July 26, 2021
Australia's Privacy Act
Australia’s robust Privacy Act addresses the way that organizations can handle personal data about Australian individuals. It comes with a number of requirements, stipulations and compliance points that you’ll need to be aware of if you deal with personal data from anyone located in Australia.
Let’s take a look at the Act, its requirements, and how you can comply.
First, let’s look at who Australia’s Privacy Act applies to.
Data Handlers
Three groups must follow the rules when handling personal data. The first group is Australian Government agencies and the administration in Norfolk Island.
Note that state and territory government agencies are exempt from the Privacy Act in most cases unless they have been specifically listed (prescribed) as covered under the Privacy Regulation 2013. Public sector bodies in the Australian Capital Territory must follow local rules which are broadly similar to the Privacy Act.
The second group is all organizations that have an annual turnover of more than $3 million (AUD). This covers any type of business, including individuals such as sole traders acting in a business capacity.
The third group is organizations with an annual turnover of less than $3 million (AUD) that fall into any of the following categories:
- Health service providers in the private sector
- Credit reporting bodies
- Businesses carrying out an Australian government contract
- Businesses selling or buying personal information
- Any business handling data relating to anti-money laundering rules, residential tenancy databases or consumer credit reporting
- Businesses handling certain data, including tax file numbers, consumer credit reporting, spent convictions, health information that falls under the My Health Records Act 2012, or personal information from the Personal Property Securities Register
The Privacy Act distinguishes between the first group (agencies) and the second and third groups (organizations) in some requirements, as we’ll detail.
Unlike some privacy laws, Australia’s Privacy Act doesn’t distinguish between data processors and data handlers. Any organization that handles data (including collection, use or disclosure) is treated the same way.
Individuals
The Privacy Act covers personal information about any living individual who is an Australian resident. It doesn’t matter where the organization handling the data is based. The Act doesn’t cover deceased people or legal entities such as corporations.
Personal Information
Under the Privacy Act, personal information is any information or opinion about an individual who is either identified or “reasonably identifiable.” Incorrect or untrue information can still count as personal information for the purposes of the Act.
Deidentified or anonymized information doesn’t come under the rules unless there’s a reasonable way to reidentify it.
The 13 Principles of Australia’s Privacy Act
The Privacy Act is based around 13 privacy principles designed to protect the privacy of individuals. Each principle comes with specific measures that organizations must take. These measures may change in the future as technology develops.
Open and Transparent Management of Information
Under this principle, you must have a Privacy Policy. The Privacy Policy must include:
- What types of personal information you collect and hold
- How you collect and hold personal information
- Why you collect, hold, use or disclose personal information
- How people can access the personal information you hold about them and how they can ask you to correct any errors
- How people can complain about you breaching the privacy principles
- Whether you are likely to disclose the personal information to somebody in another country and if so, which countries
Collection of Solicited Personal Information
You can only collect personal information where doing so is necessary to carry out one of your functions or activities.
You must collect information by fair and lawful means.
You can normally only get personal information from the individual (rather than somebody else) unless doing so is impractical or unreasonable. However, an agency can get the information from somebody else if the individual gives permission or if a court or tribunal order says so.
Some personal information is classed as sensitive personal information. This includes information about the following:
- Criminal record and health information
- Genetic or biometric information used for automated verification of identification
- Membership of a political association
- Membership of a professional or trade association
- Membership of a trade union
- Philosophical beliefs
- Political opinions
- Racial or ethnic origin
- Religious beliefs or affiliations
- Sexual orientation or practices
Collecting sensitive personal information normally requires the consent of the individual.
Exceptions include the following:
- To comply with a court or tribunal order
- The information is necessary to carry out enforcement activities
- You are a non-profit organization and the individual is a member who has regular contact with you
- In a range of specific situations detailed in the Privacy Act which include protecting somebody’s health, life or safety; searching for a missing person; as part of legal action
- In medical situations where the person cannot give consent and a carer has given consent on their behalf
Dealing With Unsolicited Personal Information
If you receive personal information without soliciting it, you will need to review whether it would have been lawful to get the information if you had solicited it. If not, you must destroy or de-identify the information as soon as possible.
Notification of the Collection of Personal Information
Whenever you are about to collect personal information, you must give the individual the following details:
- Your identity and contact details
- The fact you are collecting the information (if the individual doesn’t already know)
- Whether a law, a court order or a tribunal order says you have to collect the information (if so, provide the details)
- Why you are collecting the information
- What happens if you don’t or can’t collect the information
- Who you usually share this type of information with
- A reminder that your Privacy Policy details how people can access the personal information you hold about them, ask for a correction, or complain about a breach
- Whether it’s likely you’ll share the information with an overseas recipient and, if so, in which countries
Use or Disclosure of Personal Information
When you collect information for one stated purpose, you can’t use it for another purpose unless one of the following applies:
- The individual consents to the other purpose
- The other purpose is related to the stated purpose and the individual could reasonably expect you’d use it for the other purpose as well
- A law, court or tribunal order says you must use the information for the other purpose
- The other purpose is one of the specific situations where you don’t need consent
Direct Marketing
In most cases, you can’t use personal information for direct marketing.
You can use personal information for direct marketing if all of the following apply:
- The individual provided the data and would reasonably expect you to use it for direct marketing
- You offer a simple opt-out mechanism
- The individual hasn’t used the opt-out mechanism
You can never use sensitive personal information for direct marketing unless you have the individual’s explicit consent.
Cross-Border Disclosure of Personal Information
You must not disclose personal information to somebody outside of Australia unless one of the following applies:
- You have taken reasonable steps to make sure the recipient will follow the privacy principles,
- You believe the recipient is covered by laws in their own country offering similar protection,
- The individual has specifically consented to the disclosure, or
- You are legally required to do so
Adoption, Use or Disclosure of Government Related Identifiers
You can’t use a government related identifier (such as a passport number) as your own method of identifying an individual unless you’re legally required to do so.
