Scribd
Upload
209 views11 pages

Australian Privacy Principles (OAIC)

This document provides the text of the 13 Australian Privacy Principles (APPs) which replace the National Privacy Principles and Information Privacy Principles. The APPs came into effect on March 12, 2014 and apply to organizations and Australian government agencies. The APPs cover open and transparent management of personal information, including requiring entities to have a clearly expressed privacy policy. They also cover the anonymity and pseudonymity of individuals, and restrictions on the collection of solicited personal information, including sensitive information. Entities must not collect personal information unless it is reasonably necessary for their functions or activities.

Uploaded by

Camilo Perez
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
209 views11 pages

Australian Privacy Principles (OAIC)

This document provides the text of the 13 Australian Privacy Principles (APPs) which replace the National Privacy Principles and Information Privacy Principles. The APPs came into effect on March 12, 2014 and apply to organizations and Australian government agencies. The APPs cover open and transparent management of personal information, including requiring entities to have a clearly expressed privacy policy. They also cover the anonymity and pseudonymity of individuals, and restrictions on the collection of solicited personal information, including sensitive information. Entities must not collect personal information unless it is reasonably necessary for their functions or activities.

Uploaded by

Camilo Perez
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 11

Privacy fact sheet 17

Australian Privacy Principles


January 2014

From 12 March 2014, the Australian Privacy Principles (APPs) will replace the National Privacy Principles
and Information Privacy Principles and will apply to organisations, and Australian Government (and Norfolk Island
Government) agencies.
This privacy fact sheet provides the text of the 13 APPs from Schedule 1 of the Privacy Amendment (Enhancing
Privacy Protection) Act 2012, which amends the Privacy Act 1988. For the latest versions of these Acts visit
the ComLaw website: www.comlaw.gov.au.

Part 1—Consideration of personal (b) how the entity collects and holds personal
information privacy information;
(c) the purposes for which the entity collects,
Australian Privacy Principle 1—open and
holds, uses and discloses personal
transparent management of personal information;
information
(d) how an individual may access personal
1.1 The object of this principle is to ensure that APP information about the individual that is held
entities manage personal information in an open by the entity and seek the correction of
and transparent way. such information;

Compliance with the Australian Privacy (e) how an individual may complain about a
Principles etc. breach of the Australian Privacy Principles,
or a registered APP code (if any) that binds
1.2 An APP entity must take such steps as are the entity, and how the entity will deal with
reasonable in the circumstances to implement such a complaint;
practices, procedures and systems relating to the
entity’s functions or activities that: (f) whether the entity is likely to disclose
personal information to overseas recipients;
(a) will ensure that the entity complies with the
Australian Privacy Principles and a registered (g) if the entity is likely to disclose personal
APP code (if any) that binds the entity; and information to overseas recipients—the
countries in which such recipients are likely
(b) will enable the entity to deal with inquiries to be located if it is practicable to specify
or complaints from individuals about the those countries in the policy.
entity’s compliance with the Australian
Privacy Principles or such a code.
Availability of APP privacy policy etc.
APP Privacy policy 1.5 An APP entity must take such steps as are
1.3 An APP entity must have a clearly expressed and reasonable in the circumstances to make its APP
up to date policy (the APP privacy policy) about the privacy policy available:
management of personal information by the entity. (a) free of charge; and
1.4 Without limiting subclause 1.3, the APP privacy (b) in such form as is appropriate.
policy of the APP entity must contain the following Note: An APP entity will usually make its APP privacy
information: policy available on the entity’s website.
(a) the kinds of personal information that the
entity collects and holds;

