How the Australian Privacy Act affects your image management

How to comply with the Australian Privacy Principles when using images of people

Like the EU, Australia also has rules and guidelines for how organizations should manage personal data. Established in 1988, the Privacy Act is the principal piece of Australian legislation concerned with protecting personal data. It provides 13 principles that most agencies and organizations - with a yearly turnover of $3 million or more - must comply with.

Since the legislation is principle-based, it mainly aims to protect individuals' privacy without burdening organizations with inflexible rules. However, in the case of severe or repeated breaches, financial penalties can be issued by the Office of the Australian Information Commissioner (OAIC). Additionally, adhering to the principles is considered best practice and can greatly benefit an organization’s overall reputation.

In this article, we’ll explain how the Australian Privacy Principles (APPs) can affect the image management of organizations operating in Australia and what you can do to ensure effective compliance.

Table of contents

The APPs and images

Principles affecting your image management

How to comply with the APPs when using images

How FotoWare ensures best practices 


The APPs and images

Just like with the GDPR, the Australian Privacy Act treats images as personal information. This includes all visuals where an individual’s identity is clear or can be reasonably worked out based on the information offered in the image. In some cases, images may even be treated as sensitive data if they, for example, reveal a person’s ethnicity or religious and political beliefs.

In cases where personal data is of a sensitive nature, the Australian Privacy Act requires you to collect explicit consent before using images of recognizable individuals. While this is not the case for other forms of data, it’s still considered a best practice as most people are sensitive to photos and videos of them being published. Additionally, individuals have the right to be notified if their personal data is gathered, receive access to the files upon request, have the images removed/deleted, and be informed if the data is sent to stakeholders outside of Australia.


Some exceptions may apply, for example, if an organization has a valid reason to deny a person access to his/her data. However, for the most part, if your company is covered by the Privacy Act, you should be able to respond to the requests above when managing images of people.

Principles affecting your image management

While there are many aspects to the Australian Privacy Act that may affect your image management, some of the Principles are particularly impactful:

APP 3 - Collection of solicited personal data

Principle 3 outlines when and how an APP entity (an agency or organization that the Australian Privacy Act covers) can collect personal information. Most notably, APP 3 states that all collection and solicitation of personal data should be reasonably necessary for the APP entity’s functions or activities and that sensitive information requires explicit consent unless an exception applies.

APP 3 also states that an APP entity should only collect personal information by lawful and fair means. By “lawful means,” one typically refers to processes that adhere to the law, meaning that an organization should abstain from collecting information through, for example, data hacking or trespassing. However, “fair means” is a bit more abstract and refers to a way of collecting information that “does not involve intimidation or deception, and is not unreasonably intrusive.”

Some examples of when collecting personal information can be considered unfair include:

  • collecting from a file dumped by accident on a street or from an electronic device that is lost or left unattended
  • collecting from an individual who is traumatized, in a state of shock, or intoxicated
  • collecting in a way that disrespects cultural differences
  • misrepresenting the purpose or effect of collection, or the consequences for the individual of not providing the requested information
  • collecting by telephoning an individual in the middle of the night
  • collecting by deception, for example, wrongly claiming to be a police officer, doctor, or trusted organization

APP 6 - Use and disclosure of personal information

APP 6 states that: “An entity can only use or disclose personal information for a purpose for which it was collected (known as the ‘primary purpose’), or for a secondary purpose if an exception applies.” Amongst these exceptions are emergency situations but also explicit consent, suggesting that an organization would need to gather consent if using images for so-called secondary purposes.

The Principle aims to ensure that personal information is only used in situations where the individual would reasonably expect it to be used or has explicitly consented to its use (unless there’s a pressing matter justifying exceptions). While it may not require explicit consent for using images for their primary purpose, this should still be considered a best practice to avoid misunderstandings or bad press.

APP 12 - Access to personal information

As explained briefly above, individuals have the right to request access to their personal information, including images. Similar to other Principles, there are exceptions to APP 12, for example, the grounds on which such requests can be denied under the Freedom of Information Act or instances where access can cause harm to individuals or society.

However, when using images of people in your marketing or public communication, you’re unlikely to be offered an exception. Therefore, you should be able to provide access to these images and other forms of personal data “within a reasonable period after the request is made,” which shouldn't exceed 30 calendar days.


How to comply with the APPs when using images

So, what can Australian organizations do to efficiently comply with the APPs when storing and using images of people? And how can they ensure best practices for image management and privacy?

The answer is Digital Asset Management (DAM). With a proper DAM system in place, organizations can easily keep track of all images, videos, and other files. By using metadata, a DAM helps you to quickly sort images based on information, such as usage rights, featured person(s), associated campaign(s), etc. This way, it’s easier to comply should an individual ask for access to photos taken of him/her.


A DAM can also enable you to add markers and notes to your files to communicate something about them. For example, you may store images containing sensitive information, which are bound by stricter privacy regulations. You may also want to mark and sort content based on consent status, as many organizations consider this best practice. All of which is easily done with a DAM.

How FotoWare ensures best practices

While there are many ways of managing visuals, no solution is as effective and secure as a DAM system. By having your digital assets in FotoWare, you’re not only ensuring a single source of truth across the organization, but you’re also able to attach customizable consent forms to your assets. This can be useful for many purposes, for example, if an image contains sensitive information about an individual or if you simply want to ensure best practices when using images of people.

The advanced metadata functionalities available in FotoWare also enable you to efficiently mark your assets based on the consent status, usage rights, campaign(s), or whatever else you deem relevant. This way, everyone who works with the files can easily know what should be used in which situations, ensuring that images are only applied for their primary use.

Do you want to learn more about what FotoWare can offer your team? Book a consultation call with one of our experts to discuss your challenges and see the solution for yourself.


FotoWare empowers organizations to be GDPR-compliant through proper use of its Digital Asset Management system, and cannot advise on any legal aspect of the GDPR or the Australian Privacy Act. FotoWare makes no representation, warranty or guarantee of GDPR- or APP-compliance when using the product.
