the australian privacy principles protecting information rights – advancing information policy

The Australian Privacy PrinciplesProtecting information rights – advancing information policy

Australian Privacy Principles• Changes commenced on 12 March 2014

• 13 new Australian Privacy Principles (APPs)

• Government agencies and private sector organisations referred to as ‘APP entities’

• APPs replace the IPPs and NPPs

Australian Privacy Principlesguidelines

APP 1 — Open and transparent management of personal informationEnsures that APP entities manage personal information in an open and transparent way. This includes having a clearly expressed andup-to-date APP privacy policy

APP 2 — Anonymity and pseudonymity

Requires APP entities to give individuals the option of not identifying themselves, or of using a pseudonym unless identification is required

APP 3 – Collection of solicited personal information

An APP entity can solicit personal information under certain circumstances.

Higher standards apply to thecollection of ‘sensitive’information

APP 4 — Dealing with unsolicited personal information

If an APP entity receives unsolicited personal information, it must assess whether it could have collected the information underAPP 3

APP 5 — Notification of the collection of personal information

If an APP entity that collects personal information they must notify an individual of certain matters, including their contact details, the purpose of the collection and information about theirAPP privacy policy

APP 6 — Use or disclosure An APP entity can only use or disclose personal information for a purpose for which it was collected or for a secondary purpose if an exception applies

APP 6 — Use or disclosure An APP entity can only use or disclose personal information for a purpose for which it was collected or for a secondary purpose if an exception applies

APP 7 – Direct marketingAn organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met

APP 8 – Cross border disclosure of personal information

Before an APP entity discloses personal information to an overseas recipient, the entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information

APP 9 — Adoption, use or disclosure of government related identifiers

An organisation may only adopt a government related identifier of an individualas its own identifier, or use or disclose a government relatedidentifier of an individual, in very limited circumstances

APP 10 — Quality of personal information

An APP entity must take reasonable steps to ensure the personal information it collects is accurate, up-to-date and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up-to-date, complete and relevant, having regard to thepurpose of the use or disclosure

APP 11 — Security of personal information

An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal informationin certain circumstances

APP 12 — Access to personal information

An APP entity must provide an individual with access to the person information they hold about them, unless a specific exceptionapplies

APP 13 — Correction of personal information

An APP entity must take reasonable steps to correct an individual’s personal information on request, or ifthe entity is satisfied that theinformation is inaccurate, out-of-date, incomplete,irrelevant or misleading

An APP entity must take reasonable steps to correct an individual’s personal information on request, or ifthe entity is satisfied that theinformation is inaccurate, out-of-date, incomplete,irrelevant or misleading

APP 13 — Correction of personal information

OAIC’s powers• Privacy performance assessments

• Privacy impact assessment directions (for agencies only)

• Enforceable codes

• Complaint investigations

• Commissioner initiated investigations

• Enforceable undertakings

• Determinations

• Injunctions and civil penalty orders

OAIC’s powers• Privacy performance assessments

• Privacy impact assessment directions (for agencies only)

• Enforceable codes

• Complaint investigations

• Commissioner initiated investigations

• Enforceable undertakings

• Determinations

• Injunctions and civil penalty orders

Need further information?• Visit the OAIC website — www.oaic.gov.au

• General guidance

• Guidance on APPs

• Guidance on credit reporting, external dispute resolution schemes, codes, health research and missing persons