Chapter B: Key concepts

Publication date: 21 December 2022

Version 1.4


B.1 This Chapter outlines some key words and phrases that are used in the Privacy Act and the Australian Privacy Principles (APPs).

Key concepts A to D

APP entity

B.2 An ‘APP entity’ is defined to be an agency or organisation (s 6(1)).

B.3 An ‘organisation’ is defined to be:

unless it is a small business operator, registered political party, State or Territory authority or a prescribed instrumentality of a State (s 6C).

B.4 The following terms are also defined in the Privacy Act: ‘small business operator’ (s 6D), ‘registered political party’ (s 6(1)) and ‘State or Territory authority’ (s 6C).

B.5 In general, a small business operator is an individual (including a sole trader), body corporate, partnership, unincorporated association or trust that has an annual turnover of $3,000,000 or less for a financial year, unless an exception applies (s 6D). If an exception applies, this kind of business may be an organisation. The exceptions include businesses that:

B.6 Following are two examples of how the second exception may apply:

B.7 A non-APP entity may be treated as an organisation (and therefore as an APP entity) in certain circumstances, for example, a small business operator that is related to an organisation covered by the Privacy Act (s 6D(9)), an entity that chooses to be treated as an organisation (s 6EA) or a small business operator that is accredited under the Consumer Data Right System under Part IVD of the Competition and Consumer Act 2010 (s 6E(1D)). Also, some small business operators are treated as organisations (and therefore an APP entity) in relation to the following activities they carry out:

B.8 ‘Agency’ refers to Australian Government (and Norfolk Island Government) agencies,[2] but does not include State and Territory agencies. An ‘agency’ is defined to be:

B.9 Section 6(5) clarifies that a person shall not be taken to be an agency merely because the person is the holder of, or performs the duties of, certain offices, such as a judicial office or of an office of magistrate.

B.10 The APPs extend to an act done, or practice engaged in, outside Australia and the external Territories by an organisation, or small business operator, that has an Australian link (s 5B(1A)).

B.11 An organisation or small business operator has an Australian link where it is:

B.12 An organisation that does not fall within one of those categories will also have an Australian link where it carries on business in Australia or an external Territory (s 5B(3)(b)).

Carries on business in Australia

B.13 The phrase ‘carries on business in Australia’ in s 5B(3)(b) is not defined in the Privacy Act. However, it arises in other areas of law, including corporations and consumer law. Guidance may be drawn from judicial consideration of the phrase in those contexts.

B.14 The two elements — ‘carries on business’ and ‘in Australia’ — are connected but can be considered separately. Australian courts have held that both are questions of fact.[4] An assessment should be made having regard to all relevant circumstances, particularly the nature of the enterprise conducted by an entity, and the particular Act being applied.[5] In this instance, it is the Privacy Act being applied.

Carry on business

B.15 The general law concept of ‘carrying on business’ has been said to ‘generally involve conducting some form of commercial enterprise, systematically and regularly with a view to profit’[6]; or to embrace ‘activities undertaken as a commercial enterprise in the nature of a going concern, that is, activities engaged in for the purpose of profit on a continuous and repetitive basis’.[7]

B.16 The focus of those definitions upon conducting or establishing a commercial enterprise for the purpose of profit is important. Nevertheless, a necessary modification of the concept in the context of the Privacy Act is that the Act can apply to a non-profit entity that is an ‘organisation’ as defined in s 6C(1). As to those entities, the more important element may be the repetition of commercial acts on a systematic or continuing basis as part of the activities of the entity.

In Australia

B.17 Whether a business is carried on ‘in Australia’ focusses upon whether activity is undertaken in Australia as part of the entity’s business. There is ‘a need for some physical activity in Australia through human instrumentalities, being activity that itself forms part of the course of conducting business’.[8] However, as noted in another decision, ‘provided that there are acts within Australia which are part of the company's business, the company will be doing business in Australia although the bulk of its business is conducted elsewhere and it maintains no office in Australia’.[9]

B.18 An important consideration in applying this territorial requirement in the context of the Privacy Act is that the Act, though technologically-neutral, operates in an environment where personal information is regularly collected, held, used and disclosed online by organisations that may simultaneously carry on business through the web in many countries. In addition, an object of the Privacy Act is to ‘promote the protection of the privacy of individuals’ (s 2A(a)), which requires that regard be had to contemporary and practical circumstances.

B.19 In this context, factors that may be considered in assessing if an entity carries on business in Australia include whether:

B.20 The presence or absence of one of these factors may not be determinative in assessing whether an entity carries on business in Australia. For example, where an entity does not have a place of business in Australia, this does not necessarily mean that it does not carry on business in Australia.

