The Privacy Act 1988 (Cth) (‘Privacy Act’) and Australian Privacy Principles (‘APPs’) do limit the ability to use personal information in some ways. However, being aware of the legal obligations connected to the use and disclosure of personal information can foster business flexibility and mitigate inherent risks associated with using personal information.
Using Personal Information
Personal information can be used for the primary purpose that it was collected for or another purpose connected with that primary purpose. For example, if a business collects an address and contact details from customers to ship products, that same information may also be used to address complaints or follow up on missing shipments.
Despite the ability to use personal information for related purposes, there are limits. Any secondary use must be ‘reasonably expected’ by an individual. This will mean that if personal information is collected to send products to that customer, their address details cannot be used to send unrelated third party marketing materials.
Transparency is recommended regarding the use of personal information. In order to fully comply with the APPs and Privacy Act, the safest approach is to always disclose all possible uses of information to individuals at the time of collection.
Can Personal Information be transferred?
If you notify your customers about any intended transfer or disclosure of the personal information you collect, at the time it is collected, there is no general prohibition on who the personal information may be transferred to. However, the disclosures must still align with the primary purpose the information was collected for and if disclosure to another entity is frequent and consistent, it should be disclosed at the time of collection.
If you are going to disclose information to a third party in a way that was not previously contemplated by your privacy policy, you should update your privacy policy and notify customers of any relevant changes.
Can information be transferred overseas?
It is common for information to be sent overseas for storage and processing. While Australian privacy laws do not prohibit this, there are a number of compliance matters that must be considered before information is transferred overseas. Australian companies must:
disclose in their privacy policy that they send information overseas;
ensure that any transfer of information overseas aligns with the primary purpose of collecting that information; and
ensure that information sent overseas is protected from unauthorised use.
This requires careful consideration of any arrangement between an Australian entity and overseas data processors and requires you to take steps to assess your digital services. Where unsure, as a general rule, Australian businesses should only send personal information overseas when they are satisfied that the information will only be used and stored in a safe and secure manner.
If you have any queries regarding your privacy obligations or wish to discuss privacy law, data protection and your business, contact us and our consumer protection and privacy law experts can assist you.
This publication has been prepared for general guidance on matters of interest only and does not constitute professional legal advice. You should not act upon the information contained in this publication without obtaining specific professional legal advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication and to the extent permitted by law, Cowell Clarke does not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting or refraining to act in relation on the information contained in this publication or for any decision based on it.