    August 9, 2024

    Australian Privacy Laws: A Comprehensive Analysis of the Privacy Act 1988 by OAIC

    Learn how the Australia Privacy Act 1988 impacts your business. Find out if the law applies to you, what steps you need to take to comply, and how Secure Privacy can help.

    Australia has a data privacy law, and if you do business there, you must comply with it.

    But first, let’s see whether it applies to you and what you need to do to comply.

    Download Your Free Cookie Compliance Checklist

    Simplify cookie compliance in today's privacy-focused online world. Our Cookie Compliance Checklist cuts through the complexity, making it easy to adhere to evolving regulations.

    Download Your Free Cookie Compliance Checklist

    What is the Australia Privacy Act 1988?

    The Australia Privacy Act 1988 (Cth) (APA) is the primary legislation regulating the handling of personal information in Australia. It sets out standards, rights, and obligations regarding the collection, use, storage, and disclosure of personal information by government agencies and private sector organizations. Key aspects include:

    The Act includes thirteen principles that apply to the handling of personal information. These principles cover various aspects such as open and transparent management of personal information, anonymity and pseudonymity, collection of solicited personal information, dealing with unsolicited personal information, notification of the collection of personal information, and more.

    It also establishes the Office of the Australian Information Commissioner (OAIC). The OAIC is responsible for enforcing the Privacy Act. It provides guidance, investigates complaints, and can take enforcement action for breaches of the Act.

    Does the Australia Privacy Act apply to my business?

    The APA generally applies to businesses with an annual turnover of more than $3 million. However, there are specific exceptions where the Act applies regardless of turnover. Health service providers, businesses trading in personal information, contractors to the Australian government, and others have to comply with the law no matter what their turnover is.

    The next criterion is where your business operates from and where your users are located. The APA applies to:

    • Australian entities operating in Australia, or
    • Overseas entities processing the personal data of Australian residents.

    What is personal data under the APA?

    Under the Act "personal information" is broadly defined as "information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not." 

    Examples of personal information include a full name, phone numbers, email addresses, residential addresses, date of birth, driver's license number, passport number, bank account details, credit card numbers, financial records, job titles, employment history, salary details, medical records, health insurance details, IP addresses, cookie identifiers, social media handles, fingerprints, and facial recognition data.

    Sensitive information is also defined under the law. It includes details about an individual's racial or ethnic origin, political opinions, membership of a political association, professional or trade association, or trade union, religious beliefs or affiliations, philosophical beliefs, sexual orientation or practices, criminal record, health information, genetic information, and biometric information for automated biometric verification or identification. 

    It is important to note that a piece of information is considered personal if an individual can be reasonably identified from the data, either alone or in combination with other information.

    What are the 13 Australian Privacy Principles?

    The thirteen Australian Privacy Principles are as follows:

    1. Open and Transparent Management of Personal Information. Entities must manage personal information in an open and transparent way. This includes having a clearly expressed and up-to-date privacy policy.
    2. Anonymity and Pseudonymity. Individuals must have the option of not identifying themselves, or of using a pseudonym, unless it is impractical or required by law.
    3. Collection of Solicited Personal Information. Entities must only collect personal information that is reasonably necessary for their functions or activities. Sensitive information must be collected with consent and only when reasonably necessary.
    4. Dealing with Unsolicited Personal Information. If an entity receives unsolicited personal information, it must determine whether it could have collected the information under APP 3. If not, the information must be destroyed or de-identified.
    5. Notification of the Collection of Personal Information. Entities must notify individuals when they collect personal information, including the purpose of collection, and how the information will be used and disclosed.
    6. Use or Disclosure of Personal Information. Personal information can only be used or disclosed for the primary purpose for which it was collected, or for a secondary purpose if the individual has consented or an exception applies.
    7. Direct Marketing. Personal information must not be used for direct marketing purposes unless specific conditions are met, including providing an opt-out option.
    8. Cross-border Disclosure of Personal Information. Before disclosing personal information to an overseas recipient, entities must take reasonable steps to ensure the recipient does not breach the APPs.
    9. Adoption, Use or Disclosure of Government Related Identifiers. Entities must not adopt, use, or disclose a government-related identifier unless certain conditions are met.
    10. Quality of Personal Information. Entities must take reasonable steps to ensure the personal information they collect, use, or disclose is accurate, complete, and up-to-date.
    11. Security of Personal Information. Entities must take reasonable steps to protect personal information from misuse, interference, loss, unauthorized access, modification, or disclosure. They must also take reasonable steps to destroy or de-identify information no longer needed.
    12. Access to Personal Information. Individuals have the right to access their personal information held by an entity, and entities must respond to access requests within a reasonable period.
    13. Correction of Personal Information. Entities must take reasonable steps to correct personal information to ensure it is accurate, up-to-date, complete, relevant, and not misleading. Individuals have the right to request corrections, and entities must respond within a reasonable period.

    Do we need to obtain consent for data processing?

    In general, explicit consent is not required for collection and processing of personal data in Australia.

    You need to collect consent for the use of sensitive data, though.

    If your website collects personal information through cookies, such as advertising or analytics cookies, it is enough to inform users about these activities; explicit opt-in consent is not required.

    Do we need a privacy policy for Australia?