B.21 An entity will not generally be regarded as carrying on business in Australia solely on the basis that a purchase order can be placed in Australia or that it has a website that can be accessed from Australia.[12]

B.22 The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 came into force on 13 December 2022 and repealed s 5B(3)(c) of the Privacy Act. This means that the previous test under s 5B(3) will apply to acts and practices outside Australia and the external Territories that occurred before 13 December 2022.

B.23 Prior to 13 December 2022, s 5B(3) provided that an organisation will have an Australian link where:

B.24 The phrase ‘carries on business’ is discussed above at B.13–B.21.

B.25 Personal information is collected ‘in Australia’, if it is collected from an individual who is physically present in Australia or an external Territory, regardless of where the collecting entity is located or incorporated. An example is the collection of personal information from an individual who is physically located in Australia or an external Territory, via a website that is hosted outside Australia. This applies even if the website is owned by a company that is located outside of Australia or that is not incorporated in Australia.[13]

Collects

B.26 An APP entity collects personal information ‘only if the entity collects the personal information for inclusion in a record or generally available publication’ (s 6(1)).

B.27 The term ‘record’ is defined in s 6(1) and includes a document or an electronic or other device. Some items are excluded from the definition, such as anything kept in a library, art gallery or museum for the purposes of reference, study or exhibition, and Commonwealth records in the open access period.

B.28 The term ‘generally available publication’ is defined in s 6(1) to mean a ‘magazine, book, article, newspaper or other publication that is, or will be, generally available to members of the public’, regardless of the form in which it is published and whether it is available on payment of a fee.

B.29 An APP entity does not collect personal information where that information is acquired but not included in a record or generally available publication. For example, a newspaper article containing personal information will not be ‘collected’ by the entity unless, for example, a clipping of the article is kept and stored with other documents held by the entity or the article is scanned and saved into the entity’s electronic database.

B.30 The concept of ‘collection’ applies broadly, and includes gathering, acquiring or obtaining personal information from any source and by any means, including from:

B.31 Collection may also take place when an APP entity generates personal information from other data it holds, such as the generation of an audit log.

Commonwealth record

B.32 A ‘Commonwealth record’ has the same meaning as in the Archives Act 1983 (s 6(1)).

B.33 The Archives Act states that a ‘Commonwealth record’ means:

B.34 Some categories of records are excluded from that definition:

B.35 It is likely that all or most personal information collected or received by an agency will be included in a ‘Commonwealth record’. Where an organisation is a contracted service provider under a Commonwealth contract, the records collected, received or held by that organisation under the contract may also be Commonwealth records.

B.36 APPs 4.3 and 11.2 require the destruction or de-identification of personal information in certain circumstances (see Chapters 4 and 11). These requirements do not apply to information contained in a Commonwealth record. Retention, destruction and alteration of Commonwealth records is governed by the Archives Act. A Commonwealth record can, as a general rule, only be destroyed or altered in accordance with s 24 of the Archives Act. The grounds on which this may be done include with the permission of the National Archives of Australia (as set out in a records disposal authority) or in accordance with ‘normal administrative practice’. Further information about Archives Act requirements is available from the National Archives of Australia at <www.naa.gov.au>.

B.37 Consent is relevant to the operation of a number of APPs. In some, consent is an exception to a general prohibition against personal information being handled in a particular way (for example, APPs 3.3(a) and 6.1(a)). In others, consent provides authority to handle personal information in a particular way (for example, APPs 7.3, 7.4 and 8.2(b)).

B.38 Consent means ‘express consent or implied consent’ (s 6(1)). The four key elements of consent are:

B.39 Express consent is given explicitly, either orally or in writing. This could include a handwritten signature, an oral statement, or use of an electronic medium or voice signature to signify agreement.

B.40 Implied consent arises where consent may reasonably be inferred in the circumstances from the conduct of the individual and the APP entity.

B.41 An APP entity should not assume that an individual has consented to a collection, use or disclosure that appears to be advantageous to that person. Nor can an entity establish implied consent by asserting that if the individual knew about the benefits of the collection, use or disclosure, they would probably consent to it.

B.42 Generally, it should not be assumed that an individual has given consent on the basis alone that they did not object to a proposal to handle personal information in a particular way. An APP entity cannot infer consent simply because it provided an individual with notice of a proposed collection, use or disclosure of personal information. It will be difficult for an entity to establish that an individual’s silence can be taken as consent. Consent may not be implied if an individual’s intent is ambiguous or there is reasonable doubt about the individual’s intention.

