The main changes to the Privacy Act are contained in the APPs; however, there are other changes that agencies need to understand. This summary sets out some of the key provisions that are not contained in the APPs.

Exceptions to the APPs

The general rule is that an agency covered by the APPs must not act in a way that breaches them; however, there are exceptions. The main exceptions are in "permitted general situations" and "permitted health situations".

Exception 1—permitted general situations

Personal information may be collected, used or disclosed without breaching the APPs where:

  • it is unreasonable or impracticable to obtain the individual's consent and the agency reasonably believes that the collection, use or disclosure is necessary to lessen or prevent a serious threat to life, health or safety of an individual or is necessary for public health and safety, or
  • there is reason to suspect there is unlawful activity or serious misconduct relating to the agency and the agency reasonably believes that the collection, use or disclosure is necessary to take appropriate action in relation to the matter, or
  • the agency reasonably believes it is necessary to help locate a missing person (provided this is in keeping with any rules made by the Privacy Commissioner), or
  • the agency reasonably believes it is necessary for its diplomatic or consular functions or activities.

The Defence Force may also collect, use or disclose personal information where it reasonably believes it is necessary for its overseas operations.

Exception 2—permitted health situations

Health information may be collected, used and disclosed in certain situations without breaching the APPs. This exception is essentially the same as under the 2000 reform to the Privacy Act, which permits the collection, use or disclosure where the information is necessary to provide a health service to the individual and it is:

  • required by or authorised under Australian law, or
  • in line with rules established by competent health or medical bodies.

Other obligations not contained in the APPs

Agencies will also need to be aware of obligations and key concepts contained in other provisions of the Act, including:

  • the definitions of key concepts, including some of those referred to in the APPs
  • expansion of the extra-territorial operation of the Privacy Act
  • responsibilities of agencies where they disclose personal information to an overseas recipient
  • external dispute resolution schemes
  • APP Codes, and
  • obligations on agencies if they engage contracted service providers.

Information Commissioner's guidance, monitoring and advice-related functions

The amendments enhance the powers of the Office of the Australian Information Commissioner (Information Commissioner) in relation to its guidance, monitoring and advice functions, and to auditing compliance.

In particular, the Information Commissioner may:

  • accept enforceable undertakings from an entity
  • apply to the Federal Court or Federal Circuit Court for an order that an entity pay a civil penalty, and
  • conduct own-motion assessments of compliance with the APPs.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.