# Privacy Act 1988

# Acronyms, Abbreviations, and Initialisms

Short Form Full Form
APP Australian Privacy Principles

# Overview

The Privacy Act 1988 (Privacy Act) was introduced to promote and protect the privacy of individuals and to regulate how Australian Government agencies and organizations with an annual turnover of more than $3 million, and some other organisations, handle personal information.

The Privacy Act includes 13 Australian Privacy Principles (APPs), which apply to some private sector organizations, as well as most Australian Government agencies. These are collectively referred to as "APP entities". The Privacy Act also regulates the privacy component of the consumer credit reporting system, tax file numbers, and health and medical research.

# Principles

The APPs are the cornerstone of the privacy protection framework in the Privacy Act 1988 (Privacy Act). They apply to any organization or agency the Privacy Act covers.

There are 13 APPs and they govern standards, rights and obligations around:

  • the collection, use and disclosure of personal information
  • an organisation or agency’s governance and accountability
  • integrity and correction of personal information
  • the rights of individuals to access their personal information

The APPs are principles-based law. This gives an organization or agency flexibility to tailor their personal information handling practices to their business models and the diverse needs of individuals. They are also technology neutral, which allows them to adapt to changing technologies.

A breach of an APP is an "interference with the privacy of an individual" and can lead to regulatory action and penalties.

The 13 APPs include:

  • APP 1 Open and transparent management of personal information
  • APP 2 Anonymity and pseudonymity
  • APP 3 Collection of solicited personal information
  • APP 4 Dealing with unsolicited personal information
  • APP 5 Notification of the collection of personal information
  • APP 6 Use or disclosure of personal information
  • APP 7 Direct marketing
  • APP 8 Cross-border disclosure of personal information
  • APP 9 Adoption, use or disclosure of government related identifiers
  • APP 10 Quality of personal information
  • APP 11 Security of personal information
  • APP 12 Access to personal information
  • APP 13 Correction of personal information

Ensures that APP entities manage personal information in an open and transparent way. This includes having a clearly expressed and up to date APP privacy policy.

Requires APP entities to give individuals the option of not identifying themselves, or of using a pseudonym. Limited exceptions apply.

Outlines when an APP entity can collect personal information that is solicited. It applies higher standards to the collection of sensitive information.

Outlines how APP entities must deal with unsolicited personal information.

Outlines when and in what circumstances an APP entity that collects personal information must tell an individual about certain matters.

Outlines the circumstances in which an APP entity may use or disclose personal information that it holds.

An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met.

Outlines the steps an APP entity must take to protect personal information before it is disclosed overseas.

Outlines the limited circumstances when an organisation may adopt a government related identifier of an individual as its own identifier, or use or disclose a government related identifier of an individual.

An APP entity must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure.

An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances.

Outlines an APP entity’s obligations when an individual requests to be given access to personal information held about them by the entity. This includes a requirement to provide access unless a specific exception applies.

Outlines an APP entity’s obligations in relation to correcting the personal information it holds about individuals.

# Noteworthy

  • The Privacy Act includes 13 APPs.

# Sources