
4 Privacy Obligations e-Platform Operators Should Understand

If you operate an e-platform in Australia, you will likely have obligations under the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs). As an e-platform operator, you will usually be an ‘APP entity’, which means you have specific responsibilities for how you collect, use, store and share personal information.

However, navigating these obligations can be difficult, particularly in the digital landscape where data flows rapidly. This article will define ‘APP entity’ and ‘personal information’ while outlining fundamental privacy principles that e-platform operators must uphold.

What is an APP Entity?

Under the Privacy Act, an ‘APP entity’ means an organisation or agency that must follow the Australian Privacy Principles (APPs) contained within the Privacy Act. These principles control how APP entities:

  • collect; 
  • use;
  • store; and 
  • share personal information. 

Examples of APP entities are Australian Government agencies and organisations with an annual turnover of more than $3 million. Organisations with an annual turnover below $3 million can still be APP entities. For example, businesses that provide a health service or that trade in personal information are APP entities regardless of their annual turnover.

If you are an APP entity, you must take reasonable measures to protect personal information from: 

  • misuse; 
  • interference; and 
  • unauthorised access or disclosure. 

Your business must also have a privacy policy explaining how you manage personal information and provide individuals access to their information upon request.

What is Personal Information?

Under the Privacy Act, personal information is “information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  • whether the information or opinion is true or not; and
  • whether the information or opinion is recorded in a material form or not.”

This means that personal information can include any details about a person that can be used to identify them, regardless of whether it is accurate or written down. It can include information such as a person’s: 

  • name; 
  • address;
  • phone number; 
  • email address;
  • date of birth; 
  • photographs; and 
  • other identifiable information. 

It can also include sensitive information, such as:

  • health information; 
  • racial or ethnic origin; 
  • political opinions; and 
  • religious beliefs.

Key Privacy Principles E-Platform Operators Must Uphold

1. Collection of Personal Information

APP 1 of the Privacy Act requires APP entities to manage personal information openly and transparently. This means that APP entities must have a clear and accessible privacy policy that outlines their handling of personal information. 

As an APP entity, your privacy policy must include information about:

  • the types of personal information you collect and hold;
  • methods used to collect and hold personal information;
  • the reasons for collecting, holding, using, and sharing personal information;
  • how individuals can access and correct their personal information; and
  • how individuals can make a complaint about breaches of the APPs and how your business will address them.

Additionally, APP 3 specifically addresses the collection of personal information. You must only collect personal information that is reasonably necessary for your functions or activities, and you must collect it only by lawful and fair means. Sensitive information may generally only be collected with the individual’s consent. Read together with APP 5 (discussed below), this means that when you collect personal information you must take reasonable steps to make sure the person knows:

  • who is collecting the personal information and how to contact them;
  • why the personal information is being collected;
  • whether a law or court order requires or authorises the collection;
  • the consequences for the person if the personal information is not collected; and
  • any third parties to whom the personal information is usually disclosed.

APP 3 also requires you to collect personal information directly from the individual unless it is unreasonable or impracticable to do so. If personal information comes from a third party, you must still take reasonable steps to make the individual aware of the collection and its circumstances. Lastly, under APP 4, if you receive personal information you did not solicit and could not have collected under APP 3, you must destroy or de-identify it as soon as practicable, provided it is lawful and reasonable to do so.

2. Notifying Individuals

APP 5 requires an APP entity, at or before the time it collects personal information (or, if that is not practicable, as soon as practicable afterwards), to take reasonable steps to notify the individual of:

  • the fact that the entity has collected their personal information;
  • the circumstances of that collection;
  • the purposes for which the entity is collecting the information; and
  • any other entity, body or person to which the entity usually discloses the information.

The specific steps an APP entity must take to notify individuals will depend on factors like: 

  • the sensitivity of the personal information;
  • the possible consequences of collecting personal information;
  • any special needs of the individual; and 
  • the time and cost involved. 

However, an entity cannot avoid taking particular steps because they are inconvenient, time-consuming or costly. 

3. Use and Disclosure of Personal Information

Under APP 6, your business must only use or disclose personal information for the primary purpose for which it was collected, or for a related secondary purpose that the person would reasonably expect (for sensitive information, the secondary purpose must be directly related). As an e-platform operator, ensure you use or disclose personal information only for the purposes it was collected for, such as processing orders or offering customer support. 

Otherwise, unless another exception applies (for example, the use or disclosure is required or authorised by law), you must get consent from individuals before using their personal information for a secondary purpose, such as sharing it with third-party advertisers. Consent from an individual can be express or implied. The Office of the Australian Information Commissioner (OAIC), which oversees the APPs, treats consent as valid only if:

  1. your business informs the individual before they give consent;
  2. the individual gives voluntary consent;
  3. the consent is current and specific; and
  4. the individual can understand and communicate their consent.

When seeking to obtain express consent, you should explain where information is being shared and why, allowing customers to opt in.

For example, using an opt-in pop-up for customers to receive marketing emails from third-party suppliers can be beneficial.

4. Access and Correction of Personal Information

Under APP 12, an e-platform operator must, on request, give an individual access to the personal information it holds about them unless an exception applies. As such, you should ensure that accessing this information is easy. When individuals ask for their information, they should get it within a reasonable period and without an excessive charge.

Importantly, verify that the person making the request is in fact the individual concerned, or someone authorised to act for them, such as a legal guardian, before releasing anything. Giving personal information to the wrong person may itself breach the APPs. 

Under APP 13, you must take reasonable steps to ensure the personal information your business holds is accurate, up-to-date, complete, relevant and not misleading. This means allowing individuals to correct any mistakes in their personal information. If you have previously disclosed the information to another APP entity and the individual asks you to, you must also take reasonable steps to notify that entity of the correction.


Key Takeaways

The Privacy Act sets out the specific rules about collecting, handling and sharing personal information in the APPs. The APPs control how e-platforms are to:

  • request; 
  • store;
  • alter;
  • use; 
  • collect; and 
  • disclose personal information. 

These rules cover any information or opinion about a person whose identity is apparent or can be figured out, whether it is true or not or kept in material form. E-platform operators must follow these four primary privacy obligations. If they do not, they might face penalties for breaching the Privacy Act.  

If you need help determining whether your current policies and procedures are compliant, our experienced online lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.


Jordan Bramis

Lawyer | View profile

Jordan is a Lawyer at LegalVision. He graduated in 2021 with a double degree in Law and Communication.

Qualifications: Bachelor of Laws, Bachelor of Communication, University of Technology Sydney.
