Welcome back! This is where you left us. Not what you wanted?

Module 1 Introduction to the Privacy Act and key concepts

20 minutes

Learning objectives

This module introduces you to the Privacy Act and some of its key concepts.

At the end of this topic you should be able to:

  • identify the legislative framework governing privacy for Australian Government agencies
  • define key terms including ‘personal information’, ‘sensitive information’, ‘health information’ and ‘consent’
  • identify and explain the 13 Australian Privacy Principles.

Ready? Click the Play button to start the video.

Video transcript

Australian Government agencies are entrusted with a significant amount of personal information — information that identifies or can be used to identify a person.

This is essential in delivering many government services. Data containing personal information can also be used to benefit the Australian community more broadly. For example, it can support better policy decision making, and enhance research.

Depending on your role and the agency you work with, you may come into contact with a lot of personal information or only a little. Regardless of how much personal information you handle, you must understand your privacy obligations.

Ignoring privacy could result in your agency losing the public’s trust in your information handling. This damage to your agency’s reputation can significantly impact your ability to build support for innovative uses of data.

Ignoring privacy may also mean you risk breaching the Australian Privacy Principles under the Privacy Act 1988.

Privacy is not about secrecy — it is about transparency and accountability. When put into practice, these principles ensure individuals can make informed choices about their personal information. It also means agencies and businesses maintain a high standard of privacy protection, which is vital to building and maintaining people’s trust.

For more information, you can contact your agency’s Privacy Officer, or visit www.oaic.gov.au.

Direct YouTube link: https://youtu.be/i2aIz6QKIsw. If YouTube is blocked, try this video.

Understanding privacy

The Privacy Act

The Privacy Act protects ‘information privacy’ — that is, people’s personal information. Information privacy gives individuals the right to exercise control over their personal information. This can include exercising control over when, how, and to what extent personal information is used and disclosed.

The Privacy Act is about transparency and accountability, so that people know:

  • what personal information is being collected about them and why
  • how it will be used
  • how it will be kept secure and safe.

The Privacy Act also provides individuals with the right to access and correct that information.

The Privacy Act applies to the personal information handled by most Australian Government agencies, as well as many private sector organisations.

Personal information

Personal information is defined in the Privacy Act as ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether recorded in a material form or not’.

Some common examples of personal information include:

  • a person’s name and address
  • signature
  • telephone number
  • date of birth
  • medical records
  • bank account details
  • debit or credit card
  • commentary or opinion about a person
  • a photograph where the person’s identity is clear or can reasonably be worked out from the image.

Information doesn’t need to have a name attached to it to be ‘personal information’. A person can also be identified if information can be linked with other information to work out who they are or to work out something about them.

What constitutes personal information will vary, but you will generally need to consider:

  • whether the information, when linked with other information, or used in another context, can identify someone
  • who will hold and have access to the information
  • other resources, databases or records available to the people who will have access to the information.

The OAIC’s guide What is personal information? contains more information about when an individual may be ‘reasonably identifiable’.

Personal information? (1 of 2)

Max has somebody’s client identifier. He can use an agency records management system to look up the identifier and find out who the client identifier belongs to. Is the client identifier ‘personal information’?

Correct!

Max has easy access to the records management system, so it’s reasonable to assume that he would be able to link the number to its owner. As the client identifier could reasonably be used to identify an individual, it is considered personal information. Sometimes, because of the resources available to an agency (including the ability to link information across different data sources), information may be personal information when it’s held by the agency but not when it is held by someone else.

Incorrect — try again.

Consider that Max has easy access to the records management system — it’s reasonable to assume that he would be able to link the client identifier to its owner.

Personal information? (2 of 2)

Somebody takes an aerial photograph, which shows a person standing on the steps of the Sydney Opera House. The photograph does not show enough detail to determine their gender or identifying features. Is the photo likely to contain personal information?

Incorrect — try again.

Images of individuals in photographs or video are treated as personal information where the person's identity is clear or can reasonably be worked out from that image. Consider that the photograph does not show enough detail to determine this person’s gender or identifying features.

Correct!

Images of individuals in photographs or video are personal information where the person's identity is clear or can reasonably be worked out from that image. It is unlikely that this photo would show enough detail to enable the person to be identified. A similar photo taken at a closer distance and showing identifying details about the person would be more likely to be personal information.

Sensitive information

Sensitive information is a subset of personal information. Sensitive information includes information about a person’s:

  • health
  • genetic and biometric profile (such as a fingerprint)
  • race or ethnicity
  • political opinions or associations
  • religious or philosophical beliefs
  • sexual orientation
  • criminal record.

The consequences of inappropriate handling of sensitive information could be particularly serious. For example, discrimination or mistreatment is sometimes based on a person’s race, ethnic origin or sexual orientation. Mishandling of sensitive information may also cause embarrassment or humiliation or undermine a person’s dignity.

For this reason, the Privacy Act applies a higher level of protection to this kind of information. We will look at this in more detail later in the course.

Activity Identify sensitive information

Which of these may contain sensitive information?
Start
Select each tile that may contain sensitive information.

Passport

Name and address on a Post-it note

Signature

Bank statement

Mobile with phone number on screen

Medical prescription

Bank card

Social media page with comments

Photograph of a person

A reference for a job applicant

The Australian Privacy Principles

The Privacy Act includes 13 Australian Privacy Principles (APPs). The APPs impose specific obligations on how agencies and organisations must handle personal information throughout the information lifecycle — from before collection, through the time that you collect and hold the information to the time that you dispose of it.

