The Australian Privacy Principles (APPs) contain many obligations and requirements as to how "APP Entities" collect, hold, use and disclose personal information. An APP Entity is any organisation (whether a sole trader, company, partnership or trust) that is not a "Small Business Operator" - that is, any organisation with an annual turnover of $3 million or more.
However, even if your organisation is a "Small Business Operator" with annual turnover of less than $3 million, do not assume the APPs don't apply to you. There are a number of exceptions to the Small Business Operator rule, which may require your organisation to comply with the APPs.
For example, if your organisation has less than $3 million annual turnover but provides health services and holds "health information" about an individual (other than in an employee record), then your organisation must comply with the APPs. "Health information" includes any personal information about:
• the health or disability of an individual at any time (whether physical or mental);
• a health service provided to or requested by an individual; or
• other information collected to provide, or in providing, a health service.
"Health information" is interpreted broadly. For example, the records of fitness clubs relating to individuals will fall within this exception, and therefore such fitness clubs must comply with the APPs regardless of whether they are Small Business Operators with less than $3 million annual turnover.
Another example where your organisation may be required to comply with the APPs (regardless of whether it has less than $3 million annual turnover) is where your organisation discloses personal information about individuals to receive a benefit or advantage, or to provide a service. This also applies to organisations that provide a benefit, service or advantage in order to collect personal information about individuals from anyone else. Organisations caught by this include those that sell lists of personal information to another entity so that the other entity can use it for direct marketing.
However, a Small Business Operator will not be required to comply with the APPs for trading in personal information if the Small Business Operator does so with the consent of the individuals concerned. Whether satisfactory consent has been obtained from the relevant individuals for this to apply then becomes critical to get right.
As you can see, whether your business is bound by the APPs is not simply a matter of whether or not your organisation exceeds an annual turnover of $3 million. At Motus Legal, we have advised many of our clients on privacy matters and compliance with the APPs, including specifically in the health sector.
Get in touch with us at Motus Legal to find out how the Australian Privacy Principles apply to your business.