Australian Privacy Principles (APPs) – One Year On
David Wilson - Mar 09, 2015
It’s been almost a year since the Australian Privacy Principles (APPs) came into effect on March 12th 2014, replacing the Information Privacy Principles (IPPs) and the National Privacy Principles (NPPs). This update is this most significant development on privacy laws since the introduction of the Privacy Act over 25 years ago, and reflects the impact that the Internet has had on the collection and handling of information.
What are the 13 APPs?*
APP 1 — Open and transparent management of personal information
APP 2 — Anonymity and pseudonymity
Requires APP entities to give individuals the option of not identifying themselves, or of using a pseudonym. Limited exceptions apply.
APP 3 — Collection of solicited personal information
Outlines when an APP entity can collect personal information that is solicited. It applies higher standards to the collection of ‘sensitive’ information.
APP 4 — Dealing with unsolicited personal information
Outlines how APP entities must deal with unsolicited personal information that it has unwillingly received.
APP 5 — Notification of the collection of personal information
Outlines when and under what circumstances an APP entity that collects personal information must notify an individual of certain matters.
APP 6 — Use or disclosure of personal information
Outlines the circumstances in which an APP entity may use or disclose personal information that it holds.
APP 7 — Direct marketing
An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met.
APP 8 — Cross-border disclosure of personal information
Outlines the steps an APP entity must take to protect personal information in accordance with the APPs if it is to be disclosed overseas.
APP 9 — Adoption, use or disclosure of government related identifiers
Outlines the limited circumstances when an organisation may adopt a government related identifier of an individual as its own identifier, or use or disclose a government related identifier of an individual.
APP 10 — Quality of personal information
An APP entity must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure.
APP 11 — Security of personal information
An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances.
APP 12 — Access to personal information
Outlines an APP entity’s obligations when an individual requests to be given access to personal information held about them by the entity. This includes a requirement to provide access unless a specific exception applies.
APP 13 — Correction of personal information
Outlines an APP entity’s obligations in relation to correcting the personal information it holds about individuals.
What else changed?
With the new reform comes more power to the OAIC, changes to credit reporting laws, and the ability for the OAIC to recognise external dispute resolution (EDR) schemes. You can read more about the changes here.
Let’s look at some results
Over the last 12 months, the 13 APPs (along with the associated coverage) have really dispelled much of the smoke and mirrors around end users’ rights to how their personal information is collected, stored and used. Just last week, the OAIC ruled in favour of a pesky reporter who requested their metadata from Telstra in accordance with APP 12 over a 20 month period. And with 13 easy to follow APPs, this year will see more and more users rightly (and publicly) demanding access to their personal data held by the likes of telcos, health companies and any other organisation that follows their digital trail.