Other forms of data are protected. They include guidelines on handling tax file numbers, with criminal sanctions; data-matching for tax and other government purposes; National Health and Medical Research Council research guidelines; treatment of personally controlled electronic health records; Pharmaceutical Benefits and Medicare guidelines; use of old criminal records; information about financial securities; and telecommunications codes including the Do not call register.
APP 1: Management of personal information
APP 1 requires that APP entities (see “Entities to which the Privacy Act applies”) take reasonable steps to implement practices, procedures and systems to ensure they comply with the APPs. APP 1 also requires every APP entity to have a clear policy about the entity’s management of personal information that addresses a list of prescribed matters. The policy must be made available free of charge and in an appropriate form (e.g. by publishing on the entity’s website). Prescribed matters include:
• the kinds of personal information that the entity collects and holds;
• how the entity collects and holds personal information;
• the purposes for which the information is collected, held, used and disclosed;
• how an individual may access and, if necessary, correct the information;
• how an individual can complain about the entity’s use of the information; and
• whether the entity is likely to disclose the information to overseas recipients, and if so, the countries in which such recipients are likely to be located (if it is practicable to specify those countries in the policy).
APP 2 states that individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with an APP entity. However, this requirement does not apply where it is impracticable for an APP entity to deal with individuals who have not identified themselves, or where the APP entity is permitted by law to deal with individuals who have identified themselves.
APPs 3, 4 and 5 cover the collection of personal information.
APP 3 states that an APP entity must only collect personal information by lawful and fair means, and must (where reasonable and practicable) collect personal information about an individual directly from that individual.
Further, an APP entity must not collect personal information unless the information is reasonably necessary for one or more of the APP entity’s functions or activities (in the case of a government agency, collection is also permitted where the information is directly related to one of those functions or activities). The entity collecting the information must demonstrate that a reasonable person who is properly informed would agree that the collection is necessary.
The APP guidelines refer to previous decisions where an entity’s collection of information was not reasonably necessary (e.g. it was not reasonably necessary for a bank to collect information about a person’s marital status to open a bank account).
In addition, “sensitive information” may generally only be collected if the individual about whom the information relates has consented to the collection. “Sensitive information” is information about an individual’s racial or ethnic origin; political opinions; membership of a political association; religious beliefs or affiliations; philosophical beliefs; membership of a professional or trade association; membership of a trade union; sexual orientation or practices; criminal record; personal health information; genetic background, or biometric identification (e.g. fingerprints that are to be used for the purpose of automated biometric verification).
There are limited exceptions where consent is not required to collect sensitive information, including where the collection of the information is required by law, or is required to prevent a serious threat to health or safety. There is also an exception permitting not-for-profit organisations to collect sensitive information if it relates solely to the members of the organisation, or to people who have regular contact with it for the purpose of its activities. Also, private sector organisations can collect health information from an individual in certain circumstances in connection with providing a health service.
APP 4 states that if an APP entity receives personal information that it has not solicited from an individual, it must first determine whether or not it could have collected the information under APP 3 if it had solicited the information. If not, the entity must destroy or de-identify the information.
APP 5 requires that, when an entity collects personal information about an individual, it must take reasonable steps to notify the individual or otherwise ensure they are aware of certain matters, including:
• the organisation’s identity and contact details;
• the fact that the entity has collected the information;
• any law that requires the information to be collected;
• the purposes for which the information is collected;
• the consequences for the person if the information is not collected;
• the organisations to which the information is usually disclosed;
• how the individual can access and, if necessary, correct the information;
• how the individual can complain about the entity’s use of the information; and
• whether the entity is likely to disclose the information to overseas recipients and, if practicable, the countries where they are located.
Often, entities will notify individuals about the above by providing a privacy notice at the time of collection, such as on a form used to collect personal information, or in a script read over the telephone.
APP 6 regulates organisations’ use and disclosure of personal information. APP 6 states that an entity should only use (or disclose) personal information for the purpose for which it was collected.
