Overview of Australian privacy law
The principal statute regulating the collection, use, storage and disclosure of ‘personal information’ is the Privacy Act 1988 (Cth) and in particular the 13 Australian Privacy Principles (APPs) that form part of that Act. The Privacy Act is administered by the Office of the Australian Information Commissioner and the Australian Privacy Commissioner within that office.
The Privacy Act applies to the handling of personal information by ‘APP entities’.
The term APP entity has an extensive definition and includes:
the Australian and Norfolk Island governments and government agencies; and
all private sector and non-profit organisations with an annual group global revenue of more than $3 million.
There are, however, numerous exceptions to the general scope of the Privacy Act. It does not apply to registered political parties, state or territory authorities or to the handling of personal information by an individual for the purposes of, or in connection with, the individual’s personal, family or household affairs.
In addition, the Act does apply to an organisation with an annual group global revenue of less than $3 million if that organisation:
provides a health service and holds health information other than in an employee record;
discloses personal information about another individual for a benefit, service or advantage, or provides a benefit, service or advantage to collect personal information from anyone else, unless they do so with the consent of the individual or are required or authorised by legislation to do so; or
is a contracted service provider for a Commonwealth contract.
The Privacy Act extends to an act done, or practice engaged in, outside of Australia if the organisation or small business operator has an Australian link, namely where it is:
an Australian citizen or a person whose continued presence in Australia is not subject to a legal time limitation;
a partnership formed, or a trust created, in Australia;
a body corporate incorporated in Australia; or
an unincorporated association that has its central management and control in Australia.
An organisation that does not fall within one of those categories will nevertheless have the requisite Australian link where:
it carries on business in Australia; or
it collected or held personal information in Australia either before or at the time of the act or practice.
The meaning of ‘carrying on a business in Australia’ is very broad and can apply to parent companies of Australian subsidiaries in some circumstances.
There are a range of laws in Australia, both at the federal and state and territory levels, which regulate or impact upon privacy and data protection.
Some Australian states and territories have enacted privacy statutes containing data protection principles broadly similar to the federal privacy principles. They govern the acts and practices of state and territory governments and their agencies and, in some cases, the handling by the private sector of personal information collected by those governments or agencies.
In addition, there are numerous federal and state and territory statutes that deal with aspects of privacy and data protection, including:
federal and state and territory legislation applicable to specific industries, such as the health and telecommunications sectors;
the regulation of unsolicited commercial telephone calls and emails by the Spam Act 2003 (Cth) and Do Not Call Register Act 2006 (Cth);
federal and state criminal laws dealing with unauthorised access to computer systems, including databases; and
developing judge-made law extending the equitable protection of confidential information to the misuse of private confidential information.
Privacy policies
The Privacy Act requires all APP entities to:
have a clearly expressed and up-to-date privacy policy about how the entity manages personal information; and
take reasonable steps to make that privacy policy available free of charge in an appropriate form (usually on the entity’s website) and, upon request, in a particular form (see APP 1.3-1.6).
The privacy policy of an APP entity must contain the following information:
the kinds of personal information collected and held by the entity, for example, contact details, employment history, health information and criminal records;
how the entity collects and holds personal information, including whether the personal information is stored by a third-party data storage provider and whether it is combined or linked with other information held about an individual;
the purposes for which the entity collects, holds, uses and discloses personal information;
how an individual may access personal information about the individual that is held by the entity and seek the correction of such information;
how an individual may complain about a breach of the APPs or a registered APP code that binds the entity, and how the entity will deal with such a complaint; and
whether the entity is likely to disclose personal information to overseas recipients and the countries in which such recipients are likely to be located.
The Privacy Commissioner has emphasised the importance of readily understandable disclosure of privacy practices and of ensuring that the stated policy matches what the entity actually does. The Commissioner has also made available a useful guide to developing a compliant privacy policy.
Generally, it is not a good idea to use a European privacy policy to comply with Australian privacy law requirements. European privacy laws use concepts such as ‘data processing’ and ‘data controller’ that are not used in Australian privacy law. Whilst European privacy policies can be adapted to comply with the Privacy Act, it is advisable to obtain legal advice prior to doing so.
What types of data are protected by the Privacy Act?
The Privacy Act regulates the way in which APP entities handle ‘personal information’. There are sub-sets of personal information, namely ‘sensitive information’ and ‘health information’, that are subject to a higher level of protection than personal information, about which it is advisable to obtain specialist legal advice.
Personal information is information or an opinion about an identified individual or an individual who is reasonably identifiable. It does not matter whether the information or opinion is true or whether the information or opinion is recorded in a material form.