Privacy fact sheet 17 – Australian Privacy Princples


1.6 If a person or body requests a copy of the APP (i) if the entity is an agency—the
privacy policy of an APP entity in a particular form, information is reasonably necessary for,
the entity must take such steps as are reasonable in or directly related to, one or more of
the circumstances to give the person or body a copy the entity’s functions or activities; or
in that form.
(ii) if the entity is an organisation—the
information is reasonably necessary for
Australian Privacy Principle 2—anonymity and one or more of the entity’s functions or
pseudonymity activities; or
2.1 Individuals must have the option of not (b) subclause 3.4 applies in relation to the
identifying themselves, or of using a pseudonym, information.
when dealing with an APP entity in relation to a
particular matter. 3.4 This subclause applies in relation to sensitive
information about an individual if:
2.2 Subclause 2.1 does not apply if, in relation to
(a) the collection of the information is required
that matter:
or authorised by or under an Australian law
(a) the APP entity is required or authorised or a court/tribunal order; or
by or under an Australian law, or a court/
(b) a permitted general situation exists in
tribunal order, to deal with individuals who
relation to the collection of the information
have identified themselves; or
by the APP entity; or
(b) it is impracticable for the APP entity to deal
(c) the APP entity is an organisation and a
with individuals who have not identified
permitted health situation exists in relation
themselves or who have used a pseudonym.
to the collection of the information by the
entity; or
Part 2—Collection of personal information (d) the APP entity is an enforcement body and
Australian Privacy Principle 3—collection of the entity reasonably believes that:
solicited personal information (i) if the entity is the Immigration
Personal information other than sensitive Department—the collection of the
information is reasonably necessary
information
for, or directly related to, one or
3.1 If an APP entity is an agency, the entity must not more enforcement related activities
collect personal information (other than sensitive conducted by, or on behalf of, the
information) unless the information is reasonably entity; or
necessary for, or directly related to, one or more of
(ii) otherwise—the collection of the
the entity’s functions or activities.
information is reasonably necessary
3.2 If an APP entity is an organisation, the entity for, or directly related to, one or more
must not collect personal information (other than of the entity’s functions or activities; or
sensitive information) unless the information is (e) the APP entity is a non-profit organisation
reasonably necessary for one or more of the entity’s and both of the following apply:
functions or activities.
(i) the information relates to the activities
of the organisation;
Sensitive information
(ii) the information relates solely to the
3.3 An APP entity must not collect sensitive members of the organisation, or to
information about an individual unless: individuals who have regular contact
(a) the individual consents to the collection of with the organisation in connection
the information and: with its activities.

Privacy fact sheet 17 – Australian Privacy Principles 2


Note: For permitted general situation, see section 16A. (b) the information is not contained in a
For permitted health situation, see section 16B. Commonwealth record;
the entity must, as soon as practicable but only if
Means of collection it is lawful and reasonable to do so, destroy the
3.5 An APP entity must collect personal information information or ensure that the information is de-
only by lawful and fair means. identified.

3.6 An APP entity must collect personal information 4.4 If subclause 4.3 does not apply in relation to the
about an individual only from the individual unless: personal information, Australian Privacy Principles
5 to 13 apply in relation to the information as if
(a) if the entity is an agency: the entity had collected the information under
(i) the individual consents to the collection Australian Privacy Principle 3.
of the information from someone other
than the individual; or
Australian Privacy Principle 5—notification of
(ii) the entity is required or authorised the collection of personal information
by or under an Australian law, or a
court/tribunal order, to collect the 5.1 At or before the time or, if that is not practicable,
information from someone other than as soon as practicable after, an APP entity collects
the individual; or personal information about an individual, the entity
must take such steps (if any) as are reasonable in
(b) it is unreasonable or impracticable to do so. the circumstances:
(a) to notify the individual of such matters
Solicited personal information
referred to in subclause 5.2 as are
3.7 This principle applies to the collection of personal reasonable in the circumstances; or
information that is solicited by an APP entity.
(b) to otherwise ensure that the individual is
aware of any such matters.
Australian Privacy Principle 4—dealing with
unsolicited personal information 5.2 The matters for the purposes of subclause 5.1
are as follows:
4.1 If:
(a) the identity and contact details of the APP
(a) an APP entity receives personal information; entity;
and
(b) if:
(b) the entity did not solicit the information;
(i) the APP entity collects the personal
the entity must, within a reasonable period after information from someone other than
receiving the information, determine whether or the individual; or
not the entity could have collected the information
under Australian Privacy Principle 3 if the entity had (ii) the individual may not be aware
solicited the information. that the APP entity has collected the
personal information;
4.2 The APP entity may use or disclose the personal
the fact that the entity so collects, or
information for the purposes of making the
has collected, the information and the
determination under subclause 4.1.
circumstances of that collection;
4.3 If: (c) if the collection of the personal information
(a) the APP entity determines that the entity is required or authorised by or under an
could not have collected the personal Australian law or a court/tribunal order—
information; and the fact that the collection is so required

