OAIC Releases New Guidance on Australian Privacy Principles


The Office of the Australian Information Commissioner (OAIC) has released the draft Australian Privacy Principles (APPs) Guidelines for public consultation. The guidelines outline how the OAIC will interpret and apply the APPs.

The APPs set out the rules for collection, use, disclosure, access and correction of personal information and replace the National Privacy Principles from 12 March 2014. The APPs will apply to private and public sector organisations.

The OAIC expects to release the guidelines for interpreting the APPs in three tranches. At this stage, the OAIC has released draft guidelines for APPs 1 - 5. Further draft guidance is expected to be released in the coming weeks.

Organisations are encouraged to review the draft guidelines and provide feedback to the OAIC within the consultation period, which ends on 20 September 2013.

Bundled Consents

The draft guidelines include a chapter setting out "Key Concepts" which outlines the OAIC’s interpretation of some key words and phrases that are used in the Privacy Act 1988 (Cth) (Privacy Act) as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth).

In that chapter, the OAIC states that the key elements of consent are:

  • it must be provided voluntarily
  • the individual must be adequately informed of what they are consenting to
  • it must be current and specific, and
  • the individual must have the capacity to understand and communicate their consent.

Bundled consent is where an organisation gets an individual to consent to a wide range of collections, uses and disclosures of personal information through a single affirmation of consent. The draft guidelines raise some concerns about organisations' use of bundled consents. Paragraph B.33 of Chapter B states that bundled consents have "the potential to undermine the voluntary nature of the consent" as the individual is not given the opportunity to choose which collections, uses and disclosures they agree to and which they do not. This could mean that bundled consents may not satisfy the key elements of consent as set out above.

There may well be practical IT difficulties in refining the use of bundled consents.

Organisations may wish to provide feedback to the OAIC to seek further clarity about the use of bundled consents.

Privacy Commissioner Reviews Website Privacy Policies

On 14 August 2013, the OAIC released the results of its review of privacy policies listed on over 50 websites. In its review, the OAIC assessed the privacy policies for their accessibility, readability and content.

The review found that over 65% of the privacy policies provided information that was not relevant to the handling of personal information, and was potentially confusing.

Organisations are reminded that under APP 1, they are required to have a clearly expressed and up-to-date privacy policy about how the organisation manages personal information. APP 1.4 contains a non-exhaustive list of information that must be included in the privacy policy such as how the organisation collects, uses and discloses personal information.

As the privacy policy is going to be made available on public websites, organisations should ensure that their information handling practices are correctly reflected in their privacy policy. This will not only avoid confusion and consumer complaints, but also any claims of misleading or deceptive conduct.

Starting the Privacy Project

The changes to the Privacy Act commencing in March 2014 not only require organisations to update their policies and procedures before the start date but also impose additional ongoing commitments. The Privacy Commissioner has further commented that organisations should make a commitment to conducting a Privacy Impact Assessment for any new projects in which personal information will be handled.

Organisations can obtain a better understanding of their information handling practices by completing a simple questionnaire developed by K&L Gates. This survey will identify the information flows and any privacy hot spots within the organisation. This questionnaire can also form part of a Privacy Impact Assessment for any new project.

K&L Gates has developed a Privacy Compliance Checklist which organisations can use to assess their readiness for the privacy reforms and review compliance with the amended Privacy Act on an ongoing basis post March 2014.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© K&L Gates LLP | Attorney Advertising

Written by: K&L Gates LLP