ARA Australian Retailers Association
    Hitch Advisory

    Privacy Compliance in Australia

    • Tuesday 3 May 2022
    Support Legal

    Privacy regulations in Australia can often be subject to change and it is important for businesses to ensure compliance with their obligations as they evolve. In this article, we have outlined a brief guide for compliance in some key areas of Australia’s privacy sphere.  

    Privacy Act

    The Privacy Act 1988 (Cth) (the Act) is responsible for much of the privacy regulation in Australia. As such, it is important to understand some key concepts from the Act in order to understand its effect on your business.  

    The Act is primarily concerned with the behaviour of “APP Entities”. This term typically refers to a legal entity that: 

    • generates more than $3M in turnover annually; 
    • is a private sector health service provider; 
    • buys or sells personal information; or 
    • is a contracted service provider for an Australian Government contract. 

    For a regular APP entity, the primary form of information regulated by the Act is referred to as “personal information”. This can include, but is not limited to, an individual’s: 

    • name, address, phone number, or DOB; 
    • credit information; 
    • photographs; 
    • employee record information; 
    • IP addresses; or 
    • location information. 

    Typically, where an APP Entity has collected an individual’s personal information, they will only be permitted to use it for: 

    1. the purpose for which it was originally collected;  
    2. a related purpose that the individual would reasonably expect; or  
    3. any other purpose that the individual has consented to.  

    Privacy Policy

    It is crucial that any APP Entity maintains a current and compliant privacy policy. This is effectively a guide to how that entity will handle and store personal information.   

    A privacy policy should be written in plain English and should include the following details: 

    • Business name and contact details. 
    • How/what personal information will be collected and stored. 
    • Why the entity needs to collect personal information. 
    • How people can access their personal information. 
    • The entity’s complaint lodgement process.
    • If personal information is likely to be disclosed outside Australia (and where).  

    To ensure compliance, privacy policies should be regularly updated, particularly after any significant changes to the entity’s business practices.  

    Sending Information Overseas

    Where an APP Entity wishes to disclose information to an overseas recipient, it must take reasonable steps to ensure that the overseas recipient complies with the Australian Privacy Principles (APPs).  

    Some foreign countries or regions have strict privacy regulations that closely align with the APPs, such as the EU’s “General Data Protection Rules”. As such, when disclosing information to parties in these regions, it is important to ensure that the privacy regulations relevant in Australia are diligently followed in order to ensure that the risk of non-compliance with, for example, the GDPR is minimised. 

    However, if disclosing information to a foreign country with less regulation, extra steps should be taken to ensure compliance (such as direct contracts with the receiving party that require their compliance with the APPs).  

    Direct Marketing 

    The Act also stipulates additional requirements for any APP Entity wishing to use personal information for direct marketing. These requirements vary depending on the circumstances of the data collection.

    If an individual would reasonably expect that their personal information would be used for direct marketing, the information can be used for that purpose by the party that collected the information, although the individual must be given a clear “opt out” option (a common example is an ‘unsubscribe’ option in the footer of any electronic direct mail/emails).

    However, if: 

    1. an APP Entity collects information from a third party; or  
    2. the individual would not reasonably expect their information to be used for direct marketing,

    the APP Entity must gain the consent of the individual before using the information for direct marketing. In these circumstances, the APP Entity must also take additional steps to ensure that the individual is aware of their ability to “opt out”.  

    The use of an individual’s personal information is significantly affected by what that individual may “reasonably expect”. The easiest way to ensure that an APP Entity satisfies this requirement is by: 

    1. ensuring that their privacy policy adequately describes their intended uses of information; and  
    2. issuing a notice to individuals when collecting personal information that sets out their intended uses of the information and allows them to positively consent.  

    Wrapping Up

    The above points represent a snapshot of the regulations that govern information handling practices in Australia. However, there are many other ways in which these regulations could impact on your business’s operations. 
