APP 1: Management of personal information
APP 1 requires that APP entities (see ‘Entities to which the Privacy A written law made by parliament. Also called an ‘Act of parliament’, ‘statute’ or legislation. applies’, above) take reasonable steps to implement practices, procedures and systems to ensure they comply with the APPs. APP 1 also requires every APP entity to have a clear policy about the entity’s management of personal information that addresses a list of prescribed matters. The policy must be made available free of (1) A statement giving the details of a crime an accused person is claimed to have committed. (2) A personal property security. (3) A judge’s directions to a jury at the end of a case. and in an appropriate form (e.g. by publishing on the entity’s website). Prescribed matters include:
- the kinds of personal information that the entity collects and holds;
- how the entity collects and holds personal information;
- the purposes for which the information is collected, held, used and disclosed;
- how an individual may access and, if necessary, correct the information;
- how an individual can complain about the entity’s use of the information; and
- whether the entity is likely to disclose the information to overseas recipients, and if so, the countries in which such recipients are likely to be located (if it is practicable to specify those countries in the policy).
APP 2: Anonymity
APP 2 states that individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with an APP entity. However, this requirement does not apply where it is impracticable for an APP entity to deal with individuals who have not identified themselves, or where the APP entity is permitted by law to deal with individuals who have identified themselves.
APPs 3, 4 and 5: Collection of personal information
APPs 3, 4 and 5 cover the collection of personal information.
APP 3 states that an APP entity must only collect personal information by lawful and fair means, and must (where reasonable and practicable) collect personal information about an individual directly from that individual. Further, an APP entity must not collect personal information unless the information is reasonably necessary for one or more of the APP entity’s functions or activities (in the case of a government agency, collection is also permitted where the information is directly related to one of those functions or activities). The entity collecting the information must demonstrate that a reasonable person who is properly informed would agree that the collection is necessary.
The APP guidelines refer to previous decisions where an entity’s collection of information was not reasonably necessary (e.g. it was not reasonably necessary for a bank to collect information about a person’s marital status to open a bank account).
In addition, ‘sensitive information’ may generally only be collected if the individual about whom the information relates has consented to the collection.
There are limited exceptions where To agree to something being done, to approve an action or arrangement. See also informed consent. is not required to collect sensitive information, including where the collection of the information is required by law, or is required to prevent a serious threat to health or safety. There is also an exception permitting not-for-profit organisations to collect sensitive information if it relates solely to the members of the organisation, or to people who have regular contact with it for the purpose of its activities. Also, private sector organisations can collect health information from an individual in certain circumstances in connection with providing a health Formal delivery of legal documents to a person to tell them there are court proceedings against them which they must defend, or to make sure a witness in a case knows when they have to go to court to give evidence..
APP 4 states that if an APP entity receives personal information that it has not solicited from an individual, it must first determine whether or not it could have collected the information under APP 3 if it had solicited the information. If not, the entity must destroy or de-identify the information.
APP 5 requires that, when an entity collects personal information about an individual, it must take reasonable steps to notify the individual or otherwise ensure they are aware of certain matters, including:
- the organisation’s identity and contact details;
- the fact that the entity has collected the information;
- any law that requires the information to be collected;
- the purposes for which the information is collected;
- the consequences for the person if the information is not collected;
- the organisations to which the information is usually disclosed;
- how the individual can access and, if necessary, correct the information;
- how the individual can complain about the entity’s use of the information; and
- whether the entity is likely to disclose the information to overseas recipients and, if practicable, the countries where they are located.
Often, entities A document that sets out what a person wants to happen to their money and other property after they die. notify individuals about the above by providing a privacy notice at the time of collection, such as on a form used to collect personal information, or in a script read over the telephone.
APP 5 recognises that it may not be reasonable to take any steps to provide notice or to ensure awareness of APP 5 matters. The APP guidelines provide a number of examples of when it may be reasonable; for example, if notification may pose a serious threat to an individual’s health and safety, or to public health or safety.
APP 6: Use and disclosure of personal information
APP 6 regulates organisations’ use and Providing information to another person or institution as required by a contract or other legal process. of personal information. APP 6 states that an entity should only use (or disclose) personal information for the purpose for which it was collected.
An entity can use or disclose personal information about an individual for another purpose if:
- the individual consents; or
- the individual would reasonably expect the organisation to use or disclose the information for a secondary purpose, and the secondary purpose is related to the primary purpose (or directly related in the case of sensitive information).
An example of a related secondary purpose is where an entity collects personal information to provide a service and uses that information to evaluate or improve that particular service.
In the case of F v Medical Specialist  PrivComr A17, a medical specialist collected health information from an individual but decided (for ethical and therapeutic reasons) to not treat the patient. The medical specialist referred the matter to the clinic manager so that the patient could receive treatment from another consultant. The Privacy Commissioner decided that the disclosure was directly related to the purpose for which it was collected, and would be within an individual’s reasonable expectation. (The case is reported on www.austlii.edu.au – see the federal Privacy Commissioner’s case notes.)
For an example of where the secondary purpose was found to be not related, see E v Insurance Company  Priv Cmr A5.
