Information Requirements, Data Subject Rights, Accountability and Governance
What information needs to be included in a privacy notice to data subjects?

Last review date: 31 December 2024

  • the identity and the contact details of the controller and, where applicable, of the controller's representative
  • the purposes of the processing for which the personal data is intended
  • the legal basis for the processing
  • the categories of personal data concerned
  • the source from which the personal data originates and, if applicable, whether it came from publicly accessible sources
  • the recipients or categories of recipients of the personal data, if any
  • information regarding data transfers to third countries, where applicable, and reference to appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available
  • the existence of data subjects' rights, such as the right to access, rectification, erasure, data portability, etc.
  • how the data is held
  • the right to lodge a complaint with a supervisory authority
  • whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data
  • other

A privacy policy must also state how an APP entity holds personal information it has collected.

Regarding the above-ticked boxes, there are some nuances. Most notably, Australia has separate requirements for a privacy policy to be made available and for individuals to be provided with a collection notice. In practice, businesses sometimes use one document as both a privacy policy and a collection notice. The required minimum content for privacy policies and collection notices is similar, but there are some differences:

  • APP 1 (requirement for a privacy policy): this requires an APP entity to have a clearly expressed and up-to-date policy (privacy policy) about the management of personal information by the entity which, at a minimum, contains the following information:
    • The kinds of personal information that the entity collects and holds
    • How the entity collects and holds personal information
    • The purposes for which the entity collects, holds, uses and discloses personal information
    • How an individual may access personal information about the individual that is held by the entity and seek the correction of such information
    • How an individual may complain about a breach of the APPs, or a registered APP code (if any) that binds the entity, and how the entity will deal with such a complaint
    • Whether the entity is likely to disclose personal information to overseas recipients
    • If the entity is likely to disclose personal information to overseas recipients - the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy
  • APP 5 (requirement for a collection notice): this requires that when an APP entity collects personal information about an individual, the APP entity must take reasonable steps to notify the individual of certain matters or to otherwise ensure that the individual is aware of such matters. The information which must be provided is:
    • The identity and contact details of the APP entity
    • If the APP entity collects the personal information from someone other than the individual, or the individual may not be aware that the APP entity has collected the personal information - the fact that the entity so collects, or has collected, the information and the circumstances of that collection
    • If the collection of the personal information is required or authorized by or under an Australian law or a court/tribunal order - the fact that the collection is required or authorized (including the name of the Australian law, or details of the court/tribunal order)
    • The purposes for which the APP entity collects the personal information
    • The main consequences (if any) for the individual if all or some of the personal information is not collected by the APP entity
    • Any other APP entity, body or person, or the types of any other APP entities, bodies or persons, to which the APP entity usually discloses personal information of the kind collected by the entity
    • That the APP privacy policy of the APP entity contains information about how the individual may:
      • Access the personal information about the individual that is held by the entity and seek the correction of such information
      • Complain about a breach of Australian privacy laws, and how the entity will deal with such a complaint
      • Whether the APP entity is likely to disclose the personal information to overseas recipients and if so, the countries in which such recipients are likely to be located if it is practicable to specify this

The Privacy Act does not currently require privacy notices or policies to specify that an individual can lodge a complaint with a regulator. However, the APP Guidelines recommend doing so, and this is best (and common) practice.

Credit providers who collect or hold credit-related personal information are also required to have a credit reporting policy and provide certain other notices to individuals.

Additional notices are required under surveillance laws in certain circumstances (e.g., to establish a basis for implied consent to surveillance of private conversations or activities or as a specific requirement under workplace surveillance laws).

The review of the Privacy Act considered the requirements around notice of collection of personal information. Among other things, the report on the review proposed – and the government agrees in-principle (subject to further consultation) – to:

  • Introduce an express requirement in APP 5 that requires collection notices to be clear, up-to-date, concise, and understandable, and that appropriate accessibility measures should also be in place
  • Supplement OAIC guidance on notices
  • Require additional matters to be covered by privacy notices:
    • If the entity collects, uses or discloses personal information for a high privacy risk activity – the circumstances of that collection, use or disclosure
    • That the APP privacy policy contains details on how to exercise any applicable rights of the individual, and
    • The types of personal information that may be disclosed to overseas recipients
  • Standardize terminology, icons, templates and layouts for privacy policies and collection notices, potentially on a sectoral basis.

