The 13 Australian Privacy Principles (APPs) are the cornerstone of the country’s privacy protection framework under the Privacy Act 1988. If you are an Australian organization with an annual turnover of more than AUD 3 million, you should pay close attention. A breach of the Australian Privacy Principles can lead to not only regulatory action but, since the spring of 2023, to even higher maximum penalties.
In this article, we will explore the 13 Privacy Principles, their purpose, the recent Privacy Act Review Report, compliance, and penalties.
What are the Australian Privacy Principles?
As any comprehensive data protection regulation would, the Australian Privacy Act governs the collection, use, and disclosure of personal data.
The 13 Privacy Principles within the Privacy Act promote transparency, fairness, and respect for individuals' privacy, while allowing organizations the flexibility to adapt their information handling practices to meet the needs of their business models and the people they serve. They are also technology-neutral, meaning that they can adapt to changing technologies. Leave it to Australia to create a friendly security regulation!
In a nutshell, the APPs encompass these areas of data protection:
- Collection, use, and disclosure of personal information: The APPs set standards for how organizations can collect, use, and share personal information. It ensures that personal data is obtained fairly and used for legitimate purposes.
- Organization and agency governance: The principles emphasize the importance of accountability and responsible management of personal information by organizations.
- Integrity and correction of personal information: Individuals have the right to access and correct their personal information to ensure its accuracy and completeness.
- Rights of access to personal information: Individuals have the right to request access to the personal information that organizations hold about them.
We’ll take a look at each of the 13 principles below.
The Purpose of the Australian Privacy Principles
The core objective of the Australian Privacy Principles is to find a harmonious balance between safeguarding personal information and allowing organizations the flexibility to adapt their data handling practices to their business needs. By achieving this balance, the APP aims to address two key aspects:
Empowering individuals: The APP grants individuals control over the personal data that gets shared and handled by organizations. This empowerment promotes transparency and enables individuals to make informed decisions about how their data is used.
Enforcing accountability: The principles lay down clear obligations for organizations to be accountable for their data processing activities. By setting standards for data collection, use, and disclosure, the APP ensures that businesses handle personal information responsibly and ethically. This fosters trust between organizations and their customers.
The APPs are designed to be principles-based rather than overly prescriptive, allowing organizations to adapt their personal information handling practices to suit their specific business models. This flexibility ensures that data privacy regulations can effectively keep pace with changing technologies and evolving business environments while also being easier to comply with.
Scope: Who do the Australian Privacy Principles apply to?
APPs apply to both government and private sector organizations in Australia. To be covered by the APPs, an organization has an annual turnover of AUD 3 million or more.
Additionally, some other organizations, such as private health service providers, credit reporting bodies, and individuals handling tax file number information, are also subject to the APPs.
But there are also certain exceptions to the APPs. For example, political parties, registered charities, and certain employee records of organizations may be exempt from certain provisions of the APPs.
An Overview of the 13 Australian Privacy Principles
So, what exactly are these magical rules that keep Australia’s personal data safe? Let's take a brief look at each of the 13 APPs:
APP 1: Openness and transparency
APP 2: Anonymity and pseudonymity
Wherever possible, organizations should give individuals the option to interact anonymously or using a pseudonym.
APP 3: Collection of solicited personal information
For non-sensitive information, collection is allowed if reasonably necessary for the organization’s functions. Sensitive information can only be collected if the individual explicitly consents to it.
APP 4: Unsolicited personal information
If the information is not collected under APP 3, it must be promptly destroyed or de-identified if reasonable. Otherwise, it can be retained and managed under other APPs.
APP 5: Notification of data collection
Organizations have to inform the individual about the organization’s identity and the purpose of data collection. This has to be done before or at the time of collection, or as soon as practicable afterwards if not possible at the time.
APP 6: Use and disclosure
Personal information should be used or disclosed only for the purposes for which it was collected, unless an exception applies or the individual consents to another use or disclosure.
APP 7: Direct marketing
Organizations are required to obtain the individual's consent before using their personal information for direct marketing purposes.
APP 8: Cross-border disclosure
Before disclosing personal information to a foreign recipient, organizations must ensure that the recipient adheres to similar privacy standards or obtain the individual's consent.
APP 9: Government identifiers
Organizations should not adopt government identifiers (such as tax file numbers) as their own identification systems.
