Australian Privacy Principles - Part 1


The federal legislation on privacy in Australia (the Privacy Act, 1988) is based on 13 Australian Privacy Principles (APPs). These privacy principles are like rules of conduct that must be followed and implemented stringently by APP entities (entities that collect personal and sensitive information, be they government agencies or private entities). A breach of an APP by an entity shall be considered a violation of the privacy rights of an individual.

Let us understand in brief the 13 Australian Privacy Principles:

Principle 1: Open and transparent management of personal information

The entity must always uphold openness in its communication with the individual as to how the personal information is being collected, the manner in which it is being processed and the reason for the collection of the personal information. This communication must be in the form of a privacy policy which must be easily accessible to the individual. Other than a privacy policy, the entity can also implement other procedures and practices in order to facilitate open and easy access to information. 

Principle 2: Anonymity and Pseudonymity

It is not necessary for individuals to always provide their complete details, such as name, address and contact details, to the entity at the time of providing information. The individual can also opt for non-disclosure (anonymity) or for using another name (pseudonymity), unless authorised by law to provide the complete identity details or unless it is impracticable to process information using pseudonyms.

Principle 3: Collection of solicited personal information

This principle states that, unless reasonably required, the entity must not collect either personal or sensitive information. The questions to be asked at the time of collecting information are whether the individual has consented to providing the information and whether the entity needs the information to carry out its activities. In particular, sensitive information must be requested by the entity only if authorised by law or if there is an emergency situation, for instance a health situation that requires the processing of the sensitive information.

Principle 4: Dealing with unsolicited personal information

The Australian Privacy Principles provide for the situation where personal information that was not asked for has been collected. In such a situation, the entity must determine whether the information collected could have been gathered as per APP 3. If not, the information must be destroyed, if it is lawful to do so, or it must be de-identified.

Principle 5: Notification of collection of personal information

Since the APPs are based on principles of transparency, Principle 5 states that the entity must inform the individual about the following matters at the time of collecting the personal information or once the information has been collected:

- the contact details of the entity

- the personal information that has been collected, in case the individual is unaware of the collection or the personal information has been collected from someone other than the individual

- the law that authorises the collection of the personal information

- the purposes for which the personal information has been collected

- the consequences if the personal information is not collected

- details of any other entity to whom the personal information would be disclosed

- details of the privacy policy as to the storage of the personal information and the complaint procedure that can be followed in case of a breach

- disclosure of personal information to overseas recipients and their details

To be continued…

References:

- https://lawhandbook.sa.gov.au

- The Privacy Act, 1988 (Schedule 1)