02 March 2021
The issue of online data privacy and protection has taken the world by storm ever since the European Union's General Data Protection Regulation (GDPR) became effective in 2018. It has been top of mind for privacy advocates and politicians ever since, and in 2020 that attention turned into a push to actively enforce privacy protection laws.
However, Australia was ahead of the curve when the modern Commonwealth nation passed its Australian Privacy Act (APA) way back in 1988. Obviously, that privacy law predates the internet, which didn't get underway until 1991. However, it established standards when it comes to a consumer's right to access private data.
Regardless of the kind of company you run, the APA gives your customers the right to ask for access to their data. For example, consumers may ask for information such as:
The act also provides specific instructions as to what you should do if you receive such a request. There are particular times when you may refuse a privacy access request as long as you have a valid reason, but these instances are rare.
Below, we'll go over precisely what you should know when it comes to complying with the APA's requirements for how businesses should deal with privacy access requests.
Let's start with the basics.
The APA was enacted with the purpose of protecting the private, sensitive data of consumers living in Australia. Additionally, legislators sought to regulate how that data was handled by both federal agencies as well as private businesses.
According to the act, the definition of "private information" may include the following:
The APA's jurisdiction covers both the government as well as the private sectors.
The act defines an organization as:
An exception will be if any of the above are also a small business operator, a registered political party, a state or territory authority, or a prescribed instrumentality of a state.
These types of organizations must have an annual revenue that exceeds $3 million in order to be bound to follow the APA's privacy regulations.
In contrast, the APA covers specific types of small businesses that have an annual revenue of less than $3 million. For example, these businesses include:
Additionally, as noted above, even if your company isn't located in Australia, if you merely do business on the continent and your organization falls under the Act's definition of organizations, then you are obliged to comply with the act's privacy regulations.
The APA also regulates medical and health reporting in addition to credit reporting.
With all that said, there are specific aspects of the APA that you should pay close attention to as a business owner.
These are the 13 Australian Privacy Principles (APPs), which the act outlines. These principles allow business owners and agencies the freedom to create their own processes and systems to gather and secure sensitive data. The caveat is that whatever methods you put in place must still adhere to the APPs' standards and the APA.
Similar to the GDPR in some ways, the APPs of the APA cover:
According to the APA, personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
The act isn't terribly specific, and there are no examples of personal information to be found within its pages. However, it has since been interpreted to mean data that identifies a specific consumer or their home and family.
Private data examples include the following:
If you collect, process, use, share, or store this kind of private information, then Australian consumers have the right to request access to it.
The APA provides consumers with the right to request access to their private data. Specifically, consumers have the right to request access to confidential, personal information from federal agencies and private companies under the APA's APP 12.
The requested information may include either their own data or data that is connected to someone else. (An example of this might be a marriage certificate.)
When a consumer makes a privacy access request to you, they don't have to do so in any specific format or manner. According to APP 12, it is left up to your business to decide the process a consumer must follow when requesting access to their data from you.
With that said, you must ensure that whatever process you choose, whether formal or informal, adheres to the APP's overall standards. The regulations of the APP will only apply to your business if you "hold" that data.
According to APP 12, you hold that data if you possess or control "the record that contains the personal information." Simply put, if a third party has possession of a hard copy of the information, but you control the access to that data, then your business is the holder of the record in question.
In addition to the above, a consumer's access rights are specifically spelled out by APP 12. The first thing you need to recall is that you have to honor the request if you receive one. As APP 12, part 5 notes:
12.1 If an APP entity holds personal information about an individual, the entity must, on request by the individual, give the individual access to the information.
Take into account that there are exceptions to this.
One example is where your business is an agency and is authorized to withhold information under the Freedom of Information Act, any other Act of the Commonwealth, or a Norfolk Island enactment. Another example is where you're an organization and you believe that "giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety."
Above, we mentioned that according to the APA, your business has the right to lay out the procedure that consumers must follow to request access to their personal data as long as you adhere to the act's overall standards. However, you can't force consumers to follow that procedure.
In other words, say your stated procedure requires a consumer to make a request through a particular channel, and they send an email instead. You're still required to honor their request, according to the APA.
As the formal guidance for the APA states:
Additionally, you can't stall or put the request off. You must respond within a reasonable period of time after receiving the request, which in most cases will mean within 30 calendar days.
You can't charge users for making the requests or accessing the information.
Make it as easy as possible for people to request access, and make sure your instructions are clear and straightforward for your average person to understand.
The process you should follow after receiving a privacy access request looks something like this under APP 12:
Ask yourself if you can verify the identity of the consumer requesting access.
If the answer is "yes," then you need to try to locate the requested information.
If you can locate the information, you must ask yourself if there is a valid reason to deny access.
Let's look at this process in more detail.
If you receive a request for privacy access, it will likely come from an individual. However, you may also receive a request from an authorized agent, a legal guardian, or through power of attorney.
You might verify a consumer's identity using any of the following, as long as it carries a photo:
It's possible that someone's information may be more sensitive than others. In that case, you may need a more in-depth process for identification verification.
According to the APA, you must check the photo against the appearance of the individual in person. Alternatively, you can check one ID against another by correlation over the phone.
When it comes to locating a consumer's private data, you must first be sure that you are in possession of the information or that you control it. That information can be in the form of hard copies, digital copies of documents, electronic calendars, emails, and more.
If a consumer makes a privacy request, it must be specific. No rule says you must provide any information above and beyond what is actually asked for.
However, you are required to take reasonable steps to ensure that the consumer receives the requested information. Some of these measures might be contacting third parties to whom you've outsourced work, checking with contractors and staff, and of course, searching through your own databases.
As noted at the beginning of this article, there are times when you are allowed to refuse a privacy request, although those instances are rare.
Here's a partial list of circumstances under which you're permitted to refuse:
Suppose you own or run a company in the private sector that holds data on Australian residents. In that case, you must comply with the regulations within the APA.
The bottom line is that you must give consumers access to their private data if they request it unless there is a valid reason to refuse.
Remember that you are not allowed to charge anyone who wants to see their information, although you can charge administrative costs, including postage, staff costs for searching records, and costs for producing or sending data.