B.43 Use of an opt-out mechanism to infer an individual’s consent will only be appropriate in limited circumstances, as the individual’s intention in failing to opt-out may be ambiguous. An APP entity will be in a better position to establish the individual’s implied consent the more that the following factors, where relevant, are met:

B.44 An APP entity should generally seek express consent from an individual before handling the individual’s sensitive information, given the greater privacy impact this could have.

B.45 An APP entity should as far as practicable implement procedures and systems to obtain and record consent. This may resolve any doubt about whether consent was given (either on the basis of express or implied consent).

Voluntary

B.46 Consent is voluntary if an individual has a genuine opportunity to provide or withhold consent. Consent is not voluntary where there is duress, coercion or pressure that could overpower the person’s will.

B.47 Factors relevant to deciding whether consent is voluntary include:

B.48 Bundled consent refers to the practice of an APP entity ‘bundling’ together multiple requests for an individual’s consent to a wide range of collections, uses and disclosures of personal information, without giving the individual the opportunity to choose which collections, uses and disclosures they agree to and which they do not.

B.49 This practice has the potential to undermine the voluntary nature of the consent. If a bundled consent is contemplated, an APP entity could consider whether:

Informed

B.50 An individual must be aware of the implications of providing or withholding consent, for example, whether access to a service will be denied if consent is not given to collection of a specific item of personal information. An APP entity should ensure that an individual is properly and clearly informed about how their personal information will be handled, so they can decide whether to give consent (see also, discussion of ‘capacity’ below). The information should be written in plain English, without legal or industry jargon.

Current and specific

B.51 An APP entity should generally seek consent from an individual for collection and proposed uses and disclosures of personal information at the time the information is collected. Alternatively, if consent was not sought at the time of collection, or that consent did not cover a proposed use or disclosure, an entity should seek the individual’s consent at the time of the use or disclosure.

B.52 Consent given at a particular time in particular circumstances cannot be assumed to endure indefinitely. It is good practice to inform the individual of the period for which the consent will be relied on in the absence of a material change of circumstances.

B.53 An APP entity should not seek a broader consent than is necessary for its purposes, for example, consent for undefined future uses, or consent to ‘all legitimate uses or disclosures’ (see also, discussion of ‘bundled consent’ above). When seeking consent, an entity should describe the purpose to which it relates. The level of specificity required will depend on the circumstances, including the sensitivity of the personal information.

B.54 An individual may withdraw their consent at any time, and this should be an easy and accessible process. Once an individual has withdrawn consent, an APP entity can no longer rely on that past consent for any future use or disclosure of the individual’s personal information. Individuals should be made aware of the potential implications of withdrawing consent, such as no longer being able to access a service.

Capacity

B.55 An individual must have the capacity to consent. This means that the individual is capable of understanding the nature of a consent decision, including the effect of giving or withholding consent, forming a view based on reasoned judgement and how to communicate a consent decision. An APP entity can ordinarily presume that an individual has the capacity to consent, unless there is something to alert it otherwise, for example, the individual is a child or young person (see below). If an entity is uncertain as to whether an individual has capacity to consent at a particular time, it should not rely on any statement of consent given by the individual at that time.

B.56 Issues that could affect an individual’s capacity to consent include:

B.57 An APP entity should consider whether any such issue could be addressed by providing the individual with appropriate support to enable them to have capacity to consent. If an individual does not have capacity to consent, even with support or the provision of additional resources such as an interpreter or alternative communication methods, and consent is required, an entity should consider who can act on the individual’s behalf. Options include:

B.58 An individual who lacks the capacity to consent should nevertheless be involved, as far as practicable, in any decision-making process. To the extent practicable in the circumstances, an APP entity should ensure that privacy issues are discussed with individuals who have impaired decision-making capacity in a way that is understandable and comprehensible.

Children and young people

B.59 The Privacy Act does not specify an age after which individuals can make their own privacy decisions. An APP entity will need to determine on a case-by-case basis whether an individual under the age of 18 has the capacity to consent.

B.60 As a general principle, an individual under the age of 18 has capacity to consent when they have sufficient understanding and maturity to understand what is being proposed. In some circumstances, it may be appropriate for a parent or guardian to consent on behalf of a young person, for example, if the child is young or lacks the maturity or understanding to do so themselves.

