APP 1: Management of personal information
APP 1 requires that APP entities (see ‘Entities to which the Privacy Act applies’ in ‘Commonwealth privacy legislation: Privacy Act 1988‘) take reasonable steps to implement practices, procedures and systems to ensure they comply with the APPs.
APP 1 also requires every APP entity to have a clear policy about the entity’s management of personal information that addresses a list of prescribed matters. The policy must be made available free of charge and in an appropriate form (e.g. by publishing on the entity’s website).
Prescribed matters include:
- the kinds of personal information that the entity collects and holds;
- how the entity collects and holds personal information;
- the purposes for which the information is collected, held, used and disclosed;
- how an individual may access and, if necessary, correct the information;
- how an individual can complain about the entity’s use of the information; and
- whether the entity is likely to disclose the information to overseas recipients, and if so, the countries in which such recipients are likely to be located (if it is practicable to specify those countries in the policy).
APP 2: Anonymity
APP 2 states that individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with an APP entity.
However, this requirement does not apply where it is impracticable for an APP entity to deal with individuals who have not identified themselves, or where the APP entity is required or authorised by or under an Australian law (or a court or tribunal order) to deal with individuals who have identified themselves.
APPs 3, 4 and 5: Collection of personal information
APPs 3, 4 and 5 cover the collection of personal information.
APP 3 states that an APP entity must only collect personal information by lawful and fair means, and must (where reasonable and practicable) collect personal information about an individual directly from that individual. Further, an APP entity must not collect personal information unless the information is reasonably necessary for one or more of the APP entity’s functions or activities (in the case of a government agency, collection is also permitted where the information is directly related to one of those functions or activities). The entity collecting the information must demonstrate that a reasonable person who is properly informed would agree that the collection is necessary.
The APP guidelines refer to previous decisions where an entity’s collection of information was not reasonably necessary (e.g. it was not reasonably necessary for a bank to collect information about a person’s marital status to open a bank account).
In addition, ‘sensitive information’ may generally only be collected if the individual about whom the information relates has consented to the collection.
There are limited exceptions where consent is not required to collect sensitive information, including where the collection of the information is required by law, or is required to prevent a serious threat to health or safety. There is also an exception permitting not-for-profit organisations to collect sensitive information if it relates solely to the members of the organisation, or to people who have regular contact with it for the purpose of its activities. Also, private sector organisations can collect health information from an individual in certain circumstances in connection with providing a health service.
APP 4 states that if an APP entity receives personal information that it has not solicited, it must, within a reasonable period, determine whether it could have collected the information under APP 3 had it solicited the information. If not, and the information is not contained in a Commonwealth record, the entity must destroy or de-identify the information as soon as practicable (provided it is lawful and reasonable to do so).
APP 5 requires that, when an entity collects personal information about an individual, it must take reasonable steps to notify the individual or otherwise ensure they are aware of certain matters, including:
- the entity’s identity and contact details;
- the fact that the entity has collected the information;
- any law that requires the information to be collected;
- the purposes for which the information is collected;
- the consequences for the person if the information is not collected;
- the organisations to which the information is usually disclosed;
- how the individual can access and, if necessary, correct the information;
- how the individual can complain about the entity’s use of the information; and
- whether the entity is likely to disclose the information to overseas recipients and, if practicable, the countries where they are located.
Often, entities will notify individuals about the above by providing a privacy notice at the time of collection, such as on a form used to collect personal information, or in a script read over the telephone.
APP 5 recognises that, in some circumstances, it may not be reasonable to take any steps to provide notice or to ensure awareness of the APP 5 matters. The APP guidelines give a number of examples of when taking no steps may be reasonable; for example, where notification may itself pose a serious threat to an individual’s health or safety, or to public health or safety.
APP 6: Use and disclosure of personal information
APP 6 regulates how APP entities use and disclose personal information.
APP 6 states that an entity must only use (or disclose) personal information for the purpose for which it was collected (the ‘primary purpose’), unless an exception applies.
An entity can use or disclose personal information about an individual for another purpose if:
- the individual consents; or
- the individual would reasonably expect the entity to use or disclose the information for the secondary purpose, and the secondary purpose is related to the primary purpose (or directly related, in the case of sensitive information).
An example of a related secondary purpose is where an entity collects personal information to provide a service and uses that information to evaluate or improve that particular service.
In the case of F v Medical Specialist PrivCmrA 17, a medical specialist collected health information from an individual but decided (for ethical and therapeutic reasons) not to treat the patient. The medical specialist referred the matter to the clinic manager so that the patient could receive treatment from another consultant. The Privacy Commissioner decided that the disclosure was directly related to the purpose for which the information was collected, and was within the individual’s reasonable expectations. (The case is reported on www.austlii.edu.au – see the federal Privacy Commissioner’s case notes.)
For an example of where the secondary purpose was found not to be related, see E v Insurance Company PrivCmrA 5.
An entity may also be able to disclose personal information for some secondary purposes related to the public interest (e.g. law enforcement, public safety, research purposes and emergency situations).
