Australia Privacy Act Rights: Comprehensive Overview
As a business owner, you are most probably aware of privacy regulations such as Europe's GDPR compliance regulations and the Australia Privacy Act.
Both of these regulations provide rights to their consumers. But, you may be wondering what these rights are. In this article, we’ll be reviewing the Australia Privacy Act rights and why they matter for your business.
Understanding how these rights impact your business, the repercussions of not adhering to them, and the steps needed for compliance can help you avoid legal trouble.
This guide will delve into a comprehensive overview of Australia’s Privacy Act Rights, the maximum penalties imposed if there is non-compliance, and much more.
Let's dive right in.
Key Takeaways
- The Australia Privacy Act, in effect since 1989, protects both businesses and their customers.
- Consent is required in most circumstances for businesses to share information.
- Stiff penalties of up to AUD 50 million await businesses found guilty of violating a person's privacy.
Australia Privacy Act Overview
The Australia Privacy Act, passed by the Australian Parliament in 1988 and effective in 1989, was one of the world's first personal data protection laws. It has been amended several times since then to keep up with advancing technologies.
The primary purpose of introducing the Privacy Act 1988 was to promote and protect the privacy of individuals' personal information and regulate how Australian Government agencies, private businesses, and some other organizations may handle individuals' personal data and sensitive information.
Protection of the privacy of personal data safeguards an individual's information from unauthorized access. Not everyone accessing data has good intentions, and with cybercrime such as identity theft on the increase, sensitive data such as banking details, social security numbers, financial records, and health information must remain secure.
Oversight of the Privacy Act rests with the Office of the Australian Information Commissioner (OAIC), which is responsible for dealing with issues covered by the Australia Privacy Act 1988.
Australia Privacy Act penalties of up to AUD 50 million may be administered for severe data breaches or acts of non-compliance.
Bearing this in mind, it's a good idea for any business to stay up to date with the latest regulatory best practices and changes. Making use of an outsourced compliance service provider like Captain Compliance allows your business to remain compliant and stay on the right side of the law.
What Businesses Must Provide These Rights?
The Privacy Act applies to Australian Government agencies, including the Norfolk Island administration, and to businesses or organizations with an annual turnover of more than AUD 3 million, all of which have the responsibility under the Privacy Act to provide the legislated data privacy rights.
The Privacy Act also covers some small business operators with an annual turnover of AUD 3 million or less: those that are a credit reporting body, handle tax file number information, are credit providers, or are private sector health service providers such as private hospitals, day surgeries, medical practitioners, pharmacists and allied health care professionals.
The Privacy Act defines an organization as any of the following businesses or entities: an individual (including sole traders), a body corporate, a partnership, any other unincorporated association, or a trust.
The Australia Privacy Act definition of an organization excludes small business operators, registered political parties, state or territory authorities or any prescribed instrument of a state.
Complementary healthcare businesses, such as therapists, naturopaths, chiropractors, or even weight loss clinics, have the responsibility to ensure the privacy of personal data and sensitive information.
Owners of gyms, child care centers, private schools, private tertiary education institutions and any business that buys and sells personal data all have an obligation to seek consent before sharing any personal information.
Exemptions for Businesses
The Australia Privacy Act does exempt some businesses, as prescribed by the Privacy Regulation 2013, from the obligation to provide data protection and privacy rights to their customers, staff and partners; these businesses may use personal information without needing to obtain consent.
Of particular importance to any business HR department, employee records and personal data pertaining to current and former employment relationships are exempt from the Australia Privacy Act.
Additionally, political parties are now exempt from the Australia Privacy Act, as these are neither government nor commercial entities.
Small business operators with an annual turnover under AUD 3 million are exempt from the Australia Privacy Act rights legislation unless an exception applies, such as being a healthcare provider.
Any media business that is acting in the course of journalism only is also exempt from the Australia Privacy Act. It is worth noting that if the organization also performs other functions besides journalism, then the Australia Privacy Act may apply.
6 Australia Privacy Act Rights
Amendments to the Australia Privacy Act rights were made in 2014 and saw the introduction of a unified set of 13 Australian Privacy Principles applied to the Privacy Act.
The Privacy Act rights help to enforce the Privacy Principles outlined by the Australia Privacy Act. Let's take a look at six of these rights in detail.
Know Why Information is Collected
Businesses often need to access personal information to conduct their work, and the Privacy Act requires businesses to inform consumers of exactly what personal information is collected and why they must collect it.
To ensure corporate compliance by businesses, only personal information that is reasonably necessary for that business should be collected, ensuring complete data privacy. Businesses will also need to ensure an individual's consent is granted if they need sensitive information.
Access Personal Information
A business must adhere to the general rights granted by the Australian privacy law for individuals to access their personal information held by a business. This may include health, marital status or financial information, except where the law allows for refusal of any requests.
For example, a business may refuse access if this will lead to an unreasonable impact on the privacy of other individuals or may pose a threat to the individual.
