Australian Privacy Act 1988
If you plan on selling goods or services to Australians, you must abide by the terms of the Australian Privacy Act 1988, follow the principles set out in the Act, and apply them to any business you conduct online.
To help you comply with your responsibilities, here's a summary of how the Privacy Act works and a look at the steps you can take to ensure compliance.
- 1. Introduction to the Australian Privacy Act 1988
- 2. Who Must Comply With the Privacy Act
- 3. The 13 Principles of the Australian Privacy Act
- 3.1. Open and Transparent Management of Personal Information
- 3.2. Anonymity and Pseudonymity
- 3.3. Collection of Solicited Personal Information
- 3.4. Dealing With Unsolicited Personal Information
- 3.5. Notification of Collection of Personal Information
- 3.6. Use of or Disclosure of Personal Information
- 3.7. Direct Marketing
- 3.8. Cross-border Disclosure of Personal Information
- 3.9. Adoption, Use or Disclosure of Government Identifiers
- 3.10. Quality of Personal Information
- 3.11. Security of Personal Information
- 3.12. Access to Personal Information
- 3.13. Correction of Personal Information
- 4. How to Handle Data Breaches
- 5. Penalties for Breaching the Australian Privacy Act
- 6. Summary
Introduction to the Australian Privacy Act 1988
The Privacy Act aims to give Australians some control over their personal data. Under the Act, "personal information" is defined in Part II, Division I as any data you can use to identify, or form an opinion about, a particular individual.
Since the Privacy Act is broad in scope, there's a huge amount of data that could potentially count as personal information. If there's any chance you could identify someone from a piece of data, it's best to assume it's personal information and handle it accordingly.
We'll cover the details below, but in short:
- The Privacy Act gives Australians various rights, including the right to prevent companies from using their data for marketing reasons.
- There are 13 privacy "principles" you must abide by if the Privacy Act applies to your business.
- You must comply with certain breach reporting requirements if there's a data breach in your company.
Now, let's consider which companies must comply with the Act.
Who Must Comply With the Privacy Act
The Privacy Act applies to any organization with an annual turnover of at least AUD $3M. However, small businesses with less turnover must also comply if they:
- Operate in healthcare
- Buy or sell personal data
- Serve as a contracted service provider to the Australian Government
- Are accredited under the Consumer Data Right system
Seek legal advice if you're unsure whether the Privacy Act applies to your business.
The 13 Principles of the Australian Privacy Act
Complying with the Australian Privacy Act means understanding the Act's 13 privacy principles. Let's consider them in turn.
1. Open and Transparent Management of Personal Information
Under the Privacy Act, every Australian has the right to know:
- What personal data you collect
- Why you collect this data
- How you use the information
You must inform people of their data privacy rights and, where appropriate, help them to exercise these rights.
A good privacy policy then sets out in some detail the different ways you collect, process and store information, to help people understand their rights.
2. Anonymity and Pseudonymity
According to Schedule 1, Part 1 of the Privacy Act, Australians have the right to stay anonymous or use a pseudonym. The right doesn't apply if:
- It's impractical for your business to allow this option, e.g. you're a healthcare provider and you can't help someone who remains anonymous, or
- You're obliged by law to deal only with individuals who provide their full name
So, for example, if you run a social media or leisure app aimed at Australians, you may need to give users the option to stay anonymous, if they so wish.
3. Collection of Solicited Personal Information
You should only collect as much information as you need to complete your reasonable business activities. Unless you can justify why you need a piece of data, you shouldn't collect it.
What's more, you shouldn't collect any sensitive information unless:
- The individual gives express consent, and
- You need the information to perform a core activity or function
Sensitive information includes data such as religion or sexual orientation.
Smile.com, an Australian dental care provider, sets out in its privacy policy the information it needs and why it collects this data. In other words, there's a clear justification for why each piece of information is collected.
4. Dealing With Unsolicited Personal Information
If you receive information from a person which you did not collect intentionally, then it's considered "unsolicited" information. Although you didn't ask for it, you must treat this data responsibly.
First, you must consider if you could have collected this data by soliciting it from the person. In other words, consider whether it's appropriate for you to have the information even if you didn't collect it from them.
- If it's "appropriate" for you to have this data, you can probably keep it.
- If you shouldn't have any access to this data, you should destroy it or anonymize the information so the person can't be identified.
It might be appropriate for you to hold data you could have found in public records, e.g. census information. However, delete the data if you're in any doubt as to whether you should have it.
5. Notification of Collection of Personal Information
If you collect personal data, notify individuals either:
- At the point of data collection, or
- As soon as reasonably possible after collection
Wesfarmers' privacy policy provides an example of this kind of notification.
Finally, if your data collection policies change, highlight this by sending email updates or using pop-up banners on your website.
