APP guidelines released

The Office of the Australian Information Commissioner (OAIC) has released the finalised Australian Privacy Principles (APP) guidelines.

The APP guidelines outline the mandatory requirements of the APPs (which commence on 12 March 2014), how the OAIC will interpret the APPs, and matters it may take into account when exercising functions and powers under the Privacy Act. The APP guidelines also give examples of how the APPs may apply in particular circumstances and contain suggestions for good privacy practice.

Direct marketing is one area where most businesses will be affected.

The guidelines on direct marketing give the Commissioner’s views on when a person’s consent is not required to send them marketing material.

APP 7.2 provides that an organisation may use or disclose personal information (other than sensitive information) about an individual for the purpose of direct marketing if:
• the organisation collected the personal information from the individual
• the individual would reasonably expect the organisation to use or disclose the personal information for that purpose
• the organisation provides a simple way for the individual to request not to receive direct marketing communications from the organisation (also known as ‘opting out’), and
• the individual has not made an opt-out request to the organisation.

The guidelines discuss the meaning of “reasonably expect”. Paragraph 7.15 says the ‘reasonably expect’ test is an objective test that has regard to what a reasonable person, who is properly informed, would expect in the circumstances. This is a question of fact in each individual case. It is the responsibility of the organisation to be able to justify its conduct.

Factors that may be important in deciding whether an individual has a reasonable expectation that their personal information will be used or disclosed for the purpose of direct marketing include where:

• the individual has consented to the use or disclosure of their personal information for that purpose;
• the organisation has notified the individual under APP 5 that one of the purposes for which it collects the personal information is for the purpose of direct marketing;
• the organisation made the individual aware that they could request not to receive direct marketing communications from the organisation, and the individual does not make such a request.

The guidelines state that an organisation should not assume that an individual would reasonably expect their personal information to be used or disclosed for the purpose of direct marketing in the following circumstances:

• because the organisation believes that the individual would welcome the direct marketing, for example, because of the individual’s profession, interest or hobby;
• when the organisation has notified the individual that their personal information will only be used for a particular purpose unrelated to direct marketing. For example, where an individual provides personal information to their bank when setting up internet banking, and the bank tells the individual that it will only use that personal information for enabling security for internet banking, the individual is not likely to have a reasonable expectation that their personal information will then be used or disclosed for the purpose of direct marketing.
 
