5 Common Myths About Privacy in Australia

Privacy can be complex, so it’s not surprising that so many myths circulate about privacy in Australia. The widespread belief that de-identified data is always anonymous is one such myth, and myths like it can lead to serious compliance gaps.

In this post, we break down common myths and misconceptions about privacy in Australia that privacy professionals and legal counsel should know about to plug the gaps those myths can cause. 

Common Myths About Australia’s Privacy Laws

Myth 1: Australians have a constitutional right to privacy

Privacy is recognised as a basic human right in Article 12 of the Universal Declaration of Human Rights. But that doesn’t mean the Australian constitution states the same thing. In fact, Australia’s constitution is silent on privacy. Instead, privacy is tackled through a patchwork of federal and state laws – none of which offer an absolute right to privacy in Australia. 

This can be a problem for Australian organisations, since there’s a disconnect between what the law requires and what Australians may believe their rights are. Managing that disconnect isn’t an exact science – and in our experience, explaining that what your organisation is doing is compliant with the laws doesn’t tend to help the Australian public feel better about it. 

This disconnect is one reason that human-centric privacy practices shine when it comes to building and maintaining trust with customers. Human-centric privacy places individuals at the core of privacy practices. It emphasises the importance of understanding and respecting people’s rights, preferences, and values. You can learn more about it in our detailed blog post.

Myth 2: Privacy only protects confidential / secret information

Organisations that operate on the belief that only confidential information is subject to privacy rights often have significant privacy compliance gaps. The reality is that even public information is protected under Australia’s privacy law, and organisations don’t have carte blanche to use public data, or data that isn’t confidential, sensitive or secret, in any way they wish.

If your organisation is in this position, reach out for a free consultation with our team. Alternatively, you can get started with the OAIC’s Privacy Foundations Tool, which is a helpful resource. 

Myth 3: Privacy and security are the same

There’s a common misconception that privacy = data breach. We aren’t surprised this is so pervasive, since privacy often comes up in the media in the context of data breaches. Often (but not always) data breaches are actually more of a cyber security issue that infringes on personal privacy. The reality is that privacy is much broader than just being impacted when a data breach occurs. 

Privacy involves freedom from interference and intrusion, as well as control over who sees and uses your information. Clearly, data breaches can impact personal privacy. But it is also clear that privacy is much more nuanced than simply protecting personal information from being breached. It’s a culture, a competitive advantage, and everything that happens from when you make the decision to collect data right through to when you dispose of it. 

Don’t get us wrong – consent is often a good idea, and it is always necessary when you’re collecting sensitive personal information or collecting information for secondary purposes the customer may not expect (if you’re covered by the Privacy Act (1988)).

But consent is not always required before collecting personal information under Australian federal privacy laws. You can collect personal information in some circumstances, such as if it’s reasonably necessary for your functions, so long as you provide notice and collect the information fairly. Organisations can also use or disclose personal information for the purpose it was collected or a closely related purpose, so long as that information isn’t sensitive.

That being said, it is a good practice to collect consent where practicable, even where exceptions apply, to build trust with your customers. And if you’re uncertain whether you need to collect consent, reach out to your organisation’s privacy team – or our team if you need some outsourced privacy help. 

Myth 5: If you don’t have a name – it’s not personal information

This myth is fairly widespread – if you don’t have a name, it’s not personal information. This is not true. 

Information can be personal information if it can be used to identify a person. Here are some examples of how information can be used to identify someone: 

  • Location Data: A person’s GPS location data from their mobile phone or car can reveal their home address, workplace, and daily routines. When this data is tracked over time (even a short period), it becomes highly personal and can easily identify an individual.
  • Biometric Data: Fingerprints, facial scans, and voiceprints are unique to a person. Even if not linked to a name, this data is inherently personal and can be used to identify an individual with a high degree of accuracy. This data is particularly sensitive because it cannot be changed. 
  • Online Identifiers: IP addresses, device identifiers, and cookie data are all forms of personal information. An IP address, for example, can often be traced back to a specific internet connection and, when combined with other data, can identify a person. Similarly, a unique user ID assigned to you on a website, even if it’s a random string of numbers, is personal information because it is used to track your activity and preferences.
  • Purchase History: A person’s credit card purchase history, especially when linked to a loyalty program number, can paint a detailed picture of their lifestyle, health, and beliefs. Someone who regularly buys certain medications, for example, could be identified as having a particular medical condition.
  • Demographic and Behavioural Data: A combination of a person’s age, gender, postcode, and their browsing habits can often be enough to identify them. The Office of the Australian Information Commissioner (OAIC) has highlighted that even de-identified data can be re-identified when combined with other public datasets, underscoring that a person’s identity (and personal information) is more than just their name.

If you’ve read these myths and suspect your organisation may have compliance gaps or needs a privacy maturity assessment, our team of privacy consultants can help.


Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.