There are legal requirements for large companies, and for companies that hold sensitive information about the public (medical businesses, gyms, market research firms, schools, etc.), to protect that data.
Below are all of those requirements, the Australian Privacy Principles (APPs). Numbers 5, 8, 10, 11, and 12 can be specifically questioned in exams.
In summary, companies have a legal obligation to protect your information and keep it private.
APP 1
Open and Transparent Management of Personal Information
Ensures organisations manage personal information openly and transparently, such as having a clear and up-to-date privacy policy that outlines how they collect, use, disclose, and protect personal information.
APP 2
Anonymity and Pseudonymity
Allows individuals to remain anonymous or use pseudonyms when dealing with organisations, except in limited circumstances where the use of personal information is necessary for the organisation to perform its functions or activities.
APP 3
Collection of Solicited Personal Information
Specifies when organisations can collect solicited personal information directly from individuals, and applies higher standards to the collection of sensitive information, ensuring that collection is fair, lawful, and not excessive.
APP 4
Dealing with Unsolicited Personal Information
Outlines how organisations must handle unsolicited personal information, including the requirement to either destroy or de-identify it unless it is later determined that the organisation can lawfully collect and use the information.
APP 5
Notification of the Collection of Personal Information
Organisations must inform individuals about the collection of their personal information at or before the time of collection. This notification should include:
- The entity collecting the information and its contact details.
- The purposes for which the information is being collected.
- Whether the provision of the information is mandatory or voluntary.
- Consequences, if any, of not providing the information.
- Any overseas recipients to whom the information may be disclosed.
- Individuals’ rights to access and correct their personal information.
APP 6
Use or Disclosure of Personal Information
Defines the conditions under which organisations may use or disclose personal information they hold, ensuring that such use or disclosure is for a purpose that is related to the collection of the information or a purpose that the individual would reasonably expect.
APP 7
Direct Marketing
Restricts the use and disclosure of personal information for direct marketing purposes to specific conditions, including obtaining the individual’s consent and providing them with an easy way to opt out of receiving further marketing communications.
APP 8
Cross-Border Disclosure of Personal Information
Before disclosing personal information to an overseas recipient, organisations must take reasonable steps to ensure that:
- The recipient is bound by privacy laws or commitments that are at least equivalent to the Australian Privacy Principles.
- Appropriate mechanisms are in place to protect the personal information from misuse, interference, unauthorised access, modification, or disclosure.
- Individuals are notified of the cross-border disclosure and provided with details about the overseas recipient and the protections in place.
APP 9
Adoption, Use, or Disclosure of Government-Related Identifiers
Limits the circumstances under which organisations can adopt, use, or disclose government-related identifiers, such as Australian driver licence numbers or tax file numbers, to protect individuals’ privacy and prevent misuse.
APP 10
Quality of Personal Information
Organisations must take reasonable steps to ensure that the personal information they collect, use, or disclose is:
- Accurate: The information must reflect the current facts and be kept up-to-date. If inaccurate information is detected, organisations should take steps to correct it.
- Complete: The information should be sufficient to fulfil the purpose for which it was collected and, where necessary, be supplemented with additional information.
- Relevant: The information must be pertinent and directly related to the purpose for which it is being used or disclosed.
- Up-to-date: Organisations should take reasonable steps to ensure that personal information is kept current, particularly if changes are likely to affect decisions made about the individual.
APP 11
Security of Personal Information
Organisations must take reasonable steps to protect personal information they hold from misuse, interference, and loss, as well as unauthorised access, modification, or disclosure. This includes:
- Implementing physical, technical, and administrative security measures to safeguard personal information.
- Regularly reviewing and updating security practices to address emerging risks and new technologies.
- Ensuring that contractors, agents, and third-party service providers who handle personal information are bound by appropriate privacy and security obligations.
- Responding promptly to security breaches and taking steps to mitigate any harm to affected individuals.
APP 12
Access to Personal Information
Requires organisations, when an individual asks, to give that individual access to the personal information held about them, subject to limited exceptions, and to respond to the request within a reasonable period.
APP 13
Correction of Personal Information
Specifies an organisation’s obligations to correct personal information it holds when requested by an individual, ensuring that the information is accurate, up-to-date, and complete, and taking reasonable steps to communicate any corrections to relevant parties.
If companies or organisations break any of these rules, the Australian Information Commissioner can investigate. In the first instance, the Commissioner will issue recommendations. For serious breaches or wilful neglect there can be penalties.
Notifiable Data Breaches
A data breach occurs when personal information an organisation holds is lost or subjected to unauthorised access or disclosure. For example, when:
- a device with a customer’s personal information is lost or stolen
- a database with personal information is hacked
- personal information is mistakenly given to the wrong person.
When a data breach occurs, it should be reported to the Office of the Australian Information Commissioner.