What does APP 1 say?
1.1 The declared object of APP 1 is ‘to ensure that APP entities manage personal information in an open and transparent way’ (APP 1.1). This enhances the accountability of APP entities for their personal information handling practices and can build community trust and confidence in those practices.
1.2 APP 1 imposes three separate obligations upon an APP entity to:
- take reasonable steps to implement practices, procedures and systems that will ensure the entity complies with the APPs and any binding registered APP code, and is able to deal with related inquiries and complaints (APP 1.2)
- have a clearly expressed and up-to-date APP Privacy Policy about how the entity manages personal information (APP 1.3), and
- take reasonable steps to make that policy available free of charge and in an appropriate form (APP 1.5) and, where a person or body requests a copy in a particular form, to give them a copy in that form (APP 1.6)
1.3 APP 1 lays down the first step in the information lifecycle – planning and explaining how personal information will be handled before it is collected. APP entities will be better placed to meet their privacy obligations under the Privacy Act if they embed privacy protections in the design of their information handling practices.
Implementing practices, procedures and systems to ensure APP compliance
1.4 APP 1.2 requires an APP entity to take reasonable steps to implement practices, procedures and systems relating to the entity’s functions or activities that will:
- ensure the entity complies with the APPs and any binding registered APP code (see Part IIIB), and
- enable the entity to deal with inquiries or complaints from individuals about the entity’s compliance with the APPs or such a code
1.5 APP 1.2 imposes a distinct and separate obligation upon an APP entity, in addition to being a general statement of its obligation to comply with other APPs. The purpose of APP 1.2 is to require an entity to take proactive steps to establish and maintain internal practices, procedures and systems that ensure compliance with the APPs. The obligation is a constant one. An entity could consider keeping a record of the steps taken to comply with APP 1.2, to demonstrate that personal information is managed in an open and transparent way.
1.6 The requirement to implement practices, procedures and systems is qualified by a ‘reasonable steps’ test. The reasonable steps that an APP entity should take will depend upon circumstances that include:
- the nature of the personal information held. More rigorous steps may be required as the amount and sensitivity of personal information handled by an APP entity increases
- the possible adverse consequences for an individual if their personal information is not handled as required by the APPs. More rigorous steps may be required as the risk of adversity increases
- the nature of the APP entity. Relevant considerations include an entity’s size, resources and its business model. For example, the reasonable steps expected of an entity that operates through franchises or dealerships, or gives database and network access to contractors, may differ from the reasonable steps required of a centralised entity
- the practicability, including time and cost involved. A ‘reasonable steps’ test recognises that privacy protection must be viewed in the context of the practical options available to an APP entity. However, an entity is not excused from implementing particular practices, procedures or systems by reason only that it would be inconvenient, time-consuming or impose some cost to do so. Whether these factors make it unreasonable to take a particular step will depend on whether the burden is excessive in all the circumstances
1.7 The following are given as examples of practices, procedures and systems that an APP entity should consider implementing:
- procedures for identifying and managing privacy risks at each stage of the information lifecycle, including collection, use, disclosure, storage, destruction or de-identification
- security systems for protecting personal information from misuse, interference and loss and from unauthorised access, modification or disclosure (such as IT systems, internal access controls and audit trails) (see also Chapter 11 (APP 11))
- a commitment to conducting a Privacy Impact Assessment (PIA) for new projects in which personal information will be handled, or when a change is proposed to information handling practices. Whether a PIA is appropriate will depend on a project's size, complexity and scope, and the extent to which personal information will be collected, used or disclosed
- procedures for identifying and responding to privacy breaches, handling access and correction requests and receiving and responding to complaints and inquiries
- procedures that give individuals the option of not identifying themselves, or using a pseudonym, when dealing with the entity in particular circumstances (see also Chapter 2 (APP 2))
- governance mechanisms to ensure compliance with the APPs (such as designated privacy officers and regular reporting to the entity’s governance body)
- regular staff training and information bulletins on how the APPs apply to the entity, and its practices, procedures and systems developed under APP 1.2
- appropriate supervision of staff regularly handling personal information, and reinforcement of the entity’s APP 1.2 practices, procedures and systems
- mechanisms to ensure that agents and contractors in the service of, or acting on behalf of, the entity comply with the APPs
To keep the APP Privacy Policy current and effective, an APP entity could also:
- include a notation on the policy indicating when it was last updated
- invite comment on the policy to evaluate its effectiveness, and explain how any comments will be dealt with
APP 1.4 requires an APP Privacy Policy to contain the following information:
- the kinds of personal information collected and held by the entity (APP 1.4(a))
- how personal information is collected and held (APP 1.4(b))
- the purposes for which personal information is collected, held, used and disclosed (APP 1.4(c))
- how an individual may access their personal information and seek its correction (APP 1.4(d))
- how an individual may complain if the entity breaches the APPs or any registered binding APP code, and how the complaint will be handled (APP 1.4(e))
- whether the entity is likely to disclose personal information to overseas recipients (APP 1.4(f)), and if so, the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy (APP 1.4(g))
1.16 Further guidance on each of these items is set out below.
Kinds of personal information collected and held
1.18 ‘Sensitive information’ collected or held by the entity could be separately listed (‘sensitive information’ is defined in s 6(1) and discussed in Chapter B (Key concepts)). For example, a policy may list sensitive information relating to ‘health information about an individual’, ‘racial or ethnic origin’, ‘criminal records’, ‘religious affiliation’ and ‘political opinions.’