Privacy fact sheet 17 – Australian Privacy Principles 3


or authorised (including the name of the Part 3—Dealing with personal
Australian law, or details of the court/ information
tribunal order, that requires or authorises
the collection); Australian Privacy Principle 6—use or
(d) the purposes for which the APP entity disclosure of personal information
collects the personal information; Use or disclosure
(e) the main consequences (if any) for the 6.1 If an APP entity holds personal information
individual if all or some of the personal about an individual that was collected for a
information is not collected by the APP particular purpose (the primary purpose), the
entity; entity must not use or disclose the information for
(f) any other APP entity, body or person, or another purpose (the secondary purpose) unless:
the types of any other APP entities, bodies (a) the individual has consented to the use or
or persons, to which the APP entity usually disclosure of the information; or
discloses personal information of the kind
collected by the entity; (b) subclause 6.2 or 6.3 applies in relation to
the use or disclosure of the information.
(g) that the APP privacy policy of the APP
entity contains information about how Note: Australian Privacy Principle 8 sets out
the individual may access the personal requirements for the disclosure of personal
information about the individual that is information to a person who is not in Australia or an
held by the entity and seek the correction external Territory.
of such information;
6.2 This subclause applies in relation to the use
(h) that the APP privacy policy of the APP or disclosure of personal information about an
entity contains information about how the individual if:
individual may complain about a breach
(a) the individual would reasonably expect the
of the Australian Privacy Principles, or a
APP entity to use or disclose the information
registered APP code (if any) that binds the
for the secondary purpose and the
entity, and how the entity will deal with
secondary purpose is:
such a complaint;
(i) if the information is sensitive
(i) whether the APP entity is likely to disclose
information—directly related to the
the personal information to overseas
primary purpose; or
recipients;
(ii) if the information is not sensitive
(j) if the APP entity is likely to disclose
information—related to the primary
the personal information to overseas
purpose; or
recipients—the countries in which such
recipients are likely to be located if it is (b) the use or disclosure of the information
practicable to specify those countries in is required or authorised by or under an
the notification or to otherwise make the Australian law or a court/tribunal order; or
individual aware of them. (c) a permitted general situation exists in
relation to the use or disclosure of the
information by the APP entity; or
(d) the APP entity is an organisation and a
permitted health situation exists in relation
to the use or disclosure of the information
by the entity; or

