| Term | GDPR (Articles 4, 9) | APA (Section 6, 26WA, APP11) |
|---|---|---|
| Personal Data under GDPR / Personal Information under APA | Personal data refers to any information relating to an identified or identifiable natural person. This identification can be direct (for example, by name) or indirect (for example, through an identifier such as a number, location data or online data). It also includes unique physical, genetic, mental, economic, cultural or social characteristics that could identify the person. | In comparison, the equivalent term used in the APA is 'personal information', which refers to information or opinions about an identified or reasonably identifiable individual, (a) whether the information or opinion is true or not, and (b) whether the information or opinion is recorded in a material form or not. Thus, while the GDPR focuses on specific identifiers and indirect identification, the APA takes a broader approach, including opinions as well as information. |
| Consent | Any freely given, specific, informed and unambiguous indication of the data subject's wishes, given by a statement or by a clear affirmative action, that signifies agreement to the processing of their personal data. Individuals have the right to withdraw their consent at any time where consent is the legal basis for processing. | In the APA, consent is not defined by its characteristics; rather, it is categorized as express consent or implied consent. Express consent occurs when it is given clearly and explicitly, either verbally or in writing, such as by signing your name. Implied consent, on the other hand, is when an organization reasonably believes it has permission to handle non-sensitive personal information without explicit verbal or written consent. Similar to the GDPR, consent can be withdrawn at any time. |
| Sensitive Data under GDPR / Sensitive Information under the APA | Under the GDPR, sensitive personal data includes: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade-union membership; genetic data; biometric data processed solely to identify a human being; health-related data; or data concerning a person's sex life or sexual orientation. | Comparatively, the APA contains a more detailed list of information that would be categorized as sensitive, although most of it is similar to the GDPR. It includes information or an opinion about an individual's: racial or ethnic origin; political opinions, religious beliefs or affiliations; philosophical beliefs; membership of a professional or trade association or a trade union; sexual orientation or practices; criminal record; health information; genetic information; biometric information used for automated biometric verification or biometric identification; or biometric templates. |
| Pseudonymization | The processing of personal data in such a way that it can no longer be attributed to a specific individual without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an individual. | The APA does not define pseudonymization. However, it defines 'de-identified' information as information that no longer identifies an individual (i.e., a natural person). |
| Controller | The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where Union or Member State law determines those purposes and means, the controller, or the criteria for nominating one, may also be specified by Union or Member State law. | The APA does not define a data controller or distinguish between data controllers and data processors. Instead, it provides the concept of 'APP entities'. This includes private organizations such as individuals, corporate bodies, partnerships, unincorporated associations and trusts, and Commonwealth Government agencies, with an annual turnover exceeding AUD 3 million, whether they are acting as data controllers or as data processors. |
| Processor | A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. | As stated above, the APA does not define data processors. Instead, it provides the concept of 'APP entities', which encompasses both data controllers and data processors. |
| Data Subject | The GDPR specifies that a data subject is 'an identified or identifiable natural person' to whom the personal data relates. | The APA does not define a data subject. |
| Data Breach | A security incident that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data that is transmitted, stored or otherwise processed. | The equivalent term in the APA is 'eligible data breach'. It occurs when personal information held by an entity is accessed, disclosed or lost without authorization, and the breach is likely to result in serious harm to the affected individuals. |
Key insights:
- The GDPR’s definition of personal data includes both direct and indirect identifiers of individuals. The APA takes a broader approach, including information and opinions about identifiable individuals.
- The GDPR requires consent to be explicit, informed and unambiguous. In contrast, the APA distinguishes between express consent (clearly given) and implied consent (reasonably inferred).
- Both laws address sensitive data/information, but the GDPR's list is more focused, while the APA includes additional categories such as criminal records.
- The GDPR defines pseudonymization as processing that separates data from an individual, with additional safeguards. The APA lacks a pseudonymization definition but uses ‘de-identified’ to describe data that no longer identifies an individual.
- GDPR clearly defines data controllers and processors with specific roles. The APA broadly uses the term ‘APP entities’ to cover all entities involved in data handling without distinct definitions for controllers and processors.