B.61 If it is not practicable or reasonable for an APP entity to assess the capacity of individuals under the age of 18 on a case-by-case basis, the entity may presume that an individual aged 15 or over has capacity to consent, unless there is something to suggest otherwise. An individual aged under 15 is presumed not to have capacity to consent.

De-identification

B.62 Personal information is de-identified ‘if the information is no longer about an identifiable individual or an individual who is reasonably identifiable’ (s 6(1)). De-identified information is not ‘personal information’ (see paragraphs B.85–B.96).

B.63 De-identification involves removing or altering information that identifies an individual or is reasonably likely to do so. Generally, de-identification includes two steps:

B.64 De-identification may not altogether remove the risk that an individual can be re-identified. There may, for example, be a possibility that another dataset or other information could be matched with the de-identified information. The risk of re-identification must be actively assessed and managed to mitigate this risk. Relevant factors to consider when determining whether information has been effectively de-identified could include the cost, difficulty, practicality and likelihood of re-identification.[16]

B.65 For more information on when and how to de-identify information, and how to manage and mitigate the risk of re-identification, see De-identification and the Privacy Act.[17]

Disclosure

B.66 Disclosure is not defined in the Privacy Act.

B.67 An APP entity discloses personal information when it makes it accessible or visible to others outside the entity and releases the subsequent handling of the personal information from its effective control. This focuses on the act done by the disclosing party, and not on the actions or knowledge of the recipient. Disclosure, in the context of the Privacy Act, can occur even where the personal information is already known to the recipient.[18]

B.68 The release may be a proactive release, a release in response to a specific request, an accidental release or an unauthorised release by an employee.

B.69 Examples include where an APP entity:

B.70 Where an APP entity engages a contractor to perform services on its behalf, the provision of personal information to that contractor will in most circumstances be a disclosure (see paragraph B.144 for the limited circumstances where it will be a ‘use’).

B.71 ‘Disclosure’ is a separate concept from:

B.72 In a number of APPs the same requirements apply to the ‘use’ or ‘disclosure’ of personal information (for example, APP 6.1 (see Chapter 6), APP 7 (see Chapter 7), APP 9.2 (see Chapter 9) and APP 10.2 (see Chapter 10)). For these, it is not necessary to distinguish between a ‘use’ and a ‘disclosure’. However, the distinction is relevant to the following principles and exceptions that only apply to the ‘disclosure’ of personal information, and not to its ‘use’:

Key concepts E to P

Enforcement body

B.73 ‘Enforcement body’ is defined to mean:

B.74 ‘Enforcement related activity’ is defined to mean:

B.75 This definition recognises that ‘enforcement related activities’ can include lawful surveillance, intelligence gathering or monitoring activities where there may not be an existing investigation.[23] Those activities are distinct but may also overlap.

B.76 Examples of surveillance activities include optical surveillance of an individual or property where information obtained from that surveillance may lead to an investigation of a criminal offence. Examples of intelligence gathering include the collection of personal information about an individual to detect whether an offence has occurred, or to determine whether to initiate an investigation into that offence; the collection of information about whether an individual is planning to commit an offence and whether there are fellow criminal associates. Examples of monitoring activities include the monitoring by an enforcement body of a person who has presented themself to that body in compliance with a court order.[24]

Health information

B.77 ‘Health information’ is defined to mean:

B.78 Examples of health information include:

B.79 The definition of ‘sensitive information’ in s 6(1) includes health information. Sensitive information, including health information, attracts additional privacy protections compared to other types of personal information (see for example, APP 3 in Chapter 3). There are also a number of provisions and APPs that deal specifically with health information, including the ‘permitted health situation’ exceptions set out in s 16B (see Chapter D (Permitted health situations)).

Health service

B.80 ‘Health service’ is defined to mean:

B.81 The Privacy Act generally applies to all organisations that provide a health service, including an organisation that is a small business.[25] Examples of organisations that provide a health service include:

Holds

B.82 An APP entity ‘holds’ personal information if ‘the entity has possession or control of a record that contains the personal information’ (s 6(1)).

B.83 The term ‘record’ is defined in s 6(1) and includes a document or an electronic or other device. Some items are excluded from the definition, such as anything kept in a library, art gallery or museum for the purposes of reference, study or exhibition, and Commonwealth records in the open access period.

B.84 The term ‘holds’ extends beyond physical possession of a record to include a record that an APP entity has the right or power to deal with. Whether an APP entity ‘holds’ a particular item of personal information may therefore depend on the particular information collection, management and storage arrangements it has adopted. For example, an APP entity ‘holds’ personal information where:

B.85 An agency that has placed a record of personal information in the care of the National Archives of Australia, or in the custody of the Australian War Memorial, is considered to be the agency that holds the record for the purposes of the Privacy Act (s 10(4)).