Privacy fact sheet 17 – Australian Privacy Principles 4


(e) the APP entity reasonably believes that this principle applies as if the entity’s primary
the use or disclosure of the information purpose for the collection of the information were
is reasonably necessary for one or more the primary purpose for which the related body
enforcement related activities conducted corporate collected the information.
by, or on behalf of, an enforcement body.
Note: For permitted general situation, see section 16A. Exceptions
For permitted health situation, see section 16B. 6.7 This principle does not apply to the use or
disclosure by an organisation of:
6.3 This subclause applies in relation to the
disclosure of personal information about an (a) personal information for the purpose of
individual by an APP entity that is an agency if: direct marketing; or
(a) the agency is not an enforcement body; and (b) government related identifiers.
(b) the information is biometric information or
biometric templates; and Australian Privacy Principle 7—direct marketing
(c) the recipient of the information is an Direct marketing
enforcement body; and 7.1 If an organisation holds personal information
(d) the disclosure is conducted in accordance about an individual, the organisation must not use
with the guidelines made by the or disclose the information for the purpose of direct
Commissioner for the purposes of this marketing.
paragraph. Note: An act or practice of an agency may be
treated as an act or practice of an organisation, see
6.4 If: section 7A.
(a) the APP entity is an organisation; and
(b) subsection 16B(2) applied in relation to the Exceptions—personal information other than
collection of the personal information by the sensitive information
entity; 7.2 Despite subclause 7.1, an organisation may
the entity must take such steps as are reasonable use or disclose personal information (other than
in the circumstances to ensure that the information sensitive information) about an individual for the
is de-identified before the entity discloses it in purpose of direct marketing if:
accordance with subclause 6.1 or 6.2. (a) the organisation collected the information
from the individual; and
Written note of use or disclosure (b) the individual would reasonably expect
6.5 If an APP entity uses or discloses personal the organisation to use or disclose the
information in accordance with paragraph 6.2(e), information for that purpose; and
the entity must make a written note of the use or
disclosure. (c) the organisation provides a simple means by
which the individual may easily request not
to receive direct marketing communications
Related bodies corporate from the organisation; and
6.6 If: (d) the individual has not made such a request
(a) an APP entity is a body corporate; and to the organisation.
(b) the entity collects personal information
from a related body corporate;

Privacy fact sheet 17 – Australian Privacy Principles 5


7.3 Despite subclause 7.1, an organisation may Exception—contracted service providers
use or disclose personal information (other than 7.5 Despite subclause 7.1, an organisation may use
sensitive information) about an individual for the or disclose personal information for the purpose of
purpose of direct marketing if: direct marketing if:
(a) the organisation collected the information (a) the organisation is a contracted service
from: provider for a Commonwealth contract; and
(i) the individual and the individual (b) the organisation collected the information
would not reasonably expect the for the purpose of meeting (directly or
organisation to use or disclose the indirectly) an obligation under the contract;
information for that purpose; or and
(ii) someone other than the individual; (c) the use or disclosure is necessary to meet
and (directly or indirectly) such an obligation.
(b) either:
(i) the individual has consented to the Individual may request not to receive direct
use or disclosure of the information marketing communications etc.
for that purpose; or 7.6 If an organisation (the first organisation) uses or
(ii) it is impracticable to obtain that discloses personal information about an individual:
consent; and (a) for the purpose of direct marketing by the
(c) the organisation provides a simple means by first organisation; or
which the individual may easily request not (b) for the purpose of facilitating direct
to receive direct marketing communications marketing by other organisations;
from the organisation; and
the individual may:
(d) in each direct marketing communication
with the individual: (c) if paragraph (a) applies—request not to
receive direct marketing communications
(i) the organisation includes a prominent from the first organisation; and
statement that the individual may
make such a request; or (d) if paragraph (b) applies—request the
organisation not to use or disclose the
(ii) the organisation otherwise draws information for the purpose referred to in
the individual’s attention to the fact that paragraph; and
that the individual may make such a
request; and (e) request the first organisation to provide its
source of the information.
(e) the individual has not made such a request
to the organisation. 7.7 If an individual makes a request under
subclause 7.6, the first organisation must not charge
Exception—sensitive information the individual for the making of, or to give effect to,
the request and:
7.4 Despite subclause 7.1, an organisation may use
or disclose sensitive information about an individual (a) if the request is of a kind referred to in
for the purpose of direct marketing if the individual paragraph 7.6(c) or (d)—the first organisation
has consented to the use or disclosure of the must give effect to the request within a
information for that purpose. reasonable period after the request is made;
and

