Organisations must protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure.
An organisation that collects personal information about an individual must, at or before the time of collection or, if that is not practicable, as soon as practicable afterwards, take such steps as are reasonable in the circumstances to notify the individual of:
- the identity and contact details of the organisation;
- the fact that the organisation collects or has collected the information, what information was collected and the circumstances of that collection, where the organisation collects the personal information from someone other than the individual or where the individual may not be aware that the organisation has collected it;
- the fact that the collection is required or authorised by or under an Australian law or a court/tribunal order, when that is the case (including the name of the Australian law or details of the court/tribunal order);
- the purposes for which the organisation collects the personal information;
- the main consequences for the individual if all or some of the personal information is not collected by the organisation;
- any other organisation to which the organisation concerned usually discloses personal information of the kind collected by the entity;
- whether the organisation is likely to disclose the personal information to overseas recipients, and in that case, the countries in which such recipients are likely to be located if it is practicable to specify those countries in the notification or to otherwise make the individual aware of them.
If such notification is not possible, the organisation must otherwise ensure that the individual is aware of the collection of the personal information, at or before the time of collection or, if that is not practicable, as soon as practicable afterwards.
The Direct Marketing Privacy Principle (APP 7) provides that an organisation may use or disclose non-sensitive personal information for the purpose of direct marketing if it allows an individual to request not to receive direct marketing communications (also known as ‘opting out’) and complies with that request. An organisation must, on request, provide its source for an individual’s personal information, unless it is impracticable or unreasonable to do so.