Australian Privacy Laws and Their Importance
Updated: Apr 28, 2019
1. What kind of personal information does the business collect?
2. What will the business use the personal information for?
3. What specific consents does the business obtain from the discloser to use the personal information for certain activities?
4. How is the personal information stored by the business?
5. What measures does the business take to secure the personal information?
6. How can the discloser ensure that their personal information is current and up-to-date?
The Australian Privacy Principles (APPs) give businesses the flexibility to tailor their personal information handling practices to their diverse needs and business models. The Australian Privacy Principles are also technology neutral, applying equally to paper-based and digital environments. The following kinds of businesses in Australia are required to comply with the Australian Privacy Principles:
1. businesses which have a turnover of more than AUD $3 million;
2. businesses which operate in the health industry;
3. businesses which trade in personal information;
4. if your business is related to a larger body corporate that is subject to the Privacy Act, e.g. if it’s a holding company or a subsidiary of another body corporate;
5. if your business is a Commonwealth contracted service provider, which includes sub-contractors, where you provide services to or on behalf of the Australian or Norfolk Island
6. if you are a reporting entity or authorised agent of a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) or its Regulations or Rules;
7. if your business operates a residential tenancy database;
8. if your business carries on a credit reporting business;
9. if your business is an employee association registered or recognised under the Fair Work (Registered Organisations) Act 2009 (Cth);
10. if your business is a protected action ballot agent for a protected action ballot conducted under Part 3-3 of the Fair Work Act 2009 (Cth);
11. if your business is a service provider that is required to comply with the data collection and retention provisions in Part 5-1A of the Telecommunications (Interception and Access) Act 1979 (Cth); and
12. if your business voluntarily opts to comply with the Privacy Act 1988 (Cth).
APP1: Open and transparent management of personal information
APP2: Anonymity and pseudonymity
APP3: Collection of solicited personal information
APP4: Dealing with unsolicited personal information
APP5: Notification of the collection of personal information
APP6: Use or disclosure of personal information
APP7: Direct marketing
APP8: Cross-border disclosure of personal information
APP9: Adoption, use or disclosure of government related identifiers
APP10: Quality of personal information
APP11: Security of personal information
APP12: Access to personal information
APP13: Correction of personal information
Overseas Applicability of the APPs
Any personal information of Australians which is sent overseas to be stored on servers or in data centres will also need to comply with the Australian Privacy Principles. The APPs may also apply to businesses conducted on a worldwide basis which are not Australian based but target various countries, including people in Australia, by collecting their personal information. There are additional factors which need to be considered before concluding whether the Australian Privacy Principles apply to an overseas business.
Reporting Breaches
From 22nd February 2018 onwards, any breach of the personal information stored by an APP entity will need to be reported to the Office of the Australian Information Commissioner (OAIC). Under the current law, government agencies and businesses covered by the Privacy Act are required to notify, as soon as practicable, any individuals affected by a data breach that is likely to result in serious harm. The OAIC must also be notified of such data breaches. Failure to report eligible data breaches will be considered an interference with the privacy of an individual affected by the breach and will result in civil penalties of up to AUD $2.1 million for serious or repeated interferences.
Complying with Overseas Privacy Laws
Australian businesses who collect personal information from customers, clients or end-users located in other countries will need to comply with the privacy laws of all those countries. The European Union’s General Data Protection Regulation (GDPR), which came into effect on 25th May 2018, is an example of the far-reaching consequences of privacy laws for Australian businesses. The GDPR applies to businesses that:
1. are established in the European Union (EU);
2. offer goods or services to EU-based individuals (free or paid), including accepting payment in euros; or
3. monitor EU residents’ behaviour.
The details of the applicability of, and compliance with, the EU GDPR will be dealt with in another article. The best way to ensure your business is in compliance with applicable privacy laws is to contact AJR Lawyers for bespoke advice and services regarding your business.