The handling and processing of personal data in Australia brings with it several questions, which are highlighted in this article. For starters, there is no requirement under Australian law that the holding of Personal Identifiable Information (PII) be legitimized on specific grounds; however, the Australia Privacy Protections (APPs) provide that an APP entity may only hold, use or disclose personal information for the primary purpose for which it was collected, or any other purpose for which the information was collected. The Privacy Act does distinguish between personal information generally and sensitive information specifically and also APP 5 does require APP entities to take such steps as are reasonable in the circumstances to notify the individual of various matters at or before the time their personal information is collected. The notification requirement in APP 5 is not an absolute requirement, but it does require APP entities to take such steps as are reasonable in the circumstances to notify the individual. Owners of PII need not specifically offer individuals any degree of choice or control over the use of their information, but individuals must be given access to their information on request and must be able to direct that information be updated where it is no longer accurate. There is no specific limit on the amount of information that may be collected or the period for which it may be held, but there are general principles that impose limits on similar grounds. An APP entity can only use or disclose personal information for the purpose for which it was collected or for a related purpose and finally, generally speaking, personal information may only be used for the purposes disclosed in the APP entity’s privacy policy or any related purposes.
