You can only collect personal information where it is reasonably necessary for your activities, and you can only collect sensitive information with the consent of the individual concerned (APP3). Again, there are certain limited exceptions, and these need to be considered carefully before relying on them.
You have to take reasonable steps to notify the individual of your organisation's details, and the reasons you are collecting their personal information (APP5). Personal information may only be used for the purpose for which it was collected, unless consent is obtained from the individual (APP6), or one of the exceptions in APP6 is satisfied.
It is important to understand that the effect of the APPs extends beyond Australia. To disclose personal information outside of Australia, you must take reasonable steps to ensure the offshore recipient does not breach the APPs in respect of that information (APP8).
The privacy obligations are not one-time-only responsibilities. Once collected, there are ongoing responsibilities to ensure the information is kept up to date, accurate and complete (APP10).
In addition to keeping the information up to date, you are also obliged to take reasonable steps to protect it (APP11). Under that same APP, where you have personal information you no longer have a use for (i.e. authorised use), then you cannot passively retain it -- you have a positive obligation to destroy it or de-personalise it.
It is worth looking at another example to consider how important these requirements may be. The Privacy Commissioner is currently investigating yet another data breach incident, this time involving Westnet, a subsidiary of iiNet.
It appears a hacker compromised a database containing Westnet customer information, and then offered that information for sale online.
The Commissioner would no doubt be investigating to see if Westnet had taken reasonable steps to protect the information. iiNet has itself referred to the information compromised as "old customer information stored on a legacy system." It would be ironic in the extreme if this statement, no doubt intended to tone down alarm over what was compromised, led to a further investigation into whether APP11 had been breached.
There is a general obligation to provide individuals access to their personal information that you hold, with some exceptions (APP12).
The final obligation under the APPs is to correct personal information you hold, where there is reason to suspect it is not correct or up to date (APP13).
You need to give time and resources to understanding your privacy responsibilities and ensuring you comply with them. A failure to do so may have consequences well beyond breaches of the Act, which is in itself serious enough.
You need to be sure you understand all of your obligations, and where there is any uncertainty, seek appropriate advice.