Immigration Department

B.86 ‘Immigration Department’ means ‘the Department administered by the Minister administering the Migration Act 1958’ (s 6(1)). Information about the particular Minister and Department that administer the Migration Act 1958 can be found on the Federal Register of Legislation.[26]

B.87 The definition of ‘enforcement body’ includes the ‘Immigration Department’ (see paragraph B.70). This means that the exception in APP 3.4(d)(i) that permits the collection of sensitive information, and the exceptions in APPs 6.2(e) and 8.2(f) that permit the use and disclosure of personal information, extend to the ‘enforcement related activities’ of the Immigration Department (see Chapters 3, 6 and 8).[27]

Personal information

B.88 ‘Personal information’ is defined as any ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable:

B.89 Common examples are an individual’s name, signature, address, telephone number, date of birth, medical records, bank account details, employment details and commentary or opinion about a person.

B.90 Personal information of one individual may also be personal information of another individual. Examples include a marriage certificate that contains personal information of both parties to a marriage, and a vocational reference that includes personal information about both the author and the subject of the reference.

B.91 The personal information ‘about’ an individual may be broader than the item of information that identifies them. For example, a vocational reference or assessment may comment on a person’s career, performance, attitudes and aptitude. Similarly, the views expressed by the author of the reference may also be personal information about the author.

B.92 Personal information that has been de-identified will no longer be personal information. Personal information is de-identified if the information is no longer about an identifiable individual or an individual who is reasonably identifiable (see paragraph B.59).

B.93 What constitutes personal information will vary, depending on whether an individual can be identified or is reasonably identifiable in the particular circumstances.

Meaning of ‘reasonably identifiable’

B.94 Whether an individual is ‘reasonably identifiable’ from particular information will depend on considerations that include:[28]

B.95 The following are given as examples of how those considerations may apply to particular items of information:

B.96 Whether a person is ‘reasonably identifiable’ is an objective test that has practical regard to the context in which the issue arises. Even though it may be technically possible to identify an individual from information, if doing so is so impractical that there is almost no likelihood of it occurring, the information would not generally be regarded as ‘personal information’.[31] An individual may not be reasonably identifiable if the steps required to do so are excessively time-consuming or costly in all the circumstances.

B.97 Where it is unclear whether an individual is ‘reasonably identifiable’, an APP entity should err on the side of caution and treat the information as personal information.

Deceased persons

B.98 The definition of ‘personal information’ in s 6(1) refers to information or an opinion about an ‘individual.’ An ‘individual’ means ‘a natural person’ (s 6(1)). The ordinary meaning of ‘natural person’ does not include deceased persons.[32]

B.99 Information about a deceased person may include information about a living individual and be ‘personal information’ for the purposes of the Privacy Act. For example, information that a deceased person had an inheritable medical condition may indicate that the deceased person’s descendants have an increased risk of that condition. If the descendants are identifiable, that information would be personal information about the descendants. The privacy interests of family members could therefore be considered when handling information about deceased persons.

Purpose

B.100 The purpose of an action is the reason why it is done. The purpose for which an APP entity collects, holds, uses and discloses personal information can be relevant to:

Primary purpose and secondary purpose

B.101 The purpose for which an APP entity collects personal information is known as the ‘primary purpose’ of collection. This is the specific function or activity for which the entity collects the personal information. If an APP entity uses or discloses the personal information for another purpose this is known as a ‘secondary purpose’. APP 6 sets out when an APP entity may use or disclose personal information for a secondary purpose (see Chapter 6 (APP 6)).

B.102 Where an APP entity collects personal information directly from an individual, the context will help in identifying the primary purpose of collection. For example, the individual may provide the personal information for a particular purpose, such as buying a particular product or receiving a particular service. This is the primary purpose of collection, even if the entity has additional secondary purposes in mind.

B.103 Where an APP entity receives unsolicited personal information or collects personal information about an individual from a third party, the context will again be relevant in identifying the primary purpose of collection. It will also be relevant to consider the function or activity which the personal information is reasonably necessary for, or to which it directly relates. In some instances, an APP entity that receives unsolicited personal information and retains it will have no primary purpose of collection. For example, where the entity could not have collected personal information under APP 3.1 but nevertheless retains it under APP 4, because the information is contained in a Commonwealth record, or because it is not lawful or reasonable for the entity to destroy it (see APP 4, Chapter 4).

