
Consumer rights provided under the Australia Privacy Act of 1988

The Australia Privacy Act, like most privacy laws across the world, provides certain rights to consumers regarding the collection, use, and disclosure of their personal information by another entity. This article explains what those consumer rights are, so that businesses know they need to address these rights in their Privacy Policy and consumers know how to exercise them.

The privacy principles enshrined in the Australia Privacy Act provide for robust protection of consumer information. The following are the eight consumer rights provided under the Australia Privacy Act of 1988: 

  • Know why their personal information is being collected, how it will be used and who it will be disclosed to;
  • Have the option of not identifying oneself, or of using a pseudonym in certain circumstances; 
  • Ask for access to their personal information;
  • Stop receiving unwanted direct marketing;
  • Ask for their personal information that is incorrect to be corrected;
  • Make a complaint about an organization or agency the Privacy Act covers, if the consumer thinks that the organization or governmental agency mishandled the consumer’s personal information, and 
  • In certain cases, consumers must be notified of a data breach that is likely to result in serious harm to affected individuals. 

Collection of Personal Information

The Australia Privacy Act does not provide a definition for personal information. Rather, it notes that the concept of what personal information means will vary. Generally, information will be considered personal information if it identifies, or could reasonably identify, an individual. The Office of the Australian Information Commissioner’s (OAIC’s) website includes a non-exhaustive list of examples that may qualify as personal information:

  • An individual’s name, signature, address, phone number or date of birth
  • Sensitive information, which includes an individual’s
    • Racial or ethnic origin
    • Political opinions or associations
    • Religious or philosophical beliefs
    • Trade union membership or associations
    • Sexual orientation or practices
    • Criminal record
    • Health or genetic information
    • Some aspects of biometric information 
  • Credit information
  • Employee record information
  • Photographs
  • Internet protocol (IP) addresses
  • Voice print and facial recognition biometrics (because they collect characteristics that make an individual’s voice or face unique) 
  • Location information from a mobile device (because it can reveal user activity patterns and habits). 

The integrity and correction of personal information

Consumers have the right to ask an organization or governmental agency that holds information about them to correct personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading. To do this, consumers should first request access to their personal information from the organization or governmental agency. Only the consumer, or a legal guardian or authorized agent, can request that the information be corrected. The organization or governmental agency then has 30 days to respond to the consumer’s request. If the organization or governmental agency refuses to honor the request, it must alert the consumer in writing of the reasons for refusing to correct the personal information. That written response must also state that the consumer has the right to request that a statement be associated with their personal information, and must explain how the consumer can file a complaint with the OAIC.

Consent to the handling of personal information 

The Privacy Act recognizes two types of consent when handling personal information: express and implied. This is an important distinction from the General Data Protection Regulation (GDPR), which only recognizes express consent. Under the GDPR, consent from the data subject means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” On the other hand, an organization or governmental agency under the Australia Privacy Act does not need a consumer’s express consent to handle their non-sensitive personal information so long as it reasonably believes that the consumer has impliedly given consent. For example, an organization or governmental agency can alert a consumer in writing that it will disclose the individual’s information for another purpose unless that individual opts out within thirty days. If the consumer does not respond within those thirty days, the organization or governmental agency may assume the consumer has impliedly consented to the disclosure. While consumers in Australia could impliedly consent to a business operating in Australia, such consent would not be valid if that business were also operating in the European Economic Area (EEA). It is important that businesses operating in both jurisdictions standardize their consent collection processes to ensure consumers’ rights are being upheld.

However, consumer consent must be informed, voluntary, current, and specific. Consumers have the right to withdraw their consent at any time. Once a consumer withdraws consent, an organization or governmental agency cannot rely on past consent for any future use or disclosure of their personal information.

Changes to Australia privacy laws on the horizon

The Australian government has announced its intention to reform the Privacy Act of 1988, along with increasing the power and resources of the OAIC, which enforces the Privacy Act. This could lead to an increase in investigations and enforcement activity by the OAIC, as well as increased penalties for breaches of the Privacy Act. The OAIC’s approach to the future of privacy includes allowing consumers to exercise more control over how their personal information is managed, as well as strengthening the notice and consent requirements under the Privacy Act. This will impact how entities can collect, use, and disclose personal information, and will require them to update their privacy policies in the near future. Generally speaking, websites must have a Privacy Policy that makes sufficient disclosures to properly meet the consumer rights listed in the Australia Privacy Act. Noncompliance can result in the imposition of penalties of up to AUD $2,100,000 for serious or repeated breaches of privacy. Use Termageddon’s Privacy Policy generator to get your Australian privacy law ready Privacy Policy.