Transcript
Page 1: Australian Privacy Principles and Information Privacy ... · APP 1 – open and transparent management of personal information APP 1 requires agencies to have ongoing practices and

Australian Privacy Principles and Information Privacy Principles –

Comparison Guide Summary and analysis of key differences for agencies

April 2013


Contents

Introduction to the Guide ................................................................................... 4

Part 1 – Summary of changes .............................................................................. 5

‘Permitted general situations’ and ‘permitted health situations’ ........................................ 5

APP 1 – open and transparent management of personal information ................................ 5

APP 2 – anonymity and pseudonymity ................................................................................. 5

APP 3 – collection of solicited personal information ............................................................ 6

APP 4 – dealing with unsolicited personal information ....................................................... 6

APP 5 – notification of the collection of personal information ............................................ 6

APP 6 – use and disclosure of personal information ............................................................ 7

APP 7 – direct marketing ...................................................................................................... 7

APP 8 – cross-border disclosures .......................................................................................... 7

APP 9 – adoption, use or disclosure of government related identifiers .............................. 8

APP 10 – quality of personal information ............................................................................. 8

APP 11 – security of personal information ........................................................................... 9

APP 12 – access to personal information ............................................................................. 9

APP 13 – correction of personal information ....................................................................... 9

Part 2 – Analysis of differences between IPPs and APPs .................................... 11

Manner and purpose of collection of personal information .............................. 11

Summary of IPP 1 ................................................................................................................ 11

Relevant APPs ..................................................................................................................... 11

Key differences .................................................................................................................... 11

Solicitation of personal information from the individual concerned .................. 13

Summary of IPP 2 ................................................................................................................ 13

Relevant APPs ..................................................................................................................... 13

Key differences .................................................................................................................... 13

Solicitation of personal information generally .................................................. 14

Summary of IPP 3 ................................................................................................................ 14

Relevant APPs ..................................................................................................................... 14

Key differences .................................................................................................................... 14

Storage and security of personal information ................................................... 15

Summary of IPP 4 ................................................................................................................ 15

Relevant APPs ..................................................................................................................... 15


Key differences .................................................................................................................... 15

Information relating to records kept by a record-keeper ................................... 16

Summary of IPP 5 ................................................................................................................ 16

Relevant APPs ..................................................................................................................... 16

Key differences .................................................................................................................... 16

Access to records containing personal information ........................................... 17

Summary of IPP 6 ................................................................................................................ 17

Relevant APPs ..................................................................................................................... 17

Key differences .................................................................................................................... 17

Alteration of records containing personal information ...................................... 17

Summary of IPP 7 ................................................................................................................ 17

Relevant APPs ..................................................................................................................... 18

Key differences .................................................................................................................... 18

Quality of personal information ........................................................................ 19

Summary of IPPs 8 and 9 .................................................................................................... 19

Relevant APPs ..................................................................................................................... 19

Key differences .................................................................................................................... 19

Limits on the use and disclosure of personal information .................................. 19

Summary of IPPs 10 and 11 ................................................................................................ 19

Relevant APPs ..................................................................................................................... 20

Key differences .................................................................................................................... 20

Page 4: Australian Privacy Principles and Information Privacy ... · APP 1 – open and transparent management of personal information APP 1 requires agencies to have ongoing practices and

Australian Privacy Principles and Information Privacy Principles – Comparison Guide, April 2013

Office of the Australian Information Commissioner 4

Introduction to the Guide

The 13 Australian Privacy Principles (APPs) replace the Information Privacy Principles (IPPs) for agencies from 12 March 2014. The APPs are found in the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth).1

Part 1 of this Guide summarises the key differences between the two sets of principles, including the new obligations that apply to agencies. Part 2 of the Guide provides a comprehensive analysis of the differences between the APPs and the IPPs.

The APPs are a single set of principles that apply to both agencies and organisations, which are together defined as APP entities. While the APPs apply to all APP entities, in some cases, they impose specific obligations that apply only to organisations or only to agencies. As the purpose of this Guide is to highlight the differences between the IPPs and the APPs, and the new obligations that apply to agencies, it continues to use the term ‘agency’ throughout.

This Guide is designed to be read with reference to the text of the IPPs and the APPs and does not reproduce these principles in their entirety. Section references throughout the document are to the Privacy Act 1988 (Cth).2

1 <www.comlaw.gov.au/Details/C2012A00197>

2 <www.comlaw.gov.au/Details/C2012C00903>


Part 1 – Summary of changes

‘Permitted general situations’ and ‘permitted health situations’

The amendments to the Privacy Act introduce the concept of a ‘permitted general situation’ and a ‘permitted health situation’. The existence of a permitted general situation or permitted health situation is an exception to various obligations in the APPs.

A new s 16A outlines seven permitted general situations, where the collection, use or disclosure of personal information about an individual, or of a government related identifier, will not be a breach of certain APP obligations.