Common types of personal information are an individual’s name, address, telephone number, date of birth, signature, medical records, bank account details and employment details.
Whether a person is ‘reasonably identifiable’ from particular information will depend on a range of considerations, including:
the nature and amount of information;
the circumstances of its receipt;
who will have access to the information;
other information held by or available to the APP entity that holds the information;
whether it is possible for the individual or entity that holds the information to identify the individual using available resources, as well as the practicability, time and costs involved in using the available resources; and
if the information is publicly released, whether a reasonable member of the public who accesses that information would be able to identify the individual.
The Privacy Act does not protect information about a deceased person, although information about a deceased person may also constitute personal information about a living person, for example, if the deceased person suffered from a genetic disorder that a living relative may share.
Images
Images of individuals in photographs or videos are personal information where the person’s identity is clear or can reasonably be worked out from that image. Images of individuals may also contain sensitive information if, for example, the person’s race or ethnic origin or religious beliefs are apparent from the image. An APP entity may only collect images of identifiable individuals if it is reasonably necessary for the organisation’s functions or activities. Consent will be required to collect the image if the image also records sensitive information.
De-identification
Personal information that has been ‘de-identified’ will no longer constitute personal information for the purposes of the Privacy Act. De-identification occurs if the individual to whom the information relates is no longer identifiable or reasonably identifiable from the information. It requires the removal of personal identifiers, such as an individual’s name, address or date of birth and the removal or alteration of other information that may allow an individual to be identified.
If you are engaging in de-identification, it is important to be aware of the risk of re-identification. There may, for example, be a possibility that another dataset or other information could be matched with the de-identified information. This risk must be actively assessed and managed when dealing with de-identified information.
Sensitive information and health information
Sensitive information under the Privacy Act means:
information or an opinion about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious belief or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices or criminal record if that is also personal information;
health information about an individual;
genetic information about an individual that is not otherwise health information;
biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
biometric templates.
Health information under the Privacy Act means personal information about:
the health or a disability (at any time) of an individual;
an individual’s expressed wishes about the future provision of health services to that individual;
a health service provided, or to be provided, to an individual;
other personal information collected to provide, or in providing, a health service;
other personal information about an individual collected in connection with the donation or intended donation by the individual of their body parts, organs or body substances; or
genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.
Examples of health information include information about a person’s physical or mental health, appointment and billing details, dental records, records held by a fitness club about an individual and any other personal information collected for the purpose of providing a health service.
Collection of personal information
You will be collecting personal information and therefore must comply with the Privacy Act if:
you are an APP entity; and
you are collecting the personal information for inclusion in a record or generally available publication.
A record includes a document or an electronic or other device, but excludes anything kept in a library, art gallery or museum for the purposes of reference, study or exhibition.
A generally available publication means a magazine, book, article, newspaper or other publication that is, or will be, generally available to members of the public.
The collection of personal information involves the gathering, acquiring or obtaining of personal information from any source and by any means. It can include the collection of the information from individuals, other entities, generally available sources, such as newspapers or websites, surveillance cameras and the metadata generated by web browsing.
In general, it is not necessary to obtain consent to collect most types of personal information. However, consent must be obtained to collect sensitive information about an individual, unless one of a number of exceptions set out in APP 3.4 applies, for example:
the collection of the information is required or authorised by Australian law or court order;
the APP entity is an enforcement body and reasonably believes that the collection of the information is reasonably necessary for, or directly related to, one or more enforcement related activities conducted by the entity; or
the APP entity is a non-profit organisation and the information relates to the activities of the organisation and relates solely to the members of the organisation, or to individuals who have regular contact with the organisation in connection with its activities.
Where consent is required, it is possible to obtain either express or implied consent. However, it is generally advisable to obtain express consent. This could include a handwritten signature or the use of an electronic medium or voice signature to signify agreement. Whilst oral consent is sufficient to meet the requirement of express consent, it can be risky to rely on, as it is harder to evidence later, and does not constitute best practice in this area.
The Privacy Commissioner has identified 4 elements of consent:
the individual is adequately informed before giving consent;
the individual gives consent voluntarily;
the consent is current and specific; and
the individual has the capacity to understand and communicate their consent.
You should not infer consent merely because you have provided an individual with notice of a proposed collection of personal information. Consent also may not be implied if an individual’s intent is ambiguous or subject to reasonable doubt.
