What Effect Do the Australian Privacy Principles Have for Law Firms?

It has been estimated that 90 per cent of the world’s data has been generated over the last two years, illustrating the explosive growth of big data in both the public and private sectors. The Australian government, recognising the need for technology-neutral protections, introduced a number of changes to the Privacy Act 1988 (Cth) via the Privacy Amendment (Enhancing Privacy Protection) Act 2012. These changes, in the form of the Australian Privacy Principles (APPs), address how the personal information of individuals is collected, used and protected.

The new Privacy Principles

Although the 13 new Australian Privacy Principles mirror the former Principles in a number of ways, perhaps the biggest change can be found within APP 11, which requires entities to take reasonable steps to protect the personal information of individuals from ‘interference’, misuse, loss, unauthorised access, modification or disclosure. The impetus for the inclusion of ‘interference’ in APP 11 is the recognition that attacks on computer systems are a modern reality, and that threats to information are not limited to misuse or loss.

What are the Principles that are most relevant for legal practitioners?

APP 1 – open and transparent management of personal information
When dealing with the personal information of an individual, it is essential that entities are transparent about how they are going to use that information. It is also important that the practices, policies and procedures they implement comply with the APPs.

APP 3 – collection of solicited personal information
Entities must only collect and store information that they reasonably need. Additionally, the individual must consent to the collection of personal information that is reasonably necessary for one or more of the entity’s functions or activities.

APP 5 – notification of the collection of personal information
When collecting personal information, it is essential that the entity clearly identifies who it is and is clear about what is to be done with the personal information collected.

APP 6 – use or disclosure of personal information
The personal information of individuals cannot be used or disclosed beyond the primary purpose for which the information was collected. Where personal information is used for a secondary purpose, that purpose must be related to the primary purpose.

APP 7 – direct marketing
Personal information cannot be used for direct marketing except under the following circumstances.

Where the personal information was collected directly from the individual:

  • the individual would hold the reasonable expectation that the information would be used or disclosed for marketing purposes; and
  • the individual has a simple means to opt out, and they have not already opted out.

Where the personal information was received indirectly:

  • the individual had consented to the use of their personal information for direct marketing; or
  • it is not practicable to obtain consent; however, the individual must still have the choice to opt out from receiving direct marketing correspondence.

It is crucial to keep in mind that the Spam Act still applies, prohibiting entities from sending unsolicited emails.

APP 11
Any personal information collected must be kept securely, and unauthorised disclosure is prohibited. Furthermore, once the personal information of the individual is no longer required, the entity must destroy or de-identify the data.