New s 16B outlines five permitted health situations, where the collection, use or disclosure of certain health information or genetic information, will not be a breach of certain APP obligations.

APP 1 – open and transparent management of personal information

APP 1 requires agencies to have ongoing practices and policies in place to ensure that they manage personal information in an open and transparent way.

APP 1 introduces a new requirement for agencies to have a clearly expressed and up-to-date policy about the management of personal information by the agency. APP 1 specifies the minimum information that should be included in the agency’s APP privacy policy. An agency needs to take reasonable steps to make its APP privacy policy available free of charge and in an appropriate form. The agency must take reasonable steps to provide the policy in a particular form if requested by an individual or body.

APP 1 also requires an agency to take reasonable steps to implement practices, procedures and systems that will ensure compliance with the APPs and any registered APP codes, and enable the agency to deal with inquiries and complaints by individuals.

For a more detailed comparison of APP 1 and IPP 5, see ‘Information relating to records kept by a record-keeper’ on page 16.

APP 2 – anonymity and pseudonymity

APP 2 allows individuals to interact with agencies while not identifying themselves, or by using a pseudonym.

Both requirements are subject to certain limited exceptions, including where it is impracticable for the agency to deal with an individual who has not identified themselves, or where the law or a court/tribunal order requires or authorises the agency to deal with individuals who have identified themselves.

There is no equivalent obligation for agencies under the IPPs.

For a more detailed comparison of APP 2 and IPP 1, see ‘Manner and purpose of collection of personal information’ on page 11.


APP 3 – collection of solicited personal information

APP 3 outlines when and how an agency may collect personal and sensitive information that it solicits from an individual or another entity.

An agency must not collect personal information (other than sensitive information) unless the information is reasonably necessary for, or directly related to, one or more of the agency’s functions or activities.

The APPs impose obligations on agencies regarding sensitive information for the first time. APP 3 deals with the collection of sensitive information by agencies, which is not permissible unless certain exceptions apply.

An agency must only collect personal information from the individual, unless an exception applies.

For a more detailed comparison of APP 3 and IPP 1, see ‘Manner and purpose of collection of personal information’ on page 11, and of APP 3 and IPP 3, see ‘Solicitation of personal information generally’ on page 14.

APP 4 – dealing with unsolicited personal information

APP 4 introduces new obligations for agencies in relation to unsolicited personal information.

Where an agency receives unsolicited personal information, it must determine whether it would have been permitted to collect the information under APP 3. If so, APPs 5 to 13 will apply to that information.

If the information could not have been collected under APP 3, and the information is not contained in a Commonwealth record, the agency must destroy or de-identify that information as soon as practicable, but only if it is lawful and reasonable to do so.

For a more detailed comparison of APP 4 and IPP 1, see ‘Manner and purpose of collection of personal information’ on page 11.

APP 5 – notification of the collection of personal information

APP 5 specifies certain matters about which an agency must generally make an individual aware at the time of, or as soon as practicable after, the agency collects their personal information.

APP 5 is more prescriptive than the IPPs about the information that an agency must provide to an individual.

For a more detailed comparison of APP 5 and IPP 2, see ‘Solicitation of personal information from the individual concerned’ on page 13.


APP 6 – use and disclosure of personal information

APP 6 outlines the circumstances in which an agency may use or disclose the personal information that it holds about an individual.

APP 6 introduces a limited number of new exceptions to the general requirement that an agency only uses or discloses personal information for the purpose for which the information was collected. These include where the use or disclosure is reasonably necessary:

• to assist in locating a missing person

• to establish, exercise or defend a legal or equitable claim, or

• for the purposes of a confidential alternative dispute resolution.

For a more detailed comparison of APP 6 and IPPs 10 & 11, see ‘Limits on the use and disclosure of personal information’ on page 19.

APP 7 – direct marketing

APP 7 regulates the use and disclosure of personal information by organisations for the purpose of direct marketing.

Generally, organisations may only use or disclose personal information for direct marketing purposes where the individual has either consented to their personal information being used for direct marketing, or has a reasonable expectation that their personal information will be used for this purpose, and conditions relating to opt-out mechanisms are met.

APP 7 permits contracted service providers for Commonwealth contracts to use or disclose personal information for the purpose of direct marketing if certain conditions are met.

Section 7A sets out the circumstances in which an act or practice of an agency will be treated as an act or practice by an organisation. This includes where an agency is listed in Division 1 of Part 2 of Schedule 2 to the Freedom of Information Act 1982 in relation to its commercial activities, or is prescribed by regulation.

For a more detailed comparison of APP 7 and IPPs 10 & 11, see ‘Limits on the use and disclosure of personal information’ on page 19.

APP 8 – cross-border disclosures

APP 8 and a new s 16C introduce an accountability approach in relation to an agency’s cross-border disclosures of personal information.

