What is the Privacy Act 1988?
The Privacy Act 1988 is the main piece of legislation in Australia that regulates the way that personally identifiable information (PII) of individuals is collected, stored, used and disclosed.
What is Personal Information and what are other key definitions?
Under the Privacy Act 1988, organizations must follow certain protocols regarding the personal and sensitive information they collect from individuals. PII covers a broad range of information, or an opinion, that could identify an individual. Whether something counts as personal information will vary, depending on whether a person can be identified or is reasonably identifiable in the circumstances.
For example, personal information may include:
- an individual’s name, signature, address, phone number or date of birth;
- sensitive information;
- credit information;
- employee record information;
- internet protocol (IP) addresses;
- voice print and facial recognition biometrics (because they collect characteristics that make an individual’s voice or face unique); and
- location information from a mobile device (because it can reveal user activity patterns and habits).
Sensitive information is personal information that includes information or an opinion about an individual’s:
- racial or ethnic origin
- political opinions or associations
- religious or philosophical beliefs
- trade union membership or associations
- sexual orientation or practices
- criminal record
- health or genetic information
- some aspects of biometric information
Generally, sensitive information requires a higher level of privacy protection than other personal information.
Who has to comply with the Privacy Act 1988?
The Privacy Act 1988 applies to any Australian Government agency and to any organization with a turnover of more than $3 million, subject to exceptions.
An organization is defined under the Privacy Act as:
- an individual, including a sole trader;
- a body corporate;
- a partnership;
- any other unincorporated association; or
Who is excluded from compliance with the Privacy Act 1988?
There are a number of institutions that are excluded from compliance, such as:
- state or territory government agencies, such as a public hospital or a state or territory healthcare facility;
- public schools;
- universities, except private ones or the Australian National University;
- individuals acting in their own capacity;
- media organizations in the course of journalism provided that they have made a public commitment to observe publishing privacy standards;
- registered political parties or representatives; and
- small businesses with an annual turnover of less than $3 million, unless exceptions apply, as mentioned earlier.
How can I keep my organization compliant with the Privacy Act 1988?
You are required to provide your website visitors with certain rights, such as access to their personal information, the option to opt out of having their personal information shared for direct marketing purposes, and the option to correct or delete their personal information from your records.
The Privacy Act 1988 helps you understand compliance through 13 principles, known as the Australian Privacy Principles (APPs), which outline a code of conduct for your organization.
They are as follows:
Australian Privacy Principle 1 — Open and transparent management of personal information
Australian Privacy Principle 2 — Anonymity and pseudonymity
- This principle requires that you give individuals the option to either use a pseudonym, or to not identify themselves at all.
- This means that when they access your website, the personal information fields are not marked as mandatory so as to allow them to still receive assistance.
Australian Privacy Principle 3 — Collection of solicited personal information
- You may only solicit and collect personal information that is strictly required for your business.
- You may only solicit and collect sensitive personal information if your website visitors consent to this, unless exceptions apply.
- You may only solicit and collect personal information if it is done through lawful means and directly from the individual, unless exceptions apply.
Australian Privacy Principle 4 — Dealing with unsolicited personal information
- If you find that you have collected personal information that you did not solicit, you must first check whether it could have been collected under Principle 3; if that is not the case, you must then consider destroying or de-identifying the information.
- In effect, this principle helps you afford the appropriate level of privacy protection to any piece of personal information that you acquired, even if you did not solicit this particular information.
Australian Privacy Principle 5 — Notification of the collection of personal information
- If you collect personal information from your website’s visitors you must ensure that you notify them of this.
- In addition, you have to inform them of your contact details and of the aspects of data collection outlined earlier (why, when, for what purpose, etc.).
Australian Privacy Principle 6 — Use or disclosure of personal information
- You may only use or disclose personal information for the primary purpose or, in exceptional cases, for a secondary purpose.
Australian Privacy Principle 7 — Direct marketing
- You are not allowed to use or disclose the personal information that you hold about an individual for the purpose of direct marketing, unless there is an exceptional situation.
- If you use or disclose personal information for this purpose, you must allow your website visitors to request not to receive direct marketing communications (to opt out), and you must comply with such a request.