Privacy fact sheet 17 – Australian Privacy Principles 6


(b) if the request is of a kind referred to information in a way that, overall, is at
in paragraph 7.6(e)—the organisation least substantially similar to the way in
must, within a reasonable period after which the Australian Privacy Principles
the request is made, notify the individual protect the information; and
of its source unless it is impracticable or
(ii) there are mechanisms that the
unreasonable to do so.
individual can access to take action to
enforce that protection of the law or
Interaction with other legislation binding scheme; or
7.8 This principle does not apply to the extent that (b) both of the following apply:
any of the following apply:
(i) the entity expressly informs the
(a) the Do Not Call Register Act 2006; individual that if he or she consents
(b) the Spam Act 2003; to the disclosure of the information,
subclause 8.1 will not apply to the
(c) any other Act of the Commonwealth, or a
disclosure;
Norfolk Island enactment, prescribed by the
regulations. (ii) after being so informed, the individual
consents to the disclosure; or
Australian Privacy Principle 8—cross-border (c) the disclosure of the information is required
disclosure of personal information or authorised by or under an Australian law
8.1 Before an APP entity discloses personal or a court/tribunal order; or
information about an individual to a person (the (d) a permitted general situation (other than
overseas recipient): the situation referred to in item 4 or 5 of the
(a) who is not in Australia or an external table in subsection 16A(1)) exists in relation
Territory; and to the disclosure of the information by the
APP entity; or
(b) who is not the entity or the individual;
(e) the entity is an agency and the disclosure
the entity must take such steps as are reasonable of the information is required or authorised
in the circumstances to ensure that the overseas by or under an international agreement
recipient does not breach the Australian Privacy relating to information sharing to which
Principles (other than Australian Privacy Principle 1) Australia is a party; or
in relation to the information.
(f) the entity is an agency and both of the
Note: In certain circumstances, an act done, or a following apply:
practice engaged in, by the overseas recipient is
taken, under section 16C, to have been done, or
(i) the entity reasonably believes that
engaged in, by the APP entity and to be a breach of
the disclosure of the information
the Australian Privacy Principles.
is reasonably necessary for one or
more enforcement related activities
8.2 Subclause 8.1 does not apply to the disclosure conducted by, or on behalf of, an
of personal information about an individual by an enforcement body;
APP entity to the overseas recipient if: (ii) the recipient is a body that performs
(a) the entity reasonably believes that: functions, or exercises powers, that are
similar to those performed or exercised
(i) the recipient of the information is
by an enforcement body.
subject to a law, or binding scheme,
that has the effect of protecting the Note: For permitted general situation, see section 16A.

Privacy fact sheet 17 – Australian Privacy Principles 7


Australian Privacy Principle 9—adoption, use or Note 1: An act or practice of an agency may be
disclosure of government related identifiers treated as an act or practice of an organisation, see
section 7A.
Adoption of government related identifiers
Note 2: For permitted general situation, see
9.1 An organisation must not adopt a government section 16A.
related identifier of an individual as its own
identifier of the individual unless:
Regulations about adoption, use or disclosure
(a) the adoption of the government related 9.3 This subclause applies in relation to the
identifier is required or authorised by or adoption, use or disclosure by an organisation of a
under an Australian law or a court/tribunal government related identifier of an individual if:
order; or
(a) the identifier is prescribed by the
(b) subclause 9.3 applies in relation to the regulations; and
adoption.
(b) the organisation is prescribed by the
Note: An act or practice of an agency may be treated regulations, or is included in a class of
as an act or practice of an organisation, see section 7A. organisations prescribed by the regulations;
and
Use or disclosure of government related
(c) the adoption, use or disclosure occurs
identifiers
in the circumstances prescribed by the
9.2 An organisation must not use or disclose a regulations.
government related identifier of an individual
Note: There are prerequisites that must be satisfied
unless:
before the matters mentioned in this subclause are
(a) the use or disclosure of the identifier is prescribed, see subsections 100(2) and (3).
reasonably necessary for the organisation to
verify the identity of the individual for the
purposes of the organisation’s activities or Part 4—Integrity of personal information
functions; or
Australian Privacy Principle 10—quality of
(b) the use or disclosure of the identifier is personal information
reasonably necessary for the organisation to
fulfil its obligations to an agency or a State 10.1 An APP entity must take such steps (if any) as
or Territory authority; or are reasonable in the circumstances to ensure that
the personal information that the entity collects is
(c) the use or disclosure of the identifier is accurate, up to date and complete.
required or authorised by or under an
Australian law or a court/tribunal order; or 10.2 An APP entity must take such steps (if any) as
are reasonable in the circumstances to ensure that
(d) a permitted general situation (other than
the personal information that the entity uses or
the situation referred to in item 4 or 5 of the
discloses is, having regard to the purpose of the use
table in subsection 16A(1)) exists in relation
or disclosure, accurate, up to date, complete and
to the use or disclosure of the identifier; or
relevant.
(e) the organisation reasonably believes that
the use or disclosure of the identifier is
reasonably necessary for one or more Australian Privacy Principle 11—security of
enforcement related activities conducted personal information
by, or on behalf of, an enforcement body; or 11.1 If an APP entity holds personal information, the
(f) subclause 9.3 applies in relation to the use entity must take such steps as are reasonable in the
or disclosure. circumstances to protect the information:

