13 Australian Privacy Principles Explained

The Australian Privacy Principles (APPs) are set out in Schedule 1 of the Privacy Act 1988 (Cth) and are mandatory for "APP entities": most Australian Government agencies and private sector organizations with an annual turnover of more than AUD 3 million, along with some smaller businesses that are covered regardless of turnover (for example, private health service providers). The Privacy Act gives the principles legal force and sets the baseline that any information security management system handling personal information in Australia must meet.

The 13 Australian Privacy Principles govern the standards, rights, and obligations around the collection, use, and disclosure of personal information; an organization's governance and accountability; the integrity and correction of personal information; and the rights of individuals to access the personal information held about them.

A breach of an Australian Privacy Principle is an "interference with the privacy of an individual" under the Privacy Act and can lead to regulatory action by the Office of the Australian Information Commissioner (OAIC), including penalties.

The Australian Privacy Principles are grouped into five parts:

Part 1 — Consideration of personal information privacy.

Part 2 — Collection of personal information.

Part 3 — Dealing with personal information.

Part 4 — Integrity of personal information.

Part 5 — Access to, and correction of, personal information.

Part 1 – Consideration of personal information privacy

Australian Privacy Principle 1 – Open and transparent management of personal information: 

This principle requires an organization to manage personal information in an open and transparent way. It must take reasonable steps to implement practices, procedures, and systems that ensure compliance with the APPs and that allow it to handle privacy inquiries and complaints, and it must maintain a clearly expressed and up-to-date privacy policy that is freely available.

Australian Privacy Principle 2 – Anonymity and pseudonymity: 

Individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with an organization, for example when making a complaint, leaving feedback, or asking a general question. An organization cannot compel someone to identify themselves unless the law requires or authorises it, or it is impracticable to deal with the individual without identification.


Part 2 – Collection of personal information

Australian Privacy Principle 3 – Collection of solicited personal information: 

This principle sets out the requirements for collecting personal information that an organization asks for or actively seeks. An organization must only collect personal information that is reasonably necessary for one or more of its functions or activities. Sensitive information (such as health, biometric, or racial or ethnic origin data) may only be collected with the individual's consent, unless a specific exception applies. Personal information must be collected only by lawful and fair means and, unless it is unreasonable or impracticable, directly from the individual.

Australian Privacy Principle 4 – Dealing with unsolicited personal information:

This principle deals with personal information that an organization receives without having asked for it, for example details included in an unrelated email or a misdirected document. Within a reasonable period after receiving such information, the organization must determine whether it could have collected it under APP 3. If it could not have, and the information is not part of a Commonwealth record, the organization must destroy the information or ensure that it is de-identified as soon as practicable, provided it is lawful and reasonable to do so. If the information could have been collected under APP 3, the remaining APPs apply to it as if it had been solicited.

Australian Privacy Principle 5 – Notification of the collection of personal information:

An organization that collects personal information about an individual must take reasonable steps to notify the individual of certain matters, or otherwise ensure that the individual is aware of them. These include the organization's identity and contact details, the purposes of the collection, the consequences of not providing the information, the kinds of bodies to which it usually discloses the information, whether it is likely to be disclosed overseas, and how to access the organization's privacy policy. The notice must be given at or before the time of collection or, if that is not practicable, as soon as practicable afterwards.


Part 3 – Dealing with personal information

Australian Privacy Principle 6 – Use or disclosure of personal information:

This principle turns on the purpose for which the information was collected. The primary purpose is the specific reason the information was collected; anything else is a secondary purpose. An organization may only use or disclose personal information for the primary purpose unless the individual has consented to the secondary purpose, the individual would reasonably expect it and the secondary purpose is related to the primary purpose (directly related, for sensitive information), or another exception applies, such as a use required or authorised by law. In practice, an organization should use and disclose personal information only in the ways the individual would reasonably expect.

Australian Privacy Principle 7 – Direct marketing:

This principle says that an organization must not use or disclose personal information for direct marketing unless an exception applies. Direct marketing means using or disclosing personal information to communicate directly with an individual to promote goods and services. An organization may generally do so where it collected the information from the individual, the individual would reasonably expect it, a simple means of opting out is provided, and the individual has not opted out. Sensitive information may only be used for direct marketing with the individual's consent, and an individual can at any time request not to receive direct marketing communications.

Australian Privacy Principle 8 – Cross-border disclosure of personal information:

This principle sets out a framework for the cross-border disclosure of personal information. Before an organization discloses personal information to an overseas recipient, it must take reasonable steps to ensure that the recipient does not breach the APPs in relation to that information, unless an exception applies (for example, the recipient is bound by a substantially similar law, or the individual has been informed and consents). An organization that discloses personal information to an overseas recipient remains accountable for any act or practice of the recipient that would breach the APPs.

Australian Privacy Principle 9 – Adoption, use, or disclosure of government related identifiers:

This principle restricts how organizations handle identifiers assigned by government agencies, so that they do not become universal identifiers. An organization must not adopt a government related identifier as its own identifier for an individual, nor use or disclose it, unless an exception applies (for example, where the law requires it or it is needed to verify the individual's identity for the organization's activities). This prevents records collected on different platforms from being matched on a single identifier in ways that would compromise an individual's privacy.

Examples of government related identifiers include:

  • Medicare numbers
  • Centrelink Reference numbers
  • driver license numbers issued by State and Territory authorities
  • Australian passport numbers

Part 4 – Integrity of personal information

Australian Privacy Principle 10-Quality of personal information:

An entity must take reasonable steps to ensure that the personal information it collects is accurate, up to date, and complete, and that the information it uses or discloses is also relevant for the purpose of that use or disclosure. Handling poor quality personal information can have significant privacy impacts on individuals, such as decisions being made on the basis of wrong or outdated records.

Australian Privacy Principle 11- Security of personal information:

This principle says that an organization must take reasonable steps to protect the personal information it holds from misuse, interference, and loss, and from unauthorized access, modification, or disclosure. Where the entity no longer needs the personal information for any purpose for which it may be used or disclosed under the APPs, it must take reasonable steps to destroy the information or ensure that it is de-identified. This requirement applies except where:

  • the personal information is part of a Commonwealth record, or
  • it is required by law to retain personal information.

Part 5 – Access to, and correction of, personal information

Australian Privacy Principle 12 — Access to personal information:

This principle requires an organization that holds personal information about an individual to give the individual access to that information on request, within a reasonable period and in the manner requested where it is reasonable and practicable to do so. Access may only be refused where an exception applies (for example, where giving access would pose a serious threat to someone's life or safety, or would be unlawful). If access is refused, the organization must give the individual written notice of the reasons for the refusal and of the mechanisms available to complain about it.

Australian Privacy Principle 13 — Correction of personal information:

An organization must take reasonable steps to correct the personal information it holds so that, having regard to the purpose for which it is held, the information is accurate, up to date, complete, relevant, and not misleading. It must do so either on its own initiative, once it becomes aware that the information is inaccurate, or on request from the individual. If it refuses to correct the information, it must give the individual written reasons and the available complaint mechanisms, and if the individual asks, it must associate a statement with the record noting that the individual considers it inaccurate.
