The Australia Privacy Act of 1988 regulates the way in which business entities and federal government agencies must handle personal information. There are thirteen Australian Privacy Principles (APPs) enumerated in the Privacy Act. “APP entities” must comply with the Privacy Act. This article will examine who qualifies as an “APP entity” and is thus subject to the rules under the Privacy Act.
An APP entity is either a government agency or an organization. An agency refers to a federal government entity (e.g. a federal tax authority). An organization includes an Australian individual, body corporate, partnership, unincorporated association, or trust. An Australian organization with an annual turnover of more than AUD 3 million must comply. An Australian small business operator (including a sole trader) with an annual turnover of AUD 3 million or less does not qualify as an APP entity. However, a small business operator will qualify as an APP entity if it is any of the following:
- A private-sector health care provider, i.e. an organization that provides a health service, including:
  - A traditional health care provider (hospital, medical practitioner, or pharmacy);
  - A complementary therapist such as a naturopath or a chiropractor;
  - A gym or weight loss clinic;
  - A childcare center, a private school, or a tertiary educational institution.
- A business that sells or purchases personal information (see examples below);
- A credit reporting body;
- A contracted service provider for an Australian Government contract;
- An employee association registered or recognized under the Fair Work (Registered Organizations) Act 2009;
- A business that has opted-in to the Privacy Act 1988;
- A business that is related to a business that is covered by this privacy law; and
- A business prescribed by the Privacy Regulation 2013.
The Office of the Australian Information Commissioner (OAIC) website provides two examples of how a small business operator could qualify as an organization for the purposes of the Privacy Act.
- For example, if an entity compiles and sells a list of information to another entity, say a lobbying firm, then the first entity will be deemed an APP entity even if its annual turnover is $3 million or less.
- Similarly, in the example above, the second entity, the lobbying firm, will also be deemed an APP entity regardless of whether its annual turnover is $3 million or less, because it is paying another entity to collect information about individuals.
Businesses outside of Australia may need to comply with the Australian Privacy Act
In addition, organizations formed outside of Australia may need to comply with this law, regardless of revenue, if they have an Australian link. Your organization has an Australian link if it carries on business in Australia and collects and holds personal information in Australia. In assessing whether an entity carries on business in Australia, the following factors need to be considered:
- The entity has a place of business in Australia;
- People who undertake business acts for the entity are located in Australia;
- The entity has a website that offers goods or services to Australian consumers;
- Australia is one of the countries on the drop-down menu appearing on the entity’s website;
- Web content that forms part of carrying on the business was uploaded by or on behalf of the entity, in Australia;
- Business or purchase orders are assessed or acted upon in Australia; or
- The entity is the registered proprietor of trademarks in Australia.
APP entities responsible for acts and practices of staff
The Privacy Act enumerates three scenarios where an act or practice engaged in by a person is taken to be an act or practice engaged in by the APP entity:
- A person employed by, or in the service of an APP entity, in performing the duties of the person’s employment.
- A person on behalf of an unincorporated body or other body that is established by or under a Commonwealth enactment, for the purpose of assisting or performing functions in connection with an APP entity.
- A member, staff member or special member of the Australian Federal Police in performing their duties as such a member.
Who doesn’t have responsibilities under the Privacy Act?
The Privacy Act does not cover the following actors:
- State or territory government agencies
- An individual acting in their own capacity
- A university, other than a private university
- A public school
- In some situations, the handling of employee records by an organization in relation to current and former employment relationships
- A small business operator based in Australia (unless an exception applies as previously discussed)
- A media organization acting in the course of journalism if the organization is publicly committed to observing published privacy standards
- Registered political parties and political representatives
Obligations under the Privacy Act for APP entities
If you qualify as an APP entity under the Privacy Act, there are three key features of the Privacy Act to pay attention to.

First, an APP entity must follow the thirteen APPs, the principles that govern the way personal information may be collected, used, disclosed, and stored.

Second, an entity that handles credit-related personal information in any way must follow the credit reporting provisions of the Privacy Act, which regulate the way in which credit-related personal information is to be collected, used, disclosed, and stored.

Finally, you should check whether you are subject to an "APP code," a written code of practice that is usually specific to Commonwealth agencies.

APP entities must be cognizant of the full scope of their obligations under the Privacy Act, based on the nature of their business activities. This starts with an obligation to post a Privacy Policy that meets all of the obligations the Australian Privacy Act places on a covered entity. Termageddon is the Privacy Policy generator that can help you create your Australia Privacy Act Privacy Policy.