Privacy fact sheet 17 – Australian Privacy Principles 8


(a) from misuse, interference and loss; and then, despite subclause 12.1, the entity is not
required to give access to the extent that the entity
(b) from unauthorised access, modification or
is required or authorised to refuse to give access.
disclosure.

11.2 If: Exception to access—organisation


(a) an APP entity holds personal information 12.3 If the APP entity is an organisation then,
about an individual; and despite subclause 12.1, the entity is not required
to give the individual access to the personal
(b) the entity no longer needs the information
information to the extent that:
for any purpose for which the information
may be used or disclosed by the entity (a) the entity reasonably believes that giving
under this Schedule; and access would pose a serious threat to the
life, health or safety of any individual, or to
(c) the information is not contained in a
public health or public safety; or
Commonwealth record; and
(b) giving access would have an unreasonable
(d) the entity is not required by or under an
impact on the privacy of other individuals; or
Australian law, or a court/tribunal order, to
retain the information; (c) the request for access is frivolous or
vexatious; or
the entity must take such steps as are reasonable in
the circumstances to destroy the information or to (d) the information relates to existing or
ensure that the information is de-identified. anticipated legal proceedings between the
entity and the individual, and would not be
accessible by the process of discovery in
Part 5—Access to, and correction of, those proceedings; or
personal information (e) giving access would reveal the intentions of
Australian Privacy Principle 12—access to the entity in relation to negotiations with
personal information the individual in such a way as to prejudice
those negotiations; or
Access (f) giving access would be unlawful; or
12.1 If an APP entity holds personal information
(g) denying access is required or authorised
about an individual, the entity must, on request
by or under an Australian law or a court/
by the individual, give the individual access to the
tribunal order; or
information.
(h) both of the following apply:
Exception to access—agency (i) the entity has reason to suspect that
12.2 If: unlawful activity, or misconduct of
a serious nature, that relates to the
(a) the APP entity is an agency; and entity’s functions or activities has been,
(b) the entity is required or authorised to is being or may be engaged in;
refuse to give the individual access to the (ii) giving access would be likely to
personal information by or under: prejudice the taking of appropriate
(i) the Freedom of Information Act; or action in relation to the matter; or
(ii) any other Act of the Commonwealth, (i) giving access would be likely to prejudice
or a Norfolk Island enactment, that one or more enforcement related
provides for access by persons to activities conducted by, or on behalf of, an
documents; enforcement body; or