6. Use of or Disclosure of Personal Information
If you have someone's personal data for one purpose (e.g. processing an order) you can't use it for another purpose (e.g. sending marketing emails) unless you have the person's consent.
This rule doesn't apply if there's a reasonable expectation that you would share their data in this way, or if you're legally required to share it with another organization.
Goodlife Health Clubs' privacy policy provides an example of how member information is used and disclosed.
7. Direct Marketing
Under the Privacy Act, you can't use someone's data for direct marketing purposes unless you:
- Get their informed and express consent, and
- Give them the chance to opt out
8. Cross-border Disclosure of Personal Information
If you're disclosing Australian personal data overseas, you must still comply with the Australian Privacy Act, even if other laws, like the GDPR, apply.
- You must take reasonable steps to ensure your chosen partner company won't breach the Australian Privacy Principles.
9. Adoption, Use or Disclosure of Government Identifiers
You can't adopt, use or disclose someone's Australian Government identifiers, e.g. any identifiers assigned to someone by a state authority.
It's highly unlikely you'll ever come across this issue in practice, but you should be aware of the Privacy Principle anyway.
10. Quality of Personal Information
The personal data you have on file should be accurate, so far as possible.
- It's generally the individual's responsibility to notify you of any changes.
- If someone notifies you regarding out-of-date information, you're obliged to update your records.
Atlassian's privacy policy provides an example of this commitment to accuracy.
If someone submits changes to their personal data and you fail to update it, continuing to use outdated, inaccurate information, you may be found liable for any damage caused by your failure to update your records, and you will be in violation of the Privacy Act.
11. Security of Personal Information
It's your duty to take steps to keep the data provided to you safe from cyberattacks or data breaches.
The exact processes you use vary depending on the size and complexity of your business and the sensitivity of the data entrusted to you. However, steps you might take include:
- Multi-factor authentication
- Data encryption
- Secure cloud storage
- Physically restricted access
You must also have secure procedures for destroying data you no longer need.
12. Access to Personal Information
Under this principle, you must give people access to their personal data if they request it.
The only exception is if you're legally entitled to withhold the information, e.g. because it might cause the individual distress, or because it could compromise legal proceedings between you and the individual.
In most cases, the exceptions won't apply to small businesses, so assume you must provide access unless you're advised otherwise.
13. Correction of Personal Information
Finally, you must have a clear procedure for correcting or updating personal information if you're asked to do so by a person, or if you discover you're using inaccurate data.
- Set out clearly on your website how users can inform you of inaccurate information.
- Put together a clear in-house process for correcting information as quickly as possible.
Aje, an Australian clothing brand, provides a simple but effective example of such a clause in its privacy policy.
In addition to the 13 principles, there are a few other key pieces of information you need to know regarding the Privacy Act.
How to Handle Data Breaches
If there's a data breach and it's likely to cause serious harm to the individuals affected, then you must:
- Inform the OAIC, and
- Tell affected users about the breach, and what steps they can take to minimize the damage
Confusingly, there's no clear definition as to what constitutes "serious harm", but it does include physical, financial, emotional, or reputational harm.
You might consider, for example:
- Who stole the data (this could determine how likely they are to misuse the data or cause harm to affected persons)
- The type of information stolen, e.g. credit card details, email addresses, account details, or medical records
- Whether the data is protected by other security features, e.g. if the files are encrypted, attackers may be unable to read them even if they steal them
You should consider if, from your perspective, it's reasonable to assume that someone could be seriously harmed due to this data breach. Seek legal advice if you're unsure, and always report the data breach if:
- You have identified a data breach,
- Objectively, it's likely that people could be seriously harmed by the breach, and
- You couldn't remedy the breach quickly enough to prevent this harm from taking place
You can report a data breach directly to the OAIC.
Penalties for Breaching the Australian Privacy Act
If you don't comply with the Australian Privacy Act, affected individuals might be able to seek compensation from you for any damage caused. You may also face reputation damage, business losses, and financial penalties, depending on how badly you breached the Act and how many people were affected.
The financial penalties are set out in Section 4AA of the Crimes Act 1944. For now, you could be fined up to $2.1 million AUD for serious or repeat offenses, although this amount is set to rise to $10 million AUD or 10% of your annual domestic turnover.
Summary
The Australian Privacy Act 1988 (APA) is Australia's most significant privacy law. It regulates how certain companies use personal data, and gives Australians more control over their personally identifiable information.
There's no Australian law specifically dedicated to the online collection or processing of personal data, so the Privacy Act applies whenever you want to collect someone's personal data online.
To comply with the Australian Privacy Act, you must satisfy the 13 Privacy Principles. In short, you must:
- Be transparent about whether you collect personal data
- Explain how you use personal information processed by your website
- Allow people to reject the use of their data for direct marketing purposes
- Correct incorrect information, if requested
- Help people understand their privacy rights
- Facilitate the exercise of these rights