The Key Principles of Australia’s Privacy Act

The Privacy Act of Australia was finalized in 1988 and provides information about the privacy rights of individuals. This Act also reveals the commitment of Australian government agencies and organizations to keeping individuals' private information safe and secure.

The Personal Privacy Act includes 13 Australian Privacy Principles (APPs), which apply to specific economic sector organizations and most Australian federal government firms. These are jointly described as APP entities. The Personal Privacy Act also controls the individual privacy component of non-mortgage consumer debt reporting systems, tax file numbers, health and wellness information, and clinical study data.

To successfully comply with Australia's privacy law, let's dig deeper!

Who has rights under Australia's Privacy Act?

The Personal Privacy Act of Australia controls the way personal information is handled.

As an individual, the Personal Privacy Act provides you with greater control over how your individual information is managed. The Privacy Act allows you to:

  • Recognize why your information is being collected, how it will be used, and who it will be divulged to.
  • Have the choice to not identify yourself or to use a pseudonym.
  • Request access to your details (including your health and wellness details).
  • Halt unwanted direct marketing.
  • Ask for incorrect information to be corrected.
  • Make a grievance concerning an organization or company covered by the Privacy Act if you think it has mishandled your information.

Who has responsibilities under the Privacy Act?

Australian government agencies have an annual turnover of more than $3 million, which means they must fulfill specific responsibilities. The Privacy Act of Australia outlines these responsibilities and duties; however, they are subject to some exceptions.

It is important to remember that Australia's Privacy Act directly applies to government and private sector organizations. The term "organization" is defined by the Australian Privacy Act.

What is an organization?

According to the Australian Privacy Act, an organization includes the following:

  • Any single entity, such as an individual or a sole trader. However, the individual will not be considered an organization if he/she acts in their own capacity and does not have much exposure to the outside world.
  • An association
  • A trust

Are small businesses covered?

This is a fundamental question because many small businesses and startups want to understand and follow the Australian Privacy Act rules and regulations.

The answer to this question is that the Australian Privacy Act covers all small businesses with an annual turnover equal to or less than $3 million.

Significant Principles of the Australian Privacy Act

The key principles covered by the Act include data security and privacy. These principles are known as Australian privacy principles or APPs and include the following concepts:

  • The Australian Privacy Act’s primary rule is openness and transparency. Without transparency, an organization cannot be considered compliant with the Australian Privacy Act. Openness and transparency mean providing any relevant information about how an organization will utilize customers' data.
  • Solicited and unsolicited personal information requires very careful handling by the organizations.
  • Australian privacy principles also cover correction of personal data whenever a mistake is found.

The above image summarizes 13 Australian privacy principles as described by the Australian Privacy Act

These principles are intended to allow organizations to make adequate adjustments to follow the security procedures based on their specific business needs and customers' demands. The consequences of not following these Australian privacy principles are quite reasonable, and an organization may face various legal issues if it is found non-compliant.

Let's discuss some of the Australian privacy principles in detail.

1. Anonymity and pseudonymity

According to this principle, it is the individual’s decision to reveal their identity. If the individual does not want to identify themselves, they can choose anonymity. On the other hand, pseudonymity is when the individual chooses to use a constant identifier or fake name instead of their real name.

2. Collection of solicited personal information

Organizations do not have the right to collect personal information unless the information is required for necessary reasons. For this purpose, organizations must mention that the sensitive information will be used for a lawful reason. No matter how necessary it is to collect sensitive information, it cannot be contained and utilized without the individual's consent.

Moreover, the means of personal information collection should also be legitimate and fair. It simply means that an organization should collect the information directly from the individual and not from other sources.

3. Notification of the collection of personal information

According to the Australian Privacy Act, it is the organization's responsibility to notify the individual about the collection of personal information. In other words, the individual should know that the data is being collected. If the individual is not aware of such activity, the organization may face legal consequences.

4. Use or disclosure of personal information

If information was collected from an individual for a particular purpose, the organization can utilize that information for only that purpose. Otherwise, the individual has a right to take legal action. Australia's Privacy Act defines the main purpose of utilizing information as the primary purpose. In contrast, if information is used for another purpose separate from the initial purpose, it is known as a secondary purpose.

Organizations do not have any right to use the information for secondary purposes, unless they have received approval from the individual.

An entity or organization must take reasonable steps to ensure that information is de-identified if it is unlawfully collected or is no longer being used.

5. Direct marketing

Information taken from an individual by an organization should not be used for marketing purposes. The Australian Privacy Act has stringent rules and regulations regarding this practice. Remember that an act or practice of an agency is observed as the act or practice of an organization.

But, there is an exception: an organization can share information if it is not sensitive and the individual has no objection to sharing such information. Sometimes, while providing personal information to a marketing agency or business, the individual already knows that there are chances of disclosing this information for marketing purposes. If the individual does not request keeping the information de-identified and hidden, the marketing agency or organization can utilize it.

6. Cross-border disclosure of personal information

Sometimes an entity discloses the personal information of an individual who does not live in Australia. At this stage, we call such a person or entity an overseas recipient.

State government data protection legislation

Some states have their own data protection legislation, so this Australian Privacy Act is not equally applicable to all parts of Australia. Instead, other privacy acts cover the Northern Territory, Australian Capital Territory, Tasmania, and Victoria.

After going through the basic details of the Australian Privacy Act and the principles that it covers, it has become evident that the Australian government has stringent policies regarding the privacy of customers and ordinary people. Organizations can face severe consequences and legal troubles if they are non-compliant with Australian privacy laws.

The Australian Privacy Act originated from the Privacy Act 1988, which was focused on handling individuals’ personal information. It covers all the minor details regarding the collection, utilization, disclosure, and transparency of an individual’s personal data within an organization.

The Australian Privacy Act is based on old regulations and terms and it does not cover the online privacy of individuals. Thus, both businesses and individuals who are worried about their online privacy and want to know the Australian rules and policies regarding online security need to learn about the latest laws set for online privacy purposes.