ACAS Staff Induction Readings
Australian Privacy Principles (APP): A summary
The amended Privacy Act came into force on 12 March 2014. It is now based on thirteen Australian Privacy Principles (APPs), which replaced the earlier National Privacy Principles. In general, the amendments to the Privacy Act apply only to:
- Businesses with an annual turnover of $3,000,000 or more, and
- Some specific kinds of businesses.
APP 1. Open and transparent management of personal information
Ensures that organizations manage personal information in an open and transparent way. This includes having a clearly expressed and up to date privacy policy.
APP 2. Anonymity and pseudonymity
Requires organizations to give individuals the option of not identifying themselves, or of using a pseudonym. Limited exceptions apply.
APP 3. Collection of solicited personal information
Outlines when an organization can collect personal information that is solicited. It applies higher standards to the collection of ‘sensitive’ information.
APP 4. Dealing with unsolicited personal information
Outlines how APP entities must deal with unsolicited personal information.
APP 5. Notification of the collection of personal information
Outlines when and in what circumstances an APP entity that collects personal information must notify an individual of certain matters.
APP 6. Use or disclosure of personal information
Outlines the circumstances in which an APP entity may use or disclose personal information that it holds.
APP 7. Direct marketing
An organization may only use or disclose personal information for direct marketing purposes if certain conditions are met.
APP 8. Cross-border disclosure of personal information
Outlines the steps an APP entity must take to protect personal information before it is disclosed overseas.
APP 9. Adoption, use or disclosure of government related identifiers
Outlines the limited circumstances when an organization may adopt a government related identifier of an individual as its own identifier, or use or disclose a government related identifier of an individual.
APP 10. Quality of personal information
An organization must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure.
APP 11. Security of personal information
An organization must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorized access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances.
APP 12. Access to personal information
Outlines an organization’s obligations when an individual requests to be given access to personal information held about them by the entity. This includes a requirement to provide access unless a specific exception applies.
APP 13. Correction of personal information
Outlines an organization’s obligations in relation to correcting the personal information it holds about individuals.
Previous version: Ten National Privacy Principles
Before 12 March 2014 the act was based on ten National Privacy Principles (NPPs), although there were exemptions for some kinds of organisations.
1: Collection
Collection of personal information must be fair, lawful and not intrusive. A person providing personal information must give their consent and must be advised of:
- the organisation’s name;
- the purpose of collection of personal information;
- that they can access the information; and
- the implications for the person if he/she does not provide the information.
2: Use and disclosure
Information should only be used and disclosed for the purpose for which it was collected unless the person has consented.
3: Data quality
Reasonable steps must be taken to ensure personal information collected, used or disclosed is accurate, complete and up to date.
4: Data security
Reasonable steps must be taken to protect information from misuse, loss, unauthorised access or disclosure.
5: Openness
An organisation must have a policy document available outlining information handling practices.
6: Access and correction
Individuals must be given access to personal information on request. (Note that employee records are exempt).
7: Identifiers
An identifier assigned by a Commonwealth government agency must not be adopted, used or disclosed (e.g. Medicare or Tax File Numbers).
8: Anonymity
People must be given the option to interact anonymously.
9: International transactions
Personal information can only be transferred internationally if there is appropriate privacy protection in the recipient country.
10: Sensitive information
Sensitive information must not be collected unless the individual has consented, it is required by law, or in special circumstances such as health services provision.
For more information, see the Privacy Kit produced by the Uniting Church in Victoria, which is available over the Internet.