The Office of the Australian Information Commissioner (OAIC) has published initial draft guidelines that give a good indication of how to interpret the first five of the thirteen Australian Privacy Principles (APPs). The APPs form the foundation of the Privacy Amendment (Enhancing Privacy Protection) Act 2012, which comes into effect on 12 March 2014.
- APP 1: Open and Transparent Management of Personal Information
APP entities will be deemed accountable for taking proactive steps to manage risks to data at every stage from collection, use and storage to destruction. Emphasis is placed on the importance of IT security systems, privacy impact assessments for new projects and procedures for reporting breaches. Also important are easily accessible and up-to-date privacy policies.
- APP 2: Anonymity and Pseudonymity
It is anticipated that individuals will have the right to deal with organisations without being identifiable from the data they provide, either by opting not to provide personal information or by providing a different name, term or descriptor. The aim is to give individuals greater control over their personal information; it is also seen as a way of helping organisations reduce their compliance burden. Organisations would need to state prominently when it is not necessary for an individual to provide personal information.
- APP 3: Collection of Solicited Personal Information
APP entities will only be able to solicit personal information from other entities where it is reasonably necessary for, or directly related to, the entity's functions or activities. There will also be an additional obligation to seek explicit, direct consent from individuals when soliciting sensitive personal data, except (a) where it is permitted by law, (b) where a permitted general situation exists, (c) where a permitted health situation exists, (d) for an enforcement activity, or (e) by a non-profit organisation.
- APP 4: Dealing with Unsolicited Personal Information
This principle addresses how an organisation should deal with data that it has not actively sought to collect but that nonetheless falls within its control, such as information it receives that is surplus to its functions. If the data could not have been collected under APP 3, it must be either destroyed or de-identified.
- APP 5: Notification of the Collection of Personal Information
Before or at the time of collecting any personal information, organisations will be expected to ensure that individuals are fully informed of the APP entity's identity, the purpose of the collection, the consequences if the information is not collected, and any intended disclosure.
Further draft guidelines are expected over the next few weeks and will cover the remaining APPs, which deal with topics including direct marketing, cross-border disclosure of personal information and data security.