An entity may also be able to disclose personal information for some secondary purposes related to the public interest (e.g. law enforcement, public safety, research purposes and emergency situations).
APP 7: Direct marketing
APP 7 concerns the circumstances in which an entity can use personal information for direct marketing. The term ‘direct marketing’ is not defined in the PA 1988; however, the Explanatory Memorandum to the Act states that it involves ‘communicating directly with a Under the Australian Consumer Law, a person who buys goods or services for less than $40 000 or for personal or home use. to promote the sale of goods and services to the consumer’. The APP guidelines state that direct marketing can be through ‘a variety of channels, including telephone, SMS, mail, email and online advertising’.
APP 7 prohibits private sector organisations from using personal information for direct marketing except in certain limited circumstances; if personal information has been collected directly from an individual, direct marketing is only permitted where:
- the individual would reasonably expect the information to be used for the purpose of direct marketing; and
- the entity includes a simple means to opt-out of the direct marketing communications (and the individual has not made a request to opt-out).
The APP guidelines state that an organisation should not assume that an individual would reasonably expect their information to be used for direct marketing just because the organisation assumes the individual would welcome it.
According to the APP guidelines, for ‘a means to opt-out’ to be ‘simple’, it should require minimal time and effort. It should be clear, easily understood, accessible and free (or involve no more than a nominal cost; for example, a standard text message charge). If an individual has opted-out of receiving direct marketing from an entity, the entity must not use or disclose the individual’s personal information for the purpose of direct marketing.
Additional restrictions apply to using personal information for direct marketing if the individual would not reasonably expect their personal information to be used for direct marketing, or if the personal information was collected from a third A person or organisation directly involved in a court case. Parties include the plaintiff or applicant, the defendant, and any third party added to the action, but not independent witnesses..
Sensitive information can only be used for direct marketing with the individual’s consent. Consent must be obtained even if the individual and the organisation have a pre-existing relationship.
An individual can ask an organisation to stop direct marketing or stop facilitating it. The organisation must stop the direct marketing within a reasonable period and must not charge for doing so.
An individual can ask an organisation to identify the source of personal information it uses or discloses for direct marketing; the organisation must disclose the source unless it can show it is unreasonable or impracticable to do so.
APP 7 generally applies only to private sector organisations; however, it can apply to the Australian Government agencies named in the The right of any person to access documents held by government agencies, except documents excluded by legislation. Act 1982 (Cth) (sch 2) and its regulations.
There are also exceptions to the An order made by the Supreme Court of Victoria or the High Court of Australia prohibiting a body from acting outside its authority. See also jurisdiction; prerogative writ; ultra vires. on direct marketing in APP 7, such as where the direct marketing is necessary for an entity to fulfil its obligations under a government An agreement that the law will enforce..
Where other laws apply that contain specific provisions regarding direct marketing (such as the Spam Act 2003 (Cth) and the Do Not Call Register Act 2006 (Cth)), these provisions displace the more general rules in APP 7.
APP 8: Cross-border disclosure of personal information
APP 8 covers the disclosure of personal information outside of Australia. It is particularly relevant in today’s context where an increasing number of entities use information technology services that disclose or transfer personal information to overseas recipients (e.g. outsourcing, off-shoring and cloud computing).
Subject to certain exceptions, before an APP entity makes personal information available to a third party located outside of Australia, the entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs. This usually involves the APP entity entering into an enforceable contract with the overseas recipient requiring the recipient to handle the personal information in accordance with the APPs. An APP entity may be Treated by the law as if something is the case, even if that is not the reality. For example, children may be deemed to have the same home as their parents, whether they actually live there or not. Or a person may be deemed to have given their consent to something if they hear about it and do not object. Compare rebuttable. liable for a breach committed by the overseas recipient (even if the entity took reasonable steps to ensure the overseas entity complied with the APPs).
Where an APP entity discloses personal information to an overseas recipient, it also needs to comply with APP 6. Disclosure of personal information is permitted with an individual’s consent provided they have been expressly informed that if they consent, then APP 8 will not apply.
An APP entity may disclose personal information to an overseas recipient without complying with APP 8, where the disclosure is required/authorised by Australian law or by a An independent body that hears legal claims brought by parties and decides between them. Serious cases are heard by a judge and jury, or just a judge. Less-serious cases are heard by a magistrate. or A body set up to hear and decide disputes, usually with less formality and less strict rules of evidence than in a court proceeding.. An example of a law that may require/authorise disclosure to an overseas recipient is the Mutual Assistance in Criminal Matters Act 1987 (Cth). An example of a permitted disclosure to a foreign government is under the Anti-money Laundering and Counter-terrorism Financing Act 2006 (Cth).
APP 9: Government-related identifiers
APP 9 limits the use of government-related identifiers (e.g. passport, Medicare and driver licence numbers) by private sector organisations. The purpose of APP 9 is to ensure that government-related identifiers do not become universal identifiers, and to prevent government-related identifiers from being used for data-matching. As such, APP 9 generally prohibits an entity from adopting government-related identifiers as its own way to identify an individual.
