Since 2014, Australia’s overarching privacy protection framework is currently contained within the Australian Privacy Principles (APPs). There are 13 APPs that govern standards, rights and obligations concerning:
- how personal information is collected, used and disclosed;
- how organisations or agencies are kept accountable when collecting information; and
- how individuals can access, correct or request deletion of their personal information; The APPs are designed to be flexible to accommodate for changing technologies and different types of business models whilst still being compliant with the Privacy Act 1988 (the Act).
Does the APP apply to my business?
The APP applies to “APP entities”. The Act defines APP entities as agencies or organisations.
Is my organisation an APP entity?
Under the Act, APP entities are organisations including:
- an individual (including a sole trader)
- a body corporate
- a partnership
- any other unincorporated association, or
- a trust
However, the organisation will NOT be called an APP entity if it is:
- a small business operator (whose turnover is $3 million or less in a financial year and does not provide health services, information broking services or are contracted service providers for the Commonwealth);
- a registered political party;
- a State or Territory authority; or
- a prescribed instrumentality of a State.
Is my agency an APP entity?
The Act and the APPs also apply to an agency, referring to the Australian Government agencies but not the State and Territory agencies (as seen in the exception above).
An ‘agency’ includes:
- a Minister or a government department;
- a body established for a public purpose or by the Commonwealth;
- a federal court;
- the Australian Federal Police;
- a Norfolk Island agency; or
- the service operator under the Healthcare Identifiers Act 2010.
Where do the APPs apply?
The APPs extend anything done by an APP if they have an “Australian link”.
Does my business have an Australian link? An APP entity has an Australian link where it is:
- an Australian citizen or permanent resident;
- a partnership formed, or a trust created, in Australia;
- a company incorporated in Australia;
- an unincorporated association managed in Australia; or
- It carries on business in Australia and collects or holds personal information in Australia. Some factors that show an entity is carrying on business in Australia include:
- If the entity has a place of business in Australia;
- If the people who undertake the business are located in Australia;
- If the entity has a website offering goods and services in Australia;
- If Australia appears in the drop-down menu of the website;
- If the entity has any Australian trademarks;
- If business or purchase orders are assessed or acted upon in Australia.
- If the entity has a place of business in Australia;
What are the principles?
A summary of each principle can be seen in the below table:
| Principle | Purpose |
| APP 1: Open and transparent management of personal information | Ensures that APP entities manage personal information openly and transparently through a clearly expressed privacy policy. |
| APP 2: Anonymity and pseudonymity | Ensures that APP entities give individuals the choice to remain anonymous or use a pseudonym |
| APP 3: Collection of solicited personal information | Outlines when APP entities can permissibly collect personal information for its functions or activities |
| APP 4: Dealing with unsolicited personal information | Outlines how APP entities should deal with personal information they did not ask for |
| APP 5: Notification of collection of personal information | Outlines when APP entities must notify individuals about collecting certain personal information |
| APP 6: Use or disclosure of personal information | Outlines when APP entities can use or disclose the personal information it holds |
| APP 7: direct marketing | Outlines when personal information can be used for marketing purposes |
| APP 8: Cross-border disclosure of personal information | Outlines what measures APP entities must take to protect personal information before it is disclosed overseas |
| APP 9: Adoption, use or disclosure of government related identifiers | Outlines the limited circumstances when an APP entity can use a government related identifier as its own identifier |
| APP 10: Quality of personal information | Ensures that APP entities keep their information as accurate, complete and relevant as possible |
| APP 11: Security of personal information | Ensures that APP entities protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure. Outlines when APP entities must destroy or deidentify personal information |
| APP 12: Access to personal information | Outlines APP entities’ obligations when individuals request to access their own personal information held by them |
| APP 13: Correction of personal information | Outlines APP entities’ obligations when individuals seek to correct their personal information |
What happens if I breach an APP?
If an APP is breached, then they are considered to have interfered with the privacy of an individual. If this occurs, the Information Commissioner has the power to investigate this interference of privacy, either on its own initiative or following a complaint lodged by the affected individual.
The Information Commissioner has wide powers to help rectify the situation, including an injunction ensure the breach of the APP in question does not continue and compensation for harm suffered due to the interference. If an APP entity is involved in a serious or repeated interference with an individual’s privacy, they could face a fine of up to (as of 20 September 2020):
- $2.1 million for corporate bodies; or
- $420,000 for non-corporate bodies (including government departments/agencies, sole-traders, partnerships, trusts, unincorporated associations).
In addition to compensation, the Information Commissioner may award the following remedies including:
- an apology;
- a requirement that the organisation adopts and implements particular remedial measures in response to privacy breaches;
- a requirement that the organisation reviews its privacy/information handling policies and procedures and conduct staff training and make necessary changes to ensure information is accurate, complete and up-to-date;
- a requirement that the organisation undertake an independent audit of its policies and operation processes;
- a requirement that the organisation reviews new remedial measures adopted and reports the findings of that review to the OAIC; or
- reimbursement of reasonably incurred costs and expenses.
