Dissecting Australian Data Privacy: The Privacy Act 1988
“While it offers tremendous opportunities, the shift to the digital economy is not without its risks and requires an upgraded privacy framework that reinforces trust and security in the digital world.”
Australia's data privacy landscape is one of meticulousness and aims to put citizens first. They have two key data laws: the Privacy Act 1988 and the Freedom of Information Act 1982.
However, there has been a demand for updates to the Privacy Act to bring it into the 21st century.
As a result, Australia is currently in the process of trying to update this privacy legal framework. This includes reevaluating the entire scope and application of the Act: including whether or not the Act effectively protects personal information and promotes good privacy practices.
This is all happening alongside the Online Privacy Bill (i.e. the Privacy Legislation Amendment: Enhancing Online Privacy and Other Measures Bill 2021). This bill is considering introducing a right to the erasure of an individual's personal information, and increased penalties for breaches by tech companies.
“By embedding strong accountability measures, businesses and other organisations can build a reputation for strong and effective privacy management, which is essential for meeting community expectations and realising the benefits of the personal information they hold.”
These updates are in the hopes of promoting further accountability by companies for how they handle customer data. And to empower Australians to feel their data is being handled responsibly and ethically.
Despite these exciting updates, it's still important to understand the current governing data protection laws. Introducing our breakdown of the Australian Privacy and FOIA Acts.
What is The Privacy Act 1988?
This Act is one of the cornerstones of the data privacy framework in Australia. The 13 Australian Privacy Principles “APPs” are at the heart of this Act, making sure to govern that personal and sensitive information is only collected in “fair and lawful” means.
To promote the privacy of individuals
to promote transparent handling of personal information
to give individuals a means of redress and complaint for breaches of their privacy, and
To facilitate a smooth transfer of personal data across borders.
The Act defines personal information as information or an opinion about an alive, identifiable individual. This is irrespective of whether the information is true, or recorded in a material form or not.
Sensitive information is also given extra safeguards. This relates to information about a person’s race, ethnicity, sexual orientation, political opinions, religion, health, genetics, biometrics, and criminal record.
The repercussions of mishandling personal and sensitive data can be severe. As a result, such sensitive information cannot be collected unless there is explicit consent and there is a reasonable need to collect it. One exception is that collecting, using or disclosing personal information is allowed for personal or household affairs.
Who has to comply with the Act?
Interestingly, unlike other data protection acts like the GDPR, this Act does not distinguish between data processors and data controllers.
The Privacy Act instead covers the holding, use or disclosure of personal information by APP entities.
An APP entity is:
an agency (a federal government entity and/or office holder) or,
an organisation (an individual, body corporate, partnership, unincorporated association, or trust) with a turnover of AU$3 million or more, or
Organisations with “an Australian link”. - i.e. if the organisation was created in Australia, has central management and control in the country, and/or collects and holds personal information in Australia. This includes extraterritorial businesses offering goods and services to Australians from outside the country.
Bodies that are not APP entities include small businesses (businesses with a turnover of less than $3 million), political parties, or a state or territory authority.
What are the APPs?
The Australian Privacy Principles (APPs) are the main privacy protection framework established by the Privacy Act and apply to all the APP entities that fall under the Act.
All entities need to show they are complying with the APPs by following the APP code: a written code of practice relating to that specific entity or their industry. They are:
Correct practices in place for open and transparent management of personal information.
Individuals have the right to anonymity and pseudonymity.
APP entities can only collect personal information directly relating to the individual, when consent is given, and when it is reasonably necessary.
Entities that receive unsolicited personal information must have legitimate grounds to collect it, and if not, destroy/de-identify the information.
Individuals must be notified before their data is collected, including third parties.
Entities cannot use or disclose personal information for purposes other than why it was collected.
Personal information cannot be used for direct marketing unless the individual reasonably expects or consents to it. “Opt out” processes have to be in place.
Entities must ensure any personal information transferred overseas is secure and does not breach the APPs.
APP entities cannot adopt, use or disclose a government-related identifier (numbers assigned by a government agency, e.g a licence number) unless it is necessary or authorised by law.
Entities need to take reasonable steps to ensure the information it collects, use, disclose, and holds is accurate, up to date, and complete.
Entities must protect information from misuse interference and loss from unauthorised access - as much as they can. They have to also destroy or anonymise personal information that is no longer required.
If individuals request it, APP entities must provide them access to their personal information.
Entities must correct personal information it holds wherever possible when an individual requests it.
As of 2018, breach notification is also compulsory. If there is a data breach that is likely to cause serious harm to an individual, APP entities have 30 days to assess the breach and act accordingly. They have to notify the Australian Information Commissioner and affected individuals. A serious breach could include instances of identity theft, financial loss through fraud, serious harm to an individual reputation, and serious psychological harm.
What happens if organisations breach the Privacy Act?
The Office of the Australian Information Commissioner (OAIC) is responsible for enforcing the Privacy Act and conducting investigations into breaches. This includes seeking penalties for serious or repeated breaches of the APPs - where the entity has not attempted to implement remedial measures.
This could result in a fine of up to $1.8 million for corporate bodies and/or $360,000 for non-corporate bodies, i.e. sole traders, trusts, government departments, etc.