Describing the primary purpose

B.104 How broadly a purpose can be described will depend on the circumstances and should be determined on a case-by-case basis. In cases of ambiguity, and with a view to protecting individual privacy, the primary purpose for collection, use or disclosure should be construed narrowly rather than expansively.

B.105 The primary purpose may nevertheless be described in general terms, as long as the description is adequate to inform an individual of how the APP entity may use or disclose their personal information. A description – the information will be used ‘for the functions of the entity’ – would generally be considered too broad. Instead, the primary purpose of collection could be described as to:

B.106 An APP entity does not need to include in its description internal purposes that form part of normal business practices, such as auditing, business planning, billing or de-identifying personal information.

Key concepts R to Z

Reasonable, reasonably

B.107 The terms ‘reasonable’ and ‘reasonably’ are used in the Privacy Act and APPs to qualify a test or obligation. Examples include that ‘personal information’ is information about an individual who is ‘reasonably’ identifiable (s 6(1)) and an APP entity must not collect personal information unless it is ‘reasonably necessary’ for one or more of the entity’s functions or activities (APP 3).

B.108 ‘Reasonable’ and ‘reasonably’ are not defined in the Privacy Act. The terms bear their ordinary meaning, as being based upon or according to reason and capable of sound explanation. What is reasonable is a question of fact in each individual case. It is an objective test that has regard to how a reasonable person, who is properly informed, would be expected to act in the circumstances. What is reasonable can be influenced by current standards and practices.[33] It is the responsibility of an APP entity to be able to justify that its conduct was reasonable. In a related context, the High Court has observed that whether there are ‘reasonable grounds’ to support a course of action ‘requires the existence of facts which are sufficient to [persuade] a reasonable person’;[34] it ‘involves an evaluation of the known facts, circumstances and considerations which may bear rationally upon the issue in question’.[35] As that indicates, there may be a conflicting range of objective circumstances to be considered, and the factors in support of a conclusion should outweigh those against.

B.109 The terms ‘reasonable’ and ‘reasonably’ are discussed further in the APP guidelines, as they arise in the context of each of the relevant APPs.

Reasonable steps

B.110 A number of the APPs require an APP entity to ‘take such steps as are reasonable in the circumstances’ (for example, APP 1.2 (see Chapter 1), APP 8.1 (see Chapter 8) and APP 11 (see Chapter 11)). The shorthand expression used in the APP guidelines is ‘reasonable steps’.[36]

B.111 The ‘reasonable steps’ test is an objective test, and is to be applied in the same manner as ‘reasonable’ and ‘reasonably’. It is the responsibility of an APP entity to be able to justify that reasonable steps were taken.

B.112 Some APPs require an APP entity to take ‘such steps (if any) as are reasonable in the circumstances’ (for example, APP 5.1 (see Chapter 5), APP 10 (see Chapter 10), APP 12.5 (see Chapter 12), and APPs 13.1 and 13.2 (see Chapter 13)). The inclusion of ‘(if any)’ acknowledges that in some circumstances an entity will satisfy the requirement to take reasonable steps by taking no steps.

Reasonably believes

B.113 A number of the exceptions to the APPs require an APP entity to have a ‘reasonable belief’ about a particular matter (see, for example, APP 3.4 (Chapter 3), APP 6.2(e) (Chapter 6), APP 8.2 (Chapter 8) and Permitted general situations (Chapter C)).

B.114 The phrase ‘reasonable belief’ is to be applied in the same manner as ‘reasonable’ and ‘reasonably’. That is, the APP entity must have a reasonable basis for the belief, and not merely a genuine or subjective belief. The requirement for a reasonable belief precludes arbitrary action, but may still leave something to surmise or conjecture.[37] It is the responsibility of an entity to be able to justify its reasonable belief.

Reasonably necessary and necessary

B.115 A number of APPs require a collection, use or disclosure to be ‘reasonably necessary’ for a particular purpose – see APPs 3, 6, 8 and 9. Certain permitted general situations and permitted health situations refer to a collection, use or disclosure being ‘necessary’ for a particular purpose (see Chapters C and D), and APP 7 refers to a use or disclosure being ‘necessary’ to meet a contractual obligation (see Chapter 7).

B.116 The term ‘reasonable’ is discussed at paragraphs B.104–B.106. ‘Necessary’ is not defined in the Privacy Act. The High Court of Australia has noted that ‘there is, in Australia, a long history of judicial and legislative use of the term “necessary”, not as meaning essential or indispensable, but as meaning reasonably appropriate and adapted’.[38] However, in the context of the Privacy Act, it would not be sufficient if the collection, use or disclosure is merely helpful, desirable or convenient.