An entity can use or disclose personal information about an individual for another purpose if:
• the individual consents; or
• the individual would reasonably expect the organisation to use or disclose the information for a secondary purpose, and the secondary purpose is related to the primary purpose (or directly related in the case of sensitive information).
An example of a related secondary purpose is where an entity collects personal information to provide a service and uses that information to evaluate or improve that particular service.
In the case of F v Medical Specialist  PrivComr A17, a medical specialist collected health information from an individual but decided (for ethical and therapeutic reasons) to not treat the patient. The medical specialist referred the matter to the clinic manager so that the patient could receive treatment from another consultant. The Privacy Commissioner decided that the disclosure was directly related to the purpose for which it was collected, and would be within an individual’s reasonable expectation. (The case is reported on www.austlii.edu.au – see the federal Privacy Commissioner’s case notes.)
An entity may also be able to disclose personal information for some secondary purposes related to the public interest (e.g. law enforcement, public safety, research purposes and emergency situations).
APP 7 concerns the circumstances in which an entity can use personal information for direct marketing. The term “direct marketing” is not defined in the PA 1988; however, the Explanatory Memorandum to the Act states that it involves “communicating directly with a consumer to promote the sale of goods and services to the consumer”. The APP guidelines state that direct marketing can be through “a variety of channels, including telephone, SMS, mail, email and online advertising”.
APP 7 prohibits private sector organisations from using personal information for direct marketing except in certain limited circumstances; if personal information has been collected directly from an individual, direct marketing is only permitted where:
• the individual would reasonably expect the information to be used for the purpose of direct marketing; and
• the entity includes a simple means to opt-out of the direct marketing communications (and the individual has not made a request to opt-out).
The APP guidelines state that an organisation should not assume that an individual would reasonably expect their information to be used for direct marketing just because the organisation assumes the individual would welcome it.
According to the APP guidelines, for “a means to opt-out” to be “simple”, it should require minimal time and effort. It should be clear, easily understood, accessible and free (or involve no more than a nominal cost; for example, a standard text message charge). If an individual has opted-out of receiving direct marketing from an entity, the entity must not use or disclose the individual’s personal information for the purpose of direct marketing.
Additional restrictions apply to using personal information for direct marketing if the individual would not reasonably expect their personal information to be used for direct marketing, or if the personal information was collected from a third party.
Sensitive information can only be used for direct marketing with the individual’s consent. Consent must be obtained even if the individual and the organisation have a pre-existing relationship.
APP 7 generally applies only to private sector organisations; however, it can apply to the Australian Government agencies named in schedule 2 of the Freedom of Information Act 1982 (Cth) and its regulations. There are also exceptions to the prohibition on direct marketing in APP 7, such as where the direct marketing is necessary for an entity to fulfil its obligations under a government contract.
Where other laws apply that contain specific provisions regarding direct marketing (such as the Spam Act 2003 (Cth) and the Do Not Call Register Act 2006 (Cth)), these provisions displace the more general rules in APP 7.
APP 8 covers the disclosure of personal information outside of Australia. It is particularly relevant in today’s context where an increasing number of entities use information technology services that disclose or transfer personal information to overseas recipients (e.g. outsourcing, off-shoring and cloud computing).
Subject to certain exceptions, before an APP entity makes personal information available to a third party located outside of Australia, the entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs. This usually involves the APP entity entering into an enforceable contract with the overseas recipient requiring the recipient to handle the personal information in accordance with the APPs. An APP entity may be deemed liable for a breach committed by the overseas recipient (even if the entity took reasonable steps to ensure the overseas entity complied with the APPs).
Where an APP entity discloses personal information to an overseas recipient, it also needs to comply with APP 6.
Disclosure of personal information is permitted with an individual’s consent provided they have been expressly informed that if they consent, then APP 8 will not apply.
An APP entity may disclose personal information to an overseas recipient without complying with APP 8, where the disclosure is required or authorised by or under Australian law or by a court or tribunal order. Examples of laws that may require or authorise disclosure to an overseas recipient are the Australian Federal Police Act 1979 (Cth) and the Mutual Assistance in Criminal Matters Act 1987 (Cth). An example of a permitted disclosure to the government of a foreign country is under the Anti-money Laundering and Counter-terrorism Financing Act 2006 (Cth).