Before an agency discloses personal information to an overseas recipient, the agency must take reasonable steps to ensure that the overseas recipient does not breach the APPs (other than APP 1) in relation to that information. In some circumstances an act done, or a practice engaged in, by the overseas recipient that would breach the APPs, is taken to be a breach of the APPs by the agency. There are a number of exceptions to these requirements.

The IPPs do not explicitly deal with cross-border disclosures.

For a more detailed comparison of APP 8 and IPPs 10 & 11, see ‘Limits on the use and disclosure of personal information’ on page 19.

APP 9 – adoption, use or disclosure of government related identifiers

APP 9 prohibits an organisation from adopting, using or disclosing a government related identifier unless an exception applies. APP 9 generally replicates the restrictions in National Privacy Principle 7 for organisations.

Exceptions generally refer to situations where the adoption, use or disclosure is required or authorised by law, a ‘permitted general situation’ (as outlined in s 16A) exists, or the use or disclosure is reasonably necessary:

• to verify the identity of the individual

• to fulfil obligations to an agency or State or Territory authority

• for one or more enforcement related activities conducted by, or on behalf of, an enforcement body.

The terms ‘identifier’ and ‘government related identifier’ are now defined in s 6.3

Section 7A sets out the circumstances in which an act or practice of an agency will be treated as an act or practice by an organisation. This includes where an agency is listed in Division 1 of Part 2 of Schedule 2 to the Freedom of Information Act 1982 in relation to its commercial activities, or is prescribed by regulation.

For a more detailed comparison of APP 9 and IPPs 10 & 11, see ‘Limits on the use and disclosure of personal information’ on page 19.

APP 10 – quality of personal information

Under APP 10, an agency must take reasonable steps to ensure that the personal information it collects is accurate, up-to-date and complete.

An agency must also ensure that the personal information that it uses or discloses is accurate, up-to-date and complete and relevant, having regard to the purpose of the use or disclosure.

For a more detailed comparison of APP 10 and IPP 3, see ‘Solicitation of personal information generally’ on page 14; of APP 10 and IPPs 8 & 9, see ‘Quality of personal information’ on page 19.

3 See Schedule 1 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) <http://www.comlaw.gov.au/Details/C2012A00197>.


APP 11 – security of personal information

APP 11 requires an agency to take reasonable steps to protect the personal information it holds from interference, in addition to misuse and loss, and unauthorised access, modification and disclosure.

APP 11 imposes a new requirement on agencies to take reasonable steps to destroy or de-identify information if the agency no longer needs the information for any authorised purpose, unless:

• it is contained in a Commonwealth record, or

• the agency is required by law or a court/tribunal order to retain the information.

For a more detailed comparison of APP 11 and IPP 4, see ‘Storage and security of personal information’ on page 15.

APP 12 – access to personal information

Like IPP 6, APP 12 requires an agency to give an individual access to the personal information that it holds about that individual, unless the agency is required or authorised to refuse to give access by or under the Freedom of Information Act 1982 or any other Commonwealth or Norfolk Island legislation that provides for access by persons to documents.

Where access is given under the Privacy Act, APP 12 introduces a new requirement for agencies to respond to requests for access within 30 days. Agencies must give access in the manner requested by the individual if it is reasonable and practicable to do so, and must not charge.

If an agency refuses to give access, or to give access in the manner requested, it must take reasonable steps to give access in a way that meets the needs of the agency and the individual. This could include the use of a mutually agreed intermediary.

If an agency decides not to give an individual access it must generally provide written reasons for the refusal and the mechanisms available to complain about the refusal.

For a more detailed comparison of APP 12 and IPP 6, see ‘Access to records containing personal information’ on page 17.

APP 13 – correction of personal information

Like IPP 7, APP 13 requires an agency to take reasonable steps to correct personal information to ensure that, having regard to a purpose for which it is held, it is accurate, up-to-date, complete, relevant and not misleading, if either:

• the agency is satisfied that it needs to be corrected, or

• an individual requests that their personal information is corrected.


APP 13 contains similar provisions to IPP 7 in relation to associating a statement with the personal information if the agency refuses to correct the information and the individual requests a statement to be associated.

An agency must also respond to a correction request or a request to associate a statement by the individual within 30 days, and must not charge the individual for making the request, for correcting the personal information, or for associating the statement with the personal information.

When refusing an individual’s correction request, an agency must generally provide the individual with written reasons for the refusal and notify them of available complaint mechanisms.

If an agency corrects personal information about an individual that it previously disclosed to another entity, APP 13 generally requires the agency to take reasonable steps to notify the other entity that a correction has been made, if the individual requests it to do so.

For a more detailed comparison of APP 13 and IPP 7, see ‘Alteration of records containing personal information’ on page 17.


Part 2 – Analysis of differences between IPPs and APPs

Manner and purpose of collection of personal information

Summary of IPP 1

Personal information must not be collected unless it is necessary for, or directly related to, a lawful purpose that is directly related to a function or activity of the agency. Personal information must not be collected by unlawful or unfair means.

