National Legal Hotline

1300 636 846

7am to midnight, 7 days

Privacy Act Obligations to Protect Clients’ Personal Information

A number of Commonwealth statutes impose obligations on companies and organisations to protect the privacy of individuals’ personal information. This article discusses the obligations of organisations to protect clients’ personal information under the Privacy Act.


The Privacy Act 1988 (Cth) sets out the Australian Privacy Principles (APPs). The APPs replaced the National Privacy Principles and came into effect in March 2014.

Which organisations must comply with the APPs?

For the purposes of the Act, an organisation with Privacy Act obligations is an entity that satisfies both of the following:

  • it is a non-government entity; and
  • it is not classified as a ‘small business operator’.

A small business is defined in section 6D of the Privacy Act as a business with an annual turnover of $3 million or less. However, certain entities are excluded from the small business exemption regardless of turnover, including health service providers that hold health information and credit reporting bodies (the section also excludes other categories, such as entities that trade in personal information). This means that, regardless of size, health service providers and credit reporting bodies have obligations under the Privacy Act.

What is personal information?

Section 6 of the Act defines personal information as information or an opinion about an identified individual, or an individual who is reasonably identifiable. While a piece of information looked at in isolation may not identify anyone, when it is combined with other available information it may become identifying and therefore personal. When unsure whether information can reasonably identify an individual, organisations should err on the side of caution and treat the information as personal.

Personal information in relation to Privacy Act obligations includes the following:

  • names;
  • addresses;
  • occupations;
  • medical or financial records.

Whether the information is true, and whether it has been recorded in a material form, are irrelevant for the purposes of determining whether it is personal information.

Privacy Act obligations of organisations

There are 13 Australian Privacy Principles, which together set out the Privacy Act obligations of organisations in managing personal information.

Specifically, APP 11 requires an organisation to take such steps as are reasonable in the circumstances to protect the personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure.

Under section 6(1) of the Act, an entity ‘holds’ personal information if it has possession or control of a record that contains the information. As a result, outsourcing the storage of information (for example, to a cloud provider) while retaining the right or power to access it is still considered holding the personal information, and APP 11 continues to apply.

APP 3 provides that an organisation must not collect personal information unless the information is reasonably necessary for one or more of its functions or activities. Collecting less information in the first place reduces what must be protected under APP 11.

What are ‘reasonable steps’ that must be taken?

The particular reasonable steps that an organisation must take in order to meet its Privacy Act obligations depend on a variety of factors. Factors relevant to determining what steps are reasonable include the following:

  • the potential harm that a loss or disclosure would cause to the individuals concerned;
  • the practicality of implementing preventative measures, including their cost; and
  • the sensitivity of the information.

The nature of the organisation, such as its size, available resources and the amount of personal information it holds, is also relevant in determining what reasonable steps must be taken.

Organisations will still need to comply with APP 11 even if the appropriate protective measures are inconvenient, expensive or tedious; cost or inconvenience alone is not a sufficient reason to omit a step. Overall, determining reasonable steps means finding the right balance between the burden on the organisation and the potential for adverse consequences for the individuals concerned.

Even though what is reasonable will depend on the specific circumstances of each matter, there are general steps organisations can take to ensure compliance with APP 11 and their Privacy Act obligations.

These steps include:

  • providing staff training that fosters a culture of privacy awareness and minimises the chances of inadvertent disclosure;
  • notifying staff of changes to the organisation’s security policies;
  • implementing preventative policies, such as guidelines for printing documents that contain personal information, and identity authentication procedures before access to personal information is granted;
  • creating clear lines of authority for information security decisions;
  • establishing technical security measures, such as anti-virus software, firewalls, encryption, password protocols, and whitelisting and blacklisting of applications or network traffic;
  • establishing physical security measures;
  • ensuring the use of appropriate back-up systems;
  • undertaking appropriate due diligence when engaging third parties for storage services, such as cloud computing, to verify the adequacy of their security controls; and
  • formulating a response plan to potential data breaches.

This list is not exhaustive, and organisations do not have to implement all the listed measures.

Ongoing obligations

When implementing reasonable steps to comply with their Privacy Act obligations, organisations must undertake appropriate testing in order to identify and address any defects. It is also expected that entities will regularly monitor and review the effectiveness of their preventative measures.

Undertaking recurring assessments and updating processes is vital, as measures may become obsolete over time because of technological change and new threats.

It is not necessary for organisations to safeguard against every possible breach, as this would be impossible. Nevertheless, organisations have an obligation under APP 1.2 to take reasonable steps to implement practices, procedures and systems that will ensure compliance with the APPs, including APP 11. Documenting those practices, procedures and systems, and keeping that documentation up to date, is therefore vital to demonstrating compliance with their Privacy Act obligations.

What happens in the event of a breach?

The Privacy Act does not prescribe in detail how organisations must respond to a breach or suspected breach, but the Office of the Australian Information Commissioner (OAIC) has outlined four steps that can be used as a guide:

  1. Contain the breach to minimise the harm, and perform a preliminary assessment;
  2. Evaluate the risks associated with the breach;
  3. Notify affected individuals and the OAIC where required or appropriate; and
  4. Identify ways to improve policies and procedures, and implement those changes to prevent future breaches.

Note that since 22 February 2018 the Notifiable Data Breaches scheme in Part IIIC of the Act has required entities covered by the Act to notify the OAIC and affected individuals of an ‘eligible data breach’, that is, one that is likely to result in serious harm to any of the individuals concerned. Notification of such breaches is therefore now mandatory, not merely a reasonable step.

If you require legal advice or representation in any legal matter, please contact Go To Court Lawyers.
