Aditya Joseph (AJ)

Australian Privacy Laws and Its Importance

Updated: Apr 28, 2019

Australia has a uniform, over-arching privacy law legislated by the federal government, which is laid down in the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) made pursuant to the statute. If a business in any way collects, uses or discloses personal information of its customers or of people engaged with its business, then it is always recommended that the business have a privacy policy. The aim of the Australian Privacy Principles is to foster transparent information handling practices and business accountability around data handling. A privacy policy in essence informs the discloser about how the business collects, secures, uses and discloses personal information. Privacy policies, among other things, are required to inform the discloser about:

1. What kind of personal information does the business collect?

2. What will the business use the personal information for?

3. Specific consents sought from the discloser to utilise the personal information for certain activities.

4. How is the personal information stored by the business?

5. What measures does the business take to secure the personal information?

6. Methods by which the discloser can ensure that their personal information is current and up-to-date.

The Australian Privacy Principles provide businesses with the flexibility to tailor their personal information handling practices to their diverse needs and business models. The Australian Privacy Principles are also technology neutral, applying equally to paper-based and digital environments. The following kinds of businesses in Australia are required to comply with the Australian Privacy Principles:

1. businesses which have a turnover of more than AUD $3 million;

2. businesses which operate in the health industry;

3. businesses which trade in personal information;

4. if your business is related to a larger body corporate that is subject to the Privacy Act, e.g. if it’s a holding company or a subsidiary of another body corporate;

5. if your business is a Commonwealth contracted service provider, which includes sub-contractors, where you provide services to or on behalf of the Australian or Norfolk Island government agencies;

6. if you are a reporting entity or authorised agent of a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) or its Regulations or Rules;

7. if your business operates a residential tenancy database;

8. if your business carries on a credit reporting business;

9. if your business is an employee association registered or recognised under the Fair Work (Registered Organisations) Act 2009 (Cth);

10. if your business is a protected action ballot agent for a protected action ballot conducted under Part 3-3 of the Fair Work Act 2009 (Cth);

11. if your business is a service provider that is required to comply with the data collection and retention provisions in Part 5-1A of the Telecommunications (Interception and Access) Act 1979 (Cth); and

12. if your business voluntarily opts to comply with the Privacy Act 1988 (Cth).

Notwithstanding the different applicable legal thresholds mentioned above, it is an accepted fact that when a business has a privacy policy, it instils a lot of trust and confidence in its customers. This notion of trust is extremely important in today’s context, when we consider the extensive misuse of personal information by various businesses, including those whose business model is about providing a service where they utilise that very service to collect intricate personal information from their customers. This method of collection creates a huge reservoir of data, ranging from basic information like names, addresses, email IDs, phone numbers, etc. to more sophisticated data such as people’s online browsing patterns, individuals’ likes and dislikes, etc. So in order to keep up with the current trends of technology and not to lose the trust reposed by people, it is imperative for businesses to have a privacy policy for their customers on their website, and offline when engaging with them.

When a privacy policy is created for a business, the Australian Privacy Principles should be carefully observed, including the specific requirements laid down in each of the principles below:

APP1: Open and transparent management of personal information

APP2: Anonymity and pseudonymity

APP3: Collection of solicited personal information

APP4: Dealing with unsolicited personal information

APP5: Notification of the collection of personal information

APP6: Use or disclosure of personal information

APP7: Direct marketing

APP8: Cross-border disclosure of personal information

APP9: Adoption, use or disclosure of government related identifiers

APP10: Quality of personal information

APP11: Security of personal information

APP12: Access to personal information

APP13: Correction of personal information

APPs’ overseas applicability

Any personal information of Australians which is sent overseas to be stored on servers or in data centres will also need to comply with the Australian Privacy Principles. The APPs may also apply to businesses conducted on a world-wide basis which are not Australian based but target various countries, including people in Australia, by collecting their personal information. Also, there are additional factors which need to be considered before concluding whether the Australian Privacy Principles apply to an overseas business.

Reporting Breaches

From 22nd February 2018 onwards, any breaches of the personal information stored by an APP entity will need to be reported to the Office of the Australian Information Commissioner (OAIC). Under the current law, government agencies and businesses covered by the Privacy Act are required to notify, as soon as practicable, any individuals affected by a data breach that is likely to result in serious harm. The OAIC must also be notified of such data breaches. Failure to report eligible data breaches will be considered to be an interference with the privacy of an individual affected by the breach and will result in civil penalties of up to AUD $2.1 million for serious or repeated interferences.

Complying with Overseas Privacy Laws

Australian businesses that collect personal information from customers, clients or end-users located in other countries will need to comply with the privacy laws of all those countries. The European Union’s recent General Data Protection Regulation (GDPR), which came into effect on 25th May 2018, is an example of the far-reaching consequences of privacy laws on Australian businesses. The GDPR applies to businesses that:

1. are established in the European Union (EU);

2. offer goods or services to EU-based individuals (free or paid), including accepting payment in euros; or

3. monitor EU residents’ behaviour.

The details of the applicability of and compliance with the EU GDPR will be dealt with in another article. The best way to ensure your business is in compliance with applicable privacy laws is to contact AJR Lawyers for bespoke advice and services regarding your business.