Relevant APPs

APP 2—anonymity and pseudonymity

APP 3—collection of solicited personal information

APP 4—dealing with unsolicited personal information

Key differences

APP 2—anonymity and pseudonymity

APP 2 introduces new obligations for agencies to give individuals the option of not identifying themselves, or of using a pseudonym, when dealing with the agency in relation to a particular matter, unless:

• the agency is required or authorised by or under an Australian law, or an order of a court/tribunal, to deal with individuals who have identified themselves (APP 2.2(a))4

• it is impracticable to deal with individuals who have not identified themselves (APP 2.2(b)).

APP 3—collection of solicited personal information

APP 3.1 and APP 3.5 generally reflect the obligations for agencies that are contained in IPP 1. An agency must not collect personal information (other than sensitive information) unless it is reasonably necessary for, or directly related to, one or more of the agency’s functions or activities. An agency must only collect personal information by lawful and fair means. The concept of ‘fair’ extends to the obligation not to use ‘unreasonably intrusive’ means.

Under IPP 1, an agency’s obligations do not change when collecting sensitive information. APP 3.3 introduces a higher standard for agencies to meet when collecting sensitive information.

4 Definitions of the terms ‘Australian law’ and ‘court/tribunal order’ have been inserted into s 6 in order to clarify the scope of this exception. See Schedule 1 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) <www.comlaw.gov.au/Details/C2012A00197>.


Agencies must not collect sensitive information unless an exception applies (APP 3.4). Exceptions include:

• where the individual consents to the collection, and the information is reasonably necessary for, or directly related to, one or more of the agency’s functions or activities (APP 3.3(a))

• if the collection is required or authorised by or under an Australian law or a court/tribunal order (APP 3.4(a))5

• where a permitted general situation exists in relation to the collection (APP 3.4(b), see s 16A for a list of permitted general situations)6

• if the agency is an enforcement body (other than the Immigration Department) and reasonably believes that the collection is reasonably necessary for, or directly related to, one or more of its functions or activities (APP 3.4(d)(ii)). The term ‘enforcement body’ is defined in s 6.7

• if the agency is the Immigration Department, and reasonably believes that the collection of the information is reasonably necessary for, or directly related to, one or more enforcement related activities conducted by, or on behalf of, the Department (APP 3.4(d)(i)). The term ‘enforcement related activities’ is defined in s 6.8

APP 3.6 creates a new obligation for agencies to only collect information about an individual from that individual, unless:

• the individual consents to the collection from another person

• the agency is required or authorised by or under an Australian law or a court/tribunal order to collect the information from someone other than the person,9 or

• it is unreasonable or impracticable to do so.

APP 3 is also discussed under IPP 3.

APP 4—dealing with unsolicited personal information

APP 4 creates new obligations in relation to the receipt of personal information which is not solicited by the agency.

Where unsolicited personal information is received:

5 Definitions of the terms ‘Australian law’ and ‘court/tribunal order’ have been inserted into s 6 in order to clarify the scope of this exception. See Schedule 1 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) <www.comlaw.gov.au/Details/C2012A00197>.

6 See Schedule 1 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) <http://www.comlaw.gov.au/Details/C2012A00197>.

7 See Schedule 1 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) <http://www.comlaw.gov.au/Details/C2012A00197>.

8 See Schedule 1 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) <http://www.comlaw.gov.au/Details/C2012A00197>.

9 Definitions of the terms ‘Australian law’ and ‘court/tribunal order’ have been inserted into s 6 in order to clarify the scope of this exception. See Schedule 1 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) <www.comlaw.gov.au/Details/C2012A00197>.


• an agency must, within a reasonable period, determine whether it could have collected the information under APP 3 (APP 4.1)

• if the information could have been collected, then APPs 5 to 13 apply to the information (APP 4.4)

• if the agency could not have collected the information, it must destroy or de-identify the information as soon as practicable, but only if lawful and reasonable to do so, and only if the information is not contained in a Commonwealth record (APP 4.3).

Unsolicited personal information which is retained by the receiving agency must be afforded the same privacy protection as solicited personal information.

Solicitation of personal information from the individual concerned

Summary of IPP 2

IPP 2 outlines the matters that agencies must take reasonable steps to make individuals aware of, either before the information is collected, or as soon as practicable after. The individual should be made generally aware of:

• the purpose for which the information is collected

• if the collection is authorised or required by or under law

• any person, body or agency to which information of that kind is usually disclosed, and any body or agency to which they pass on the information.

Relevant APPs

APP 5—notification of the collection of personal information

Key differences

Under APP 5, an agency must take reasonable steps to notify an individual of certain matters, or otherwise ensure an individual is aware of these matters. The list of matters in APP 5 is more extensive than those contained in IPP 2. Notification must occur at or before the time the information is collected, or, if that is not practicable, as soon as practicable after.

Additional matters about which an agency must notify an individual, or otherwise make them aware, under APP 5 include:

• the identity and contact details of the agency (APP 5.2(a))

• if the agency has obtained the information from someone else, or the individual may not be aware that the agency has collected the information, that the agency collects, or has collected, the information, and the circumstances of collection (APP 5.2(b))


• the main consequences for the individual if the agency doesn’t collect the information (APP 5.2(e))

• that the agency’s APP privacy policy contains information about access, correction and complaint handling (APP 5.2(g) & (h))

• whether the agency is likely to disclose the information to overseas recipients and, if so, the countries in which these recipients are likely to be located (APP 5.2(i) & (j)). If it is not practicable to specify the countries in the notification, the agency may make the individual aware of them in another way.

Solicitation of personal information generally

Summary of IPP 3

An agency must take steps to ensure the personal information it collects is relevant to the purpose for which it is collected, up-to-date and complete, and not collected in an unreasonably intrusive way.

Relevant APPs

APP 3—collection of solicited personal information

APP 10—quality of personal information

Key differences

APP 10.1 mirrors the requirements of IPP 3, imposing an obligation on agencies to take reasonable steps to ensure that the information it collects is up-to-date and complete. APP 10.1 also requires an agency to take reasonable steps to ensure that the information it collects is accurate.

APP 3.1 states that an agency must only collect personal information if it is reasonably necessary for, or directly related to, one or more of the agency’s functions or activities. This requirement is similar to the requirement in IPP 3(c) that the personal information collected is relevant to the purpose for which the information is collected.

APP 10.2 also deals with an agency’s obligations in relation to the quality of the personal information that it uses and discloses. This provision is discussed under IPPs 8 and 9.

The APPs remove the requirement in IPP 3(d) that the collection must not intrude upon the personal affairs of the individual. However, under APP 3, agencies must only collect personal information by lawful and fair means. APP 3 is also discussed under IPP 1.


Storage and security of personal information

Summary of IPP 4

An agency must take reasonable safeguards to ensure that the personal information that it holds is stored securely to protect it against loss, unauthorised access, use, modification or disclosure, and against other misuse.

The agency must also use all its reasonable powers to prevent unauthorised use or disclosure of the information when it is given to another person in connection with the provision of a service to the agency.

Relevant APPs

APP 11—security of personal information

Key differences

APP 11 requires agencies to take reasonable steps to protect information from interference, in addition to protection against misuse, loss, and from unauthorised access, modification or disclosure.

Unlike IPP 4, APP 11 contains no obligation for an agency to protect information disclosed to third parties providing services to the agency. The only equivalent provision under the APPs is in APP 8, where an agency that discloses personal information to an overseas recipient must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information. APP 8 is discussed further under IPPs 10 and 11.

Under APP 11, agencies must take reasonable steps to de-identify or destroy personal information if:

• it is no longer needed for any purpose for which the information may be used or disclosed under the APPs

• the information is not contained in a Commonwealth record, and

• the agency is not required by or under an Australian law or a court/tribunal order to retain the information.10

No such express obligation exists in the IPPs.

10 Definitions of the terms ‘Australian law’ and ‘court/tribunal order’ have been inserted into s 6 in order to clarify the scope of this exception. See Schedule 1 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) <http://www.comlaw.gov.au/Details/C2012A00197>.


Information relating to records kept by a record-keeper

Summary of IPP 5

An agency must take steps to record the type of personal information that it holds, and to enable an individual to ascertain whether the agency holds personal information about that individual. Additionally, an agency must give the Commissioner a copy of this record annually.

Relevant APPs

APP 1—open and transparent management of personal information

Key differences

The APPs remove the requirement for agencies to submit records about the types of personal information that they hold to the Commissioner every year. Instead, much of the information previously required under IPP 5 must now be contained in the agency’s APP privacy policy. An agency is required to have a clearly expressed and up-to-date APP privacy policy about the management of personal information, which the agency makes available free of charge and in an appropriate form (APP 1.3).

Under APP 1.2, an agency must take reasonable steps to implement practices, procedures and systems relating to the agency’s functions or activities that will:

• ensure that the agency complies with the APPs and any registered APP code that binds the agency, and

• enable the agency to deal with inquiries or complaints from individuals.

This is a new requirement for agencies.

APP 1.4 requires an agency’s APP privacy policy to include the following information:

• the kinds of personal information that the entity collects and holds

• how the entity collects and holds personal information

• the purposes for which the entity collects, holds, uses and discloses personal information

• how an individual may access their personal information that is held by the entity and seek the correction of such information

• how an individual may complain about a breach of the APPs, or any registered APP code that binds the entity, and how the entity will deal with such a complaint

• whether the entity is likely to disclose personal information to overseas recipients, and if so, the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy.

If the APP privacy policy is requested in a particular form, the agency must take reasonable steps to give it in that form (APP 1.5).


Access to records containing personal information

Summary of IPP 6

If an agency holds personal information about an individual, the individual is entitled to have access to that information unless the agency is required or authorised by Commonwealth law to refuse to provide access.

