Some exceptions may apply, for example, if an organization has a valid reason to deny a person access to his/her data. However, for the most part, if your company is covered by the Privacy Act, you should be able to respond to the requests above when managing images of people.
Principles affecting your image management
While there are many aspects to the Australian Privacy Act that may affect your image management, some of the Principles are particularly impactful:
APP 3 - Collection of solicited personal data
Principle 3 outlines when and how an APP entity (an agency or organization that the Australian Privacy Act covers) can collect personal information. Most notably, APP 3 states that all collection and solicitation of personal data should be reasonably necessary for the APP entity’s functions or activities and that sensitive information requires explicit consent unless an exception applies.
LEARN MORE: How to collect and manage image consent forms in Fotoware
APP 3 also states that an APP entity should only collect personal information by lawful and fair means. By “lawful means,” one typically refers to processes that are adhering to the law, meaning that an organization should obtain from collecting information through, for example, data hacking or trespassing. However, “fair means” is a bit more abstract and refers to a way of collecting information that “does not involve intimidation or deception, and is not unreasonably intrusive.”
Some examples of when collecting personal information can be considered unfair include:
- collecting from a file dumped by accident on a street or from an electronic device that is lost or left unattended
- collecting from an individual who is traumatized, in a state of shock, or intoxicated
- collecting in a way that disrespects cultural differences
- misrepresenting the purpose or effect of collection, or the consequences for the individual of not providing the requested information
- collecting by telephoning an individual in the middle of the night
- collecting by deception, for example, wrongly claiming to be a police officer, doctor, or trusted organization
APP 6 - Use and disclosure of personal information
APP 6 states that: “An entity can only use or disclose personal information for a purpose for which it was collected (known as the ‘primary purpose’), or for a secondary purpose if an exception applies.” Amongst these exceptions are emergency situations but also explicit consent, suggesting that an organization would need to gather consent if using images for so-called secondary purposes.
The Principle aims to ensure that personal information is only used in situations where the individual would reasonably expect it to or have explicitly consented to (unless there’s a pressing matter justifying exceptions). While it may not require explicit consent for using images for their primary purpose, this should still be considered a best practice to avoid misunderstandings or bad press.
APP 12 - Access to personal information
As explained briefly above, individuals have the right to request access to their personal information, including images. Similar to other Principals, there are exceptions to APP 12, for example, the grounds on which such requests can be denied under the Freedom of Information Act or instances where access can cause harm to individuals or society.
However, when using images of people in your marketing or public communication, you’re unlikely to be offered an exception. Therefore, you should be able to provide access to these images and other forms of personal data “within a reasonable period after the request is made,” which shouldn't exceed 30 calendar days.
How to comply with the APPs when using images
So, what can Australian organizations do to efficiently company with the APPs when storing and using images of people? And how can they ensure best practices for image management and privacy?
The answer is Digital Asset Management (DAM). With a proper DAM system in place, organizations can easily keep track of all images, videos, and other files. By using metadata, a DAM helps you to quickly sort images based on information, such as usage rights, featured person(s), associated campaign(s), etc. This way, it’s easier to comply should an individual ask for access to photos taken of him/her.
