APPs & codes

Australian businesses and some overseas organisations are bound by the Australian Privacy Principles (the APPs) or an approved privacy code. Failure to follow the APPs constitutes an interference with the privacy of an individual, to which sanctions apply.

Australian Privacy Principles

The APPs set out a minimum standard for the fair handling of personal information by private sector organisations. The 13 APPs cover everything from the collection and use of information to data quality and access rights.

We've provided a summary of the APPs and how they may affect you.

Who, what & when?

Who does the Privacy Act apply to?

The Privacy Act (the Act) and the APPs apply to government agencies and to private sector organisations with a link to Australia, including:

  • individuals who collect, use or disclose personal information in the course of a business. For example, a sole trader's business activities will be regulated (unless it's a small business), but information gathered outside business activities won't be;
  • bodies corporate; and
  • partnerships, unincorporated associations and trusts – any act or practice of a partner, committee member or trustee is attributed to the organisation.

Organisations outside Australia must comply with the provisions in some circumstances, particularly when information is collected in Australia. Sending information out of Australia is also regulated.

There are also exemptions, and the APPs usually don't cover:

  • employee records;
  • a small business operator;
  • a registered political party;
  • a media organisation; and
  • certain transfers of personal information between related bodies corporate.

What is protected?

The Act regulates the way in which organisations collect, handle, disclose, use and store personal information. Personal information is basically any information – including an opinion – that identifies or can reasonably be used to identify a person. It could simply be their name, address, telephone number or date of birth. There are extra protections for sensitive information, such as information about an individual's race, sexual preference or health.

What is required?

The Act requires that organisations must take reasonable steps to implement practices and procedures that comply with the APPs and any registered APP code that binds the organisation. Organisations must have a clear, up-to-date and freely available privacy policy that details how they will comply with the APPs.

What are the consequences of breaching the Act?

Under the amended Privacy Act, the Privacy Commissioner has additional investigation and audit powers, as well as the power to accept enforceable undertakings, develop and register binding privacy codes, and commence proceedings in the Federal Court or the Federal Magistrates Court.

If an entity engages in serious or repeated breaches of the APPs or a registered privacy code, the Commissioner may apply to the Federal Court or the Federal Magistrates Court for an order that the entity pay a penalty of up to $1.7 million for corporations (up to $340,000 for individuals).

Credit Reporting

The 2014 amendments to the Privacy Act also introduced a new credit reporting regime, under which credit reporting bodies can collect 'positive' data about individuals, including repayment history information. The regime also provides significant new protections for individuals in relation to their credit information, including a strengthened complaint process.

Approved Privacy Codes

One of the aims of the initial private sector privacy laws was to encourage private sector organisations to develop binding industry-wide codes of practice for handling personal information. In practice, very few codes have been developed and approved by the Privacy Commissioner.

The only code currently in force is the Credit Reporting Code, although the Association of Market and Social Research Organisations is developing a code that would set out how its members would apply the APPs.