There are exceptions where using an identifier is reasonably necessary for certain purposes, such as verifying the identity of an individual. An individual cannot consent to the adoption, use or disclosure of their government-related identifier.
Some government-related identifiers are regulated by other laws that restrict the way entities collect, use or disclose the particular identifier (see ‘Tax file numbers’ and ‘Healthcare identifiers’, below).
APP 10: Quality of personal information
APP 10 requires APP entities to take reasonable steps to ensure that the personal information they collect, use and disclose is accurate, up-to-date and complete. The reasonable steps required depend on the sensitivity of the information.
APP 11: Security of personal information
APP 11 concerns the Money or property promised to be handed over as a guarantee for repayment of a loan, or as a guarantee that a defendant will meet their bail conditions. of personal information held by APP entities. It requires APP entities to take reasonable steps to protect the personal information they hold from misuse, interference and loss and from unauthorised access, modification and disclosure. The term ‘holds’ extends beyond the (1) Having control over property. Possession is not the same as ownership. For example, a bicycle you have borrowed from a friend is in your possession but you do not own it. (2) Having illegal drugs on your person or property. of a record to include records an APP entity has the right or power to deal with. For example, where an entity has outsourced storage of its records to a third party but retains the right to deal with the information.
Further, an APP entity must take reasonable steps to destroy or de-identify information it no longer needs. This requirement does not apply to personal information contained in a Commonwealth record, or if a court or tribunal requires the information to be retained. Commonwealth information is dealt with under the Archives Act 1983 (Cth).
A more detailed discussion of the requirements of APP 11 can be found in the OAIC’s Guide to Securing Personal Information (published June 2018) (available at www.oaic.gov.au/privacy/guidance-and-advice).
APPs 12 and 13: Access to, and correction of, personal information
APP 12 states that an APP entity must, upon request, give an individual access to any personal information that the entity holds about them. An entity ‘holds’ personal information if it has possession or control over it. The information does not have to be in the physical possession of the entity (e.g. where it has outsourced storage of the information but retains control over it).
All APP entities must allow individuals to request access to their personal information for free. Australian Government agencies must also provide access for free. Whereas, private sector organisations may charge for providing access, but the charge cannot be excessive. The APP guidelines suggest that a charge is excessive if it exceeds the actual cost of giving access.
APP 12 sets time periods within which entities must respond to requests for access. Australian Government agencies must respond to requests within 30 days of the request. Private sector organisations must deal with requests within a reasonable time period.
APP entities must take reasonable steps to give access, which may mean providing access through an agreed intermediary. If the entity refuses access on the basis of an exception, the individual is entitled to receive a written notice setting out the reasons for the refusal and how they can complain about the refusal.
There are several exceptions to APP 12 that permit an entity to refuse access to personal information. These exceptions differ depending on whether the entity is a private sector organisation or an Australian Government agency. This is because agencies have responsibilities to provide access to information under other Commonwealth Statutory rules made by parliament or by bodies the parliament delegates power to, for example a local council or a registration authority. See delegated legislation; statute., such as the Freedom of Information Act 1982 (Cth) (‘FoI Act (Cth)’). The intention of APP 12 is that individuals should rely on the FoI Act (Cth) as the primary way to seek access to their personal information held by agencies. APP 12 lists several grounds upon which an agency can refuse access, which cross-reference the FoI Act (Cth) and other Commonwealth legislation. However, a request for access under APP 12 is a decision made under the PA 1988, not the FoI Act (Cth), and so the agency is still obliged to provide reasons for the refusal, and an individual is entitled to complain to the Privacy Commissioner.
Private sector organisations can also refuse access in some circumstances – for example, if:
- it would be unlawful to provide the information;
- it would have an unreasonable impact on the privacy of another individual;
- it would pose a serious and imminent threat to the life or health of any individual;
- the request is frivolous or Causing trouble without good legal reason. A vexatious litigant repeatedly starts court cases that have no chance of succeeding. Vexatious litigation is a court action that is unnecessary or undertaken only to cause trouble, embarrassment or inconvenience for the other party.; or
- giving access would reveal evaluative information in connection with a commercially sensitive decision (in which case the entity’s reasons for refusal may include an explanation for the commercially sensitive decision).
APP 13 requires an APP entity to take reasonable steps to correct any personal information it holds if it is satisfied that the information is out of date, inaccurate, incomplete, irrelevant or misleading, or if an individual requests the information to be corrected. On request from the individual, the entity must also communicate the correction to third parties to whom it has previously disclosed the information.
If an entity refuses to correct the information, it must explain (in writing) the refusal and how the individual can complain about this refusal. The entity may also have to inform users of the information that the individual believes to be incorrect.
For government agencies, APP 13 operates alongside the right to amend or annotate personal information under Part V of the FoI Act (Cth).
Data breach notification
Since 22 February 2018, all APP entities are required to notify any affected individuals and the OAIC when a data breach occurs and is likely to result in serious harm to the individuals whose personal information is involved in the breach. For more information, see www.oaic.gov.au. Note that under the scheme, organisations (including Victorian public sector organisations) that are tax file number recipients are subject to the scheme.