Schedule 1 of the Privacy Act 1988 (Cth) contains the Australian Privacy Principles (APPs). The APPs state how certain organisations or ‘APP entities’ must handle, use and manage personal information. e-Platform operators need to be especially mindful of their obligations. Below, we define ‘APP entity’ and ‘personal information’ and set out some of the privacy compliance principles affecting e-Platform operators.

What is an APP Entity?

An APP entity is an organisation (including a sole individual trader, a body corporate, partnership, an unincorporated association or a trust) that discloses personal information about an individual. The organisation must either disclose or provide the information for a benefit, service or advantage as a pre-cursor to collecting an individual’s personal information.

What is Personal Information?

Personal information can be any information or opinion, regardless of whether it’s true of not or kept in material form, about an individual whose identity is apparent or can reasonably be ascertained.

1. Collection of Solicited Personal Information

APP 1 requires APP entities to implement practices, procedures and systems to ensure they comply with the APPs. It further requires an APP entity to have mechanisms in place that enable them to deal with enquiries and complaints regarding compliance with its privacy obligations. APP 3 provides that an APP entity must not collect personal information unless it’s reasonably necessary to do so for one or more of their functions.

To comply with APPs 1 and 3, e-Platform operators should:

  • have an up-to-date privacy policy available linking from the platform;
  • set out in their terms of use that they will collect personal information;
  • take proactive steps to establish and maintain internal practices, procedures and systems that ensure team members also comply with the APPs;
  • implement practices, procedures and systems for identifying and responding to privacy breaches; and
  • implement mechanisms to ensure that agents and contractors of the e-Platform comply with the APPs.

2. Notifying Individuals

APP 5 states that an APP entity must notify an individual at or before the time that:

  • the entity collected their personal information;
  • the circumstances of that collection;
  • the purpose of the entity collecting the information; and
  • any other entity, body or person to whom the entity may disclose the information to.

An e-Platform operator should also display a notice on the main page setting out its disclosure obligations as well as ensure that all third party service providers know and comply with this requirement.

3. Use and Disclosure of Personal Information

Under APP 6, if an APP entity holds personal information for a particular purpose, it must not use or disclose the information for another purpose. This rule applies except where the individual has consented to the use or disclosure of their information. Consent can be express or implied. The Office of the Australian Information Commissioner (OAIC), who oversees the APPs, suggests that consent is relevant where:

  1. the entity has adequately informed the individual before they give consent;
  2. the individual gave their consent voluntarily;
  3. the consent is current and specific; and
  4. the individual can understand and communicate their consent.

One way for e-Platform operators to obtain express consent is by requiring them to opt into electronic correspondence to receive, for example, emails from third-party suppliers.

4. Access to and Correction of Personal Information

APP 12 provides that APP entities must give individuals access to their information within a reasonable time and without an excessive fee following a request. e-Platform operators should ensure that the request for personal information is made by the correct individual, or by a person authorised to make a request on their behalf (e.g. a legal guardian). An organisation would contravene the APPs if they were to grant the information to another individual.

Further, APP 13 states that the entity must correct the individual’s personal information if asked or if it is found to be inaccurate. e-Platform operators should allow end users to submit requests for their personal information to be updated via their accounts.

***

e-Platform operators should familiarise themselves with their privacy obligations under the APPs. If you need assistance determining whether your current policies and procedures are compliant, get in touch with our online lawyers on 1300 544 755.

Vanja Simic

Next Steps

If you would like further information on any of the topics mentioned in this article, please get in touch using the form on this page.