LAWS70082 · Privacy Law
Australian Privacy Principles
The 13 Australian Privacy Principles in Schedule 1 of the Privacy Act 1988 (Cth) are the operative rules for handling personal information — the black-letter engine of any take-home problem. They group into five Parts: transparency and anonymity (APP 1–2); collection (APP 3–5); use and disclosure (APP 6–9); integrity (APP 10–11); and access and correction (APP 12–13). The drilled method is to clear the two gates first — is the actor an APP entity (s 6C; not exempt under s 6D / s 7B), and is the data personal / sensitive / health information (s 6, s 6FA; Telstra)? — then march through the APPs in order, pinpoint-citing the sub-clause (e.g. APP 6.2, APP 11.2) and naming the key exception, and noting that each breach is an interference with privacy (s 13) with possible s 13G exposure. APP 6 (use/disclosure) and APP 11 (security) are the workhorses; several exemptions are flagged as live reform targets. The take-home is open-resource, so you work with the OAIC APP Guidelines supplied on Canvas.
What this chapter covers
1. The two gates: APP entity (s 6C) + personal information (s 6; Telstra)
2. Part 1 (APP 1–2): transparency, open management, anonymity/pseudonymity
3. Part 2 (APP 3–5): collection — solicited, unsolicited, notification
4. Part 3 (APP 6–9): use & disclosure — APP 6 the workhorse; direct marketing; cross-border (APP 8)
5. Part 4 (APP 10–11): data quality and security — APP 11 the workhorse
6. Part 5 (APP 12–13): access and correction
7. Pinpoint-citing the sub-clause and naming the exception
8. Each breach = an interference (s 13); flag s 13G
Worked example: marching the APPs on a disclosure
1. Clear the gates: the retailer is an APP entity (s 6C), and emails tied to customers are personal information (s 6; Telstra) — the APPs apply.
2. APP 6 (use & disclosure): selling the list is a disclosure for a secondary purpose (advertising) unrelated to the primary purpose (order processing) and outside the customer’s reasonable expectations — a likely APP 6.1 breach absent an APP 6.2 exception.
3. APP 5 / APP 1: failing to notify the collection purpose (APP 5) and lacking an open, transparent privacy policy covering the sale (APP 1) are further breaches.
4. APP 7 (direct marketing): if the advertiser markets to the list, APP 7 is engaged — direct marketing has its own opt-out rules.
5. Enforcement: each breach is an interference with privacy (s 13); a pattern of selling data may be serious or repeated under s 13G, exposing the retailer to civil penalties.
Key terms
- The two gates: the two threshold questions every APP problem must clear before the principles bite: (1) the actor is an APP entity (s 6C, not exempt under s 6D / s 7B), and (2) the thing handled is personal / sensitive / health information (s 6, s 6FA; Telstra). Fail either gate and no APP applies.
- APP 6 (use and disclosure): the workhorse principle. Personal information collected for a primary purpose may generally only be used or disclosed for that purpose, unless a secondary use falls within the individual’s reasonable expectations or another APP 6.2 exception applies. Most problems turn on APP 6.
- APP 11 (security): the integrity workhorse. An APP entity must take reasonable steps to protect personal information from misuse, interference, loss and unauthorised access, modification or disclosure (APP 11.1), and to destroy or de-identify it when no longer needed (APP 11.2). The principle most data-breach scenarios engage.
- APP 8 (cross-border disclosure): before disclosing personal information to an overseas recipient, an APP entity must take reasonable steps to ensure the recipient does not breach the APPs (APP 8.1), and generally remains accountable for the recipient’s acts and practices (s 16C). The principle for offshore-transfer facts.
- Pinpoint citation: the marking-relevant habit of citing the exact sub-clause (APP 6.2, APP 11.2) and naming the operative exception, rather than the bare principle — the difference between a passing and a strong open-resource answer.
Australian Privacy Principles FAQ
How do I structure an APP problem answer?
Clear the two gates (APP entity + personal information), then march the APPs in order through the five Parts, stopping only at the ones the facts engage. For each, state the rule with its number, name the key exception, apply it, then note the breach is an interference (s 13) and flag s 13G. Order and pinpoint citation are what markers reward.
Which APPs come up most?
APP 6 (use and disclosure) and APP 11 (security) are the workhorses, with APP 5 (notification), APP 3 (collection), APP 7 (direct marketing) and APP 8 (cross-border) close behind. Most fact patterns are an APP 6 or APP 11 issue dressed in different facts.
Can I just quote the APP from the Guidelines?
The take-home is open-resource and the OAIC APP Guidelines are supplied, so use them — but the marks are for applying the principle to the facts with pinpoint citation, not copying the text. Lift the rule, then argue it; name the exception and decide whether it is satisfied.
Does sensitive or health information change the analysis?
Yes. Sensitive information (including health information, s 6FA) attracts heightened collection and use rules (e.g. consent is generally required for collection under APP 3.3, and the APP 6.2(a) secondary-purpose exception requires the purpose to be directly related to the primary purpose). Spot it early, because the higher bar changes whether an APP is breached.
Exam move
Learn the five Parts as a checklist so you can march APP 1 to APP 13 in order without missing one, and make APP 6 and APP 11 second nature since most problems are one of them. Practise the two gates as a reflex opening move, and train pinpoint citation (APP 6.2, APP 11.2) plus naming the exception — the habit that separates strong open-resource answers. Close each breach with the enforcement tag: interference (s 13), then s 13G if serious or repeated, then the NDB scheme if data was breached. Keep the OAIC APP Guidelines tabbed so you can lift the rule fast and spend your time applying it.