The Law Handbook 2024
Chapter 12.2: Privacy and your rights

Sensitive information can only be used for direct marketing with the individual’s consent. Consent must be obtained even if the individual and the organisation have a pre-existing relationship.

An individual can ask an organisation to stop direct marketing or stop facilitating it. The organisation must stop the direct marketing within a reasonable period and must not charge for doing so. An individual can ask an organisation to identify the source of personal information it uses or discloses for direct marketing; the organisation must disclose the source unless it can show it is unreasonable or impracticable to do so.

APP 7 generally applies only to private sector organisations; however, it can apply to the Australian Government agencies named in the FoI Act (Cth) (sch 2) and its regulations. There are also exceptions to the prohibition on direct marketing in APP 7, such as where the direct marketing is necessary for an entity to fulfil its obligations under a government contract.

Other laws containing specific provisions regarding direct marketing (such as the Spam Act 2003 (Cth) and the Do Not Call Register Act 2006 (Cth)) override the more general rules in APP 7.

APP 8: Cross-border disclosure of personal information

APP 8 covers the disclosure of personal information outside of Australia. It is particularly relevant in today’s context where an increasing number of entities use information technology services that disclose or transfer personal information to overseas recipients (e.g. outsourcing, off-shoring and cloud computing).

Subject to certain exceptions, before an APP entity makes personal information available to a third party located outside of Australia, the entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs.
This usually involves the APP entity entering into an enforceable contract with the overseas recipient requiring the recipient to handle the personal information in accordance with the APPs. An APP entity may be deemed liable for a breach committed by the overseas recipient (even if the entity took reasonable steps to ensure the overseas entity complied with the APPs).

Where an APP entity discloses personal information to an overseas recipient, it also needs to comply with APP 6.

Disclosure of personal information is permitted with an individual’s consent provided they have been expressly informed that if they consent, then APP 8 will not apply.

An APP entity may disclose personal information to an overseas recipient without complying with APP 8, where the disclosure is required/authorised by Australian law or by a court or tribunal. An example of a law that may require/authorise disclosure to an overseas recipient is the Mutual Assistance in Criminal Matters Act 1987 (Cth). An example of a permitted disclosure to a foreign government is under the Anti-Money Laundering and Counter-terrorism Financing Act 2006 (Cth).

APP 9: Government-related identifiers

APP 9 limits the use of government-related identifiers (e.g. passport, Medicare and driver licence numbers) by private sector organisations. The purpose of APP 9 is to ensure that government-related identifiers do not become universal identifiers, and to prevent government-related identifiers from being used for data-matching. As such, APP 9 generally prohibits an entity from adopting government-related identifiers as its own way to identify an individual. There are exceptions where using an identifier is reasonably necessary for certain purposes, such as verifying the identity of an individual.

An individual cannot consent to the adoption, use or disclosure of their government-related identifier.
Some government-related identifiers are regulated by other laws that restrict the way entities collect, use or disclose the particular identifier (see ‘Tax file numbers’ and ‘Healthcare identifiers’, below).

APP 10: Quality of personal information

APP 10 requires APP entities to take reasonable steps to ensure that the personal information they collect, use and disclose is accurate, up-to-date and complete. The reasonable steps required depend on a range of factors, such as:

• the use to which the information is put;
• any direct impacts for the individual if the information is inaccurate or incomplete; and