CenturyLink can assist with APP compliance.

Australian Data Privacy, Laws & Regulations

Australian Privacy Principles regulate the handling of personal information by both Australian government agencies and businesses.

CenturyLink and Australian Data Privacy Compliance

Effective March 2014, the Privacy Amendment Act introduced significant changes to the Australian Privacy Act of 1988. The Privacy Amendment Act includes a set of new privacy principles: the Australian Privacy Principles (APPs), which regulate the handling of personal information by both Australian government agencies and businesses. These principles replaced the Information Privacy Principles (IPPs) that applied to Australian Government agencies and the National Privacy Principles (NPPs) that applied to businesses. The APPs outline the obligations of APP Entities that are subject to the Act. CenturyLink encourages customers to understand the APPs, how their business activities comply with the APPs, and how to effectively select and use CenturyLink services in those efforts. As a service provider, CenturyLink has focused on a few key APPs.

APP number 8 (cross-border disclosure of personal information) regulates the disclosure of personal information by an APP entity to a different entity offshore. Before disclosing personal information offshore, the APP entity must take reasonable steps to ensure the overseas recipient will comply with, and not breach, the APPs. However, the APP entity will (subject to limited exceptions) remain liable for the overseas recipient’s acts and practices in respect of the personal information. Disclosure of information to an entity is treated differently under the APPs than the use of information by an entity. In the former, the disclosing entity effectively cedes control of the information to the other. On the other hand, an entity only uses information provided to it when the other entity continues to have effective control over the information. Because customers retain control over their information and how it is processed when using CenturyLink services, CenturyLink takes the position that it may merely use customer information in providing its services and that it is not the recipient of a cross-border disclosure.

APP number 11 (security of personal information) requires that an organization must “take reasonable steps to protect the personal information it holds from misuse, interference and loss and from unauthorized access, modification or disclosure”. The Office of the Australian Information Commissioner (OAIC) has issued guidance detailing what it suggests is required to meet this “reasonable steps” obligation. CenturyLink has taken what it considers to be reasonable steps to protect the security of its infrastructure services, enabling customers to leverage those foundational protections to meet their broader obligations under the APPs.

Additional Privacy Regulatory Obligations

Customers should seek appropriate advice to ensure they identify and understand the requirements applying to them. Other Australian privacy laws, aside from the Privacy Act, may also be applicable, including state-based laws and industry-specific requirements. The relevant privacy and data protection laws and regulations pertinent to individual customers will depend on several factors, including the nature of the content, where the content is stored, from whom the content originates, the industry in which the customer operates and the customer location.


APP entity

An ‘APP entity’ is defined to be an agency or organization.

An ‘organization’ is defined to be:

  • an individual (including a sole trader)
  • a body corporate
  • a partnership
  • any other unincorporated association, or
  • a trust

unless it is a small business operator, registered political party, State or Territory authority or a prescribed instrumentality of a State.


An APP entity collects personal information ‘only if the entity collects the personal information for inclusion in a record or generally available publication’.


An APP entity ‘holds’ personal information if ‘the entity has possession or control of a record that contains the personal information’.

Overseas Recipient

Under APP 8.1, an ‘overseas recipient’ is a person who receives personal information from an APP entity and is:

  • not in Australia or an external Territory
  • not the APP entity disclosing the personal information, and
  • not the individual to whom the personal information relates.

This means that where an APP entity in Australia sends information to an overseas office of the entity, APP 8 will not apply, as the recipient is the same entity. This is to be distinguished from the case where an APP entity in Australia sends personal information to a ‘related body corporate’ located outside of Australia. In that case, the related body corporate is a different entity to the APP entity in Australia. It will therefore be an ‘overseas recipient’ and APP 8 will apply.

Personal information

‘Personal information’ is defined as any ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  • whether the information or opinion is true or not; and
  • whether the information or opinion is recorded in a material form or not’.

Common examples are an individual’s name, signature, address, telephone number, date of birth, medical records, bank account details, employment details and commentary or opinion about a person.