How personal information is collected and held
1.20 The policy must describe an APP entity’s usual approach to holding personal information. This should include how the entity stores and secures personal information. For example, the policy may explain that personal information is stored by a third party data storage provider, or is combined or linked to other information held about an individual. The description of security measures should not provide details that jeopardise the effectiveness of those measures.
Purposes for which the entity collects, holds, uses and discloses personal information
Accessing and seeking correction of personal information
The policy should explain:
- that individuals have a right to request access to their personal information and to request its correction (APPs 12 and 13), and
- the position title, telephone number, postal address and email address of a contact person for requests to access and correct personal information. An APP entity could establish a generic telephone number and email address that will not change with staff movements (for example email@example.com)
1.25 An APP entity may have other specific access or correction obligations outside the Privacy Act (for example the Consumer Data Right under Part IVD of the Competition and Consumer Act 2010). In such cases, the APP entity could also refer or explain those obligations where appropriate.
Complaints about a breach of the APPs or a binding registered APP code
Likely overseas disclosures
1.30 An APP entity is required to set out in the policy only likely disclosures of personal information to overseas recipients, and not likely uses of personal information by the entity. For example, routing personal information, in transit, through a server located outside Australia would usually be considered a ‘use’. Similarly, it would also be a use and not a disclosure for an entity to make personal information accessible to an overseas office of the entity, such as a consular office. For further discussion of the requirements applying to a cross-border disclosure of personal information, and what is considered a disclosure, see Chapter 8 (APP 8).
1.31 An example of when it may be impracticable to specify the countries in which overseas recipients of personal information are likely to be located is where personal information is likely to be disclosed to numerous overseas recipients and the burden of determining where those recipients are likely to be located is excessively time-consuming, costly or inconvenient in all the circumstances. However, an APP entity is not excused from specifying the countries by reason only that it would be inconvenient, time-consuming or impose some cost to do so. As in other examples, it is the responsibility of the entity to be able to justify that this is impracticable.
1.35 The following are examples of other information that could be included:
- any exemptions under the Privacy Act that apply to personal information held by the entity or to any of its acts or practices
- whether the APP entity retains a record of personal information about all individuals (or categories of persons) with whom it deals
- who, other than the individual, can access personal information, and the conditions for access
- if the entity interacts with and collects personal information about a vulnerable segment of the community (such as children), the criteria that will be applied and the procedure that will be followed in collecting and holding that personal information
- the situations in which a person can deal with the entity by not identifying themselves or by using a pseudonym (see APP 2, Chapter 2)
- information retention or destruction practices or obligations that are specific to the entity
1.38 Online publication may not be appropriate in some circumstances, for example where the APP entity does not have an online presence, or where individuals who regularly interact with the entity may not have internet access. In these circumstances, options that an entity should consider include:
- displaying the policy on a stand at the entity’s premises, so that it can be seen by members of the public
- distributing a printout of the policy on request
- including details about how to access the policy at the bottom of all correspondence to individuals
- where the entity interacts with individuals by telephone, informing them during the telephone call of how the policy may be accessed in a particular form
1.40 The reference to a ‘body’ requesting a copy of a policy makes it clear that a request may be made other than by an individual or entity that is subject to the Privacy Act.
Whether it is reasonable to provide a copy of the policy in the particular form requested will depend on circumstances that include:
- other steps taken by the entity to make its policy publicly available and accessible
- the practicability, including time and cost involved. However, an entity is not excused from providing a copy in a particular form by reason only that it would be inconvenient, time-consuming or impose some cost to do so. Whether these factors make it unreasonable to take a particular step will depend on whether the burden is excessive in all the circumstances
- the sensitivity of the personal information held. More rigorous steps may be required where the entity holds ‘sensitive information’ (defined in s 6(1) and discussed in Chapter B (Key concepts)) or information of a sensitive nature
- whether the entity has unique or unusual information handling practices
- any reasons given by the body or person for requesting the policy in a particular form
- any special needs of the body or person requesting the policy. For example, it may be reasonable to provide the policy in a form that can be accessed via assistive technology where this meets the requester’s special needs
1.43 If a request for access in a particular form is declined, the APP entity should explain this decision to the person or body making the request. The entity should be prepared to undertake reasonable consultation with the requester about the request.