APP 7: Direct marketing
APP 7 concerns the circumstances in which an entity can use personal information for direct marketing.
The term ‘direct marketing’ is not defined in the PA 1988; however, the Explanatory Memorandum to the Act states that it involves ‘communicating directly with a consumer to promote the sale of goods and services to the consumer’. The APP guidelines state that direct marketing can be through ‘a variety of channels, including telephone, SMS, mail, email and online advertising’.
APP 7 prohibits private sector organisations from using personal information for direct marketing except in certain limited circumstances; if personal information has been collected directly from an individual, direct marketing is only permitted where:
- the individual would reasonably expect the information to be used for the purpose of direct marketing; and
- the entity includes a simple means to opt-out of the direct marketing communications (and the individual has not made a request to opt-out).
The APP guidelines state that an organisation should not assume that an individual would reasonably expect their information to be used for direct marketing just because the organisation assumes the individual would welcome it.
According to the APP guidelines, for ‘a means to opt-out’ to be ‘simple’, it should require minimal time and effort. It should be clear, easily understood, accessible and free (or involve no more than a nominal cost; for example, a standard text message charge). If an individual has opted-out of receiving direct marketing from an entity, the entity must not use or disclose the individual’s personal information for the purpose of direct marketing.
Additional restrictions apply where the individual would not reasonably expect their personal information to be used for direct marketing, or where the personal information was collected from a third party. In those cases, the organisation must have the individual’s consent (or it must be impracticable to obtain consent), each direct marketing communication must include a prominent statement that the individual may opt out (or otherwise draw the individual’s attention to that right), and the organisation must still provide a simple means to opt out.
Sensitive information can only be used for direct marketing with the individual’s consent. Consent must be obtained even if the individual and the organisation have a pre-existing relationship.
An individual can ask an organisation to stop direct marketing or stop facilitating it. The organisation must stop the direct marketing within a reasonable period and must not charge for doing so.
An individual can ask an organisation to identify the source of personal information it uses or discloses for direct marketing; the organisation must disclose the source unless it can show it is unreasonable or impracticable to do so.
APP 7 generally applies only to private sector organisations; however, it can apply to the Australian Government agencies named in the Freedom of Information Act 1982 (Cth) (sch 2) and its regulations.
There are also exceptions to the prohibition on direct marketing in APP 7, such as where the direct marketing is necessary for an entity to fulfil its obligations under a government contract.
Where other laws apply that contain specific provisions regarding direct marketing (such as the Spam Act 2003 (Cth) and the Do Not Call Register Act 2006 (Cth)), these provisions displace the more general rules in APP 7.
APP 8: Cross-border disclosure of personal information
APP 8 covers the disclosure of personal information outside of Australia.
It is particularly relevant in today’s context where an increasing number of entities use information technology services that disclose or transfer personal information to overseas recipients (e.g. outsourcing, off-shoring and cloud computing).
Subject to certain exceptions, before an APP entity makes personal information available to a third party located outside of Australia, the entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs. This usually involves the APP entity entering into an enforceable contract with the overseas recipient requiring the recipient to handle the personal information in accordance with the APPs. An APP entity may be deemed liable for a breach committed by the overseas recipient (even if the entity took reasonable steps to ensure the overseas entity complied with the APPs).
Where an APP entity discloses personal information to an overseas recipient, it also needs to comply with APP 6. Disclosure of personal information is permitted with an individual’s consent provided they have been expressly informed that if they consent, then APP 8 will not apply.
An APP entity may also disclose personal information to an overseas recipient without complying with APP 8 where the entity reasonably believes the recipient is subject to a law or binding scheme that protects the information in a way that is, overall, at least substantially similar to the APPs, and the individual has mechanisms to enforce that protection. APP 8 likewise does not apply where the disclosure is required or authorised by or under an Australian law, or by a court or tribunal order. An example of a law that may require or authorise disclosure to an overseas recipient is the Mutual Assistance in Criminal Matters Act 1987 (Cth). An example of a permitted disclosure to a foreign government is under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).
APP 9: Government-related identifiers
APP 9 limits the use of government-related identifiers (e.g. passport, Medicare and driver licence numbers) by private sector organisations. The purpose of APP 9 is to ensure that government-related identifiers do not become universal identifiers, and to prevent them from being used for data-matching across organisations. As such, APP 9 generally prohibits an organisation from adopting a government-related identifier as its own identifier for an individual, and from using or disclosing such an identifier.
There are exceptions where using or disclosing an identifier is reasonably necessary for certain purposes, such as verifying the identity of an individual for the purposes of the organisation’s activities or functions. Unlike most of the APPs, APP 9 contains no consent exception: an individual cannot consent to an organisation adopting, using or disclosing their government-related identifier.
Some government-related identifiers are regulated by other laws that restrict the way entities collect, use or disclose the particular identifier (see ‘Tax file numbers’ and ‘Healthcare identifiers’ in ‘Privacy protection in Australia: Other Commonwealth legislation and guidelines‘).
APP 10: Quality of personal information
APP 10 requires APP entities to take reasonable steps to ensure that the personal information they collect is accurate, up to date and complete, and that the personal information they use or disclose is, having regard to the purpose of the use or disclosure, accurate, up to date, complete and relevant.
