Australia’s data protection laws are set out in the Privacy Act 1988, which regulates the handling of personal information by Australian Government agencies and businesses. The Act includes 13 Australian Privacy Principles (APPs), which set out the standards, rights, and obligations that businesses and organizations must follow when handling personal information.
Under the Privacy Act, personal information is defined as any information or an opinion about an identified individual or an individual who is reasonably identifiable. This includes sensitive information such as health information, racial or ethnic origin, political opinions, and religious beliefs.
Some of the key requirements under the APPs include:
- Collection of Solicited Personal Information: Organizations must only collect personal information that is necessary for their functions or activities, and must do so by lawful and fair means. They must also take reasonable steps to notify individuals of the collection of their personal information, including the purposes for which it is collected.
- Dealing with Unsolicited Personal Information: If an organization receives unsolicited personal information, it must determine whether the information could have been collected lawfully under the APPs. If not, the information must be destroyed or de-identified.
- Use and Disclosure of Personal Information: Organizations must only use and disclose personal information for the primary purpose for which it was collected, or for a related secondary purpose that the individual would reasonably expect. They must also obtain consent before using or disclosing sensitive information, except in certain circumstances.
- Data Quality: Organizations must take reasonable steps to ensure that the personal information they collect, use, or disclose is accurate, up-to-date, and complete.
- Data Security: Organizations must take reasonable steps to protect personal information from misuse, interference, and loss, as well as unauthorized access, modification, or disclosure. They must also destroy or de-identify personal information when it is no longer needed for the purposes for which it was collected.
- Access and Correction of Personal Information: Individuals have the right to access their personal information held by an organization, and to request that any inaccurate or incomplete information be corrected.
Failure to comply with the Privacy Act can result in serious consequences, including penalties, legal action, and damage to an organization’s reputation.