Australia

LEG-01:

Legislation enacted specifically for data privacy?
– Privacy Act 1988
– Australian Information Commissioner Act 2010

LEG-02:

Other legislation enacted that has sections that have some effect on data privacy?
– Spam Act 2003
– National Health Act 1953
– Data-matching Program (Assistance and Tax) Act 1990
– Do Not Call Register Act 2006
– Telecommunications (Interception and Access) Act 1979 (TIA)

LEG-03:

The country is a member of an organisation that implements guidelines for data privacy.
– OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
– APEC Cross-border Privacy Enforcement Arrangement (CPEA)
– APEC Privacy Framework
– United Kingdom – United States of America Agreement (UKUSA)

LEG-04:

Local government has Bills going through the legislative process.
– Privacy Amendment (Notification of Serious Data Breaches) Bill 2015

LEG-05:

Regulations, standards or guidelines that are implemented and followed that have relation to data privacy.
– Australian Privacy Principles guidelines (part of Privacy Act 1988)
– Convention on Cybercrime 2001

LEG-06:

Has other state laws related to privacy.
Note: these are not listed here as they are too extensive.

PRI-01:

There is a requirement to establish a privacy authority to oversee privacy issues.
– Privacy Act 1988 Section 82

PRI-02:

There is a requirement to establish a privacy commissioner.
– Privacy Act 1988 Section 27
– Australian Information Commissioner Act 2010 Section 14

PRI-03:

The functions of the authority are clearly set out.
– Privacy Act 1988 Section 83

PRI-04:

There is a requirement that each company establishes its own privacy officer to ensure the company complies with policy.
Notes: Not required, but recommended by the Information Commissioner.

PRI-05:

Contact details of the privacy officer are made available.

PRI-06:

Each company is to have an internal privacy policy prepared and displayed.
– Privacy Act 1988 Schedule 1 Principle 1

PRI-07:

An internal audit process is outlined for each company.
Notes: Section 33C of the Privacy Act gives the Commissioner the power to audit if required.

PCP-01:

“Personal Information” is defined, with examples and a clear outline.
– Privacy Act 1988 Section 6
– Telecommunications (Interception and Access) Act Section 187LA

PCP-02:

“Sensitive Information” is defined, with examples and a clear outline.
– Privacy Act 1988 Section 6

PCP-03:

Other types of information are defined that are treated differently from personal or sensitive information.

PCP-04:

Consent is required from the individual involved.
– Privacy Act 1988 Schedule 1, Principle 2

PCP-05:

The type of consent required is either explicit or implicit.
– Privacy Act 1988 Section 6

PCP-06:

Consent needs to be written or verbal.

PCP-07:

The level of consent differs for different age groups.
Notes: There is no specific age of consent, but the Australian Privacy Principles Guidelines give some guidance in Sections B.50 – B.52: an individual may consent as long as they have “sufficient understanding and maturity to understand what is being proposed”.

PCP-08:

Consent may be withdrawn at any time.
– Australian Privacy Principles guidelines B.45

PCP-09:

The purpose, which must be a lawful purpose, is explained to the individual.
– Privacy Act 1988 Schedule 1, Principle 1 and Principle 5
– National Health Act 1953 Section 9BA – National HPV Vaccination Program Register

PRO-01:

Individual has the ability to access their data by request.
– Privacy Act 1988 Schedule 1, Principle 12

PRO-02:

Individual has the ability to update or amend their data for accuracy.
– Privacy Act 1988 Schedule 1, Principle 13

PRO-03:

Data can be sent to a third party for processing.

PRO-04:

Data is only used for the purposes outlined at the pre-collection stage.
Note: Not including general exceptions that may apply, e.g. where safety or national security is involved.

– Privacy Act 1988 Schedule 1, Principle 6

PRO-05:

Encryption is used when processing data to ensure anonymity.
Notes: Although encryption is not specified, encryption may be used if it is seen as a reasonable protection method.

PRO-06:

Unique identifiers can be used.
– Privacy Act 1988 Schedule 1, Principle 9

PRO-07:

Information may not be disclosed, sold or interfered with.
Note: Not including general exceptions that may apply, e.g. where safety or national security is involved.

– Privacy Act 1988 Section 13

PRO-08:

Offences are set out to deal with disclosure or other interference with data during the processing stage.
– Privacy Act 1988 Section 80Q

PRO-09:

A complaints process is set up to deal with any breach of privacy.
– Privacy Act 1988 Schedule 1, Principle 1

STO-01:

All data is stored with at least a “reasonable” level of security.
– Privacy Act 1988 Schedule 1, Principle 11

STO-02:

Encryption techniques are used to store data.
Notes: Although encryption is not specified, encryption may be used if it is seen as a reasonable protection method.

STO-03:

Data can be transferred to third parties for their use.

STO-04:

Data can be stored offshore in a different country.

STO-05:

Data can be stored off site but in the same country.
– Privacy Act 1988 Section 16C and Schedule 1, Principle 8
– Australian Privacy Principles guidelines Chapter 8

STO-06:

Information is only kept by the collection agency for the shortest time necessary for the outlined purpose to be fulfilled.
– Privacy Act 1988 Schedule 1, Principle 11

STO-07:

Policies are in place for destroying data once consent is withdrawn or the data is no longer needed.
– Privacy Act 1988 Schedule 1, Principle 11

STO-08:

Offences are set out to deal with disclosure or other interference with data while it is stored.
– Privacy Act 1988 Section 80Q

STO-09:

Notification has to be given to individuals in case of a data breach.
Notes: A data breach policy and response plan are recommended.

STO-10:

A policy is in place in case the data collection agency ceases to operate.

STO-11:

A policy is in place in case the data collection agency is sold.

SPM-01:

A clear unsubscribe feature is available.
– Spam Act 2003 Section 18

SPM-02:

Commercial electronic messages contain clear and accurate contact information about the sender.
– Spam Act 2003 Section 17

SPM-03:

The subject line is to be clear and not misleading.

SPM-04:

Addresses are obtained legally, not by means such as address-harvesting tools and other software.
– Spam Act 2003 Part 3

SPM-05:

A form of a “Do Not Call” register is in place.
– Do Not Call Register Act 2006

SPM-06:

Unsolicited commercial electronic messages are prohibited within the country.
– Spam Act 2003 Section 16

SPM-07:

Unsolicited commercial electronic messages are prohibited from being sent to other countries.
– Spam Act 2003 Section 16

INT-01:

A data collection agency is required to notify the individual if it has been requested to hand over personal information.

INT-02:

A data collection agency can refuse to turn over personal information.
– TIA Section 107
Notes: This includes offences for refusing to give information and for giving inaccurate or false information.

INT-03:

A warrant is needed to have the ability to intercept personal data.
– TIA Section 108(2)

INT-04:

Network operators and service providers have network design guidelines to follow so that interception can be carried out.
– TIA Part 5-4
Notes: Section 190 sets out the obligation for a carrier to comply with determinations set by the Minister.

INT-05:

External countries have the ability to intercept data with permission from the host country.
– TIA Division 3
