Regulations in Australia and New Zealand make it extremely difficult for enterprises to move sensitive information to cloud service providers that store data outside of Australian/New Zealand borders. The Office of the Australian Information Commissioner (OAIC) provides oversight and governance on data privacy regulations of sensitive personal information.
The Australian National Privacy Act of 1988 provides guidance and regulates how organizations collect, store, secure, process, and disclose personal information. Like many of the EU Privacy and Protection Acts, the National Privacy Principles (NPP) listed in the Privacy Act were developed to ensure that organizations holding personal information handle and process it responsibly.
An emphasis is also placed on health care information and health service providers—like the U.S. equivalent, HIPAA. Within the privacy principles, the following components are addressed for personal information:
- Collection
- Use
- Disclosure
- Access
- Correction
- Identification
In addition to the above requirements, the organization must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorized access, modification, or disclosure. Given the vagueness of “reasonable steps,” this can allow for substantial ambiguity and challenge.
Australian Privacy Principles (APPs)
In March 2014, the revised Privacy Amendment Act introduced a set of new principles, focusing on the handling of personal information, now called the Australian Privacy Principles (APPs). The Privacy Amendment Act requires organizations to put in place service-level agreements, with an emphasis on security, that list the right to audit, reporting requirements, data locations permitted and not permitted, who can access the information, and additional information like cross-border disclosure of personal information (e.g., when personal data traverses/leaves Australian/New Zealand borders).
The Australian Privacy Principles (APPs) are summarized below:
- APP 1: Open and transparent management of personal information. Entities must take reasonable steps to implement practices, procedures, and systems that ensure compliance with the APPs. Entities must also make available a privacy policy that addresses a list of prescribed matters.
- APP 2: Anonymity and pseudonymity. Data subjects must have the option of not identifying themselves, or of using a pseudonym, when dealing with entities (except where impracticable).
- APP 3: Collection of solicited personal information. This outlines when the collection of personal data is permitted, including when consent is required.
- APP 4: Dealing with unsolicited personal information. If an entity receives unsolicited personal data, it must determine whether it could have collected the data itself under the APPs. If not, the entity must destroy or deidentify the data.
- APP 5: Notification of the collection of personal information. Entities must take reasonable steps to notify data subjects of certain matters at the time personal data is collected, or as soon as is practicable afterwards. Such matters include:
  - The entity’s contact details
  - The purpose for which the entity collected the data
- APP 6: Use or disclosure of personal information. Subject to certain exceptions, if an entity holds personal data collected for a particular purpose, it must not use or disclose that information for another purpose without the data subject’s consent.
- APP 7: Direct marketing. Entities must not use or disclose personal data for direct marketing unless an exception applies. Where direct marketing is permitted, entities must always provide a means for the data subject to opt out of direct marketing communications.
- APP 8: Cross-border disclosure of personal information. Subject to certain exceptions, before an entity discloses personal data to a third party located outside of Australia, the entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs. In certain circumstances, the entity can be deemed liable for any breach of the APPs committed by the overseas recipient.
- APP 9: Adoption, use, or disclosure of government-related identifier. Entities are restricted in the way they can use and disclose government-related identifiers (such as tax file numbers and Medicare numbers).
- APP 10: Quality of personal information. Entities must take reasonable steps to ensure that the personal data they collect, use, or disclose is accurate, up to date, and complete.
- APP 11: Security of personal information. Entities must take reasonable steps to protect the personal data they hold from misuse, interference, and loss, and from unauthorized access, modification, or disclosure. Entities must also destroy or deidentify personal data if they no longer need it for any purpose for which it could be used or disclosed under the APPs.
- APP 12: Access to personal information. Subject to certain exceptions, entities must provide data subjects with access to their personal data.
- APP 13: Correction of personal information. Entities must take reasonable steps to correct personal data to ensure it is accurate, up to date, complete, relevant, and not misleading.