Privacy Act 1988

The Privacy Act now consolidates the existing Commonwealth National Privacy Principles (NPPs)and Information Privacy Principles (IPPs) into one set of privacy principles which are called the Australian Privacy Principles (APPs).

As noted above, the University is not required to comply with the new APPs as it is not an 'organisation' within the meaning of the Privacy Act.

However, the controlled entities of the University must comply with the new APPs from 12 March 2014. A controlled entity is an 'organisation' within the meaning of the Privacy Act and an APP entity to whom the APPs apply.

The APPs are set out in Schedule 1 to the Privacy Act 1988 (Cth). A copy of the APPs is also available at the Office of the Australian Information Commissioner's website.

The OAIC has published APP Guidelines which outline the mandatory requirements of the APPs, how the OAIC will interpret them and matters the OAIC may take into account when exercising functions and powers under the Privacy Act.

The new APPs include the following requirements:

• APP 1: An APP entity (which includes a controlled entity) must have a clearly expressed and up-to-date policy about the management of personal information which should be permanently available to the public. The policy must contain certain information including whether or not the entity is likely to disclose personal information to overseas recipients, and where practicable to which countries.
• APP 4: An APP entity which receives unsolicited information should consider whether it would have collected that information itself under the APPs and if not, should have processes in place to destroy or de-identify that information.
• APP 5: An APP entity is required to address an expanded list of matters about how their information is collected and used by an AAP entity, including whether the entity is likely to disclose the information to overseas recipients and if so, to which countries.
• APP 7: An APP entity is not permitted to use or disclose personal information for direct marketing unless an exemption applies.
• APP 8: An APP entity must take reasonable steps to ensure that an overseas recipient of personal information does not breach the APPs. Although an APP entity may have taken these reasonable steps, they may still be held liable for a breach of an APP by an overseas entity to whom personal information is disclosed. The information does not need to be transferred to that overseas entity, disclosure is sufficient. There are limited ways in which an entity can avoid APP 8.1 as set out in APP 8.2.

Section 13G is a civil penalty provision relevant to controlled entities. It provides for a civil penalty of 2,000 units ($340,000) where an entity does an act or engages in practice that is a serious interference with the privacy of an individual or where the entity repeatedly does an act or engages in a practice that is an interference with the privacy of one or more individuals. An interference with the privacy of an individual includes a breach of an APP.

The Privacy Commissioner has increased powers of investigation and audit, including the power to commence proceedings against a non-compliant entity in the Federal Court or the Federal Magistrates Court and to seek an additional pecuniary penalty of up to $1.7 million from that entity for contravention of a civil penalty provision.