All ‘APP entities’ must comply with the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) (Act).  An ‘APP entity’ includes an entity in the private sector or a not-for-profit organisation with an annual turnover of more than $3 million.

In certain circumstances, a small business with a turnover of less than $3 million will be deemed to be an APP entity. This includes if it operates another business with a turnover of $3 million or more, provides a health service or is a contracted service provider for a Commonwealth contract.  If you are uncertain regarding your status as an APP entity, we recommend that you contact us for advice.

There are 13 APPs in the Act which govern the standards, rights and obligations regarding the management of personal information by APP Entities.  In particular, we highlight the following:

• APP 1 requires APP entities to implement various privacy practices, procedures and systems.  This includes the requirement for APP entities to have a clearly expressed and readily available privacy policy setting out how it will manage personal information in accordance with the Act.

  SWS tip: APP entities should ensure they display a clear and up-to-date privacy policy on their website.  Please contact us if you require assistance in preparing a privacy policy, or would like us to review your current privacy policy to ensure it complies with the Act.

• APP 4 requires an APP entity that receives unsolicited personal information to determine whether it has grounds to collect the information and, if so, to collect this information in accordance with the APPs, or if not, to either destroy or de-identify the information (unless it would be unlawful or unreasonable to do so).

  SWS tip: APP entities should ensure they understand their responsibilities regarding the receipt of unsolicited personal information (such as CVs from prospective employees) and have clear processes for handling such information. Please let us know if you have any queries.

• APP 5 requires APP entities to take reasonable steps to protect the personal information it collects from misuse, disclosure or unauthorised access.

  SWS tip: APP entities should have appropriate security measures in place to protect personal information.  Security measures may include the use of document encryption software, disabling the use of portable devices and recording trails of access to documents containing personal information.

• APP 7 prohibits APP entities from using personal information for direct marketing purposes unless the individual reasonably expects it, or consents to it, and prescribed ‘opt-out’ processes are in place through which the person can elect not to receive direct marketing communications.

  SWS tip: Before sending marketing communications, APP entities should ensure there is evidence of the recipients having consented to receiving the material and that clear opt-out mechanisms are provided.

• APP 8 requires an APP entity to take reasonable steps when disclosing personal information to an overseas recipient to ensure it does not breach the APPs.  Relevantly, if the overseas recipient does breach the APPs, the Act imposes liability on the APP entity that made the overseas disclosure.

  SWS tip: If an APP entity is likely to disclose personal information to an overseas entity (e.g if it is part of a multinational corporate group), it is crucial to ensure that the overseas entity has appropriate privacy procedures in place and is complying with the APPs.

Please contact us if you require further information on the APPs.

APP 3 requires even stricter practices in relation to the handling of ‘sensitive information’.  Sensitive information is a subset of personal information and includes information about an individual’s racial or ethnic origin, political opinions, religious affiliations, sexual orientation, criminal record or health information. Further, unlike the collection of non-sensitive personal information which is permitted where the APP entity reasonably believes it has implied consent, an APP entity is required to seek express consent from an individual before collecting sensitive information.

SWS tip: APP entities which collect sensitive information should ensure they have systems in place to obtain and record consent. This will ensure there is no doubt as to whether express consent was provided by the subject of the sensitive information.

It is also important to be aware of the mandatory data breach notification laws which took effect on 22 February 2018.  If an APP entity determines that an ‘eligible data breach’ has occurred and is likely to result in serious harm to an individual whose personal information is involved, it will be required to provide a statement to the OAIC and publish the statement publicly as soon as practicable.  For more information on this specific issue, please read our previous article.

SWS tip: We recommend that APP entities have a draft notification statement prepared so that they can respond quickly in the event of an eligible data breach.

Failure to comply with Australian privacy legislation comes at a high cost.  The maximum penalty for serious, or repeated, breaches is currently set at $420,000 for an individual or $2.1 million for a corporation.