- The principal privacy rules and regulations in Australia are contained in the Privacy Act 1988 (Cth) and what is known as the Australian Privacy Principles or APPs. The Office of the Australian Information Commissioner (OAIC) is the regulatory body responsible for compliance and enforcement of privacy laws in Australia. In short, the OAIC is the body to whom your business must answer in the event of a data breach, or the body to whom you may make a complaint about the handling of your personal information.
- The term ‘personal information’ is defined under the Privacy Act to mean any information or opinion about an individual, or that may reasonably identify an individual. The guidance offered by the OAIC indicates that it does not matter whether this information or opinion is true or not, nor does it matter whether it is recorded in a material form.
- The Privacy Act also distinguishes between the different ways of handling personal information (i.e. whether a business entity ‘collects’, ‘discloses’, ‘holds’ and/or ‘uses’ the personal information). Contexts such as direct marketing and cross-border disclosure will also affect a business’ handling of personal information.
- Data sovereignty is an issue that may arise when a business stores data in a foreign jurisdiction and the data stored is subject to the laws of that jurisdiction. Discussions around data sovereignty generally concern compliance with the laws of another jurisdiction or the intersection of that foreign law with the local laws of a user.
- In Australia, there are now mandatory notification obligations following a data breach. The obligations apply to any organisation that is subject to the Privacy Act – whether based in Australia or a foreign registered company that carries on business in Australia and which collects or transmits data.