- Who this privacy law applies to;
- How it defines personal information;
- The rights that this law provides to consumers;
- The penalties for non-compliance.
Who does the Australia Privacy Act 1988 apply to?
Most privacy laws are broad in the sense that they apply to businesses outside of the state or country in which they were enacted, and the Australia Privacy Act 1988 is no exception to the rule. This privacy law applies to Australian Government agencies and to organizations with an annual turnover of more than AUD $3,000,000. The law defines “organization” as:
- An individual, including a sole trader (acting in a commercial capacity);
- A body corporate;
- A partnership;
- Any other unincorporated association; or
- A trust.
While this privacy law primarily applies to medium and large businesses due to the revenue requirement, it is important to note that there are a few exceptions which require certain small businesses to comply as well. The following small businesses with an annual turnover of AUD $3,000,000 or less need to comply with this privacy law:
- A private-sector health care provider – an organization that provides a health service, which includes:
  - A traditional health care provider (hospital, medical practitioner, or pharmacy);
  - A complementary therapist, such as a naturopath or a chiropractor;
  - A gym or weight loss clinic;
  - A childcare center, a private school, or a tertiary educational institution.
- A business that sells or purchases personal information;
- A credit reporting body;
- A contracted service provider for an Australian Government contract;
- An employee association registered or recognized under the Fair Work (Registered Organisations) Act 2009;
- A business that has opted in to the Privacy Act 1988;
- A business that is related to a business that is covered by this privacy law;
- A business prescribed by the Privacy Regulation 2013.
In addition, organizations formed outside of Australia may need to comply with this law, regardless of revenue, if they have an Australian link. Your organization has an Australian link if it carries on business in Australia and collects or holds personal information in Australia. In assessing whether an entity carries on business in Australia, the following factors need to be considered:
- The entity has a place of business in Australia;
- People who undertake business acts for the entity are located in Australia;
- The entity has a website that offers goods or services to Australian consumers;
- Australia is one of the countries on the drop-down menu appearing on the entity’s website;
- Web content that forms part of carrying on the business was uploaded by or on behalf of the entity, in Australia;
- Business or purchase orders are assessed or acted upon in Australia; or
- The entity is the registered proprietor of trademarks in Australia.
How does this law define personal information?
The Australia Privacy Act 1988 defines personal information as information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not the information is true and whether or not it is recorded in material form. This covers a broad range of information that could be used to identify someone. Examples of personal information include:
- An individual’s name, signature, address, phone number or date of birth;
- Sensitive information such as racial or ethnic origin, political opinions and associations, religious or philosophical beliefs or criminal record;
- Credit information;
- Employee record information;
- Internet protocol (IP) addresses;
- Voice print and facial recognition biometrics;
- Location information from a mobile device.
If you are collecting any of the personal information stated above and the law applies to your organization (whether because it is an Australian organization or because it has an Australian link), you need to honor the privacy rights given to consumers under this law.
The consumer rights provided under the Australia Privacy Act 1988
Privacy laws often provide consumers with certain rights when it comes to the collection, use and disclosure of their personal information by businesses. This privacy law provides the following privacy rights to Australians:
- Know why their personal information is being collected, how it will be used and who it will be disclosed to;
- Have the option of not identifying oneself, or of using a pseudonym in certain circumstances;
- Ask for access to their personal information;
- Stop receiving unwanted direct marketing;
- Ask for their personal information that is incorrect to be corrected;
- Make a complaint about an organization or agency the Privacy Act covers, if the consumer thinks that the organization or agency mishandled the consumer’s personal information.
To give effect to these rights, an organization covered by this law must also have a clearly expressed and up-to-date privacy policy that states:
- Your name and details;
- What kinds of personal information you collect and store;
- How you collect the personal information and where it is stored;
- The reasons why you need to collect the personal information;
- How you will use and disclose the personal information;
- How a consumer can access their personal information or ask for a correction;
- How to lodge a complaint if a consumer believes that their personal information has been mishandled and how you will handle that complaint;
- If you are likely to disclose the consumer’s personal information outside of Australia and, if practical, which countries you are likely to disclose it to.
Penalties for non-compliance
The Australia Privacy Act 1988 can impose civil penalties for serious or repeated interferences with privacy; at the time of writing, the maximum was AUD $2,100,000 for a body corporate. Note that amendments passed in December 2022 substantially increased the maximum penalty for bodies corporate, so the current cap should be confirmed against the Act as in force.
Donata is the Co-founder and President of Termageddon, an auto-updating generator of website and application policies. She is a licensed attorney and Certified Information Privacy Professional. She also serves as the Vice-Chair of the American Bar Association’s ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals. In her free time, Donata enjoys beekeeping, hunting for morel mushrooms, and walks with her husband and two dogs.