The 13 Australian Privacy Principles (APPs) commenced on 12 March 2014, replacing the National Privacy Principles that previously applied to private-sector organisations and the Information Privacy Principles that applied to Commonwealth agencies. The APPs apply to APP entities, which are agencies and organisations.

The principles set out how personal information must be collected, used, held and protected by APP entities. They were inserted into the Privacy Act 1988 by the Privacy Amendment (Enhancing Privacy Protection) Act 2012. In this article, we'll provide a breakdown of each of the 13 Australian Privacy Principles.

What are the 13 Privacy Principles?

1. Open and Transparent Management of Personal Information

This principle requires APP entities to manage personal information in an open and transparent way. An entity must take reasonable steps to implement practices, procedures and systems that ensure it complies with the APPs and with any registered APP code that binds it, and that enable it to deal with inquiries or complaints from individuals about that compliance. An entity must also have a clearly expressed and up-to-date privacy policy about how it manages personal information. This policy must include the following information:
APP entities must make their privacy policy available free of charge and in an appropriate form. If a person or body requests a copy of the policy in a particular form, the entity must take reasonable steps to provide it in that form.

2. Anonymity and Pseudonymity

Individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with an APP entity in relation to a particular matter. There are two circumstances in which this does not apply: where the entity is required or authorised by an Australian law, or by a court or tribunal order, to deal only with individuals who have identified themselves; and where it is impracticable for the entity to deal with an individual who has not identified themselves.

3. Collection of Solicited Personal Information

An agency must not collect personal information (other than sensitive information) unless the information is reasonably necessary for, or directly related to, one or more of its functions or activities. An organisation must not collect such information unless it is reasonably necessary for one or more of its functions or activities. Sensitive information attracts a stricter rule: an APP entity must not collect it unless the individual consents and, in the case of an agency, the information is reasonably necessary for or directly related to one of its functions or activities, or, in the case of an organisation, it is reasonably necessary for one of its functions or activities. The consent requirement is displaced only where an exception set out in the principle applies, such as collection that is required or authorised by an Australian law.
4. Dealing with Unsolicited Personal Information

If an APP entity receives personal information it did not solicit, it must determine, within a reasonable period, whether it could have collected that information under principle 3 had it solicited it. That determination decides what the entity may do with the information. If the entity concludes that it could not have collected the information under principle 3, and the information is not contained in a Commonwealth record, it must destroy the information or ensure that it is de-identified as soon as practicable, but only if it is lawful and reasonable to do so. If it could have collected the information, the remaining principles apply to it as if the entity had solicited it.

5. Notification of the Collection of Personal Information

When an APP entity collects personal information about an individual, it must take reasonable steps, at or before the time of collection or, if that is not practicable, as soon as practicable afterwards, to notify the individual of the following matters, or otherwise to ensure the individual is aware of them:
6. Use or Disclosure of Personal Information

Personal information that an APP entity holds because it collected it for a particular purpose (the primary purpose) must not be used or disclosed for another purpose (a secondary purpose). There are two exceptions that allow use or disclosure for a secondary purpose. These are:

Subclause 6.2 states that personal information can be used or disclosed in the following situations:

Subclause 6.3 allows an agency to disclose personal information about an individual in the following circumstances:

In short, an APP entity may use or disclose personal information only for the purpose for which it was collected, unless the individual has consented to another purpose. The most commonly relied-on exception is that the individual would reasonably expect the entity to use or disclose the information for the secondary purpose, and that the secondary purpose is related to the primary purpose (or, for sensitive information, directly related to it).

Under subclause 6.3, an agency that is not an enforcement body may also disclose biometric information or biometric templates to an enforcement body, provided the disclosure is conducted in accordance with guidelines made by the Commissioner. This principle does not apply to an organisation's use or disclosure of personal information for direct marketing, or to the use or disclosure of government-related identifiers; those are governed by principles 7 and 9 respectively.

7. Direct Marketing

An organisation that holds personal information about an individual must not use or disclose it for direct marketing unless an exception applies. The exceptions include the following:
The individual must be able to request not to receive direct marketing communications, the organisation must provide a simple means of making that request, and it must not charge for it.

8. Cross-border Disclosure of Personal Information

Before an APP entity discloses personal information to an overseas recipient, it must take reasonable steps to ensure that the recipient does not breach the Australian Privacy Principles (other than principle 1) in relation to that information. An overseas recipient is a person or entity that is not in Australia or an external territory and is neither the APP entity itself nor the individual. There are several exceptions to this obligation, which include the following:

One exception applies where the entity reasonably believes that the recipient is subject to a law, or a binding scheme, that protects the information in a way that is at least substantially similar to the way the APPs protect it, and the individual can access mechanisms to enforce that protection. The entity is likewise exempt if the individual consents to the disclosure after being expressly informed that the reasonable-steps obligation will not apply, or if the disclosure is required or authorised by an Australian law or by a court or tribunal order.

9. Adoption, Use or Disclosure of Government-Related Identifiers

An organisation must not adopt a government-related identifier of an individual as its own identifier of that individual unless an exception applies, namely that the adoption is required or authorised by an Australian law or by a court or tribunal order. An organisation is also prohibited from using or disclosing an individual's government-related identifier unless an exception applies. The exceptions that can apply include the following:
10. Quality of Personal Information

An APP entity must take reasonable steps to ensure that the personal information it collects is accurate, up-to-date and complete, and that the personal information it uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up-to-date, complete and relevant.

11. Security of Personal Information

An APP entity that holds personal information must take reasonable steps to protect it from misuse, interference and loss, and from unauthorised access, modification or disclosure. Furthermore, the entity must take reasonable steps to destroy the information, or to ensure that it is de-identified, if the following conditions apply:
12. Access to Personal Information

An APP entity that holds personal information about an individual must, on request, give the individual access to that information. However, exceptions apply to both agencies and organisations. The exceptions for agencies include the following:

Organisations can refuse an individual's request for access to personal information in the following circumstances:
13. Correction of Personal Information

If an APP entity holds personal information about an individual and is satisfied, having regard to the purpose for which the information is held, that it is inaccurate, out-of-date, incomplete, irrelevant or misleading, or the individual asks the entity to correct it, the entity must take reasonable steps to correct the information. If the entity corrects information that it has previously disclosed to another APP entity, and the individual asks it to, it must take reasonable steps to notify that other entity of the correction. If an APP entity refuses to correct information, it must give the individual written notice setting out the reasons for the refusal (except to the extent that it would be unreasonable to do so) and the mechanisms available to complain about the refusal. An agency must respond to a correction request within 30 days of it being made, whereas an organisation must respond within a reasonable period.

What is an APP entity?

Under section 6 of the Privacy Act 1988, an APP entity is an agency or an organisation.

Conclusion

These 13 principles are essential reading for any business, company or organisation that handles individuals' personal information. Privacy is taken seriously under Australian law, and the penalties for non-compliance can be severe.