Australian Privacy Principle 8 — Cross‑border disclosure of personal information
- Before disclosing personal information to an overseas organization you are required to make sure that the recipient organization will follow the APPs.
- This is done through what is called a ‘reasonable steps’ test, meaning that before you disclose the information, an enforceable contractual agreement should be made between you and the recipient, outlining the type of personal information that will be disclosed, that the recipient will follow the APPs, a privacy complaint handling procedure, and a data breach response plan.
Australian Privacy Principle 9 — Adoption, use or disclosure of government related identifiers
- You are not allowed to adopt, use or disclose government related identifiers of your website visitors unless an exception applies.
- An identifier can be any “number, letter or symbol, or a combination of any or all of those things, that is used to identify the individual or to verify the identity of the individual.”
- A government related identifier is any identifier that has been assigned by an agency or a State or Territory authority, for example Medicare numbers or an individual’s Australian passport number.
Australian Privacy Principle 10 — Quality of personal information
- You must take reasonable steps to ensure the personal information you collect is accurate, up to date and complete.
- Also, you must take reasonable steps to ensure the personal information you use or disclose is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure.
- It is recommended that you do this via regular reviews.
Australian Privacy Principle 11 — Security of personal information
- You must take reasonable steps to ensure that the personal information you have collected is protected from misuse, interference or loss, as well as from unauthorized access, modification of any kind, or disclosure.
- When a piece of personal information is deemed to be no longer necessary for any of the purposes for which it was collected, you are required to ensure that it is either destroyed or de-identified, unless exceptions apply.
Australian Privacy Principle 12 — Access to personal information
- If you have collected personal information about your website visitors, under this principle you are required to give them access to this information on request, unless there are grounds for refusal.
- Whereas agencies are required to answer such a request within 30 calendar days, for organizations the time frame is “within a reasonable period after the request is made.”
- If the request for access is refused, you are required to provide the reason for this.
- The means through which access is granted may vary, but it can be done in the manner requested by the individual if that is reasonable and practicable.
Australian Privacy Principle 13 — Correction of personal information
- Under this principle, you are required to ensure that the personal information you hold about your website visitors is accurate, up to date, complete, and relevant.
- This applies if you consider the personal information to need any of the above, or if the owner of the information in question has submitted a request for one of the above.
What data access rights does the Privacy Act 1988 grant?
The Privacy Act 1988 gives your website visitors the following data subject rights:
- Right to be informed: website visitors have to be informed of their personal information being collected and of the purpose(s) for this, as stated in APP 5.
- Right to access: your website visitors must have access to their personal information under APP 12.
- Right to rectification: APP 13 gives your visitors the right to rectification of their personal information.
- Right to erasure: although there is no specific right to erasure, APP 11 requires you to delete or de-identify any personal information once it no longer serves its original purpose.
- Right to object: your website visitors have the right to opt out of direct marketing as well as withdraw consent for the processing of their personal information, as explained in APP 7.
- Other rights: APP 2 allows your website visitors to not identify themselves if they so choose, but rather to use a pseudonym.
How to address data subject access requests under the Privacy Act 1988
In APP 12, the Privacy Act 1988 sets a 30-day period for agencies to reply to data subject access requests, and “within a reasonable period after the request is made” for organizations. No extension period is mentioned in the text of the law.
Access should be given in the manner requested, if possible, and either at no cost or for a charge that is not excessive.
If you refuse access, you must inform the individual of the reason for this as well as where they can submit a complaint.
Enforcement and penalties
The authority in charge of enforcing the Privacy Act 1988, as well as investigating data breaches, is the Office of the Australian Information Commissioner (OAIC).
The penalties for noncompliance with the Privacy Act can be as high as $10 million, three times the value of the benefit obtained through the noncompliance, or 10% of domestic annual turnover.
Data Subject Rights - GDPR vs. The Privacy Act 1988
GDPR
- Right to access data
- Right to correct inaccurate data
- Right to the portability of data
- Right to delete personal information
- Right to information about how entities are sharing your data
- Right to restrict processing
- Right to object to processing
- Right to object to automated processing
The Privacy Act 1988
- Right to be informed
- Right to access
- Right to rectification
- Right to erasure
- Right to object
- Other rights
How can Clym help?
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Custom branding;
- Ready Compliance: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customize their individual experience.