The reasonable steps required depend on the circumstances, including the sensitivity of the information and the adverse consequences for the individual if the information is inaccurate.
APP 11: Security of personal information
APP 11 concerns the security of personal information held by APP entities.
APP 11 requires APP entities to take reasonable steps to protect the personal information they hold from misuse, interference and loss and from unauthorised access, modification and disclosure.
The term ‘holds’ extends beyond physical possession of a record to include records that an APP entity has the right or power to deal with; for example, where an entity has outsourced the storage of its records to a third party but retains the right to deal with the information.
Further, an APP entity must take reasonable steps to destroy or de-identify personal information it no longer needs for any purpose permitted under the APPs. This requirement does not apply to personal information contained in a Commonwealth record, or where the entity is required by or under an Australian law, or a court or tribunal order, to retain the information. The disposal of Commonwealth records is governed by the Archives Act 1983 (Cth).
A more detailed discussion of the requirements of APP 11 can be found in the OAIC’s Guide to Securing Personal Information (published June 2018).
APPs 12 and 13: Access to, and correction of, personal information
APP 12 states that an APP entity must, upon request, give an individual access to any personal information that the entity holds about them. An entity ‘holds’ personal information if it has possession or control over it. The information does not have to be in the physical possession of the entity (e.g. where it has outsourced storage of the information but retains control over it).
No APP entity may charge an individual for making a request for access to their personal information. Australian Government agencies must also give the access itself free of charge, whereas private sector organisations may charge for giving access, provided the charge is not excessive. The APP guidelines suggest that a charge is excessive if it exceeds the actual cost to the organisation of giving access.
APP 12 sets time periods within which entities must respond to requests for access. Australian Government agencies must respond to requests within 30 days of the request. Private sector organisations must deal with requests within a reasonable time period.
APP entities must take reasonable steps to give access in a way that meets the needs of both the entity and the individual. Where an entity refuses to give access in the manner requested (e.g. because an exception applies to part of the information), this may mean providing access through a mutually agreed intermediary. If the entity refuses access on the basis of an exception, the individual is entitled to a written notice setting out the reasons for the refusal and how they can complain about it.
There are several exceptions to APP 12 that permit an entity to refuse access to personal information. These exceptions differ depending on whether the entity is a private sector organisation or an Australian Government agency. This is because agencies have responsibilities to provide access to information under other Commonwealth legislation, such as the Freedom of Information Act 1982 (Cth) (‘FoI Act (Cth)’). The intention of APP 12 is that individuals should rely on the FoI Act (Cth) as the primary way to seek access to their personal information held by agencies. APP 12 lists several grounds upon which an agency can refuse access, which cross-reference the FoI Act (Cth) and other Commonwealth legislation. However, a decision on a request for access under APP 12 is made under the PA 1988, not the FoI Act (Cth), so the agency is still obliged to provide reasons for the refusal, and the individual is entitled to complain to the Privacy Commissioner.
Private sector organisations can also refuse access in some circumstances – for example, if:
- it would be unlawful to provide the information;
- it would have an unreasonable impact on the privacy of another individual;
- it would pose a serious threat to the life, health or safety of any individual, or to public health or public safety;
- the request is frivolous or vexatious; or
- giving access would reveal evaluative information generated within the organisation in connection with a commercially sensitive decision-making process (in which case the organisation may, instead of giving its reasons for refusal, give an explanation of the commercially sensitive decision).
APP 13 requires an APP entity to take reasonable steps to correct personal information it holds if it is satisfied that, having regard to the purpose for which the information is held, the information is inaccurate, out of date, incomplete, irrelevant or misleading, or if the individual requests that the information be corrected. If the individual asks, the entity must also take reasonable steps to notify the correction to any other APP entity to which it has previously disclosed the information, unless doing so would be impracticable or unlawful.
If an entity refuses to correct the information, it must give the individual a written notice explaining the reasons for the refusal and how the individual can complain about it. If the individual requests it, the entity must also take reasonable steps to associate with the information a statement that the individual believes it to be inaccurate, out of date, incomplete, irrelevant or misleading, in such a way that the statement is apparent to users of the information.
For government agencies, APP 13 operates alongside the right to amend or annotate personal information under Part V of the FoI Act (Cth).
Data breach notification
Since 22 February 2018, the Notifiable Data Breaches scheme (Part IIIC of the PA 1988) has required all APP entities to notify affected individuals and the Office of the Australian Information Commissioner of an ‘eligible data breach’: unauthorised access to, unauthorised disclosure of, or loss of personal information where a reasonable person would conclude that the breach is likely to result in serious harm to any of the individuals to whom the information relates, and the entity has not been able to prevent that likely risk through remedial action. If an entity merely suspects an eligible data breach has occurred, it must carry out a reasonable and expeditious assessment within 30 days.
For more information, see www.oaic.gov.au. Note that organisations that are tax file number recipients (including Victorian public sector organisations) are also subject to the scheme in respect of the tax file number information they hold.