Privacy-proof your website for Australia Privacy Act

Under the Australia Privacy Act, personal information is defined as:

“information or an opinion about an identified individual, or an individual who is reasonably identifiable: whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not.“

Examples of personal information include an individual’s name, address, phone number, medical records, bank account details, photos, or employment details. 

Sensitive information related to health, genetic information, racial/ethnic background, sexual orientation, and political opinions are also considered personal information and given extra protections under the Act.

The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 was passed on 12 December 2022, to implement significant reforms to the Privacy Act Australia. The amendment aims to strengthen the protection of personal information, enhance individual privacy rights, and improve transparency and accountability in data handling. 

The Act brings significant changes including: 

• Expanding the extraterritorial reach of the Privacy Act 1988 
• Increased penalties for serious or repeated interferences 
• Strengthening the Notifiable Bata Breaches Scheme
• Enhancing the powers of the OAIC to address privacy violations

The Office of the Australian Information Commissioner (OAIC) oversees compliance with the Privacy Act and handles privacy-related complaints and investigations. The OAIC is an independent statutory agency that oversees the Privacy Act, which sets out the standards, rights, and obligations for the handling of personal information. 

Under the Australia Privacy Act 1988, express consent is required for the collection of sensitive information or to use or disclose personal information for any purpose other than the purpose it was collected for.

Cookie consent Australia

To process non-sensitive personal information, express consent is not mandatory. However, implied consent is required, through the use of a notification at or before the time of data collection. Organizations are obligated to ensure that individuals understand the purpose of data collection and are also presented with an option to opt-out. 

According to the Office of the Australian Information Commissioner (OAIC), consent should be:

• Informed: individuals should be clear about the consequences of giving or not giving their consent
• Voluntary:  consent cannot be forced or pressured, and individuals should have the choice to give consent or not.
• Current and specific: Consent granted by individuals should be time and context-specific and for the stated purpose alone.

The Privacy Act Australia exempts entities that include small businesses with an annual turnover of less than $3 million, state government agencies, most universities and public schools, individuals acting in a personal capacity, and registered political parties.

Additionally, some acts and practices related to employee records, related bodies corporate, and acts done or practices engaged in by a media organization in the course of journalism are also exempt from the Privacy Act. 

While the GDPR does not directly apply to Australia, businesses need to understand the extraterritorial reach of the GDPR and assess whether it falls within its scope. GDPR can apply to Australian businesses that operate within the EU or offer goods and services to individuals in the EU. 

In such cases, businesses are required to comply with the GDPR’s requirements, such as obtaining explicit consent for data processing, implementing appropriate security measures, and respecting individuals’ rights regarding their personal data.

The Australian equivalent of the General Data Protection Regulation (GDPR) is the Privacy Act 1988. This legislation governs the handling of personal information by Australian government agencies and businesses. The Privacy Act outlines the Australian Privacy Principles (APPs), which regulate the collection, use, and disclosure of personal information and ensure its accuracy and security. 

The Australia Privacy Principles (APPs) are a set of 13 principles that regulate the handling of personal information under the Privacy Act 1988 and provide a framework for the collection, use, and disclosure of personal information. The principles are:

• Open and transparent management of personal information: organizations must implement transparent privacy practices and systems.
• Anonymity and pseudonymity: individuals can remain anonymous or use a pseudonym when dealing with an APP entity
• Collection of solicited personal information: organisations can only collect personal information necessary for legitimate purposes.
• Dealing with unsolicited personal information: organisations must take certain steps when receiving unsolicited personal information.
• Notification of collection: organisations must inform individuals about the purpose and details of collecting their personal information.
• Use and disclosure: organisations are subject to restriction on the use or disclosure of PI for the purpose it was collected, with exceptions.
• Direct marketing: organisations must refrain from using personal information for direct marketing purposes. 
• Disclosing personal information overseas: organizations must ensure cross-border disclosure of personal information meets privacy protection standards.
• Government-related identifiers: organisations must limit the adoption, use, or disclosure of government-related identifiers.
• Quality of personal information: organisations must ensure that collected information is accurate, up-to-date, and complete.
• Security of personal information: organisations must take reasonable steps to safeguard personal information from misuse or unauthorized access.
• Access to personal information: individuals have the right to access their personal information and request corrections.
• Correction of personal information: organisations must correct personal information upon request and notify relevant entities if necessary.

Yes, having a cookie policy for your website can help you be legally compliant. The Privacy Act 1988 and the Australian Privacy Principles (APPs) regulate the way businesses handle personal information, including data collected through cookies. As cookies can track and store user data, they fall under the definition of personal information. 

Therefore, it is best practice to have a clear and comprehensive cookie policy in place to comply with the law. You can add your cookie policy to your privacy policy or maintain a separate cookie policy page. 

You can generate your free cookie policy with CookieYes!

Yes, a privacy policy is a legal requirement for businesses in Australia. The Privacy Act sets out the Australian Privacy Principles (APPs) including APP1: Open and transparent management of personal information. This means, businesses must have a clear and up-to-date privacy policy that outlines how personal information is collected, stored, used, and disclosed. 

Additionally, the privacy policy must also include information about how individuals can access and correct their personal information, as well as how they can make a complaint about a breach of privacy. You can generate a free privacy policy in minutes with CookieYes.