APP 9 limits the use of government-related identifiers (e.g. passport, Medicare, and drivers’ licence numbers) by private sector organisations. The purpose of APP 9 is to ensure that government-related identifiers do not become universal identifiers, and to prevent government-related identifiers from being used for data-matching. As such, APP 9 generally prohibits an entity from adopting government-related identifiers as its own way to identify an individual. There are exceptions where using the identifier is reasonably necessary for certain purposes, such as verifying the identity of an individual.
APP 10 requires APP entities to take reasonable steps to ensure that the personal information they collect, use and disclose is accurate, up-to-date and complete. The reasonable steps required depend on the sensitivity of the information.
APP 11 concerns the security of personal information held by APP entities. It requires APP entities to take reasonable steps to protect the personal information they hold from misuse, interference and loss and from unauthorised access, modification and disclosure. Further, the entity must take reasonable steps to destroy or de-identify the information if it no longer needs it. A more detailed discussion of the requirements of APP 11 can be found in the OAIC’s Guide to Securing Personal Information (available at www.oaic.gov.au).
APP 12 states that an APP entity must, upon request, give an individual access to any personal information that the entity holds about them. An entity “holds” personal information if it has possession or control over it. The information does not have to be in the physical possession of the entity (e.g. where it has outsourced storage of the information but retains control over it).
All APP entities must allow individuals to request access to their personal information for free. Australian Government agencies must also provide access for free. Whereas, private sector organisations may charge for providing access, but the charge cannot be excessive. The APP guidelines suggest that a charge is excessive if it exceeds the actual cost of giving access.
APP 12 sets time periods within which entities must respond to requests for access. Australian Government agencies must respond to requests within 30 days of the request. Private sector organisations must deal with requests within a reasonable time period.
APP entities must take reasonable steps to give access, which may mean providing access through an agreed intermediary. If the entity refuses access on the basis of an exception (these are described below), the individual is entitled to receive a written notice setting out the reasons for the refusal and how they can complain about the refusal.
There are several exceptions to APP 12 that permit an entity to refuse access to personal information. These exceptions differ depending on whether the entity is a private sector organisation or an Australian Government agency. This is because agencies have responsibilities to provide access to information under other Commonwealth legislation, such as the Freedom of Information Act 1982 (Cth) (“FoI Act (Cth)”) (see Freedom of information law). The intention of APP 12 is that individuals should rely on the FoI Act (Cth) as the primary way to seek access to their personal information held by agencies. APP 12 lists several grounds upon which an agency can refuse access, which cross-reference the FoI Act (Cth) and other Commonwealth legislation. However, a request for access under APP 12 is a decision made under the PA 1988, not the FoI Act (Cth), and so the agency is still obliged to provide reasons for the refusal, and an individual is entitled to complain to the Privacy Commissioner.
Private sector organisations can also refuse access in some circumstances – for example, if:
• it would be unlawful to provide the information;
• it would have an unreasonable impact on the privacy of another individual;
• it would pose a serious and imminent threat to the life or health of any individual;
• the request is frivolous or vexatious; or
• giving access would reveal evaluative information in connection with a commercially sensitive decision (in which case the entity’s reasons for refusal may include an explanation for the commercially sensitive decision).
APP 13 requires an APP entity to take reasonable steps to correct any personal information it holds if it is satisfied that the information is out of date, inaccurate, incomplete, irrelevant or misleading, or if an individual requests the information to be corrected. On request from the individual, the entity must also communicate the correction to third parties to whom it has previously disclosed the information.
If an entity refuses to correct the information, it must explain (in writing) the refusal and how the individual can complain about this refusal. The entity may also have to inform users of the information that the individual believes to be incorrect.
For government agencies, APP 13 operates alongside the right to amend or annotate personal information under part V of the FoI Act (Cth).