APP 10: Data quality and security
Organizations must take reasonable steps to ensure that the personal information they collect is accurate, up-to-date, and securely protected from unauthorized access, misuse, or loss.
APP 11: Access to personal information
Individuals have the right to access the personal information held about them by an organization, subject to certain exceptions.
APP 12: Correction of personal information
If an individual's personal information is inaccurate, incomplete, or out-of-date, organizations must take reasonable steps to correct it upon request.
APP 13: Data retention
Personal information should not be kept longer than necessary for the purpose it was collected, unless the law requires retention or the individual consents to extended storage.
The Privacy Act Review Report
The Privacy Act Review Report, published by the Attorney-General in February 2023, presents 116 proposals aimed at revitalizing the Privacy Act 1988. The digital era is to thank for this overhaul.
Among these proposals, several noteworthy ones are:
- The statutory tort of privacy. The report suggests introducing a statutory tort (legal right) that addresses serious invasions of privacy, even if no actual damage occurs. Individuals could claim damages for emotional distress, and the Office of the Australian Information Commissioner (OAIC) may be allowed to intervene in the proceedings.
- Tighter timeframes for reporting data breaches. Organizations will need to report data breaches to the OAIC within 72 hours of becoming aware of them, and notify impacted individuals as soon as possible. This is a significant change from the current 30-day period, and it also requires organizations to give detailed information about their response to the breach.
- Amending consent definition. The proposal clarifies that consent must be voluntary, informed, current, specific, and unambiguous. The OAIC can offer guidance on how online services should seek consent, leading to possible UX redesigns.
- Regulation of targeted advertising. The report suggests prohibitions on using individuals' information, including personal, de-identified, and unidentified data (like internet tracking history), for targeted advertising, especially concerning children. Individuals would have the right to opt-out.
- Mandatory privacy impact assessments (PIAs) are proposed for activities with a high privacy risk. PIAs will assess potential privacy impacts and ways to mitigate these impacts.
The Privacy Act Review Report also proposes to strengthen enforcement by introducing new civil penalties and expanding the powers of the OAIC. Notably, the maximum penalties for serious or repeated interferences with privacy have been increased, with the potential for penalties to reach up to AUD 50 million or more. This is a step that’s meant to increase accountability and ensure organizations take privacy protection seriously.
Australian Privacy Principles: How to comply
If you’ve determined that your organization falls under the scope of APP, consider these steps to ensure compliance:
- Implement measures to detect and mitigate insider threats that could lead to data breaches or unauthorized data access. Consider dangers such as phishing campaigns and risks related to remote employees.
- Obtain informed and specific consent for data collection, especially for sensitive information.
- Handle unsolicited personal information appropriately, either destroying it or de-identifying if necessary.
- Implement robust security measures to safeguard data from breaches and unauthorized access. A data loss protection software such as Safetica’s is one of the ways to facilitate this.
- Conduct privacy impact assessments for high-risk activities.
- Provide privacy notifications to inform individuals about data collection.
- Respond promptly to data breaches, notifying affected parties and the OAIC.
- Train employees on data protection and privacy practices.
- Appoint a privacy officer to oversee compliance and data protection matters.
By following these steps and regularly reviewing your privacy practices, you can enhance your organization’s compliance with the APPs and build trust with your customers. If that sounds overwhelming to take on on your own, consider leveraging the features of data loss prevention software. Which leads us to...
How Safetica's DLP solutions can help with APP compliance
Having an experienced partner may help to give you peace of mind. Using a robust DLP solution will make dealing with data loss protection easier, more effective, and less time-consuming. Safetica has tools for data encryption, access controls, and monitoring data movement to prevent unauthorized access to sensitive information. More specifically:
- Organizations can effectively protect sensitive information with data encryption and access controls.
- Data monitoring and real-time alerting help in detecting potential data breaches and responding promptly to incidents.
- Privacy impact assessments can be conducted efficiently with Safetica's data monitoring and analysis capabilities.
- Safetica's employee training support aids in raising awareness about data protection and privacy best practices.
- Insider threat detection features help identify and prevent potential internal risks.
With Safetica's DLP solutions, organizations can enhance their data security, mitigate privacy risks, maintain compliance with the APPs, and safeguard the privacy of individuals' personal information.