Who is bound by the Privacy Act 1988?
The first step in determining your obligations under the Privacy Act is to determine if you are required to comply.
Businesses with an annual turnover of more than $3 million in any year since 2002 must comply with the Privacy Act. Annual turnover includes income from all sources but excludes assets held, capital gains, and the proceeds of capital sales. The Privacy Act also covers a number of businesses regardless of turnover, for example where the business is a health service provider or trades in personal information.
What are your obligations under the Privacy Act?
If your business is required to comply with the Privacy Act, it must comply with the Australian Privacy Principles (APPs).
The APPs include various obligations setting out how you must collect, store, de-identify, use, and disclose personal information.
The concept of personal information is broad, and it can be difficult to determine whether a given piece of information is personal information. The Privacy Act defines personal information as information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether it is recorded in a material form or not.
Personal information is further categorised into sensitive information, health information, credit information, employee record information, and tax file number information. Additional obligations apply to each of these subcategories.