    Yes, under the APA and the APP, having a privacy policy that contains specific information is required by law for organizations that are covered by the Act. Specifically, APP 1 (Open and Transparent Management of Personal Information) mandates that entities must have a clearly expressed and up-to-date privacy policy about how they manage personal information.

    The privacy policy must include the following details as required by APP 1.4:

    • Identity and Contact Details of the Entity
    • Categories of Personal Information Collected and Held
    • How Personal Information is Collected and Held
    • Purposes for Collecting, Holding, Using, and Disclosing Personal Information
    • Disclosure of Personal Information to Overseas Recipients
    • Access to and Correction of Personal Information
    • Complaints Handling Process
    • Opt-Out Options for Direct Marketing

    What are the data subject rights Australians are entitled to?

    Under the Act, data subjects (individuals) have several rights regarding their personal information. These rights ensure individuals have control over their personal information.

    Right to be Informed. Individuals have the right to be informed about the collection and use of their personal information. Organizations must provide clear and accessible information about how personal information is collected, used, disclosed, and managed.

    Right to Access. Individuals have the right to access the personal information that an organization holds about them. Organizations must respond to access requests within a reasonable period and provide the information in a suitable format.

    Right to Correction. Individuals have the right to request correction of their personal information if it is inaccurate, out-of-date, incomplete, irrelevant, or misleading. Organizations must take reasonable steps to correct the information upon request.

    Right to Complain. Individuals have the right to complain about a breach of the APPs or the organization's privacy policy. Organizations must have a transparent and accessible complaints handling process and address complaints in a timely manner.

    Right to Anonymity and Pseudonymity. Individuals have the right to interact with organizations anonymously or using a pseudonym, where it is practical and lawful to do so.

    Right to Opt-Out of Direct Marketing. Individuals have the right to opt-out of receiving direct marketing communications. Organizations must provide a simple and clear method for opting out of such communications.

    Right to Information about Overseas Disclosure. Individuals have the right to know if their personal information is likely to be disclosed to overseas recipients and, if practicable, the countries where such recipients are located.

    Right to Notification of Data Breaches. Under the Notifiable Data Breaches (NDB) scheme, individuals have the right to be notified if their personal information is involved in a data breach that is likely to result in serious harm.

    What are the APP data breach notification requirements?

    Under the Australia Privacy Act and the Notifiable Data Breaches (NDB) scheme, organizations must notify individuals and the Office of the Australian Information Commissioner (OAIC) when certain data breaches occur. 

    Notification is required if a data breach is likely to result in serious harm to any individual whose personal information is involved. Serious harm can include physical, psychological, emotional, economic, and reputational harm. Upon suspecting a data breach, organizations must conduct a reasonable and expeditious assessment to determine if the breach is likely to result in serious harm, completing this assessment within 30 days.

    If a data breach is likely to result in serious harm, organizations must promptly notify the affected individuals. The notification should include the identity and contact details of the organization, a description of the data breach, the kinds of personal information involved, and recommendations about the steps individuals should take in response to the breach. Organizations must also notify the OAIC, providing the same information given to the affected individuals.

    Notifications should be direct, such as by email, phone, or mail. Organizations should also maintain records of data breaches and their assessments, even if they do not meet the threshold for notification.

    What data security measures are required?

    Under the Australia Privacy Act 1988 (Cth) (APA) and the Australian Privacy Principles (APPs), organizations are required to take reasonable steps to protect personal information from misuse, interference, loss, unauthorized access, modification, or disclosure. Key data security measures that organizations should implement include access controls, encryption, secure storage, data minimization, an incident response plan, and others.

    Are we required to conduct DPIA?

    Privacy Impact Assessments (PIAs) are not explicitly required by the law. However, the Office of the Australian Information Commissioner (OAIC) strongly recommends conducting PIAs as a best practice, particularly for projects that involve handling significant amounts of personal information, that carry potential privacy risks, or that involve new or changed ways of handling personal information. This is especially relevant for initiatives that involve new technologies, significant data sharing, or major changes to existing processes.

    Who enforces the APP and what are the penalties?

    The Australian Privacy Principles (APPs) under the Australia Privacy Act 1988 (Cth) (APA) are enforced by the Office of the Australian Information Commissioner (OAIC). The OAIC is responsible for overseeing compliance with the Privacy Act, investigating complaints, conducting audits, and taking enforcement actions.

    The Commissioner has the power to investigate cases, make formal determinations, issue administrative remedies, and apply to the Federal Court or Federal Circuit Court for civil penalty orders.

    For serious or repeated breaches, the Federal Court can impose significant fines. The maximum penalties for serious or repeated breaches of privacy laws can be substantial, with penalties for companies reaching up to AUD 10 million, three times the value of any benefit obtained through the misuse of information, or 10% of the annual domestic turnover, whichever is greater.

    The OAIC can order organizations to pay compensation to individuals who have suffered loss or damage due to a privacy breach.

    Of course, beyond financial penalties, non-compliance with the APPs can lead to significant reputational damage, loss of consumer trust, and potential loss of business.

    How can Secure Privacy help you comply with the APA and APP?

    Secure Privacy’s CMP has a built-in module for compliance with the APA and the APP. It will allow you to inform your website visitors about your processing activities, serve them with a cookie notice and a compliant privacy policy, and also help you respond to their data subject requests.
