12 March 2014 marked the replacement of the National Privacy Principles and Information Privacy Principles with the Australian Privacy Principles (APPs) from Schedule 1 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012. The thirteen APPs are detailed in the attached notes section.
Who is covered by the APPs?
Any Australian organisation with an annual turnover of over $3 million will be considered an ‘APP Entity’. Small business operators (organisations with a turnover of $3 million or less) may also be caught by the exceptions (see notes section).
A Small Business Operator is an individual (including a sole trader), body corporate, partnership, unincorporated association or trust that has an annual turnover of $3 million or less for a financial year, unless an exception applies (s 6D). If an exception (as noted below) applies to a small business operator it may be deemed an APP Entity. The exceptions include businesses that:
• provide a health service and hold health information other than in an employee record
• disclose personal information about another individual for a benefit, service or advantage, or provide a benefit, service or advantage to collect personal information about another individual from anyone else, unless they do so with the consent of the individual or are required or authorised by or under legislation to do so
• are contracted service providers for a Commonwealth contract.
1. open and transparent management of personal information
2. anonymity and pseudonymity: must offer individuals the option of not identifying themselves or of using a pseudonym
3. collection of solicited personal information: must not collect personal information unless the information is reasonably necessary for one or more of the entity’s functions or activities
4. dealing with unsolicited personal information: is required to consider the content of the information and, if necessary, destroy or de-identify it
5. notification of the collection of personal information: must take such steps as are reasonable to notify the individual of a range of matters, including the identity and contact details of the APP entity
6. use or disclosure of personal information: must obtain consent when disclosing personal information
7. direct marketing: must provide the ability for the individual to ‘opt out’ of marketing and/or provide the source of the information
8. cross-border disclosure of personal information: must recognise that, in certain circumstances, an act done or a practice engaged in by the overseas recipient is taken to have been done or engaged in by the APP entity
9. adoption, use or disclosure of government related identifiers
10. quality of personal information: must take reasonable steps to ensure personal information collected is accurate, up-to-date and complete
11. security of personal information: must protect personal information from misuse, interference and loss, and from unauthorised access, modification and disclosure
12. access to personal information: must have procedures for giving an individual access to their personal information
13. correction of personal information: must have procedures for giving an individual the ability to correct their personal information
Personal information is defined as any ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable:
Common examples are an individual’s name, signature, address, telephone number, date of birth, medical records, bank account details, employment details and commentary or opinion about a person.
Sensitive information is a subset of personal information and is defined as:
Source: Schedule 1 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012