B.117 The ‘reasonably necessary’ test is an objective test: whether a reasonable person who is properly informed would agree that the collection, use or disclosure is necessary. It is the responsibility of an APP entity to be able to justify that the particular collection, use or disclosure is reasonably necessary.

B.118 The test must be applied in a practical sense. For example, under APP 3 if an entity cannot in practice effectively pursue a function or activity without collecting personal information, the collection would usually be considered reasonably necessary for that function or activity. However, a collection, use or disclosure of personal information will not usually be considered reasonably necessary if there are reasonable alternatives available, for example, if de-identified information would be sufficient for the function or activity.

B.119 An APP entity cannot rely solely on normal business practice in assessing whether a collection, use or disclosure is reasonably necessary. The primary issue is whether, in the circumstances of a particular entity, a collection, use or disclosure is reasonably necessary for a particular function or activity.

B.120 The term ‘necessary’ rather than ‘reasonably necessary’ is used in certain permitted general situations and permitted health situations, and in APP 7. The context explains this different usage. For example, a permitted health situation may exist if the collection of personal information is ‘necessary’ for public health research that is conducted in accordance with relevant guidelines. Similarly, APP 7.5 refers to the use or disclosure of personal information for the purpose of direct marketing where that is ‘necessary’ to meet a contractual obligation. In some of the permitted general situations and permitted health situations the test is whether an APP entity ‘reasonably believes’ that the collection, use or disclosure of personal information is ‘necessary’ for a particular purpose, such as lessening or preventing a serious threat to a person’s health or safety.

Recognised external dispute resolution scheme

B.121 ‘Recognised external dispute resolution scheme’ is defined as ‘an external dispute resolution scheme recognised under section 35A’ (s 6(1)).

B.122 Section 35A(1) gives the Information Commissioner power to recognise an external dispute resolution scheme for an entity or a class of entities, or for a specified purpose. A register of recognised external dispute resolution schemes is maintained on the Office of the Australian Information Commissioner website.[39]

B.123 An individual who considers that an APP entity has interfered with their privacy may complain to a recognised EDR scheme of which the entity is a member, if the complaint falls within the scope of the EDR scheme’s recognition. For further discussion of recognised EDR schemes, and their role in handling privacy-related complaints, see Guidelines for Recognising External Dispute Resolution Schemes under s 35A of the Privacy Act.[40]

Registered APP code

B.124 A ‘registered APP code’ is defined as an APP code that is included on the Codes Register and that is in force (s 26B(1)). A registered APP code is a legislative instrument (s 26B(2)). The requirements in relation to registered APP codes are set out in Division 2 of Part IIIB.

B.125 An ‘APP code’ is defined as a written code of practice about information privacy (s 26C). It can be developed by an APP entity, either on its own initiative or on request from the Information Commissioner, or by the Information Commissioner directly (ss 26E and 26G). A code may be expressed to apply to all or a specified type of personal information, a specified activity or class of activities of an APP entity, a specified industry sector or professions or specified class of industry sectors or professions, or APP entities that use technology of a specified kind (s 26C(4)).

B.126 The Information Commissioner has power to approve and register an APP code (provided certain conditions are met) by including it on the Codes Register (s 26H).

B.127 Once an APP code is registered, an APP entity bound by the code must not do an act, or engage in a practice, that breaches that code. A breach of a registered APP code will be ‘an interference with the privacy of an individual’ by the entity under s 13(1)(b).

B.128 A registered APP code does not replace the APPs for the entities which it binds, but operates in addition to the requirements of the APPs.[41] For further discussion about the development of APP codes, and the requirements and process for recognition, see the Guidelines for Developing Codes.[42]

B.129 Section 6(8) provides that ‘the question whether bodies corporate are related to each other is determined in the manner in which that question is determined under the Corporations Act 2001’.

B.130 Section 13B(1) permits related bodies corporate to share personal information (other than sensitive information) in certain circumstances. The effect of s 13B(1) is discussed further in Chapter 3 (APP 3) and Chapter 6 (APP 6).

B.131 A number of the APPs provide an exception if an APP entity is ‘required or authorised by or under an Australian law or a court/tribunal order’ to act differently (for example, APP 3.4(a) (Chapter 3), APP 6.2(b) (Chapter 6) and APP 12.3(g) (Chapter 12)). Some other provisions refer more narrowly to an act that is ‘required by or under an Australian law (other than this Act)’ (s 16B(2) (Chapter D)) or ‘required by or under an Australian law, or a court order’ (APP 11.2(d) (Chapter 11)), and do not include an act that is ‘authorised’.

