Australia Privacy Act 1988 - Ardent Privacy

The Australian Privacy Principles

APP 1 : Open and transparent management of personal information: It requires an APP entity to implement privacy practices, procedures and systems:

  • To ensure compliance with the remaining APPs; and
  • To enable it to deal with inquiries and complaints.
  • It also requires the entity to develop and make readily available a policy about its management of personal information.

APP 2 : Anonymity and pseudonymity: It entitles individuals to the option of anonymity or using a pseudonym, when dealing with an APP entity, except where impracticable or another prescribed exception applies.

APP 3 : Collection of solicited personal information: It:

  • Permits an APP entity to collect personal information only where reasonably necessary for one or more of its legitimate functions or activities;
  • Requires personal information to be collected directly from the individual to whom it relates, unless impracticable or another prescribed exception applies; and
  • Requires consent from an individual in order to collect that individual’s sensitive information, unless another prescribed exception applies.

APP 4 : Dealing with unsolicited personal information: It requires an APP entity that receives unsolicited personal information to determine whether it would otherwise have had grounds on which to collect it (i.e. under APP 3) and:

  • Where it does have such grounds, to ensure compliance with the remaining APPs; or
  • Where it does not have such grounds, to destroy or de-identify the personal information (provided it is lawful and reasonable to do so).

APP 5 : Notification of the collection of personal information: It requires an APP entity to notify an individual (or ensure they are aware), at or before the time of collection, of prescribed matters. Such matters include but are not limited to whether the individual’s personal information is collected from any third parties, the purpose(s) of collection, to whom personal information is disclosed and the processes through which an individual can seek access and/or correction to their personal information, or otherwise complain about the way in which it is handled.

APP 6 : Use or disclosure of personal information: It prohibits an APP entity from using or disclosing personal information for a purpose other than the purpose for which it was collected, unless the individual consents, the individual would reasonably expect their personal information to be used for the secondary purpose, or another prescribed exception applies.

APP 7 : Direct marketing: It generally prohibits personal information from being used for direct marketing purposes unless the individual reasonably expects it, or consents to it, and prescribed ‘opt out’ processes are in place through which the individual can elect not to receive direct marketing communications (and the individual has not elected as such).

APP 8 : Cross-border disclosure of personal information: If an APP entity is to disclose personal information to an overseas recipient, APP 8 requires it to take reasonable steps to ensure the recipient does not breach the APPs. This usually requires the APP entity to impose contractual obligations on the recipient.

There are exceptions to this obligation, including but not limited to where:

  • The APP entity reasonably believes the overseas recipient is bound by a law or scheme that protects personal information in a substantially similar way to that of the APPs; or
  • The individual consents to the disclosure in the knowledge that such consent will negate the APP entity’s obligation to ensure the overseas recipient does not breach the APPs.

APP 9 : Adoption, use or disclosure of government related identifiers: It prohibits an APP entity from adopting, using or disclosing a government-related identifier unless it is:

  • Required or authorized by law;
  • Necessary to verify an individual’s identity; and/or
  • Another prescribed exception applies.

Government-related identifiers are identifiers that have been assigned by a government agency including an individual’s license number, Medicare number, passport number and tax file number.

APP 10 : Quality of personal information: It requires an APP entity to take reasonable steps to ensure personal information it collects, uses, discloses and holds is accurate, up-to-date and complete. Additionally, personal information can only be used or disclosed to the extent to which it is relevant to the purpose of the use or disclosure.

APP 11 : Security of personal information: It requires an APP entity to take reasonable steps to protect information from misuse, interference and loss and from unauthorized access, modification or disclosure.

An APP entity must also destroy or de-identify personal information it no longer requires (unless otherwise required to retain it by law).

APP 12 : Access to personal information: It requires an APP entity to provide an individual, upon request, with access to their personal information unless a prescribed exception applies.

APP 13 : Correction of personal information: It requires an APP entity to take reasonable steps to correct personal information it holds upon request from an individual for correction or where it is otherwise satisfied, having regard to the purpose for which it holds the personal information, that the personal information is inaccurate, out-of-date, incomplete, irrelevant or misleading.

The Trust Challenge

Key Obligations & Consequences

Data processing notification

No registration with or notification to the OAIC is generally required. However, at or prior to the first collection of personal information about an individual, an APP entity is required to notify that individual of certain mandatory matters, either through a privacy collection statement or by including the relevant matters in the APP entity's privacy policy and notifying that policy to the individual. Also, all eligible data breaches must be notified to the OAIC and all affected individuals.

Data processing records

'Data processing records' are not specifically provided for in or required by Australian privacy law. While the APPs require an entity to take such steps as are reasonable in the circumstances to implement practices, procedures and systems relating to the entity's functions and activities that ensure compliance with the APPs, the concept and keeping of 'data processing records' (or records of processing activities ('RoPA')) is not common under Australian privacy law.

Consent Requirement

'Consent' is required for the collection of sensitive information, including health information, from an individual. Again, even with consent the sensitive information can only be collected if it is also reasonably necessary for one or more of the entity's functions or activities.

