LawTalk Blog

Associations and the Australian Privacy Principles


Recently, Andersons Solicitors delivered a Question & Answer session to Educators SA Members on how the Privacy Act 1988 applies to incorporated associations. Many associations had concerns about the content of their privacy obligations. This blog post explains the Privacy Act and the obligations it places on entities.

Summary of the Privacy Act

The Privacy Act is a Federal Act that regulates the way in which an organisation, association, business etc. (an entity) can collect, store and use an individual's personal data. Not all entities must comply with the Act, so it is important to understand the specific obligations your entity has.

Irrespective of any legal obligation, aspiring to a privacy framework that is compliant with the Act would be best practice no matter your profession or industry.

What information is subject to Privacy laws?

The Privacy Act imposes obligations on entities depending on the type of information being collected. To understand those obligations, you must understand whether your entity collects or holds information that can be characterised as personal, sensitive or health information.

  • Personal information

    Personal information includes a person's name, address, birthdate, contact details, gender, sexuality and race. These details do not have to be true and don’t need to directly identify the individual.
  • Sensitive information

    Sensitive information is about a person in respect to their ethnic origin, political opinions or memberships, religious or philosophical beliefs, membership of a trade union, sexual preference and/or a person's criminal record.
  • Health information

    Health information includes an individual's physical and mental health, health preferences, disabilities, bodily donations and genetics.

The type of information your entity comes into contact with determines the thresholds and standards that apply to managing that data.

Are we subject to The Privacy Act 1988?

Once you identify the type of data your entity collects you then must consider which Privacy Laws apply to your organisation. Whilst this blog focusses on the Federal Privacy Act, an organisation can be subject to both State and Federal legislation depending on the type of personal information collected.

Whether your entity operates as a trust, an unincorporated association or an incorporated association, it is likely to be captured by the definition of an 'organisation' in the Privacy Act.

How organisations must comply with the Privacy Act

All organisations must comply with the Privacy Act, and in particular, the Australian Privacy Principles (APPs) if they:

  • have an annual turnover in excess of $3 million
  • provide a health service to a person (includes gyms, weight loss clinics, child care centres and private educators)
  • receive a benefit for disclosing personal information about others
  • are a contracted service provider to the Commonwealth Government
  • are a credit reporting body
  • are a subsidiary of a body corporate that is required to comply with the Act

An organisation may also choose to opt in to the Privacy Act obligations.

What are the Australian Privacy Principles (APPs)?

The APPs are legal obligations found in the Privacy Act that define how an organisation must treat and deal with personal information. They are put in place to protect the personal data of the general public that choose to engage with those entities.

The obligations are dealt with under the following headings:

  • APP 1: Open and transparent management of personal information
  • APP 2: Anonymity and pseudonymity
  • APP 3: Collection of solicited personal information
  • APP 4: Dealing with unsolicited personal information
  • APP 5: Notification of the collection of personal information
  • APP 6: Use or disclosure of personal information
  • APP 7: Direct marketing
  • APP 8: Cross-border disclosure of personal information
  • APP 9: Adoption, use or disclosure of government related identifiers
  • APP 10: Quality of personal information
  • APP 11: Security of personal information
  • APP 12: Access to personal information
  • APP 13: Correction of personal information

These 13 principles define and set basic standards that include specifying to individuals:

  • how their information is to be collected
  • what is being collected
  • whether their personal information is held locally or offshore
  • to whom their information is disclosed
  • how they can access their information and have it corrected.

All APP entities are required to have a publicly available Privacy Policy addressing the APP standards.

It is recommended that a lawyer draft this policy so that it correctly incorporates both the APPs and the day-to-day operations of your organisation.

This is something the Commercial Department at Andersons Solicitors can assist you with. Contact Andersons Solicitors today.

This blog post has been written by Law Clerk, Antony Boonen and settled by Partner, Felix Hoelscher.

Get in touch with today's blog writer:
Felix Hoelscher

Partner in Commercial Law and Business Law and Wills and Estates

Please note, this Blog is posted in Adelaide, South Australia by Andersons Solicitors. It relates to Australian Federal and South Australian legislation. Andersons Solicitors is a medium sized law firm servicing metropolitan Adelaide and regional South Australia across all areas of law for individuals and businesses.