Meaning of ‘required’

B.132 An APP entity that is ‘required’ by an Australian law or a court/tribunal order to handle information in a particular way has a legal obligation to do so, and cannot choose to act differently. The obligation will usually be indicated by words such as ‘must’ or ‘shall’, and may be accompanied by a sanction for non-compliance.

Meaning of ‘authorised’

B.133 An APP entity that is ‘authorised’ under an Australian law or a court/tribunal order has discretion as to whether it will handle information in a particular way. The entity is permitted to take the action but is not required to do so. The authorisation may be indicated by a word such as ‘may’, but may also be implied rather than expressed in the law or order.

B.134 An APP entity may be impliedly authorised by law to handle personal information in a particular way, where a law requires or authorises a function or activity, and this directly entails the information handling practice. For example, a statute that authorises an APP entity to collect personal information about an individual from a third party implicitly authorises the entity to disclose the individual’s identity to the third party.

B.135 An act or practice is not ‘authorised’ solely because there is no law or court/tribunal order prohibiting it. Nor can an act or practice rely solely on a general or incidental authority conferred by statute upon an agency to do anything necessary or convenient for, or incidental to or consequential upon, the specific functions and powers of the agency. The reason is that the purpose of the APPs is to protect the privacy of individuals by imposing obligations on APP entities in handling personal information. A law will not authorise an exception to those requirements unless it does so by clear and direct language.[43]

Meaning of ‘Australian law’

B.136 ‘Australian law’ is defined as:

B.137 The definition of Australian law does not include a contract.[44] Consequently, an obligation imposed by contract upon a party to handle information in a particular way will not provide authority for the purposes of the ‘required or authorised by or under an Australian law or court/tribunal order’ exception.

Meaning of ‘court/tribunal order’

B.138 ‘Court/tribunal order’ is defined as an order, direction or other instrument made by a court, a tribunal, a judge, a magistrate, a person acting as a judge or magistrate, a judge or magistrate acting in a personal capacity, and a member or an officer of a tribunal (s 6(1)).

B.139 The definition applies to orders and the like issued by Commonwealth, State and Territory courts, tribunals and members and officers. The definition includes an order, direction or other instrument that is of an interim or interlocutory nature.

B.140 The reference to a judge or a magistrate acting in a personal capacity means that the definition applies to an order or direction issued by a judge or magistrate who has been appointed by government to an office or inquiry that involves the exercise of administrative or executive functions, including functions that are quasi-judicial in nature.[45] An example is a judge who is appointed by government to conduct a royal commission.

Sensitive information

B.141 ‘Sensitive information’ is a subset of personal information and is defined as:

B.142 Information may be sensitive information where it clearly implies one of these matters. For example, many surnames have a particular racial or ethnic origin, but that alone will not constitute sensitive information that clearly indicates the racial or ethnic origin of an individual with that surname.

B.143 Terms such as ‘political opinions’ and ‘philosophical beliefs’ are not defined in the Privacy Act. They take their ordinary meaning and should be interpreted broadly. However, not every value, belief or opinion of an individual will be considered to be a political opinion or philosophical belief.

B.144 Sensitive information is generally afforded a higher level of privacy protection under the APPs than other personal information (for example, see APPs 3, 6 and 7). This recognises that inappropriate handling of sensitive information can have adverse consequences for an individual or those associated with the individual. For example, discrimination or mistreatment is sometimes based on a person’s race or ethnic origin or union membership. Mishandling of sensitive information may also cause humiliation or embarrassment or undermine an individual’s dignity.

Use

B.145 ‘Use’ is not defined in the Privacy Act. Use is a separate concept from disclosure, which is discussed at paragraphs B.63–B.68. As noted at paragraph B.69, many APP requirements apply to both the ‘use’ and ‘disclosure’ of personal information, and in those situations it is not necessary to distinguish both concepts.

B.146 Generally, an APP entity uses personal information when it handles and manages that information within the entity’s effective control. Examples include:

B.147 In limited circumstances, providing personal information to a contractor to perform services on behalf of the APP entity may be a use, rather than a disclosure (see paragraphs B.63–B.68). This occurs where the entity does not release the subsequent handling of personal information from its effective control. For example, if an entity provides personal information to a cloud service provider for the limited purpose of performing the services of storing and ensuring the entity may access the personal information, this may be a ‘use’ by the entity in the following circumstances: