What is the Privacy Act 1988?

The purpose of the Privacy Act is to protect the privacy of individuals by regulating how organisations (e.g. federal government agencies, businesses) handle personal information. This is accomplished through a set of 13 requirements known as the Australian Privacy Principles (APP) that are used to safeguard personal information and prevent an “interference with the privacy of an individual”. 

Under APP 1 (open and transparent management of personal information), APP entities (i.e. organisations covered by the Privacy Act, which includes businesses with an annual turnover of >$3 million) are required to have a privacy policy that outlines what, why and how they collect personal information, who it may be disclosed to, and how individuals can file complaints if they believe the entity has breached the act and mishandled their personal information. 

For more information on the Australian Privacy Principles: https://www.oaic.gov.au/privacy/australian-privacy-principles/read-the-australian-privacy-principles#part-1-consideration-of-personal-information-privacy 

Collection of Personal Information (APP 3 & 5)

APP 3 (collection of solicited information) specifies an entity may only request the collection of personal information if it is directly related to its function. For example, an e-commerce business must only collect information that is necessary for its activity (i.e. selling products online). Therefore, it may only collect information such as name, address, and payment details that are required to process the order. 

APP entities must also notify the individual when collecting their personal information, including the purpose for which it will be used. This is covered under APP 5 – notification of the collection of information.

Use of Personal Information (APP 6 & 7)

Under APP 6 (use or disclosure of personal information), organisations are allowed to use or disclose the personal information they have collected only for the specific purpose communicated to the individual, and not for any other reasons unless the individual has provided consent. For example, a healthcare service provider collecting a patient’s personal information for the primary purpose of providing medical treatment may not use it for other secondary purposes such as research or marketing without consent.

This is also highlighted in APP 7 (direct marketing) where organisations aren’t allowed to use or disclose personal information for the purpose of direct marketing unless there is a reasonable expectation that the organisation would use it for that purpose (e.g. retail), in which case, the individual must be given a simple opt-out option (e.g. unsubscribing from marketing emails).

Access to Personal Information (APP 12 & 13)

APP 12 (access to personal information) grants individuals the right to request access to the personal information held about them by the organisation. If the individual believes some information is out-of-date, incomplete, inaccurate, or misleading, they may then request that the organisation corrects it in accordance with APP 13 (correction of personal information).

Implications of Identity Theft 

Identity theft occurs when someone gains access to your personal information without permission and uses it to assume your identity. They may then use your name to commit fraudulent or criminal activities, make unauthorised banking transactions causing long-term financial implications, or engage in hostile social media activities that can lead to irreparable reputational damage. 

Safe Disposal of Data (APP 11)

The Privacy Act’s principles aim to protect individuals’ personal information and prevent identity theft by avoiding data breaches. APP 11 (security of personal information) requires entities to take reasonable measures to protect personal data against threats like misuse, unauthorised access, modification or disclosure. Organisations can do so by ensuring the information is securely stored, encrypted, and only accessible to authorised employees who need it (e.g. the marketing team, or even better, the senior managers of the marketing department).

APP 11 also mandates organisations to destroy or de-identify data that is no longer required for the purpose/s for which it was collected. Organisations should employ secure methods to destroy/de-identify personal information, such as shredding or burning paper documents and wiping or overwriting data stored on hard drives / digital devices to ensure the deleted/overwritten data is unrecoverable.