Let’s look at an overview of the 13 Australian Privacy Principles ...

The Australian Privacy Principles

Planning and governance APPs 1–2

Plan how to protect and manage personal information, and communicate how it will be handled.

  • APP 1 — Open and transparent management of personal information
     Your agency should manage personal information in an open and transparent way. This includes having a clearly expressed and up to date privacy policy, and practices, procedures and systems that will help to make sure that you and your agency comply with the APPs.
  • APP 2 — Anonymity and pseudonymity
     Your agency should give individuals the option of not identifying themselves, or of using a pseudonym (where possible). Limited exceptions apply.

Collection APPs 3–5

What to think about before collecting personal information.

  • APP 3 — Collecting personal information
     Generally, your agency should only collect personal information that it really needs, and should collect directly from the person that the information is about. A person’s consent is generally required to collect sensitive information, unless an exception applies.
  • APP 4 — Unsolicited personal information
     APP 4 sets out how your agency must deal with unsolicited personal information. Unsolicited personal information is personal information received by your agency when it has taken no active steps to collect the information.
  • APP 5 — Giving notice
     Generally, your agency must let individuals know when it collects their personal information and why it is collecting it.

Handling APPs 6–9

What to consider once you hold the information.

  • APP 6 — Use or disclosure of personal information
     Generally, you should only use or disclose personal information for the purpose for which you collected it. Some exceptions apply, such as if the person has consented to their information being used for a different purpose, or if they would expect it, or where the use or disclosure is required or authorised by law.
  • APP 7 — Direct marketing
     Personal information must not be used or disclosed for the purpose of direct marketing, unless an exception applies. This APP generally only applies to organisations, not agencies.
  • APP 8 — Cross-border disclosure of personal information
     There are certain steps that your agency must take to protect personal information before it discloses it overseas.
  • APP 9 — Government related identifiers
     A government related identifier is an identifier (a number, letter or symbol or combination of these things that is used to identify someone) that has been assigned by an agency or a State or Territory authority. There are limited circumstances when an organisation may adopt a government related identifier of an individual as its own identifier, or use or disclose a government related identifier of an individual. This APP only applies to organisations, not agencies.

Integrity APPs 10–11

How to keep personal information safe and ensure that it’s accurate.

  • APP 10 — Quality of personal information
     Take reasonable steps to make sure that personal information that you collect is accurate, up to date and complete. You must also take reasonable steps to ensure that personal information is accurate, up to date, complete and relevant before it is used or disclosed.
  • APP 11 — Security of personal information
     Your agency must take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. Your agency has obligations to destroy or de-identify personal information in certain circumstances, if the information is not contained in a Commonwealth record.

Access and Correction APPs 12–13

Allow people to have access to and correct their personal information.

  • APP 12 — Access to personal information
     Your agency has obligations to give individuals access to the personal information you hold about them if they request it, unless a specific exception applies.
  • APP 13 — Correction of personal information
     Your agency is required to take reasonable steps to correct personal information to ensure that it is accurate, up to date, complete, relevant and not misleading. This applies where your agency realises information needs correcting or on request from the individual.

The APPs are technology neutral — they apply to whatever systems or processes your agency uses to handle personal information.

See the full text of the APPs and the OAIC’s APP Guidelines for further information.

Consent

Let’s look at the concept of consent.

Consent is not always required when handling personal information. However, in some cases you may need to obtain consent to collect, use or disclose information in certain ways, particularly if it is sensitive information.

Consent isn’t just about ticking a box on a form. There are four parts to obtaining valid consent. Click on each for more information.

Four elements of valid consent

  1. The individual must be adequately informed

    An individual must know what they’re agreeing to, and be made aware of the consequences of providing their personal information – for example, who is it likely to be shared with, and for what reasons?

  2. Consent must be voluntary

    An individual must have a genuine opportunity to decline. Consent is not voluntary where several requests for consent are bundled together. This is because the individual cannot exercise control over which information use they consent to and which they don’t.

  3. Consent must be current and specific

    You should not ask for consent to undefined future uses. Consent given at a particular time and in particular circumstances cannot be assumed to endure indefinitely. Remember, an individual should be able to withdraw their consent at any time.

  4. The individual must have capacity to understand and communicate their consent

    An individual must be capable of understanding what is being asked of them. For example, consent should be sought in simple, clear and direct terms. As a general principle, children under the age of 18 have capacity to consent when they have sufficient understanding and maturity to understand what is being proposed. You may presume that an individual aged 15 or over has capacity to consent, unless there is something to suggest otherwise. An individual aged under 15 is presumed not to have capacity to consent.

Consent is defined in the Chapter B: Key concepts of the APP Guidelines.

Completed

Knowledge check

You are now ready for the final Module 1 knowledge check. Answer the five questions.

Question 1

Which of these is not considered ‘personal information’?

Question 2

Which of these may contain ‘sensitive information’ as defined by the Privacy Act?

Question 3

The kind of information that is regarded as ‘personal’ depends on whether:

Question 4

Which of these is not one of the four elements of valid consent?

Question 5

Which of the following is an example of an undefined future use?

Go to Module 2