The Privacy Commissioner’s policy is that use of an opt-out mechanism to infer an individual’s consent will only be appropriate in limited circumstances, as the individual’s intention in failing to opt out may be ambiguous. Where an opt-out mechanism is used, the Commissioner has said that the following conditions must be met:
the opt-out option must be clearly and prominently presented;
it is likely that the individual received and read the information about the proposed collection, use or disclosure, and the option to opt out;
the individual was given information on the implications of not opting out;
the opt-out option was freely available and not bundled with other purposes;
it was easy for the individual to exercise the option to opt out, for example, there was little or no financial cost or effort required of the individual;
the consequences of failing to opt out are not serious; and
an individual who opts out at a later time will, as far as practicable, be placed in the position as if they had opted out earlier.
Use and disclosure of personal information
APP entities must ensure that they comply with all requirements relating to the use and disclosure of personal information.
The use of personal information occurs when an APP entity handles and manages that information within the entity’s effective control. This includes accessing and reading personal information, making a decision based on personal information and passing personal information from one part of the entity to another.
The disclosure of personal information involves:
making the information accessible or visible to others outside of the APP entity; and
the release of the subsequent handling of the personal information from the entity’s effective control.
Whilst it is not uncommon for APP entities to engage sub-contractors to handle personal information on their behalf, regard must be had to whether this involves the use or the disclosure of that information, as different obligations under the Privacy Act arise in each case. Whether the provision of personal information to a sub-contractor constitutes use or disclosure depends on the circumstances of each case, having regard to the degree of control the APP entity retains over the information. For example, if the second party can fully access and edit the information for its own purposes, providing the personal information constitutes a disclosure under the Privacy Act and is subject to the relevant notice and consent requirements.
The Privacy Act does not prevent an APP entity from storing or processing personal information outside Australia, either by itself or through a third party service provider. The APP entity must comply with the APPs in sending personal information to an overseas cloud service provider or pursuant to any other overseas outsourcing arrangement.
Before disclosing personal information to an overseas recipient, APP 8.1 requires an APP entity to take reasonable steps to ensure that the overseas recipient does not breach the APPs (other than APP 1) in relation to that information. It is very important to comply with this requirement, as in some circumstances an act done by the overseas recipient that would breach the APPs is taken to be a breach of the APPs by the disclosing entity.
There are a number of exceptions to APP 8.1. For example, APP 8.1 will not apply where:
the entity reasonably believes that the recipient is subject to a law or binding scheme that has the effect of protecting the information in a way that is, overall, substantially similar to the APPs and there are mechanisms available to the individual to enforce that protection or scheme; or
an individual consents to the cross-border disclosure, after the entity informs them that APP 8.1 will no longer apply if they give their consent.
As set out above, an overseas transfer of personal information may not be a disclosure if the personal information at all times remains under the effective control of the APP entity.
Note also that some categories of personal information are subject to special or additional rules. Part IIIA of the Privacy Act regulates credit reporting and includes some restrictions on sending information held in the Australian credit reporting system overseas.
The general rule is that an organisation that holds personal information about an individual must not use or disclose that information for the purposes of direct marketing. There are, however, three major exceptions to the general rule, each of which are set out in APP 7.
First, if the organisation has collected personal information (other than sensitive information) directly from the individual and the individual would reasonably expect the organisation to use or disclose the information for that purpose, it may be used or disclosed for direct marketing. The organisation must also provide a simple means of opting out of the direct marketing communications.
Secondly, if the organisation has collected personal information (other than sensitive information) from the individual in circumstances where that individual would not reasonably expect the organisation to use or disclose the information for that purpose, or has collected the information from someone other than the individual, it may be used or disclosed for direct marketing if:
the individual has consented to the use or disclosure of the information for that purpose or it is impracticable to obtain that consent;
the organisation provides a simple means of opting out of the direct marketing communications; and
in each direct marketing communication, the organisation includes a prominent statement that the individual may make such a request.
Finally, in the case of sensitive information, the individual must have consented to the use or disclosure of the information for that purpose.
Breach of the Australian Privacy Principles
An act or practice of an APP entity that breaches an APP is considered ‘an interference with the privacy’ of the individual.
The Privacy Commissioner has significant investigation and enforcement powers in respect of interferences with the privacy of an individual. Where an individual makes a complaint, the Commissioner will generally attempt to conciliate the complaint, but the Commissioner also has the power to:
seek civil penalties of up to $1.8 million against an organisation for serious or repeated interferences with privacy; and
accept enforceable undertakings as to compliance with the Privacy Act.
The Privacy Commissioner can also seek, and has sought, orders requiring respondents to amend their information handling procedures and to train staff in accordance with the revised procedures.