You will be required to comply with the Australian Privacy Principles (APP) if you intend to handle or collect personal/sensitive information. Subject to some exceptions, you will be required to comply with the Australian Privacy Principles if you are a:
- Private sector organisation with an annual turnover of $3 million or more;
- Private sector health service provider, including child care centre, private school or private tertiary educational institution;
- Employee association registered or recognised under the Fair Work (Registered Organisations) Act;
- Business that sells or purchases personal information;
- Credit reporting body;
- Business that handles personal information in the course of providing services under a government contract;
- Reporting entity under the Anti Money Laundering and Counter Terrorism Financing regime;
- Business that handles consumer credit information, tax file numbers, information on old convictions or health records; or a
- Business that has opted-in to the Privacy Act.
The Principles are not prescriptive, but you must consider how they apply to your operations. They broadly cover the collection, use, disclosure and storage of personal information and regulate the way this information is handled. More stringent obligations apply to you if you intend to handle sensitive information about somebody's health, race, ethnicity, political opinions, membership of political or trade associations, religion, sexual orientation, criminal record or biometric information.
Handling your employees' or former employees' personal information is exempt from the APP, provided that it is within the scope of the employment relationship. For example, an employer could not sell a list of their employees to another organisation for marketing purposes. Please consult the Agency Contact Officer for more information and to ascertain the level of compliance (if any) that may be required by your business.