The Australian Privacy Commissioner, Mr Timothy Pilgrim, said the second stage of these draft Guidelines gives guidance about new requirements for agencies and organisations in areas such as how they use or disclose personal information, undertake direct marketing activities and send data off-shore.
‘The Direct Marketing Principle, APP 7, says that organisations may only use or disclose personal information for direct marketing purposes in particular circumstances. Generally, this will be where the individual has a reasonable expectation that their information will be used for direct marketing or where the individual has consented to their information being used for this purpose. Organisations must also give people a simple means to opt-out of receiving further communications,’ Mr Pilgrim said.
Another significant area of change is the off-shore disclosure of data, covered in APP 8. New accountability requirements will apply to organisations (including Australian Government agencies) that send personal information to an overseas recipient. Australian organisations will generally remain accountable for the handling of the personal information by the overseas recipient.
‘I understand that being held accountable for the mishandling of personal information disclosed to an organisation overseas may be a concern. However, I imagine the cost of an overseas data breach (that includes the costs of remediation, loss of reputation and customer trust, and potentially, customers) is equally concerning. These new requirements provide a compelling business case for organisations to protect their business when planning to send personal information overseas,’ Mr Pilgrim said.
These Guidelines will outline how the Office of the Australian Information Commissioner (OAIC) will interpret and apply the APPs, which are central to new privacy laws that commence on 12 March 2014. The consultation on APPs 6 to 11 is open until close of business Monday 21 October 2013. Please send submissions to firstname.lastname@example.org.
The OAIC strongly encourages organisations to channel their feedback on the APP Guidelines through industry associations and peak bodies to ensure that they can be finalised as soon as possible.
Most of the draft APP Guidelines have now been released for public consultation. Consultation on the General Matters and Parts 1 and 2 ended on 20 September 2013. Consultation on Parts 3 and 4 ends on Monday 21 October 2013. Consultation for Part 5 has not yet commenced.
Australian Privacy Principles Guidelines
- Chapter A — Introductory matters
- Chapter B — Key concepts
- Chapter C — Permitted general situations
- Chapter D — Permitted health situations
Part 1 — Consideration of personal information privacy
- Chapter 1 — APP 1 open and transparent management of personal information
- Chapter 2 — APP 2 anonymity and pseudonymity
Part 2 — Collection of personal information
- Chapter 3 — APP 3 collection of solicited personal information
- Chapter 4 — APP 4 dealing with unsolicited personal information
- Chapter 5 — APP 5 notification of the collection of personal information
Part 3 — Dealing with personal information
- Chapter 6 — APP 6 use or disclosure of personal information
- Chapter 7 — APP 7 direct marketing
- Chapter 8 — APP 8 cross-border disclosure of personal information
- Chapter 9 — APP 9 adoption, use or disclosure of government related identifiers
Part 4 — Integrity of personal information
- Chapter 10 — APP 10 quality of personal information
- Chapter 11 — APP 11 security of personal information
Part 5 — Access to, and correction of, personal information
- Chapter 12 — APP 12 access to personal information
- Chapter 13 — APP 13 correction of personal information