If you operate an e-platform in Australia, you will likely have obligations under the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs). As an e-platform operator, you are classified as an APP entity, which means you have specific responsibilities regarding the following:
- handling;
- usage; and
- management of personal information.
However, navigating these obligations can be difficult, particularly in the digital landscape where data flows rapidly. This article will define ‘APP entity’ and ‘personal information’ while outlining fundamental privacy principles that e-platform operators must uphold.
What is an APP Entity?
Under the Privacy Act, an ‘APP entity’ means an organisation or agency that must follow the Australian Privacy Principles (APPs) contained within the Privacy Act. These principles control how APP entities:
- collect;
- use;
- store; and
- share personal information.
Examples of APP entities are government agencies and organisations with an annual turnover of more than $3 million. Organisations earning less than $3 million yearly can still be considered APP entities. For example, businesses offering healthcare services or trading in personal data are considered APP entities regardless of their annual earnings.
If you are an APP entity, you must take reasonable measures to protect personal information from:
- misuse;
- interference; and
- unauthorised access or disclosure.
Your business must also have a privacy policy explaining how you manage personal information and provide individuals access to their information upon request.
What is Personal Information?
According to the Australian Privacy Act, personal information is any “information or an opinion about a known person, or a person who can be identified, whether the information or opinion is:
- true or not; and
- recorded in a material form or not.”
This means that personal information can include any details about a person that can be used to identify them, regardless of whether it is accurate or written down. It can include information such as a person’s:
- name;
- address;
- phone number;
- email address;
- date of birth;
- photographs; and
- other identifiable information.
It can also include sensitive information, such as:
- health information;
- racial or ethnic origin;
- political opinions; and
- religious beliefs.
Key Privacy Principles E-Platform Operators Must Uphold
1. Collection of Personal Information
APP 1 of the Privacy Act requires APP entities to manage personal information openly and transparently. This means that APP entities must have a clear and accessible privacy policy that outlines their handling of personal information.
As an APP entity, your privacy policy must include information about:
- the types of personal information you collect and hold;
- methods used to collect and hold personal information;
- the reasons for collecting, holding, using, and sharing personal information;
- how individuals can access and correct their personal information; and
- how individuals can make a complaint about breaches of the APPs and how your business will address them.
Additionally, APP 3 specifically addresses collecting personal information. APP entities must only collect the personal information they need for their tasks or jobs, and they should do this lawfully and fairly. When collecting personal information, APP entities must make sure the person knows:
- who is collecting the personal information and how to contact them;
- why they are collecting the personal information;
- if any laws or court orders say they have to collect personal information;
- what might happen to the person if the entity does not collect their personal information; and
- any third parties the personal information may be shared with.
2. Notifying Individuals
APP 5 states that an APP entity must inform an individual of:
- the fact that the entity collects their personal information;
- the circumstances of that collection;
- the purpose for which the entity collects the information; and
- any other entity, body or person with whom the entity may share the information.
The specific steps an APP entity must take to notify individuals will depend on factors like:
- the sensitivity of the personal information;
- the possible consequences of collecting personal information;
- any special needs of the individual; and
- the time and cost involved.
However, an entity cannot avoid taking particular steps because they are inconvenient, time-consuming or costly.
3. Use and Disclosure of Personal Information
Under APP 6, your business must only use or share personal information for the main reason it was collected or for a closely related reason that the person would expect. As an e-platform operator, ensure you use or disclose personal information only for intended purposes like processing orders or offering customer support.
Additionally, you must get consent from individuals before using their personal information for a secondary purpose, such as sharing it with third-party advertisers. Consent from an individual can be express or implied. The Office of the Australian Information Commissioner (OAIC), which oversees the APPs, states that consent is valid if:
- your business informs the individual before they give consent;
- the individual gives voluntary consent;
- the consent is current and specific; and
- the individual can understand and communicate their consent.
When seeking to obtain express consent, you should explain where information is being shared and why, allowing customers to opt in.
4. Access and Correction of Personal Information
According to APP 12, an e-platform operator must have a clear policy for individuals to access their personal information on the platform. As such, you should ensure that accessing this information is easy. When individuals ask for their information, they should get it in a reasonable time and without an excessive fee.
Importantly, be sure to verify that the person asking for the personal information is entitled to receive it, whether that is the individual themselves or an authorised representative such as a legal guardian. If you give personal information to the wrong person, you may breach the APPs.
Under APP 13, you must ensure the personal information your business holds is accurate, up-to-date and complete. This means allowing individuals to correct any mistakes in their personal information. You should also tell relevant third parties about any corrections.
Key Takeaways
The Privacy Act sets out the specific rules about collecting, handling and sharing personal information in the APPs. The APPs control how e-platforms are to:
- request;
- store;
- alter;
- use;
- collect; and
- disclose personal information.
These rules cover any information or opinion about a person whose identity is apparent or can reasonably be worked out, whether or not it is true and whether or not it is recorded in material form. E-platform operators must follow these four primary privacy obligations. If they do not, they may face penalties for breaching the Privacy Act.
If you need help determining whether your current policies and procedures are compliant, our experienced online lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.