Australia Privacy Act of 1988
Regardless of where your business is based, if your business is registered in Australia or you have customers in Australia, you must comply with Australia's Privacy Act of 1988. The Act sets out thirteen privacy principles, known as the Australian Privacy Principles (APPs), which regulate the collection, storage, and management of personal information.
Overview of the Privacy Act 1988
The Australia Privacy Act was enacted in 1988, amended in 2000, and updated again in 2014 and 2022. It is an Australian federal law that governs the management of personal information by private companies with an annual turnover of $3 million or more, Australian government organizations, and health service providers.
The original version of the Australia Privacy Act 1988 applied only to government agencies and to companies that had contracts with government agencies. The 2000 amendment extended the Act to private companies, regardless of whether they held government contracts. The 2014 updates covered entities of any size with a gross income of AUD $3M. In 2022, the updates to the law increased penalties, expanded its reach, and enhanced the enforcement powers of regulators and authorities.
Under the latest version, the maximum penalty for a serious or repeated breach of privacy by a corporation or organization is the greater of the following:
- $50 million,
- 3 times the value of any benefit that the corporation and any related corporation obtained, directly or indirectly, that can reasonably be attributed to the conduct that created the violation, or
- If the court cannot determine the value of the benefit, 30% of the adjusted turnover of the corporation during the breach turnover period for the violation.
The Office of the Australian Information Commissioner (OAIC) is responsible for enforcing the Privacy Act and regulating compliance with it. It has the authority to investigate privacy complaints, conduct audits, publish notices about data breaches when they occur, and impose penalties for non-compliance. The OAIC also has the right to inform individuals affected by a breach.
The Act establishes thirteen privacy principles known as the Australian Privacy Principles (APPs), which regulate the collection, storage, and management of personal information.
Australia Privacy Act of 1988 Principles
- Open and transparent management of personal information. You must be open and transparent with your users about the information you collect and how you use it. Explain the purpose of collecting and using personal information, the ways your users can correct their information, and any possible disclosures to third parties. This principle requires organizations to handle inquiries and complaints. It also requires organizations to have a Privacy Policy describing how personal information is managed, which must be easily available to users.
- Anonymity and pseudonymity. Organizations must give individuals who want to use your service under an anonymous or pseudonymous identity the option to do so, unless it is impossible or impracticable for you. As an exception, a banking or insurance service cannot provide services to anonymous or pseudonymous identities.
- Collection of personal information. You must control how you collect, store, and share personal information. You need to obtain user consent to collect their personal information. Collect it only when reasonably necessary for your business activities or when you have a legitimate interest in doing so. Collect personal information directly from the individual to whom it relates unless that is impracticable.
- Dealing with unsolicited personal information. First, you must decide whether the unsolicited personal information you received could have been collected on grounds permitted by APP 3. If so, you must ensure compliance with the remaining APPs. If not, you must delete or de-identify the personal information.
- Notification of the collection of personal information. You must notify an individual about the collection of personal information before collecting it. You must disclose your company identity and contact details, any changes to your information collection methods, any changes in the purposes of collection, and any Privacy Policy updates.
- Use or disclosure of personal information. You can’t use or disclose personal information for a purpose other than the purpose for which it was collected unless the individual consents.
- Direct marketing. You cannot use personal information for direct marketing purposes unless the individual reasonably expects it or consents to it. You should also offer an “opt out” choice, on a Cookie Banner or by other means, through which the individual can choose not to receive direct marketing messages.
- Cross-border disclosure of personal information. If you disclose personal information to overseas partners, take reasonable steps to ensure that the personal information is handled safely, for example by signing agreements on the management of personal information. You should also inform users when this happens.
- Adoption, use, or disclosure of government-related identifiers. This APP prohibits organizations from adopting, using, or disclosing a government-related identifier unless it is required or authorized by law, it is necessary to verify an individual’s identity, and/or another prescribed exception applies.
- Quality of personal information. You must ensure that the personal information you collect, store, and process is accurate, up-to-date, and complete. Personal information can only be used or disclosed to the extent to which it is relevant to the purpose of the use or disclosure.
- Security of personal information. You must take reasonable steps to protect information from misuse, interference, and loss and from unauthorized access, modification, or disclosure.
- Access to personal information. You must provide an individual, upon request, access to their personal information unless an exception applies.
- Correction of personal information. You must take reasonable steps to correct personal information upon request from an individual for correction when the personal information is inaccurate, out-of-date, incomplete, irrelevant, or misleading.
Personal Information Under the Australia Privacy Act of 1988
The Privacy Act defines personal information as: “Information or an opinion about an identified individual, or an individual who is reasonably identifiable: whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not”.
Personal information is not limited to an individual’s private information; it extends to any information or opinion about an individual’s business or work.
Several different types of personal information are defined in the Act:
- Sensitive information, which includes information or opinion about an individual’s racial or ethnic origin, political opinion, religious beliefs, sexual orientation, or criminal record.
- Health information, which is a kind of sensitive information, related to an individual’s health.
- Credit information.
- Employee record information, and
- Tax file number information.
How to Comply with Australia Privacy Act of 1988?
The easiest and most reliable way to comply with the Australia Privacy Act of 1988 is to use a Consent Management Platform (CMP). CookieScript CMP has helped companies across the globe to achieve data privacy and comply with privacy laws.
CookieScript CMP allows you to easily display a Cookie Consent Banner on your website and obtain user consent, supports banner customization, records all user consents as proof of compliance, provides a Cookie Scanner and a Privacy Policy Generator, supports cross-domain consent sharing, and much more.
Frequently Asked Questions
Does Australia have a data privacy law?
In Australia, data privacy is regulated by the Australia Privacy Act 1988. It is an Australian federal law that governs the management of personal information by private companies with an annual turnover of $3 million or more, Australian government organizations, and health service providers. Use CookieScript CMP to comply with the Australia Privacy Act 1988 and other privacy laws around the globe.
How does the Australia Privacy Act 1988 define personal information?
The Australia Privacy Act 1988 defines personal information as: “Information or an opinion about an identified individual, or an individual who is reasonably identifiable: whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not”. Use CookieScript CMP to protect users’ personal information and comply with the Australia Privacy Act 1988 and other privacy laws.
What are users’ rights under the Australia Privacy Act 1988?
There are thirteen privacy principles known as the Australian Privacy Principles (APPs), which regulate the collection, storage, and management of personal information. CookieScript can help you to follow these principles and comply with the Australia Privacy Act 1988 and other privacy laws.
How to Comply with Australia Privacy Act of 1988?
The easiest and most reliable way to comply with the Australia Privacy Act of 1988 is to use a Consent Management Platform (CMP). CookieScript CMP can help you comply with the Privacy Act: it allows you to easily display a Cookie Consent Banner on your website and obtain user consent, supports banner customization, records all user consents as proof of compliance, provides a Cookie Scanner and a Privacy Policy Generator, and more.