Australian Privacy FAQ

Sally McEwan


Does my agency or organisation have privacy obligations?

The Privacy Act 1988 (Privacy Act), including the Australian Privacy Principles (APPs), governs the way APP entities must handle personal information.

APP entities include:

  • Commonwealth agencies; and
  • organisations that:
    • have an annual turnover of greater than $3 million;
    • provide a health service to a person, even if the service is not your primary activity;
    • trade in personal information;
    • are contracted service providers under a Commonwealth contract;
    • have voluntarily opted in to the Privacy Act; or
    • are related to a larger body corporate that is subject to the Privacy Act.

If your agency or organisation is an APP entity, it must comply with the Privacy Act.


Are there any requirements for collecting personal information?

Where an APP entity collects personal information about an individual, it must take reasonable steps to notify the individual of certain matters or to ensure the individual is aware of those matters. The reasonable steps must be taken before or at the time of collection, or as soon as practicable after collection.


Here is a privacy notice template that your agency or organisation can use:

The [system name], on behalf of [agency or organisation], collects your personal information for the purposes of [purpose]. Without this information, we may be unable to [consequence]. Your personal information will be used and otherwise handled in accordance with the Privacy Act 1988. We may disclose your personal information to [entities, including any overseas entities] for this purpose.

For further information about the collection and handling of your personal information, and how to access or correct your personal information or make a complaint, please see the [agency or organisation’s] privacy policy: [link].


Does my agency or organisation need to consider data breaches?

Yes, if the Privacy Act covers your organisation or agency, you must comply with the Office of the Australian Information Commissioner’s (OAIC) Notifiable Data Breaches (NDB) Scheme. The NDB Scheme requires you to notify the OAIC of any data breach involving personal information that is likely to result in serious harm to the affected individuals.


Can Acorn LMS support right to be forgotten requirements?

Yes, we have a process to ensure that right to be forgotten requests can be actioned. While our usual account deletion process retains information about user activity for administrator reporting, there are additional steps that can fully obfuscate all personal user information. This can ensure that admin reporting remains, but no user information is retained. This can be performed with the assistance of our technical support team.


Is data stored in Acorn LMS stored on-shore?

Yes, the data hosting provided by Acorn LMS includes the option to specify the region where data is stored. We use AWS for our hosting, which has data centres in numerous countries and regions across the world. As part of the initial setup of your site, we will agree which region is most appropriate for your data storage requirements. The data will remain in that region for the lifetime of the site.
