The Australian Privacy Act
Requirements
Who is subject to the Australian Privacy Act?
The Australian Privacy Act of 1988 applies to the following entities:
- Australian Government agencies.
- All private sector and not-for-profit organisations with an annual turnover of more than $3 million.
- Some small businesses, including:
- Private sector health service providers. Providers of a service, including traditional health service providers, gyms and weight loss clinics, and child care centres, amongst others.
- Businesses that sell or purchase personal information.
- Credit reporting bodies.
- Certain other businesses, such as those related to the operation of a residential tenancy database or an employee association registered under the Fair Work (Registered Organisations) Act 2009.
The Privacy Act also applies to all individuals, regardless of their location, when their personal information is handled by an entity subject to the Privacy Act.
Does the Australian Privacy Act have data residency requirements?
The Australian Privacy Act of 1988 does not explicitly mandate data residency requirements. This means that there's no legal requirement under the Act that data must be stored in Australia.
However, under Australian Privacy Principle 8 and in certain circumstances, if an organization discloses personal information about an individual to an overseas recipient, the organization could be held accountable for any subsequent mishandling of that information by the overseas recipient. This doesn't prevent overseas data transfer but does place requirements on the disclosing organization to take reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles.
What data is covered by the Australian Privacy Act?
The Australian Privacy Act of 1988 protects 'personal information,' which is defined as:
"Information or an opinion about an identified individual, or an individual who is reasonably identifiable: whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not."
This broad definition means that 'personal information' can cover a wide range of types of data, and it includes any data that can be used to personally identify someone. Here are some examples of personal information:
- Names.
- Signatures.
- Addresses.
- Telephone numbers.
- Date of birth, medical records, bank account details.
- Photos.
- Commentary or opinion about a person.
- Work information, such as position, performance, conduct, etc.
- IP addresses, cookies, device identifiers, or other digital identifiers.
In addition, there are 'sensitive personal information' categories that receive additional protection. This category includes data such as:
- Racial or ethnic origin.
- Political opinions.
- Membership of a political association.
- Religious beliefs or affiliations.
- Philosophical beliefs.
- Membership of a professional or trade association.
- Membership of a trade union.
- Sexual orientation or practices.
- Criminal record.
- Health information.
What rights does the user (data subject) have under the Australian Privacy Act?
Under the Australian Privacy Act of 1988 individuals have the following key rights concerning their personal information:
Right to Transparency and Information: Organisations must have a privacy policy that clearly explains what personal information they collect, how they use it, and who they share it with. This policy must be freely available.
Right of Access: Individuals generally have the right to access their personal information held by an organisation. This includes a right to seek confirmation that an organisation holds personal information about them.
Right to Correction: Individuals have a right to ask for incorrect or outdated personal information to be corrected.
Right to Privacy Complaints: Individuals can lodge a complaint about the handling of their personal information with the organisation involved or directly with the Office of the Australian Information Commissioner (OAIC).
Right to Opt Out of Direct Marketing: Organisations must provide a simple way for individuals to request not to receive direct marketing communications and must not use or disclose personal information for direct marketing purposes unless an exception applies.
Notifiable Data Breaches Scheme: If an organisation covered by the Privacy Act has reasonable grounds to believe an eligible data breach has occurred, they must promptly notify individuals likely to be at risk of serious harm and the Commissioner.
Right against Cross-Border Disclosure: As per Australian Privacy Principle 8, before an APP entity discloses personal information to an overseas recipient, the entity must take reasonable steps to ensure that the recipient does not breach the Australian Privacy Principles.
However, note that some exceptions and specific circumstances may apply to these rights.
How should data be stored according to the Australian Privacy Act?
Under the Australian Privacy Act 1988, there are no specific requirements about how data should be stored. However, the Australian Privacy Principles (APPs) set out in the Privacy Act provide a framework for how personal information should be handled, managed, and protected, which includes aspects of storage.
The APPs include:
- APP 11 – Security of personal information: This principle stipulates that an organization must take reasonable steps to protect the personal information it holds from misuse, interference, and loss, as well as unauthorized access, modification, or disclosure. When it comes to storage, this generally means that data should be securely stored and protected, whether it's held in physical or electronic format.
In case an entity no longer needs personal information for any purpose for which the information may be used or disclosed, it must take reasonable steps to destroy the information or ensure that the information is de-identified. However, this is only the case if the entity is not required by or under an Australian law, or a court/tribunal order, to retain the information.
Again, 'reasonable steps' can depend on a number of factors, including the nature of the entity, the amount and sensitivity of the personal information, the potential adverse consequences for an individual, the practicality of implementation, and whether a security measure is itself privacy invasive.
- APP 8 – Cross-border disclosure of personal information: While this principle doesn't directly cover 'storage,' it does cover scenarios where personal information is transferred, or 'disclosed,' to a recipient outside of Australia. Before an entity discloses personal information to an overseas recipient, it must take reasonable steps to ensure that the recipient does not breach the APPs in relation to the information.
How does SlashID help with the Australian Privacy Act?
SlashID's data residency and encryption posture help companies comply with:
- Data Encryption principles
- It can help avoid accidental cross-bordel disclosures of personal information