The Australian Privacy Principles (APPs) give businesses the flexibility to tailor their personal information handling practices to their diverse needs and business models. The APPs are also technology neutral, applying equally to paper-based and digital environments.
The thirteen Australian Privacy Principles with which covered businesses in Australia are required to comply are:
APP1: Open and transparent management of personal information
APP2: Anonymity and pseudonymity
APP3: Collection of solicited personal information
APP4: Dealing with unsolicited personal information
APP5: Notification of the collection of personal information
APP6: Use or disclosure of personal information
APP7: Direct marketing
APP8: Cross-border disclosure of personal information
APP9: Adoption, use or disclosure of government related identifiers
APP10: Quality of personal information
APP11: Security of personal information
APP12: Access to personal information
APP13: Correction of personal information
Overseas applicability of the APPs
Any personal information of Australians that is sent overseas to be stored on servers or in data centres will also need to be handled in compliance with the Australian Privacy Principles.
The APPs may also apply to businesses that operate on a worldwide basis and are not Australian based, but that target various countries, including people in Australia, by collecting their personal information. There are additional factors to consider before concluding whether the Australian Privacy Principles apply to an overseas business.
From 22nd February 2018 onwards, any breach of personal information held by an APP entity will need to be reported to the Office of the Australian Information Commissioner (OAIC). Under the current law, government agencies and businesses covered by the Privacy Act are required to notify, as soon as practicable, any individuals affected by a data breach that is likely to result in serious harm. The OAIC must also be notified of such data breaches.
Failure to report an eligible data breach is treated as an interference with the privacy of the individuals affected by the breach, and serious or repeated interferences can attract civil penalties of up to AUD $2.1 million.
Complying with Overseas Privacy Laws
Australian businesses that collect personal information from customers, clients or end-users located in other countries will need to comply with the privacy laws of all those countries. The European Union's General Data Protection Regulation (GDPR), which came into effect on 25th May 2018, is an example of the far-reaching consequences of privacy laws for Australian businesses. The GDPR applies to businesses that:
The details of the applicability of, and compliance with, the EU GDPR will be dealt with in another article. The best way to ensure your business complies with applicable privacy laws is to contact AJR Lawyers for bespoke advice and services regarding your business.
AJ has vast experience and knowledge in corporate and commercial laws and these are his views and opinions on issues commented upon here.