Businesses generally provide access to information free of charge, but they may charge for providing access, provided the charge is not excessive. Any business that charges must advise the individual of the amount and explain the reasons, such as the cost of locating and retrieving the requested information or associated postage costs.
Option of Not Identifying Yourself
Any business seeking to obtain personal data or sensitive information from customers for marketing or survey purposes needs to be aware that Australian Privacy Principle 2 (APP 2) gives individuals the option of dealing anonymously or by pseudonym with any business defined as an entity by the APP.
A business dealing with any individual must, where applicable, make them aware of their right to deal with the business anonymously or by pseudonym.
Communication of your business's APP Privacy Policy can outline the circumstances in which individuals may deal anonymously or by pseudonym with your business, including relevant procedures for doing so.
Policies may go further and explain how your business manages pseudonyms with the linked personal information and how their choice of anonymity or use of a pseudonym may lead to the provision of a limited service.
However, a business is not required to provide those options where it is obligated or authorized by a court, by law or by a tribunal order to deal with an identified individual, or where it is impractical to deal with an individual who has not identified themselves.
Stop Direct Marketing
Not everyone likes to be contacted without consent, and some businesses can be downright abusive with direct marketing.
Business leaders must be aware that APP 7 provides that a business may only use or disclose a person's 'sensitive information' for direct marketing if that individual has granted consent.
Correct Personal Information
Your customers have the right to correct personal information on file if it is inaccurate, out-of-date, incomplete, irrelevant, or misleading.
An individual has the right to ask your business to amend or annotate a record of their personal information. Your business is obligated to respond to any such request within a reasonable period, typically 30 days.
Make a Complaint
The Privacy Act 1988 provides strict rules regarding handling an individual's personal information. Individuals who feel that their right to the protection of personal data or sensitive information has been violated may contact your business to make a complaint. If they are not satisfied, they are fully entitled to file a complaint with the OAIC.
Australian Privacy Act Right to be Forgotten - Does it Exist?
The Australia Privacy Act does not include the right to be forgotten, but you may still offer this right to consumers if applicable to gain trust.
For those not aware of what the right to be forgotten (RTBF) entails, it means people can have private information (often negative information) removed from online searches and business directories.
One such example is a market research business that keeps personal data that is no longer necessary in relation to the original purpose of collection.
Although the right to be forgotten is currently not offered under the Australia Privacy Act, it may be in the distant future. Australia's Attorney-General's Department (AGD) released a review report early in 2023 proposing many reforms to the Privacy Act, including a 'right to be forgotten,' but at this stage all concerned parties will have to wait and see.
Other Rights Provided Under the Australia Privacy Act
The APP provides consumers with additional rights that are not explicitly stated by the OAIC. Let's look at a few of these important privacy rights to help you ensure that your business is compliant with the relevant privacy legislation.
Right to Know if Information Was Breached
All businesses must comply with Australian privacy law under the Notifiable Data Breaches scheme.
Your business is legally obliged to inform an individual if a data breach is likely to cause serious harm, such as identity theft, which may affect an individual's finances and credit reports and even lead to financial loss from fraudulent activity.
You will have 30 days to assess if the breach is likely to cause serious harm.
Security of Data
It is important to note that APP 11 provides for the security of an individual's personal information: any business holding personal information must take reasonable steps to protect it from loss, theft, misuse and interference.
Right to Sue (for serious breaches)
Serious breaches of an individual's privacy allow them the right to sue. The APP law has a provision for individuals affected by a data privacy breach to seek compensation from the business in question.
For a business, any serious or repeated interference with an individual's privacy can lead to multiple lawsuits, which could incur costs of millions.
Closing
Business owners are well advised to play catch up if they have not been paying attention to the requirements of the Privacy Act.
Not all businesses have the resources and personnel to decipher the often complex requirements of the privacy act to implement, maintain and update their compliance policies and procedures.
Keeping customers' personal data secure is not a once-off task, but adherence to the privacy act should rather be looked at as a mechanism to ensure that all your customers can trust your business to protect their data. This is of particular importance as more and more selling is conducted online.
As a business owner, you are not left alone to tackle these matters, as Captain Compliance offers compliance services to help you achieve the next step in the right direction. Get in touch today and allow us to empower your business to do things right.
FAQs
Why is the Australia Privacy Act needed?
The Australia Privacy Act exists to keep people's personal information safe and sets out the rules for businesses on how exactly they should collect, use, and safely keep this data.
Is it important to be transparent when handling customer information?
APP 1 requires all businesses to be open and transparent about how they handle personal information.
Are individuals allowed to change their details?
Yes, the APP rules tell businesses how to make corrections if and when necessary at an individual's request.
How do data breaches happen?
Data breaches happen. Big business holds plenty of valuable information for hackers, so every effort must be made to be prepared for such theft attempts. Captain Compliance is able to point businesses in the right direction when it comes to data security considerations.
Are there any penalties for noncompliance?
Yes, civil penalties enforced by the OAIC can run up to AUD 50 million. Avoid the nightmare of penalties by calling us first.
Does a preschool business even need to comply with the rules?
Yes, consent is required as sharing of children's personal information can have serious consequences.