APP 1: Open and Transparent Management of Personal Information
APP entities will be deemed accountable for taking
proactive steps to manage risks to data at every stage from
collection, use and storage to destruction. Emphasis is placed on
the importance of IT security systems, privacy impact assessments
for new projects and procedures for reporting breaches. Also
important are easily accessible and up-to-date privacy

APP 2: Anonymity and Pseudonymity
It is anticipated that individuals will have the right to
deal with organisations where they cannot be identified from the
data they provide, by opting not to provide personal information,
or by providing a different name, term or descriptor. The aim is to
give individuals greater control over their personal information
and is seen as a method of assisting organisations with reducing
their compliance burden. Organisations would need to prominently
state when it is not necessary for an individual to provide

APP 3: Collection of Solicited Personal
APP entities will only be able to solicit information collected
from other entities which is reasonably necessary or directly
related to the entities' functions or activities. There will also
be an additional obligation to seek explicit direct consent from
individuals when soliciting sensitive personal data except (a)
where it is permitted by law (b) where a permitted general
situation exists (c) where a permitted health situation
exists (d) for an enforcement activity or (e) by a non-profit

APP 4: Dealing with Unsolicited Personal Information
This principle aims to address how organisations should
deal with data which they have not actively sought to collect but
which falls within their control, such as information received that is
surplus to their function. If the data could not have been collected
under APP 3, then it must be either destroyed or

APP 5: Notification of the Collection of Personal Information
Before or at the time of collection of any information,
organisations will be expected to ensure that individuals are fully
informed as to the APP entity's identity, the purpose for
collection, the consequences if that information is not collected
and any intended disclosure.

Further draft guidelines are expected to be released over the
next few weeks and will cover the remaining APPs, which deal with
topics including direct marketing, cross-border disclosure of
personal information and data security.
This article is presented for informational purposes only
and is not intended to constitute legal advice.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.