Privacy#
Data privacy, also known as information privacy or data protection, refers to the protection of an individual’s or organization’s sensitive and personal information from unauthorized access, disclosure, alteration, or destruction. It involves ensuring that data is handled in a way that respects the privacy rights of individuals, maintaining the confidentiality and security of the data.
Data privacy encompasses various practices, policies, and measures aimed at safeguarding data from breaches, cyberattacks, or misuse. It is a fundamental aspect of maintaining trust, ethical data handling, and complying with data protection laws and regulations, such as the General Data Protection Regulation (GDPR) in Europe and the Australian Privacy Principles.
Data privacy is crucial for several reasons:
Personal Security: Protecting personal information, such as your name, address, and financial details, helps prevent identity theft and fraud. Unauthorized access to this data can lead to financial losses and even legal issues.
Digital Footprint: In today’s digital age, our online activities create a digital footprint. Data privacy ensures that your online behaviour, preferences, and interactions remain private, reducing the risk of personal information being exploited for targeted ads or cyberattacks.
Trust: Individuals and organizations must trust that their data is handled responsibly. Maintaining data privacy fosters trust between individuals and the companies or platforms they interact with.
Compliance: Many countries have data protection laws that require organizations to follow specific guidelines when handling personal data. Ensuring data privacy helps organizations stay compliant with these laws, avoiding legal consequences.
Ethical Considerations: Respecting data privacy is an ethical obligation. It’s about treating individuals with dignity and respecting their right to control their personal information.
Reputation: Organizations that mishandle data can suffer reputational damage. Customers and users are more likely to trust and support companies that prioritize data privacy.
In Australia, data privacy is governed by the Australian Privacy Principles.
The Australian Privacy Principles#
The Australian Privacy Principles (or APPs) are the cornerstone of the privacy protection framework in the Privacy Act 1988. They apply to any organisation or agency the Privacy Act covers [OAIC, 2023].
There are 13 Australian Privacy Principles and they govern standards, rights and obligations around:
the collection, use and disclosure of personal information
an organisation or agency’s governance and accountability
integrity and correction of personal information
the rights of individuals to access their personal information.
APP 1 - Open and Transparent Management#
Organizations must have clear and transparent policies on how they manage personal information.
Key elements of APP 1 include:
Privacy Policies: Organizations are required to have clear and easily accessible privacy policies that outline their practices for handling personal information. These policies should explain what kind of information is collected, why it’s collected, how it’s used, and who it may be disclosed to.
Access to Privacy Policies: Privacy policies must be made available to individuals free of charge and in an easily understandable format. This can be done through a website, in printed form, or by other means, depending on how the organization interacts with individuals.
Purpose of Collection: When personal information is collected, organizations should inform individuals of the primary purpose for which the information is being collected. This helps individuals understand why their data is needed.
Cross-Referencing Privacy Policies: If an organization collects personal information from another organization, they should ensure that individuals are aware of both organizations’ privacy policies.
Changes to Policies: If an organization changes its privacy policy, individuals should be notified of the changes and given the opportunity to opt out if they disagree with the new policy.
Contact Information: Privacy policies should include contact information for the organization or agency’s Privacy Officer, making it easy for individuals to ask questions or raise concerns about their personal information.
APP 2 - Anonymity and Pseudonymity#
Individuals have the option to interact with organizations anonymously or using a pseudonym, where practical.
Key elements of APP 2 include:
Option for Anonymity: Under APP 2, organizations and agencies should give individuals the option to interact with them without having to identify themselves, unless it is unreasonable or impracticable to do so. This means that individuals should have the choice to remain anonymous when using services or accessing information, if it’s feasible for the organization.
Use of Pseudonyms: Individuals should also be given the option to use a pseudonym or alias instead of their real name when dealing with organizations. This allows for a level of privacy while still engaging in transactions or interactions.
Reasonable and Impracticable Exceptions: There are situations where it may be unreasonable or impracticable to allow anonymity or pseudonymity. For example, if a financial institution needs to verify a customer’s identity for legal or security reasons, it would be impracticable to allow anonymity. However, such exceptions must be justifiable.
Collection of Minimal Information: When organizations do collect personal information, they should limit it to what is necessary for the purpose of the interaction. This discourages the unnecessary collection of data.
Exceptions: There are exceptions to APP 2, such as when a law or court order requires the collection of specific identifying information.
APP 3 - Collection of Solicited Personal Information#
Organizations can only collect personal information that is reasonably necessary for their functions and activities.
Key elements of APP 3 include:
Open and Transparent Collection: Organizations must be open and transparent about the collection of personal information. This means individuals should be informed about why their information is being collected, what it will be used for, and who it may be disclosed to.
Collection for a Lawful Purpose: Personal information should only be collected for a lawful purpose that is directly related to the functions or activities of the organization. It should not be collected for unrelated purposes.
Direct Collection: Whenever possible, organizations should collect personal information directly from the individual it relates to. For example, if an organization needs information from a customer, it should seek that information directly from the customer.
Exceptions: There are exceptions that allow for the collection of personal information without the individual’s consent in certain circumstances. These exceptions include situations where collection is required or authorized by law, or when it is necessary to deal with a serious threat to health or safety.
Sensitive Information: If an organization needs to collect sensitive information (such as health information or racial or ethnic origin), stricter requirements apply. Sensitive information can generally only be collected with the individual’s consent, or if required or authorized by law.
Notification: Individuals must be notified of the organization’s privacy policy, which should include information about how personal information is handled, the purposes for which it is collected, and how individuals can access and correct their information.
APP 4 - Dealing with Unsolicited Personal Information#
When an organization receives unsolicited personal information, it must determine whether it could have collected that information under its usual collection rules.
Key elements of APP 4 include:
Reasonable Steps: When an organization receives unsolicited personal information, it must assess whether it could have collected the information under APP 3 if it had solicited the information. If the organization determines that it could have collected the information under APP 3, it should treat it as if it had been solicited.
Sensitive Information: Special care should be taken when dealing with unsolicited sensitive information (such as health information or information about an individual’s racial or ethnic origin). The organization must ensure that this information is not used or disclosed unless one of the exceptions under APP 3 applies.
Destruction or De-identification: If the organization determines that it could not have collected the unsolicited personal information under APP 3 and it is not otherwise required or authorized by law to retain the information, it must take reasonable steps to destroy the information or ensure it is de-identified.
Notification: Individuals should be notified if an organization receives unsolicited personal information about them, unless it would be unreasonable or impractical to do so. This notification should inform individuals about how the organization will handle the information.
APP 5 - Notification of Collection#
Individuals must be informed when their personal information is collected, including the purpose of collection.
Key elements of APP 5 include:
Openness and Transparency: Organizations are required to have a clearly expressed and up-to-date privacy policy that outlines their practices for managing personal information. This policy should be readily available and easily accessible to individuals.
Notifying Individuals: When an organization collects personal information directly from an individual, it must take reasonable steps to ensure that the individual is aware of the following:
The identity of the organization and how to contact it.
The fact that the individual can access their personal information and seek correction if necessary.
The purposes for which the information is being collected.
Any third parties or types of third parties to whom the information might be disclosed.
Any legal requirements or consequences if the information is not provided.
Exceptions: There are certain exceptions to the notification requirement. For example, notification may not be necessary if the individual is already aware of the information being collected, or if it is impractical to provide such notification.
Consequences of Non-Compliance: Non-compliance with APP 5 can have significant consequences, as it goes to the heart of privacy transparency and fairness. Individuals have the right to be informed about how their information is being handled.
APP 6 - Use or Disclosure#
Personal information can only be used or disclosed for the purpose it was collected, unless the individual consents or an exception applies.
Key elements of APP 6 include:
Primary Purpose: Personal information can generally only be used or disclosed for the primary purpose for which it was collected, unless an exception applies.
Secondary Purpose: If an organization wishes to use or disclose personal information for a secondary purpose (a purpose other than the primary one), it must obtain the individual’s consent unless another exception applies.
Exceptions: There are several exceptions under APP 6 that allow for the use or disclosure of personal information without the need for consent. Some of these exceptions include when the use or disclosure is:
Required or authorized by law.
Necessary to prevent a threat to life, health, or safety.
Reasonably necessary for law enforcement purposes.
Related to research, and steps are taken to ensure the information remains de-identified.
Direct Marketing: If personal information is collected for the purpose of direct marketing, the organization must provide a clear and easy way for individuals to opt out of receiving direct marketing communications.
Consequences of Non-Compliance: Non-compliance with APP 6 can result in a breach of an individual’s privacy rights. It’s essential for organizations to ensure that any use or disclosure of personal information aligns with the principles outlined in APP 6.
APP 7 - Direct Marketing#
Individuals have the right to opt out of receiving direct marketing materials.
Key elements of APP 7 include:
Consent: Before organizations can engage in direct marketing activities, they must obtain the individual’s consent. Consent should be informed, voluntary, and easy to withdraw. Individuals should have a clear and simple way to opt out of further direct marketing communications.
Opt-Out Mechanism: Organizations must provide a straightforward opt-out mechanism in their marketing materials. This allows individuals to indicate that they do not wish to receive further direct marketing communications. Once an opt-out request is received, organizations must promptly comply with it.
Third-Party Marketing: If organizations disclose personal information to third parties for direct marketing purposes, they should inform individuals of this practice and provide them with an option to opt out. This ensures transparency and gives individuals control over how their information is used.
Compliance with Spam Laws: Organizations conducting electronic direct marketing (e.g., email marketing) must also comply with relevant spam laws, in addition to APP 7. These laws may impose additional requirements, such as including an unsubscribe link in marketing emails.
Exceptions: There are some exceptions to the consent requirement for direct marketing. For example, organizations can send direct marketing communications without consent if they have obtained the individual’s information through a conspicuous publication or if the communication is related to their ongoing relationship with the individual.
APP 8 - Cross-Border Disclosure of Personal Information#
Organizations must ensure that personal information sent overseas is protected by similar privacy laws.
Key elements of APP 8 include:
Consent and Notification: Before an organization can transfer personal information outside of Australia, it generally requires the individual’s consent. Individuals must be informed that their information will be sent overseas and the countries to which it will be sent.
Alternative Exceptions: APP 8 provides some alternative exceptions to the consent requirement. These include situations where the overseas recipient is subject to similar privacy laws or binding contractual obligations that provide the same level of protection as the Australian Privacy Principles.
Notification of Countries: Organizations must specify the countries, or at least the regions, where they intend to transfer personal information. This helps individuals understand the potential risks associated with cross-border data transfers.
Overseas Entities’ Privacy Practices: Organizations should take reasonable steps to ensure that overseas entities that receive personal information comply with privacy laws equivalent to the Australian Privacy Principles or are bound by contractual agreements to protect the information.
Complaint Handling: APP 8 emphasizes the importance of having processes in place to handle complaints related to cross-border disclosure of personal information. Individuals should be able to lodge complaints if they believe their information is mishandled overseas.
Access and Correction: Individuals should have avenues to access and correct their personal information held by overseas recipients. This means they can request access to their data and seek corrections if necessary, even if it’s stored overseas.
Accountability: Organizations are ultimately accountable for the security and privacy of personal information transferred overseas. They should take reasonable steps to ensure that overseas recipients comply with the Australian Privacy Principles.
APP 10 - Quality of Personal Information#
Organizations must ensure that the personal information they collect is accurate, up-to-date, and complete.
Key elements of APP 10 include:
Collection of Accurate Information: Organizations are required to take reasonable steps to ensure that the personal information they collect is accurate, complete, and up-to-date. This includes verifying the information at the time of collection.
Use of Information: Personal information should only be used for the purposes for which it was collected or a related purpose that an individual would reasonably expect. Using inaccurate information for decision-making or other purposes should be avoided.
Correction of Information: Individuals have the right to request corrections to their personal information if they believe it is inaccurate, incomplete, or out-of-date. Organizations must promptly respond to such requests and make necessary corrections.
Notification of Corrections: If an organization corrects personal information, it should inform other entities to which the information was previously disclosed, if applicable, unless doing so is impractical or involves disproportionate effort.
Data Quality Policies: Organizations are encouraged to establish and maintain policies and procedures for managing the quality and accuracy of personal information. This may include regular reviews and updates of stored information.
Data Minimization: APP 10 aligns with the principle of data minimization, emphasizing that organizations should only collect personal information that is necessary for their functions or purposes. Unnecessary or excessive data collection should be avoided.
Retention and Deletion: Personal information should not be retained longer than necessary for the purposes for which it was collected. Once the purpose has been fulfilled, organizations should securely delete or de-identify the information.
Complaints: Individuals should have a mechanism to raise concerns and complaints about the accuracy and quality of their personal information. Organizations should have procedures in place for handling such complaints.
APP 11 - Security of Personal Information#
Organizations must take reasonable steps to protect personal information from misuse, interference, loss, unauthorized access, modification, or disclosure.
Key elements of APP 11 include:
Data Security Measures: Organizations must implement measures to safeguard personal information. These measures may include encryption, access controls, firewalls, and secure storage.
Risk Assessment: Organizations should conduct regular risk assessments to identify potential security threats and vulnerabilities to personal information. This includes considering both internal and external risks.
Data Breach Response: In the event of a data breach that could result in harm to individuals, organizations are required to take immediate action. This includes containing the breach, assessing the impact, and notifying affected individuals and the Office of the Australian Information Commissioner (OAIC) where required.
Access Control: Limiting access to personal information is crucial. Organizations should ensure that only authorized personnel have access to such data, and access should be based on a need-to-know basis.
Staff Training: Staff handling personal information should be adequately trained on data security practices and privacy policies. This includes educating employees about the risks of mishandling personal information.
Third-Party Data Processors: When using third-party service providers to handle personal information, organizations remain responsible for the security of that data. Contracts with service providers should include data protection provisions.
Physical Security: For physical records containing personal information, organizations should have measures in place to prevent unauthorized access, such as locked filing cabinets and restricted access areas.
Incident Response Plan: Organizations should develop and maintain an incident response plan to address security breaches promptly. This plan should outline procedures for identifying, assessing, and mitigating security incidents.
Regular Audits and Reviews: Regularly auditing and reviewing data security practices and policies is essential to ensure ongoing compliance and identify areas for improvement.
Documenting Security Measures: Organizations should document the security measures in place to protect personal information. This documentation may be requested by regulators as evidence of compliance.
APP 12 - Access to Personal Information#
Individuals have the right to access their personal information held by organizations and request corrections if necessary.
Key elements of APP 12 include:
Request for Access: Individuals have the right to request access to their personal information held by an organization. These requests must be made in writing, and the organization is required to verify the identity of the requester before providing access.
Reasonable Access: Organizations must provide individuals with access to their personal information unless there is a valid reason to refuse access. Valid reasons may include legal obligations or exceptions provided for by law.
Timely Response: Organizations should respond to access requests promptly and without undue delay. In most cases, access should be granted within 30 days of the request. If more time is needed, the individual should be informed of the reasons for the delay.
Access Process: The process for requesting access should be straightforward and clearly communicated to individuals. This includes providing information about how to make a request and the expected timeframe for a response.
Correction and Amendment: If individuals discover that their personal information is inaccurate, incomplete, or out-of-date, they have the right to request corrections. Organizations must respond to such requests and, if necessary, amend the information.
Refusal of Access: Organizations may refuse access in certain circumstances, such as if it would pose a serious threat to the health or safety of an individual, if it would reveal commercially sensitive information, or if it is prohibited by law.
Charges for Access: In some cases, organizations may charge a reasonable fee for providing access to personal information. This fee should be clearly communicated to the individual before proceeding.
Record Keeping: Organizations should keep records of access requests, including details of the request, the response, and any amendments made to personal information.
Third Parties: If an individual requests access to their information and it contains personal information about another individual, organizations must consider the rights and privacy of the other person. This may involve redacting or withholding certain information.
Appeals: Individuals have the right to appeal a decision to refuse access to their personal information. There should be a clear process for handling such appeals.
APP 13 - Correction of Personal Information#
If an individual believes their personal information is incorrect, they can request corrections.
Key elements of APP 13 include:
Correction Requests: Individuals have the right to request corrections to their personal information held by an organization. These requests should be made in writing, and the organization is required to take reasonable steps to correct the information.
Verification: Organizations should verify the identity of the individual making the correction request to ensure that the request is legitimate.
Timely Response: Organizations are expected to respond to correction requests promptly. Corrections should be made without undue delay, usually within 30 days of receiving the request.
Correction Process: The process for requesting corrections should be clear and accessible to individuals. Organizations should provide information about how to make a correction request and the expected timeframe for a response.
Reasonable Steps: Organizations are required to take reasonable steps to correct personal information if they are satisfied that it is inaccurate, out-of-date, incomplete, or irrelevant.
Refusal to Correct: If an organization refuses to correct personal information as requested by an individual, it must provide written notice of the refusal. The notice should include reasons for the refusal and details about how the individual can complain about the refusal.
Notification of Correction: Once corrections are made, the organization should notify the individual and any third parties to whom the corrected information has been disclosed. This is particularly important if the corrected information was previously inaccurate.
Records of Correction: Organizations should keep records of correction requests and actions taken to correct personal information.
Review of Decisions: Individuals have the right to request a review of a decision made by an organization not to correct their personal information. Organizations should have a clear process for handling such review requests.
Unit 4 subject matter covered:
Explain Australian Privacy Principles (2014) and ethics applicable to the use of personally identifiable or sensitive data from a digital systems perspective [QCAA, 2017]