Compliance to APP ‐ Australian Privacy Principles - SarahJChong/emergency-duress-app GitHub Wiki
Overview
There are 13 Australian Privacy Principles and they govern standards, rights and obligations around:
- the collection, use and disclosure of personal information
- an organisation or agency’s governance and accountability
- integrity and correction of personal information
- the rights of individuals to access their personal information. The Australian Privacy Principles are principles-based law. This gives an organisation or agency flexibility to tailor their personal information handling practices to their business models and the diverse needs of individuals. They are also technology neutral, which allows them to adapt to changing technologies.
A breach of an Australian Privacy Principle is an ‘interference with the privacy of an individual’ and can lead to regulatory action and penalties.
13 Australian Privacy Principles(APP)
Note: Compliance to the Australian Privacy Principles (APP) will largely depend on the implementor and their implementation / usage of the app, including the hosting and 3rd party services they integrate with.
| Principle | Title & Purpose | Comment |
|---|---|---|
| APP 1 | Open and transparent management of personal information - Ensures that APP entities manage personal information in an open and transparent way. This includes having a clearly expressed and up to date APP privacy policy. | By default, the app will only contain a placeholder privacy /terms of use policy. It will be up to Implementor's update the Privacy policy to specify how they comply to this principle |
| APP 2 | Anonymity and pseudonymity - Requires APP entities to give individuals the option of not identifying themselves, or of using a pseudonym. Limited exceptions apply. | End users will be able to specify if they want to make a Distress call as a (1) Guest mode/unauthenticated users OR (2) Anonymous user, which means their person information will be redacted |
| APP 3 | Collection of solicited personal information - Outlines when an APP entity can collect personal information that is solicited. It applies higher standards to the collection of sensitive information. | End user will need to provide consent to sharing their personal data |
| APP 4 | Dealing with unsolicited personal information - Outlines how APP entities must deal with unsolicited personal information. | By default, the app doesn't collect any unsolicited data. |
| APP 5 | Notification of the collection of personal information - Outlines when and in what circumstances an APP entity that collects personal information must tell an individual about certain matters. | When an end user provides consent to sharing their personal data, the consent screen will specify what personal information is collected and why. By default, the app will only contain a placeholder privacy /terms of use policy. It will be up to Implementor's update the Privacy policy to specify how they comply to this principle |
| APP 6 | Use or disclosure of personal information - Outlines the circumstances in which an APP entity may use or disclose personal information that it holds. | Refer to APP-5 above |
| APP 7 | Direct marketing - An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met. | By default, the app does not do any marketing nor collect information for marketing. However, it is up to Implementor if/how they comply to this principle. |
| APP 8 | Cross-border disclosure of personal information - Outlines the steps an APP entity must take to protect personal information before it is disclosed overseas. | By default, the app does not sent data cross-border. However, it is up to Implementor if/how they comply to this principle, e.g. it depends on their hosting provider and how their environment is setup |
| APP 9 | Adoption, use or disclosure of government related identifiers - Outlines the limited circumstances when an organisation may adopt a government related identifier of an individual as its own identifier, or use or disclose a government related identifier of an individual. | By default, the app does not don't use GOV Identifiers. However, it is up to Implementor if/how they comply to this principle, since it depends on which ID provider they selected. |
| APP 10 | Quality of personal information - An APP entity must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure. | By default in the app, the end users will be update their info in their profile. Updating personal information held in ID Provider, will depend on the ID provider selected. It is up to Implementor if/how they comply to this principle, since it depends on which ID provider they selected. |
| APP 11 | Security of personal information - An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances. | By default the app use Role Based Access Controls. It also encrypt sensitive data both in transit and at rest. |
| APP 12 | Access to personal information - Outlines an APP entity’s obligations when an individual requests to be given access to personal information held about them by the entity. This includes a requirement to provide access unless a specific exception applies. | By default, the app will only contain a placeholder privacy /terms of use policy. It will be up to Implementor's update the Privacy policy to specify how they comply to this principle. |
| APP 13 | Correction of personal information - Outlines an APP entity’s obligations in relation to correcting the personal information it holds about individuals. | By default, the app will only contain a placeholder privacy /terms of use policy. It will be up to Implementor's update the Privacy policy to specify how they comply to this principle. |