The Australia Privacy Act of 1988 regulates the way in which business entities and federal government agencies must handle personal information. There are thirteen Australian Privacy Principles (APPs) enumerated in the Privacy Act. “APP entities” must comply with the Privacy Act. This article will examine who qualifies as an “APP entity” and is thus subject to the rules under the Privacy Act.
An APP entity is either a government agency or an organization. An agency refers to a federal government entity. An organization includes an individual, body corporate, partnership, unincorporated association, or a trust. A small business operator (including a sole trader) with an annual turnover of $3 million or less does not qualify as an APP entity. However, a small business operator will qualify as an APP entity if they are:
- A private-sector health care provider, meaning an organization that provides a health service, which includes:
  - A traditional health care provider (hospital, medical practitioner, or pharmacy);
  - A complementary therapist such as a naturopath or a chiropractor;
  - A gym or weight loss clinic;
  - A childcare center, a private school, and a tertiary educational institution.
- A business that sells or purchases personal information (see examples below);
- A credit reporting body;
- A contracted service provider for an Australian Government contract;
- An employee association registered or recognized under the Fair Work (Registered Organizations) Act 2009;
- A business that has opted in to the Privacy Act 1988;
- A business that is related to a business that is covered by this privacy law; and
- A business prescribed by the Privacy Regulation 2013.
The Office of the Australian Information Commissioner (OAIC) website provides two examples of how a small business operator could qualify as an organization for the purposes of the Privacy Act.
- For example, if an entity compiles and sells a list of information to another entity, let’s say, a lobbying firm, then the first entity will be deemed an APP entity, even if their annual turnover is $3 million or less.
- Similarly, in the example above, the second entity, the lobbying firm, will also be deemed an APP entity regardless of whether their annual turnover is $3 million or less because they are paying another entity to collect information about individuals.
APP entities responsible for acts and practices of staff
The Privacy Act enumerates three scenarios where an act or practice engaged in by a person is taken to be an act or practice engaged in by the APP entity:
- A person employed by, or in the service of, an APP entity, in performing the duties of the person’s employment.
- A person acting on behalf of an unincorporated body or other body that is established by or under a Commonwealth enactment, for the purpose of assisting or performing functions in connection with an APP entity.
- A member, staff member or special member of the Australian Federal Police in performing duties as such a member.
Who doesn’t have responsibilities under the Privacy Act?
The Privacy Act does not cover the following actors:
- State or territory government agencies
- An individual acting in their own capacity
- A university, other than a private university
- A public school
- In some situations, the handling of employee records by an organization in relation to current and former employment relationships
- A small business operator (unless an exception applies as previously discussed)
- A media organization acting in the course of journalism if the organization is publicly committed to observing published privacy standards
- Registered political parties and political representatives
Obligations under the Privacy Act for APP entities
I am a third year at UIC John Marshall law school in Chicago. After my first year of law school I spent the summer clerking for Vandenack Weaver LLC in Omaha, NE and during my second year of law school I worked for Chicago Daily Law Bulletin as a content specialist. I am passionate about privacy and cybersecurity law and serve as the liaison for the Chicago Bar Association’s Cyber Law and Data Privacy Committee.