The Trust Challenge

Key Challenges in brief:

Cross Border Data Transfer

An APP entity can disclose personal information to an overseas recipient only after taking reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles. The law ensures the accountability of the APP entity by holding it liable for the actions of the overseas entity if the latter were to breach the APPs.

Data breach notification

APP entities must notify the Office of the Australian Information Commissioner (OAIC) when they have reasonable grounds to believe that an “eligible data breach” has occurred. An eligible data breach is an unauthorized access to, or disclosure of, personal information, which would likely result in “serious harm” to the individual concerned. As long as it is practicable, the APP entity must notify the individual concerned as well, while also recommending steps they should take in response to the breach. These changes to the Privacy Act were introduced through an amendment in 2017 and, in one year, data breach notifications increased by 712% (compared to the voluntary notification regime prior to that).

Privacy by design

APP entities must take reasonable steps to implement practices, procedures, and systems that will ensure compliance with the APPs and deal with complaints. The OAIC refers to this as a “privacy management plan”. As part of its template, it requires entities to adopt a privacy by design approach. This includes conducting privacy impact assessments.

Data Retention

In addition to the security obligations noted above, the APPs require that APP entities delete or de-identify all personal information in their possession once all legal requirements to keep it in an identified form have passed, it is not required for threatened or current litigation, and it has been used for the notified purpose for which it was collected. That is, personal information cannot be kept indefinitely, and all document, records and data retention policies must include appropriate provisions requiring deletion or de-identification of personal information in those records in accordance with the APPs. The Uber Decision has also made it clear that having (and implementing) an appropriate data destruction and retention policy is required in order to comply with the APPs.

Fulfillment of Data Subject Rights

The Privacy Act recognizes key individual rights through the APPs. These include:

  • Right to anonymity: Individuals have to be provided the option to not identify themselves or to use pseudonyms when dealing with an APP entity. The APP entity is not required to provide these options where it is authorized by law or by a court/tribunal order to deal with identified individuals, or if it would be impractical for the APP entity to deal with individuals who have not identified themselves.
  • Right to data quality: Personal information collected and disclosed has to be accurate, up to date, complete, and relevant.
  • Right to access data, except where it would pose a serious threat to the health of others, unreasonably impact the privacy of others, or a government agency holding the data has a lawful reason for non-disclosure.
  • Right to correct data, as is reasonable under the circumstances, to ensure that information held is accurate, relevant, up to date, complete and not misleading. On an individual’s request, these corrections must be notified to other APP entities, as long as it is not impractical or unlawful to do so.
  • Right to deletion: This is slightly different from the right to be forgotten recognised under the GDPR. Under the Privacy Act, reasonable steps must be taken by an APP entity to de-identify or delete personal information about an individual once its purpose has been served (unless the information is in a Commonwealth Record and is required by law to be retained).
  • Right to object to marketing: Any APP entity engaged in direct marketing must provide individuals with a simple means of opting out from receiving marketing communication.
Win-Win Situation

Solutions

Privacy Process Automation: TurtleShield PA (Privacy Automation) automates and streamlines privacy-related processes and tasks. PIAs and DPIAs aim to enhance privacy practices, ensure compliance with applicable privacy laws and regulations, and protect sensitive information. Overall, a privacy automation solution simplifies and streamlines privacy management processes, reducing the risk of non-compliance and improving data protection practices.

Data discovery, inventory and mapping: Our AI-based, patented solution, TurtleShield PI (Privacy Intelligence) discovers all personal and sensitive data in structured and unstructured data systems across on-premises and multi-cloud environments.
TurtleShield DI (Data Inventory) enables organizations to inventory & map their entire “Data footprint”, enabling them to protect what matters the most.

Third party Privacy Intelligence (monitors third party sharing): Silos often exist within entities or between business and IT teams, which makes it challenging to get a full picture of data leaving and entering the organization, especially when data is shared with third parties, vendors, business partners and others. Our TurtleShield PI (Privacy Intelligence) creates a data map based on your “data sharing” so that you can take action on it.

Data Minimization: TurtleShield DM (Data Minimization) helps businesses minimize excess data and adhere to the data minimization principle. This is a data hygiene control, and we approach it from a risk reduction and compliance perspective. We scan large data sets using machine learning to find excess data, including personal data. This can eliminate operational inefficiencies and save costs by removing unwanted data and the legal cost of holding it with respect to regulatory compliance.

Right to Erasure with Assured Deletion: TurtleShield (Right to Erasure) gives businesses the capability to comply with mandatory deletion of personal data by deleting the data on request and validating the deletion.

Enable Data subject rights with cost savings and compliance in totality: Search capability across large datasets fulfills data subject requests in totality and at a rapid pace. The assumption that data exists only in databases and nowhere else often does not match reality, as customer data exists in many sources. Using machine learning and AI, we crawl across data sources and predict where PII can exist.

Consent Management: TurtleShield CM is designed to enable consent compliance within your organization. This involves implementing processes, technologies, and policies that ensure you collect and manage user consent in a way that aligns with applicable data protection regulations and industry best practices. It also enables consent management in 22 regional languages.
