacy laws. The Privacy Act sets out 13 Australian Privacy Principles (APPs).
Who is subject to the APPs?
Both government agencies and private sector organisations meeting certain annual turnover limits need to comply with the APPs. A failure to comply is a breach of the law.
Do you and your employees understand your obligations under the Privacy Act? Privacy compliance training may be an effective way to reduce the risk of breaching the law.
What are the 13 APPs?
The APPs are complex and set various obligations for both employers and employees. Below is a summary to provide guidance on the basic framework of the principles. However, this is simply an outline. It is important that organisations have an in-depth understanding of the APPs and their corresponding obligations.
APP1: Open and transparent management of personal information
Under APP1, organisations must have a clear and up-to-date privacy policy, and take additional steps in relation to complaints handling.
APP2: Anonymity and pseudonymity
Under APP2, individuals may choose to remain anonymous or use a pseudonym (alternative name) when transacting with an organisation. However, this only applies in certain circumstances.
APP3: Collection of solicited personal information
Under APP3, organisations must be aware of the restrictions imposed on collection, use, and disclosure of sensitive information.
APP4: Dealing with unsolicited personal information
Under APP4, organisations must take certain steps when receiving personal information that they did not request.
APP5: Notification of the collection of personal information
Under APP5, organisations need to notify customers about various details surrounding the collection of their personal information.
APP6: Use and disclosure of personal information
Under APP6, organisations are subject to restrictions on how the personal information they collect can be used and disclosed.
APP7: Direct marketing
Under APP7, organisations must refrain from using and disclosing personal information for direct marketing purposes, unless an exception applies.
APP8: Disclosing personal information overseas
Under APP8, organisations must take certain steps prior to disclosing personal information to an overseas recipient.
APP9: Adoption, use or disclosure of government-related identifiers
Under APP9, organisations are subject to strict requirements surrounding collection, recording, use and disclosure of government-related identifiers such as tax file numbers.
APP10: Quality of personal information
Under APP10, organisations must ensure that personal information in their possession is accurate, complete, up-to-date and relevant for any purpose for which it is disclosed.
APP11: Security of personal information
Under APP11, organisations must take reasonable steps to protect information from a range of issues including loss, interference, and unauthorised disclosure.
APP12: Access to personal information
Under APP12, organisations must provide access to a customer’s information in certain situations, such as where the customer makes a request for access.
APP13: Correction of personal information
Under APP13, organisations must correct personal information held on record; allowing incorrect or poor-quality information to remain on record may be a breach of this APP.
Where to from here?
The Office of the Australian Information Commissioner (OAIC) administers the Privacy Act, and offers this advice to businesses wanting to safeguard people’s privacy:
- Only collect necessary information.
- Tell people what their information will be used for and give them access to it if they request it…
- Store personal information securely, and keep it accurate and up to date.
- Consider making someone in your organisation responsible for privacy.
The penalties for non-compliance with privacy legislation range from significant fines to imprisonment. Businesses breaching privacy laws also risk loss of reputation and significant brand damage.
Online compliance training can provide an effective method for ensuring that all employees within an organisation understand their responsibilities under applicable privacy laws, including the APPs. It allows businesses to tailor the training content in a learning management system and to track the progress of staff across different areas of privacy knowledge.
Note: Additional responsibilities for Victorian public sector organisations and those contracting with the Victorian Government
For public sector organisations in Victoria, or organisations that enter into a contract with the Victorian Government, further privacy laws apply. A separate summary sets out the additional responsibilities imposed on these organisations.