To reach this conclusion, the ALRC first examined the concept of privacy[2]: Paragraph 1.29 In addition, in this opinion, the Commissioner stresses the importance for controllers to adopt data protection directives, which should include, inter alia: The notification procedure and the publication of the information contained therein are essential, ensure transparency for the public and, therefore, protect personal data. Access to the electronic register of controllers gives the public the opportunity to understand how personal data are processed by supervisory authorities. With respect to government agencies, the OAIC recommends that DPOs have sufficient seniority to participate in many aspects of the Agency's operations, including its decision-making processes. APP 1 requires an APP entity to implement privacy practices, procedures and systems: APP 1 aims to ensure that personal data is managed in an open and transparent manner. Companies are required to implement practices, procedures and systems to comply with the APPs and to enable them to deal with requests and complaints in this regard. This also requires a clearly worded privacy policy that is available free of charge. Consent to the collection of sensitive information may be withheld by the collecting authority if it is reasonably necessary to reduce or prevent a serious threat to public health or safety, to locate a missing person, if there is a suspicion of illegal activity or serious misconduct, or if it is necessary for the diplomatic or consular functions or activities of a The facility is reasonably necessary. APP 11 states that companies must take reasonable steps to protect personal data: If an APP company rejects a request for rectification, it must inform the individual of the reasons for the refusal and may be required to attach a statement to the personal data recording the individual's opinion that the information is incorrect.
The right of access to personal data that an APP company holds about a person is covered by APP 12.1. For example, ACMA reported in January 2020 that telecommunications company Optus paid a $504,000 violation report for violating anti-spam laws. The infringements concerned sending marketing messages via email after consumers had unsubscribed and sending commercial emails without an unsubscribe function.
In addition, in mid-2019, ACMA issued a $46,000 Notice of Violation to a utility that made telemarketing calls to numbers listed in the Do Not Call Registry. On the other hand, while data protection law is silent on anonymous reporting, the OAIC requires contact information for people who complain to it about data breaches. Although data protection law and the APPs do not explicitly refer to processors, the OAIC believes that APP companies that are outsourced service providers storing personal data, even if they do not control it as such, must comply with this legal system. At the request of the data subject, a company holding personal data must grant the data subject access to that information. This does not apply if the information is retained by a government body that has a legitimate reason for withholding it, or in certain circumstances, such as if access would pose a serious threat to health or safety or would unreasonably compromise the privacy of others. Sensitive data: A subset of personal data consists of "sensitive information", which is defined as personal data, information or an opinion about racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or professional association, trade union membership, sexual orientation or practices, criminal record and health information, genetic information and/or biometric information used for automated biometric verification or biometric identification. Generally speaking, the legal basis on which a company can process personal data is the consent of the individual. However, most PPAs contain restrictions or extensions regarding the application of Commonwealth laws, records and/or agreements. APP 3.5 states that personal data may only be collected by lawful and fair means. State and territory government agencies must comply with the relevant data protection laws at the state or territory level.
APP 7.1 imposes a general prohibition on the use of personal data for direct marketing purposes. This does not apply where the organisation provides a simple means by which the individual can opt out of marketing and: The transfer of personal data to jurisdictions outside Australia is governed by APP 8. APP 8.1 requires companies to take reasonable steps to ensure that a foreign recipient of personal data complies with the APPs. However, according to APP 8.2, this is not necessary if: The OAIC's recent lawsuit against Facebook Inc. in relation to Cambridge Analytica's activities is aimed, for the first time, at imposing such fines. While this is significant and still in its infancy (as of July 2020), it seems far more significant that the OAIC may seek to impose the fine in respect of each of the approximately 320,000 Australians allegedly affected by Facebook's alleged serious and/or repeated invasions of their privacy.