Quality of Personal Information
You must take reasonable steps to make sure personal information you collect is accurate, complete and up-to-date.
You must then take reasonable steps to make sure this is still the case when you use or disclose the information.
Security of Personal Information
You must take reasonable steps to protect personal information against misuse, interference or loss. You must also protect it against unauthorized access, modification or disclosure.
Once you no longer need personal information for the original purpose for which you acquired it, you must destroy or de-identify the information. The only exceptions are if the information is in a Commonwealth record or if a law, court order or tribunal order says you must keep it.
Access to Personal Information
As a general principle, you must give individuals access to the personal information you hold about them on request.
Agencies can refuse access requests only if another law (such as the Freedom of Information Act) lets them do so.
Organizations can refuse access requests if doing so would do any of the following:
- Pose a serious risk to health or safety
- Unreasonably compromise a third party’s privacy
- Compromise ongoing legal proceedings or business negotiations
- Break a law, court order or tribunal order
- Compromise potential action against the individual for unlawful activity or serious misconduct
- Prejudice law enforcement activities
When you refuse a request for one of the above reasons, you should give whatever degree of access is possible and reasonable. You must also give a written explanation of the refusal and explain how the individual can complain about your decision.
Agencies must respond to data access requests within 30 days. For organizations the response must be within a “reasonable period.”
You must give the information in a requested manner (such as email or written document) unless it’s unreasonable or impractical.
Agencies can’t charge for giving the information. Organizations can charge for giving the information but the cost must not be excessive. They can’t charge a fee to make the request.
Correction of Personal Information
If you hold personal information about somebody and they believe the information is inaccurate or incomplete, they can request that you correct it. The same is true if they believe the information is irrelevant, outdated or misleading.
Agencies must respond to correction requests within 30 days. For organizations the response must be within a “reasonable period.”
You must take reasonable steps to meet this request or give a written notice explaining why it is unreasonable to do so and how the individual can complain about your decision. They also have the right to attach a notice challenging the information. This notice must be available to anyone who uses the information.
If you correct personal information that you have previously disclosed to a third party, the individual can ask you to tell the third party about the correction. You must do so unless doing so would be impractical or unlawful.
Other Requirements of Australia’s Privacy Act
Since 2018, a Notifiable Data Breaches scheme has been in force as a new measure of the Privacy Act. This means you must sometimes tell the Office of the Australian Information Commissioner if you lose personal information or it is accessed or disclosed without authorization.
The threshold for making the notification is that the data breach is likely to cause serious harm to at least one person and that you haven’t been able to take remedial action to prevent this risk of harm. The notification should include details of the breach, the types of information involved, and what affected individuals can do to reduce the risk of harm.
You should also contact affected individuals directly to warn them of the risk of harm. If this isn’t practical, you should put a copy of the notification on your website and take “reasonable steps” to publicize its contents.
Enforcement of Australia’s Privacy Act
The Act is formally enforced by the Privacy Commissioner, whose work is officially overseen by the Information Commissioner (though at the time of writing the same person held both roles). Both are based within the Office of the Australian Information Commissioner.
The Privacy Commissioner’s powers include the following:
- Forcing organizations to take a particular action
- Awarding compensation
- Publicly stating that an organization has broken the rules
For cases involving serious or repeated breaches, the Privacy Commissioner can apply for a court to issue a fine. At the time of writing, the maximum fine is $2.1 million (AUD) for an organization and $420,000 (AUD) for an individual.
An ongoing review is considering government proposals to increase the maximum fine to whichever figure is largest of three options:
- $10 million (AUD)
- 10% of the organization’s annual revenue in Australia
- Three times the value of any benefit the organization got from breaking the rules
Summary
Let’s recap what you need to know about Australia’s Privacy Act:
- The Act applies to government agencies, organizations with a turnover of more than $3 million, and other organizations in specific categories including some credit and health activities.
- The Act covers personal information about Australian residents.
The Act is based on 13 privacy principles and associated requirements. To comply with the Act you’ll need to do the following:
- Have a Privacy Policy detailing how you use personal information and how people can access and correct it.
- Let users be anonymous or use a pseudonym where practical.
- Collect information lawfully and for necessary purposes, getting consent if the information is classed as sensitive.
- Destroy or de-identify information that you get without soliciting it unless it would have been lawful to solicit it.
- Tell individuals when you are collecting personal information, including details of why you are collecting it, whether you’ll share it and a reminder they can read your Privacy Policy.
- Only use the personal information for the stated purpose unless specific circumstances detailed in the Act apply.
- Let users opt out of direct marketing that uses their personal information and get advance consent before using sensitive personal information for direct marketing.
- Don’t disclose personal information to somebody in another country unless you know it will have a similar level of protection to that which the Act offers, you have the individual’s consent, or you’re legally required to make the disclosure.
- Make sure the personal information you hold is and remains accurate, complete and up to date.
- Secure the data against unauthorized access, alteration or destruction and then de-identify or destroy it when you no longer need it for the stated purpose.
- If users ask to know what personal information you hold about them, provide the information except in limited circumstances specified in the Act.
- If users ask to correct the personal information you hold about them, do so except in limited circumstances specified in the Act.
- You must notify the Office of the Australian Information Commissioner about a data breach that is likely to cause serious harm to at least one person unless you’ve taken remedial action to prevent this risk of harm.
- Breaching the Act and its principles can lead to a fine of $2.1 million for an organization and $420,000 for an individual. Proposed changes would increase this to the largest of $10 million, 10% of annual turnover in Australia, or three times the benefit that breaking the rules provided.