Personal information (Australian Privacy Principles)
Complaints we commonly receive about privacy include claims that a telecommunications provider:
- refused a consumer access to their personal information
- disclosed a consumer’s personal information without authority
- holds personal information about the consumer that is inaccurate.
Laws and Codes of practice
The relevant law for telecommunications complaints involving personal information is the Privacy Act 1988, in particular the Australian Privacy Principles – the APPs – within it. The APPs set minimum standards for the protection of personal information.
The Office of the Australian Information Commissioner has prepared APP guidelines that outline good privacy practice with examples that explain how the APPs may apply in particular circumstances.
When we deal with personal information complaints, we consider the law, good industry practice, and fairness in all the circumstances.
The APPs set out the rights and obligations that regulate the handling, holding, accessing, and correcting personal information.
Providers that meet the Act’s definition of a small business operator are not obliged to comply with the APPs unless they choose to.
With some exceptions, the principles dealing with access to and disclosure of personal information include:
- A provider that holds personal information about an individual must, on request, give that individual access to the information.
- A provider can use and disclose an individual’s personal information only for the particular purpose for which it was collected, and in related ways the individual would reasonably expect.
When the complaint is not made by an individual
Complaints from entities that are not individuals cannot be dealt with as personal information complaints. We may consider a complaint from a non-individual about disclosure of information if it relates to a contractual obligation of confidentiality.
When the provider is a small business operator
It is good practice that providers have procedures that are consistent with the APPs, and handle all personal information complaints as if the provider is obliged to comply.
If a provider thinks it is not obliged to comply with the APPs, and can show us that it meets the definition of small business operator in the Act, we will resolve any personal information complaint by considering other obligations under the law, the contract, and what is fair in the circumstances.
Dealing with a dispute
To assess a complaint we ask for information from the individual and provider.
Complaints about denial of a request to access personal information
- What personal information is the consumer asking for?
- If access was denied, has the provider given valid reasons?
Complaints about disclosure of personal information
- What personal information was disclosed?
- Can the provider show that the disclosure was authorised?
- If it was unauthorised, what is the effect of the disclosure on the individual?
Complaints about inaccurate personal information
- How is the personal information inaccurate?
- What did the individual do to try to update their personal information?
- What needs to be done to make it accurate?
- If correction was refused, has the provider given valid reasons?
- What is the effect of the inaccuracy on the individual?
If our view is that the provider did not follow appropriate APPs, we expect the provider to address the impact of the contravention on the individual. Depending on the circumstances, we may also decide another remedy should be considered. This may include:
- giving access to information or reducing charges for access
- correcting inaccurate personal information
- compensating for financial loss incurred as a result of a breach of the APPs, and
- compensating for injury to feelings and humiliation caused by an interference with the individual’s privacy .
We may also recommend that improvements to systems, procedures and staff training be considered by the provider.
Effective date: 11 March 2016
This page provides broad guidance on the law, good industry practice, and what the TIO may consider to be fair and reasonable in general circumstances. It is not a full statement of the law or good industry practice. The TIO considers each matter brought to it on its own particular merits.