Privacy fact sheet 17 – Australian Privacy Principles 9


(j) giving access would reveal evaluative the charge must not be excessive and must not
information generated within the entity in apply to the making of the request.
connection with a commercially sensitive
decision-making process. Refusal to give access
12.9 If the APP entity refuses to give access to the
Dealing with requests for access personal information because of subclause 12.2 or
12.4 The APP entity must: 12.3, or to give access in the manner requested by
the individual, the entity must give the individual a
(a) respond to the request for access to the written notice that sets out:
personal information:
(a) the reasons for the refusal except to the
(i) if the entity is an agency—within 30 extent that, having regard to the grounds for
days after the request is made; or the refusal, it would be unreasonable to do
(ii) if the entity is an organisation—within so; and
a reasonable period after the request is
(b) the mechanisms available to complain
made; and
about the refusal; and
(b) give access to the information in the
(c) any other matter prescribed by the
manner requested by the individual, if it is
regulations.
reasonable and practicable to do so.
12.10 If the APP entity refuses to give access to
Other means of access the personal information because of paragraph
12.5 If the APP entity refuses: 12.3(j), the reasons for the refusal may include an
explanation for the commercially sensitive decision.
(a) to give access to the personal information
because of subclause 12.2 or 12.3; or
(b) to give access in the manner requested by Australian Privacy Principle 13—correction of
the individual; personal information

the entity must take such steps (if any) as are Correction
reasonable in the circumstances to give access in 13.1 If:
a way that meets the needs of the entity and the
(a) an APP entity holds personal information
individual.
about an individual; and
12.6 Without limiting subclause 12.5, access may (b) either:
be given through the use of a mutually agreed (i) the entity is satisfied that, having
intermediary. regard to a purpose for which the
information is held, the information
Access charges is inaccurate, out of date, incomplete,
12.7 If the APP entity is an agency, the entity irrelevant or misleading; or
must not charge the individual for the making of (ii) the individual requests the entity to
the request or for giving access to the personal correct the information;
information.
the entity must take such steps (if any) as are
12.8 If: reasonable in the circumstances to correct that
(a) the APP entity is an organisation; and information to ensure that, having regard to the
purpose for which it is held, the information is
(b) the entity charges the individual for giving accurate, up to date, complete, relevant and not
access to the personal information; misleading.

Privacy fact sheet 17 – Australian Privacy Principles 10


Notification of correction to third parties Dealing with requests
13.2 If: 13.5 If a request is made under subclause 13.1 or
13.4, the APP entity:
(a) the APP entity corrects personal information
about an individual that the entity previously (a) must respond to the request:
disclosed to another APP entity; and
(i) if the entity is an agency—within 30
(b) the individual requests the entity to notify days after the request is made; or
the other APP entity of the correction;
(ii) if the entity is an organisation—within
the entity must take such steps (if any) as are a reasonable period after the request is
reasonable in the circumstances to give that made; and
notification unless it is impracticable or unlawful
(b) must not charge the individual for the
to do so.
making of the request, for correcting the
personal information or for associating the
Refusal to correct information statement with the personal information (as
13.3 If the APP entity refuses to correct the the case may be).
personal information as requested by the individual,
the entity must give the individual a written notice
that sets out: The information provided in this fact sheet is of a
general nature. It is not a substitute for legal advice.
(a) the reasons for the refusal except to the
extent that it would be unreasonable to do
so; and
(b) the mechanisms available to complain For further information
about the refusal; and telephone: 1300 363 992
(c) any other matter prescribed by the email: [email protected]
regulations. write: GPO Box 5218, Sydney NSW 2001
or visit our website at www.oaic.gov.au
Request to associate a statement
13.4 If:
(a) the APP entity refuses to correct the personal
information as requested by the individual;
and
(b) the individual requests the entity to associate
with the information a statement that
the information is inaccurate, out of date,
incomplete, irrelevant or misleading;
the entity must take such steps as are reasonable
in the circumstances to associate the statement in
such a way that will make the statement apparent
to users of the information.

Privacy fact sheet 17 – Australian Privacy Principles 11

You might also like