Relevant APPs

APP 12—access to personal information

Key differences

APP 12 retains the same access obligations as IPP 6 and includes some additional requirements. Under APP 12, an agency that holds personal information about an individual must, on request by the individual, give access to the information, unless the entity is required or authorised to refuse to give access by or under:

• the Freedom of Information Act 1982 (Cth), or

• any other Act of the Commonwealth, or a Norfolk Island enactment, that provides for access by persons to documents.

It is intended that the Freedom of Information Act will be the primary avenue through which individuals can seek access to their information, where it is contained in documents held by an agency. However, where access is provided in accordance with the Privacy Act, APP 12.4 introduces a new requirement for agencies to respond to a request for access within 30 days. Access must also be given in the manner requested by the individual, if it is reasonable and practicable to do so. Agencies may not charge individuals for making a request or for giving them access to their personal information (APP 12.7).

Where an agency refuses a request for access, or refuses to give access in the manner requested by the individual, APP 12.5 requires the agency to take reasonable steps to give access in a way that meets the needs of the agency and the individual. This could include giving access through the use of a mutually agreed intermediary (APP 12(6)). There is no such requirement under the IPPs.

Additionally, if an agency refuses to give access, or to give access in the manner requested, it must provide the individual with written reasons for the refusal (except to the extent that it would be unreasonable to do so), the complaint mechanisms available, and any other matter prescribed by the regulations (APP 12.9).

Alteration of records containing personal information

Summary of IPP 7

An agency must take steps to make any corrections, deletions and additions that are reasonable to ensure that the record is accurate and relevant, up-to-date, complete and not misleading, having regard to the purpose for which the information was collected or is to be used, or any purpose directly related to that purpose.

If an agency is not willing to correct the personal information as requested by an individual, the agency must take reasonable steps to attach any statement provided by the individual of the correction, deletion or addition sought.

This requirement is subject to any limitation in a Commonwealth law that provides a right to require the correction or amendment of documents.

Relevant APPs

APP 13—correction of personal information

Key differences

APP 13.1 is substantially similar to the provisions in IPP 7. An agency must take reasonable steps to correct personal information to ensure that, having regard to the purpose for which it is held, it is accurate, up-to-date, complete, relevant and not misleading, if:

• the agency is satisfied that, having regard to a purpose for which the information is held, the information is inaccurate, out-of-date, incomplete, irrelevant or misleading, or

• the individual to whom the personal information relates requests the agency to correct the information.

APP 13 also contains similar provisions to IPP 7 in relation to associating a statement. If an agency refuses to correct the personal information as requested, and the individual requests that a statement be associated with the information that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading, the agency must take reasonable steps to do so in such a way that will make the statement apparent to users of the information (APP 13.4).

Unlike IPP 7, APP 13 requires an agency, when refusing an individual’s correction request, to provide the individual with written reasons for the refusal (except to the extent that it would be unreasonable to do so), the complaint mechanisms available, and any other matter prescribed by the regulations (APP 13.3).

Under APP 13, an agency must respond to a correction request within 30 days. Agencies must not charge individuals for making a request, for making a correction, or for attaching a statement (APP 13.5). There are no equivalent requirements in the IPPs.

APP 13 also places a new obligation on agencies to, on request by the individual, take reasonable steps to notify a third party of the correction unless it is unlawful or impracticable to do so, where the agency previously disclosed the uncorrected personal information to that third party (APP 13.2).


Quality of personal information

Summary of IPPs 8 and 9

An agency must not use personal information without taking reasonable steps to ensure that the information is accurate, up-to-date and complete, having regard to the purpose for which the information is to be used (IPP 8). The information must only be used for a purpose to which the information is relevant (IPP 9).

Relevant APPs

APP 10—quality of personal information

Key differences

APP 10.2 contains the same obligations as IPPs 8 and 9 in relation to use, requiring an agency to take reasonable steps to ensure that the personal information that it uses is accurate, up-to-date, complete, and relevant, having regard to the purpose for which it will be used. However, APP 10.2 applies these requirements to an agency’s disclosure of personal information in addition to use.

APP 10.1 requires an agency to take reasonable steps to ensure that the information it collects is accurate, up-to-date and complete. This provision is discussed further under IPP 3.

Limits on the use and disclosure of personal information

Summary of IPPs 10 and 11

These principles set out when an agency may use or disclose personal information. They do not differentiate between an agency’s treatment of personal information and sensitive information.

Under IPP 10, if an agency collected personal information for a particular purpose, it must not use that information for any other purpose unless certain exceptions apply, including:

• if the individual has consented to the use for another purpose

• if the purpose is directly related to the purpose for which the information was obtained.

Under IPP 11, an agency must not disclose personal information to another person, body or agency unless certain exceptions apply including:

• the individual concerned is reasonably likely to have been aware, or made aware under IPP 2, that information of that kind is usually passed to that person, body or agency

• the individual has consented to the disclosure.


In addition, IPPs 10 and 11 permit the use for another purpose or disclosure of the personal information if:

• the agency believes that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual or another person

• the use or disclosure is required or authorised by or under law

• the use or disclosure is reasonably necessary for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue. If an agency uses or discloses the information for this purpose, a note of this should be made on the record.

Under IPP 11.3, if a person, body or agency receives personal information that has been disclosed by an agency under IPP 11.1, they must not use or disclose the information for a purpose other than the purpose for which the information was given to them.

Relevant APPs

APP 6—use or disclosure of personal information

APP 7 – direct marketing

APP 8—cross border disclosure of personal information

APP 9 – adoption, use or disclosure of government related identifiers

Key differences

APP 6—use or disclosure of personal information

APP 6 combines the general provisions for both the use and the disclosure of personal information in one principle. If an agency collects personal information for a particular purpose (the primary purpose), it must not use or disclose the information for another purpose (the secondary purpose) unless the individual consents to the use or disclosure, or another exception applies.

APP 6 reflects the IPP 10 and IPP 11 exceptions, as well as introducing new exceptions, which permit the use or disclosure of personal information for secondary purposes. APP 6 also places different obligations on agencies regarding the use or disclosure of sensitive information, which is new for agencies.

APP 6.2(a) deals with use or disclosure of personal information for a secondary purpose. It is similar to IPP 10.1(e) and IPP 11.1(a), but deals with sensitive information separately from other personal information. Use or disclosure is permitted if the individual would reasonably expect the agency to use or disclose the information for the secondary purpose and the secondary purpose is:

• if the information is sensitive information – directly related to the primary purpose.


• if the information is not sensitive information – related to the primary purpose of collection.

The remainder of APP 6.2 and APP 6.3 outline the other exceptions that permit the use or disclosure of personal information for a secondary purpose.

APP 6.2(b) is similar to IPP 10.1(c) and IPP 11.1(d), with use or disclosure now permitted when it is required or authorised by or under an Australian law or a court/tribunal order.11

APP 6.2(c) permits the use or disclosure of personal information if a ‘permitted general situation’ exists. These situations are set out in s 16A.

Permitted general situation 1 reflects the IPP 10.1(b) and IPP 11.1(c) exceptions regarding threats to life, health or safety, and extends it to threats to public health and safety. However, it removes the requirement that the threat must be imminent. This removal of the imminence requirement is balanced by the introduction of a requirement to assess whether it is unreasonable or impracticable to seek the individual’s consent to the use or disclosure.

The permitted general situations also introduce new exceptions for agencies. Under APP 6.2(c) the use or disclosure of personal information for a secondary purpose is allowed if:

• the agency has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the agency’s functions or activities has been, is being, or may be engaged in, and the agency reasonably believes that the use or disclosure is necessary in order for an agency to take appropriate action in relation to the matter

• the agency reasonably believes that it is reasonably necessary to assist any APP entity, body or person to locate a missing person and the use or disclosure complies with rules made by the Commissioner

• it is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim

• it is reasonably necessary for the purpose of a confidential alternative dispute resolution process

• the agency reasonably believes that it is necessary for the agency’s diplomatic or consular functions or activities.

In the case of the Defence Force, the use or disclosure of personal information is permitted if there is a reasonable belief that it is necessary for war or warlike operations; peacekeeping or peace enforcement; civil aid, humanitarian assistance, medical or civil emergency or disaster relief. These activities must be occurring outside Australia and the external Territories.

11 Definitions of the terms ‘Australian law’ and ‘court/tribunal order’ have been inserted into s 6 in order to clarify the scope of this exception. See Schedule 1 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) <http://www.comlaw.gov.au/Details/C2012A00197>.


APP 6.2(e) permits the use or disclosure of personal information if an agency reasonably believes it is necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body. The terms ‘enforcement body’ and ‘enforcement related activities’ are now defined in s 6.12 ‘Enforcement related activities’ includes the activities listed in IPP 10.1(d) and IPP 11.1(e), in addition to the following new activities:

• the conduct of surveillance activities, intelligence gathering activities or monitoring activities

• the conduct of protective or custodial activities

• the enforcement of laws relating to the confiscation of the proceeds of crime

• the prevention, detection, investigation or remedying of misconduct of a serious nature, or other conduct prescribed by the regulations

• the preparation for, or conduct of, proceedings before any court or tribunal, or the implementation of court/tribunal orders.

Agencies are still required to make a written note of any use or disclosure of personal information made under this exception (APP 6.5).

An agency that is not an enforcement body is also permitted to disclose biometric information or biometric templates to enforcement bodies, provided the disclosure is conducted in accordance with guidelines issued by the Commissioner (APP 6.3). This is a new provision for agencies.

There is no equivalent in the APPs to IPP 11.3, which provides that if an agency discloses personal information (however obtained) to any recipient, the recipient can only use or disclose that information for the purpose for which it was disclosed to them. However, where the recipient is an APP entity, the recipient would need to comply with the APPs in relation to the personal information.

APP 7 – direct marketing

Under APP 7, an organisation may generally only use or disclose personal information for direct marketing purposes if an exception, listed in APPs 7.2 to 7.5, applies.

APP 7 may apply to agencies, as per s 7A. Section 7A sets out the circumstances when an act or practice of an agency will be treated as an act or practice by an organisation. This includes where an agency is listed in Division 1 of Part 2 of Schedule 2 to the Freedom of Information Act 1982 in relation to its commercial activities, or is prescribed by regulation. These agencies will only be able to use or disclose personal information for the purpose of direct marketing if an exception in APP 7 is met.

Exceptions to the general prohibition on direct marketing include situations where the individual has either consented to their personal information being used for direct marketing, or has a reasonable expectation that their personal information will be used for this purpose, and conditions relating to opt-out mechanisms are met.

12 See Schedule 1 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) <http://www.comlaw.gov.au/Details/C2012A00197>.

APP 7.5 permits contracted service providers for Commonwealth contracts to use or disclose personal information for the purpose of direct marketing if certain conditions are met.

APP 8—cross border disclosure of personal information

APP 8 sets out the requirements relating to the disclosure of personal information to recipients located outside of Australia.

These specific obligations in relation to cross border disclosures are new for agencies. Before an agency discloses personal information to an overseas recipient, the agency must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information (APP 8.1).

In certain circumstances an act done, or a practice engaged in, by the overseas recipient is taken to have been done, or engaged in, by the agency and to be a breach of the APPs by that agency (s 16C, see Note to APP 8.1). Generally, this will apply where:

• APP 8.1 applies to the disclosure (APP 8.1 applies to all cross-border disclosures of personal information, unless an exception in APP 8.2 applies), and

• the overseas recipient is not subject to the APPs, but the act or practice would be a breach of the APPs if they were.

APP 8.2 lists a number of exceptions to APP 8.1. These are where:

• an agency reasonably believes that the recipient is subject to a law or binding scheme that has the effect of protecting the information in a way that is, overall, substantially similar to the APPs; and the individual to whom the information relates is able to access mechanisms to take action to enforce those protections (APP 8.2(a))

• an individual consents to the cross-border disclosure, after the agency expressly informs them that APP 8.1 will no longer apply if they give their consent (APP 8.2(b))

• the cross border disclosure is required or authorised by or under an Australian law, or a court/tribunal order (APP 8.2(c))

• a permitted general situation exists, other than those relating to disclosure for the establishment, exercise or defence of a legal or equitable claim, or for the purposes of a confidential alternative dispute resolution process (APP 8.2(d))

• the disclosure of the information is required or authorised by or under an international agreement relating to information sharing to which Australia is a party (APP 8.2(e))

• an agency reasonably believes that the disclosure is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body, and the recipient is a body that performs functions, or exercises powers, that are similar to those performed or exercised by an enforcement body (APP 8.2(f)).

APP 9 – adoption, use or disclosure of government related identifiers

APP 9 prohibits an organisation from adopting, using or disclosing a government related identifier unless an exception applies.

APP 9 may apply to agencies, as per s 7A. Section 7A sets out the circumstances when an act or practice of an agency will be treated as an act or practice by an organisation. This includes where an agency is listed in Division 1 of Part 2 of Schedule 2 to the Freedom of Information Act 1982 in relation to its commercial activities, or is prescribed by regulation.

The terms ‘government related identifier’ and ‘identifier’ are defined in s 6.13

Exceptions to the general prohibition on the adoption, use or disclosure of government related identifiers generally refer to situations where:

• the adoption, use or disclosure is required or authorised by or under an Australian law or a court/tribunal order14

• the use or disclosure is reasonably necessary for the agency to verify the identity of the individual for the purposes of the agency’s functions or activities

• the use or disclosure is reasonably necessary for the agency to fulfil obligations to another agency or State or Territory authority

• a permitted general situation exists, other than those relating to disclosure for the establishment, exercise or defence of a legal or equitable claim, or for the purposes of a confidential alternative dispute resolution process

• the use or disclosure is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body (the terms ‘enforcement body’ and ‘enforcement related activities’ are now defined in s 6.15 See discussion of the new definition of ‘enforcement related activities’ under ‘Limits on the use and disclosure of personal information’ on page 22).

13 See Schedule 1 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) <http://www.comlaw.gov.au/Details/C2012A00197>.

14 Definitions of the terms ‘Australian law’ and ‘court/tribunal order’ have been inserted into s 6 in order to clarify the scope of this exception. See Schedule 1 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) <http://www.comlaw.gov.au/Details/C2012A00197>.

15 See Schedule 1 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) <http://www.comlaw.gov.au/Details/C2012A00197>.
