The Law Handbook 2024

Chapter 12.2: Privacy and your rights

Summary of the Australian Privacy Principles

APP 1: Management of personal information

APP 1 requires that APP entities (see ‘Entities to which the Privacy Act applies’, above) take reasonable steps to implement practices, procedures and systems to ensure they comply with the APPs. APP 1 also requires every APP entity to have a clearly expressed and up-to-date policy about the entity’s management of personal information that addresses a list of prescribed matters. The policy must be made available free of charge and in an appropriate form (e.g. by publishing it on the entity’s website). Prescribed matters include:
• the kinds of personal information that the entity collects and holds;
• how the entity collects and holds personal information;
• the purposes for which the information is collected, held, used and disclosed;
• how an individual may access and, if necessary, correct the information;
• how an individual can complain about a breach of the APPs by the entity, and how the entity will deal with such a complaint; and
• whether the entity is likely to disclose the information to overseas recipients and, if so, the countries in which such recipients are likely to be located (if it is practicable to specify those countries in the policy).

APP 2: Anonymity and pseudonymity

APP 2 states that individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with an APP entity. However, this requirement does not apply where it is impracticable for the APP entity to deal with individuals who have not identified themselves or who have used a pseudonym, or where the entity is required or authorised by or under an Australian law, or a court or tribunal order, to deal with individuals who have identified themselves.

APPs 3, 4 and 5: Collection of personal information

APPs 3, 4 and 5 cover the collection of personal information.

APP 3 states that an APP entity must only collect personal information by lawful and fair means, and must collect personal information about an individual directly from that individual unless it is unreasonable or impracticable to do so.

Further, an APP entity must not collect personal information unless the information is reasonably necessary for one or more of the entity’s functions or activities (in the case of a government agency, collection is also permitted where the information is directly related to one of those functions or activities). The test is objective: the entity collecting the information must be able to show that a reasonable person who is properly informed would agree that the collection is necessary. The APP guidelines refer to previous decisions where an entity’s collection of information was found not to be reasonably necessary (e.g. it was not reasonably necessary for a bank to collect information about a person’s marital status in order to open a bank account).

In addition, ‘sensitive information’ may generally only be collected if the individual to whom the information relates has consented to the collection. There are limited exceptions where consent is not required to collect sensitive information, including where the collection is required or authorised by law, or is necessary to lessen or prevent a serious threat to the life, health or safety of any individual. There is also an exception permitting not-for-profit organisations to collect sensitive information if it relates solely to the members of the organisation, or to people who have regular contact with it in connection with its activities. Private sector organisations can also collect health information from an individual in certain circumstances in connection with providing a health service.

APP 4 states that if an APP entity receives personal information that it did not solicit, it must determine, within a reasonable period, whether it could have collected the information under APP 3 had it solicited the information. If not, and the information is not contained in a Commonwealth record, the entity must destroy or de-identify the information as soon as practicable, provided it is lawful and reasonable to do so.

APP 5 requires that, when an entity collects personal information about an individual, it must take reasonable steps to notify the individual, or otherwise ensure the individual is aware, of certain matters at or before the time of collection (or, if that is not practicable, as soon as practicable afterwards), including:
• the entity’s identity and contact details;
• the fact that the entity has collected the information;
• any law that requires or authorises the information to be collected;
• the purposes for which the information is collected;
• the consequences for the person if the information is not collected;
• the organisations to which the information is usually disclosed;
