| APP |
Key areas covered by draft guidance |
| General matters |
- who is covered
- what happens if an entity breaches the APPs
- clarification of some of the key concepts contained in the
APPs, such as their extraterritorial application, collection,
Commonwealth records, consent, disclosure, health information,
necessary and reasonably necessary, personal information and
purpose
- what the "permitted general situation" exception
includes, and
- what the "permitted health situation" exception
includes.
|
| APP 1 open and transparent management of personal
information |
- what constitutes reasonable steps
- examples of practices, procedures and systems that entities
should consider implementing
- information that must be included in an entity's privacy
policy, and
- availability of the privacy policy to the public.
|
| APP 2 anonymity and pseudonymity |
- anonymous and pseudonymous options
- when identification is required or authorised by law, and
- when it is impracticable for an entity to deal with an
individual who has not identified themselves.
|
| APP 3 collection of solicited personal
information |
- examples of solicited information
- process for determining whether the collection of personal
information is:
-
- reasonably necessary (for organisations), or
- directly related to (for agencies) the entity's
functions
- collection of sensitive information where:
-
- it is required or authorised by law
- a permitted general situation exists
- a permitted health situation exists, and
- it is for an enforcement activity
- what constitutes lawful and fair means
- the exceptions to the requirement to collect directly from the
individual, where:
-
- it is unreasonable or impractical
- the individual consents to the collection from someone else
(for agencies), and
- it is required or authorised by law.
|
| APP 4 dealing with unsolicited personal
information |
- examples of unsolicited information
- issues in dealing with unsolicited information, such as:
-
- Commonwealth records
- when is destruction or de-identification lawful
- factors to consider in deciding whether destruction or
de-identification is reasonable, and
- dealing with information that is not destroyed or
de-identified.
|
| APP 5 notification of the collection of personal
information |
- factors that are relevant to assessing whether reasonable steps
to notify or ensure awareness have been taken
- examples of reasonable steps that could be taken
- examples of when not taking any steps is reasonable
- the matters that must be notified, and
- when the notification must occur.
|
| APP 6 use or disclosure of personal
information |
- the meaning of "hold", "use",
"disclose" and "purpose"
- use or disclosure for a secondary purpose
- use or disclosure of sensitive information with the
individual's consent
-
- where reasonably expected by the individual
- as required or authorised by law
- where a permitted general situation exists
- where a permitted health situation exists
- for an enforcement related activity
- disclosure of biometric information to an enforcement body
- de-identification of certain health information before
disclosure, and
- use or disclosure between related bodies corporate.
|
| APP 7 direct marketing |
- the principles only apply to some agencies engaged in
commercial activities
- examples of direct marketing
- when agencies are covered
- use and disclosure of personal information for the purpose of
direct marketing
-
- where reasonably expected by the individual, and
- where there is no reasonable expectation of the individual, or
the information is collected from a third party
- use and disclosure of sensitive information for the purpose of
direct marketing
-
- with the individual's consent, and
- by contracted service providers
- requests to stop direct marketing communications
- requests to stop facilitating direct marketing, and
- interaction with other legislation.
|
| APP 8 cross-border disclosure of personal
information |
- what constitutes an overseas recipient
- when does an entity disclose personal information to an
overseas recipient
- when will an entity have taken reasonable steps
- when is an overseas recipient subject to a similar law or
binding scheme
- disclosure to an overseas recipient:
-
- with consent after the individual is expressly informed
- as required or authorised by law
- where a permitted general situation exists
- as required or authorised under an international agreement
relating to information sharing (for agencies)
- for an enforcement-related activity, and
- when is an entity accountable for personal information that it
discloses to an overseas recipient.
|
| APP 9 adoption, use or disclosure of
governmentrelated identifiers |
- the principles only apply to some agencies engaged in
commercial activities
- what is a government-related identifier
- when are agencies covered by APP 9
- what does adoption mean
- adoptions as required or authorised by or under law
- use and disclosure of government-related identifiers
- use or disclosure where it is reasonably necessary
-
- to verify the identity of the individual, and
- to fulfil obligations to an agency or a state or territory
authority
- use or disclosure as required or authorised under law
- use or disclosure where a permitted general situation exists,
and
- use or disclosure to an enforcement body for nforcement-related
activities.
|
| APP 10 quality of personal information |
- what are reasonable steps
- examples of reasonable steps
- what are the quality considerations, and
- interaction with other APPs.
|
| APP 11 security of personal information |
- when does an entity hold personal information
- what are reasonable steps
- what are the security considerations, and
- destruction or de-identification of personal information.
|