The Tranche 1 reforms of the Privacy Act require privacy policies to include information about automated decision-making involving personal information. This change will come into effect on 10 December 2026.

Do data subjects have specific privacy rights that must be operationalized?

Last review date: 31 December 2024

☒ Yes

Data subjects have the following data privacy rights, although the specifics of the scope and conditions for each of these vary depending on the circumstances and local law:

  • right to access the data subject's own personal data
  • right to rectify/correct the data subject's own personal data where inaccurate or incomplete
  • right to withdraw consent
  • other

Individuals can also make complaints to APP entities about perceived breaches of privacy laws. The OAIC is empowered (and required) to investigate complaints made to it by individuals (although the Privacy Act does not phrase these points in terms of "data subject rights").

Key individual rights under the MHR Act are to determine who has access to their My Health Record using access controls and to request permanent deletion of their My Health Record.

Certain limited rights to data portability have been phased in for the banking and energy sectors under the CDR regime from 1 July 2020 onwards, with the system being extended to more data and more entities as time goes on. The government has also considered extending the system but plans to cover the superannuation, insurance and telecommunications sectors have been paused in order to focus on maturing the existing CDR regime.

Individuals may also have rights under State and Territory public sector privacy laws, health records laws, surveillance and telecommunications laws.

The report on the review of the Privacy Act recommends – and the government agrees in principle (subject to further consultation) – to expand individuals' rights. The expanded set of rights would include rights to:

  • Access, and receive an explanation about, the individual's personal information on request
  • Object to the collection, use or disclosure of personal information
  • Erasure of personal information
  • Correction of personal information, including in generally available publications online controlled by an APP entity
  • De-indexing of online search results containing sensitive information, personal information about a child, excessively detailed personal information and inaccurate, outdated, incomplete, irrelevant or misleading personal information

The government also agrees that there should be a right for individuals to request meaningful information about how substantially automated decisions with legal or similarly significant effect are made.

Are there accountability and governance requirements?

Last review date: 31 December 2024

☒ Yes

There are accountability and governance requirements to:

  • take privacy by default and design measures for all processing of personal data

While it is not mandatory to conduct privacy impact assessments, this is recommended for new projects and would form part of APP 1 compliance (and in fact the OAIC has issued a range of guidance on privacy impact assessments to assist organizations). The OAIC has recently highlighted in further guidance that it is best practice for organizations considering using facial recognition technology to undertake a privacy impact assessment to identify potential privacy impacts at the outset.

  • maintain a record of processing activities
  • implement appropriate measures to comply with data privacy and security
  • demonstrate compliance with data privacy and security
  • provide training to employees
  • other

An APP entity must take such steps as are reasonable in the circumstances to implement practices, procedures and systems relating to the entity's functions or activities that will:

  • Ensure that the entity complies with the Australian Privacy Principles and a registered APP code (if any) that binds the entity
  • Enable the entity to deal with inquiries or complaints from individuals about the entity's compliance with the Australian Privacy Principles or such a code

This will typically entail undertaking the activities selected above. Furthermore, certain sectoral laws may specifically require certain of these activities be undertaken (e.g., telecommunications laws require designated service providers to retain certain subscriber and communications information).

The report on the review of the Privacy Act includes proposals that would affect accountability and governance matters, including the following proposals, which the government has agreed to in principle (subject to further consultation):

  • An APP entity should be required to determine and record the purposes for which it will collect, use and disclose personal information at or before the time of collection. If an APP entity wishes to use or disclose personal information for a secondary purpose, it should have to record that secondary purpose at or before the time of undertaking the secondary use or disclosure.
  • APP entities should be required to appoint or designate a senior employee responsible for privacy within the entity.
  • APP entities should be required to conduct a privacy impact assessment for activities with high privacy risks.

These proposals are expected to be addressed in later reforms to the Privacy Act.