What are Australian Privacy Principles and the Australian Privacy Act?
The Australian Privacy Principles (APP) are the basis of the 1988 Australian Privacy Act, which was significantly amended in the year 2000.
The APP are a privacy framework that applies to Australian government organizations, organizations that provide health services, and any private sector organization with an annual revenue of over $3 million. This includes organizations outside Australia that store or process data of Australian citizens.
There are 13 privacy principles that set standards, rights and obligations, including:
- The collection, disclosure, and usage of personal data
- Governance and responsibilities requirements
- Integrity of personal information
- An individual’s right to access personal information
Violation of the APP is considered “interference with individual privacy”, and may result in regulatory actions and penalties.
In addition to the APP, in 2019 Australia enacted CPS 234, a regulation governing information security practices at financial and insurance organizations.
Australian Privacy Principles (APP) Guidelines Summary
Below is a brief overview of the 13 privacy principles under the Australian Privacy Act.
1. An Open and Transparent Management of Personal Information
Entities should handle personal information openly and honestly. This includes publishing a policy that describes how personal information is managed. The policy should include:
- Type of personal information in question
- How entities obtain the information
- Reasons for collecting and using the information
- Methods for correcting errors in the information
- Method for dealing with complaints
- How information is shared with foreign organizations and in which regions
2. Anonymity and Pseudonymity
Allow individuals to remain anonymous if they so desire, and use pseudonyms for personal data when possible. There are exceptions to this principle, such as obligations under Australian laws, or circumstances that require a personal identity for the entity to process the data.
3. Collection of Solicited Personal Information
Defines when entities are allowed to collect personal information. The organization must demonstrate that it needs the data for its functions or activities. This principle sets higher standards for collection of information that is deemed sensitive.
4. Unsolicited Personal Information
Applies to information received by an entity without having explicitly solicited it. In this case, the organization must establish that, had the information been solicited, it could have been collected according to Principle 3. If this cannot be established, and the information is not in Australian Commonwealth records, the organization must destroy or de-identify it.
5. Notification of Collection of Personal Information
Describes when and where an entity collecting personal information should notify the individual from whom data is collected.
6. Use or Disclosure of Personal Information
Requires entities to use or disclose personal data only for the original purpose for which the information was collected. However, if the individual explicitly allows use of their data for another purpose, or if such use could reasonably be expected, the entity may use the data for that other purpose.
This principle details exceptions, most of which are related to data that must be disclosed to protect health, safety, or the general public interest.
7. Direct Marketing
Organizations may not use private information for direct marketing except in the following cases:
- Individuals can reasonably expect such use of their information
- Individuals have provided their consent, and have a clear way to opt out
8. Cross-Border Disclosure of Personal Information
When an entity shares personal data with a recipient outside Australia, this principle requires it to ensure, via contractual obligation, that the recipient complies with the Australian Privacy Principles. If the recipient breaches the APP, the entity that shared the information is liable. There are two main exceptions:
- The entity sharing the data believes the recipient maintains a similar privacy regulation to the APP in their location.
- The individual consented to sharing of their data with overseas parties, and understands the entity does not take responsibility over the privacy practices of the recipient.
9. Adoption, Use or Disclosure of Government Related Identifiers
An entity may not adopt a government-related identifier as its own identifier for a person, or disclose such an identifier, unless the entity is authorized to do so by law, or the identifier is needed to verify the identity of the individual. A government-related identifier is, for example, an Australian driver's license number, passport number, or tax file number.
10. Quality of Personal Information
All information received by the entity must be accurate, complete and up to date, and the organization may only disclose and use information if it verifies this.
11. Security of Personal Information
Entities are required to implement measures specifically designed for the protection of stored personal information from the following risks:
- Data interference
- Data loss
- Data misuse
- Unauthorized access
- Data modification
- Unauthorized disclosure
Additionally, there are specific circumstances during which entities must either de-identify or destroy personal data.
12. Access to Personal Information
This privacy principle explains the steps an entity should take when individuals request access to personal data the entity keeps about the individual. In most cases, the entity must provide the required access, unless an exception applies.
13. Correction of Personal Information
Entities must meet the following standards when collecting and maintaining personal data:
- Collect accurate and complete information
- Update personal information
- Collect only relevant information
- The collected information must not be misleading
- Notify affected entities when any corrections are made
Any entity refusing to correct information must let the individual know, and explain the reasoning behind the refusal, in detail.
Penalties of Australian Privacy Principles Law
In 2019, the Australian federal government passed new legislation that increases the maximum fine for misuse of personal information in cases of serious or repeated violations. Fines under Australian privacy law currently range from $2.1 million up to the greatest of the following:
- Ten million dollars
- Three times the value of information obtained through the violation
- 10% of the annual domestic revenue of the entity
In addition, under the updated legislation, the Office of the Australian Information Commissioner (OAIC) can issue an infringement notice if an entity does not cooperate in resolving minor violations. An infringement notice can carry a penalty of up to $63,000 for organizations and up to $12,600 for individuals.
Australian Privacy Principles Best Practices
Here are a few best practices you can use to improve your compliance with the APP.
Collect and Retain De-Identified Data Where Possible
Consider whether you can collect anonymous information instead of personal information. Personal data is anonymized when it can no longer identify an individual; this means deleting or altering personally identifiable information and any information likely to enable identification of an individual.
When you must collect personally identifiable information (for legal or other reasons), reduce the amount collected to the minimum required for your business process, and anonymize or delete it when you no longer need it.
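The following Python script is an added example (not Imperva's code and not part of the original article) of the two practices described above: keeping only the fields a business process needs, replacing the direct identifier with a keyed pseudonym, and deleting records once a retention window has passed. The sample records, the 730-day retention window, the list of required fields and the HMAC key are all constructed assumptions; the APP set no specific retention period or field list.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed sample records for illustration only; these are not real people.
SAMPLE_RECORDS = [
    {"email": "Alice@example.com", "name": "Alice Example", "dob": "1990-04-02",
     "postcode": "2000", "order_total": 120.50, "collected_on": "2023-01-15"},
    {"email": "bob@example.com", "name": "Bob Example", "dob": "1985-11-30",
     "postcode": "3000", "order_total": 75.00, "collected_on": "2021-06-01"},
]

# Hypothetical retention window (the page states no specific period).
RETENTION_DAYS = 730

# Hypothetical data-minimization choice: the only fields the reporting process needs.
# Direct identifiers (email, name, dob) are deliberately absent from this tuple.
REQUIRED_FIELDS = ("postcode", "order_total", "collected_on")


def pseudonymize_id(value: str, key: bytes) -> str:
    """Replace a direct identifier with a keyed HMAC-SHA256 token.

    Normalizing case and whitespace keeps one token per individual. Without the
    key the token can be neither reversed nor recomputed, so the key must be
    stored separately from the minimized data set and never alongside it.
    """
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def minimize_record(record: dict, key: bytes) -> dict:
    """Keep only REQUIRED_FIELDS and add a pseudonymous subject token."""
    minimized = {field: record[field] for field in REQUIRED_FIELDS if field in record}
    minimized["subject_token"] = pseudonymize_id(record["email"], key)
    return minimized


def expired(record: dict, today: date) -> bool:
    """True when the record has been held longer than the retention window."""
    collected = date.fromisoformat(record["collected_on"])
    return today - collected > timedelta(days=RETENTION_DAYS)


def apply_retention(records: list, today: date) -> tuple:
    """Return (records still within retention, number of records dropped)."""
    kept = [r for r in records if not expired(r, today)]
    return kept, len(records) - len(kept)


if __name__ == "__main__":
    # Constructed key for the demonstration; a real deployment would load it
    # from a secrets store, not embed it in source.
    demo_key = b"constructed-demo-key"
    minimized = [minimize_record(r, demo_key) for r in SAMPLE_RECORDS]
    kept, dropped = apply_retention(minimized, date(2023, 12, 1))
    print(f"kept {len(kept)} record(s), dropped {dropped} past retention")
    for r in kept:
        print(r)
```

The pseudonym is keyed rather than a plain hash so that the token cannot be recomputed from a guessed e-mail address by anyone who obtains only the minimized data set; whether the result counts as de-identified under the APP still depends on what other data the holder can combine it with.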
Obtain Consent for New Uses or Sharing of Personal Data
Only disclose or use personal data for the original purpose for which it was collected, or related purposes that the individual can reasonably expect.
If the collected personal information is to be used for an unrelated purpose, obtain consent again, or process the information in anonymized form.
Check the Privacy Practices of Third Parties with Which You Share Personal Information
Your business and reputation are at risk if third parties mishandle the data you share with them. Before providing any data to a third party, ensure your contract with that third party specifies how it must process personal information. This is especially important if the third party is outside Australia.
Notify Individuals When You Collect Their Personal Information
When collecting personal information about individuals, always notify them in advance. The notification must include an explanation of how and why the information is collected, and who is expected to receive the information.
Protect the Personal Information You Hold
Identify potential threats to the security of personal information you hold, and take steps to mitigate these threats. This includes network security, protecting hardware and applications, access control, and password management. Take measures to prevent human error, which is a major cause of security breaches.
Imperva Compliance Solutions
The Imperva Data Protection solution is used to meet auditing, monitoring, alerting, and protection requirements for APP compliance. It provides comprehensive protection of structured data, whether it is on-premise, in the cloud, in big data stores, or in mainframes.
In addition to APP compliance, Imperva’s data security solution protects your data wherever it lives—on premises, in the cloud and in hybrid environments. It also provides security and IT teams with full visibility into how the data is being accessed, used, and moved around the organization.
Our comprehensive approach relies on multiple layers of protection, including:
- Database firewall—blocks SQL injection and other threats, while scanning for known vulnerabilities.
- User rights management—monitors data access and activities of privileged users to identify excessive, inappropriate, and unused privileges.
- Data masking and encryption—obfuscates sensitive data so it would be useless to the bad actor, even if somehow extracted.
- Data loss prevention (DLP)—inspects data in motion, at rest on servers, in cloud storage, or on endpoint devices.
- User behavior analytics—establishes baselines of data access behavior, uses machine learning to detect and alert on abnormal and potentially risky activity.
- Data discovery and classification—reveals the location, volume, and context of data on premises and in the cloud.
- Database activity monitoring—monitors relational databases, data warehouses, big data and mainframes to generate real-time alerts on policy violations.
- Alert prioritization—Imperva uses AI and machine learning technology to look across the stream of security events and prioritize the ones that matter most.