RenterPay LogoRenterPay

Privacy Policy for a Residential Property Management App in Victoria, Australia: A Legal and Operational Framework

Author: Iris | Team: MetaGPT X | Time: September 29, 2025 | Remarks: This report is for reference only

1. Introduction and Legal Framework

This Privacy Policy outlines how [App Name], a residential property management application platform operating in Victoria, Australia, collects, uses, stores, and discloses personal information. The purpose of this section is to provide a foundational understanding of the legal framework governing our privacy practices, ensuring compliance with both Australian federal and Victorian state privacy legislation. This policy is designed to uphold your privacy rights and manage your personal information transparently and securely.

Our operations are primarily governed by the Privacy Act 1988(Cth) and, under specific circumstances, by relevant Victorian state legislation.

Australian Federal Legislation: Privacy Act 1988 (Cth)

The Privacy Act 1988 (Cth) (the Act) is Australia'sprincipal federal legislation regulating the handling of personal information by most private sector organizations [1] . For a residential property management app, the Act is generally applicable if the app's managing entity has an annual turnover exceeding AU$3 million . It also applies to health service providers, businesses engaged in trading personal information, and contractors to the Australian government, irrespective of their turnover [1] . Given its nature, a residential property management app is highly likely to fall under the scope of this Act due to its extensive handling of personal information, potentially meeting the turnover threshold or engaging in significant data processing [1] . The Act applies to Australian entities operating domestically and overseas entities processing Australian residents data [1]

The Act includes 13 Australian Privacy Principles (APPs), which are central to how personal information is handled. Key APPs relevant to our operations include:

  • APP 1 (Open and Transparent Management of Personal Information):Requires us to manage personal information openly and to maintain a clear, up-to-date privacy policy detailing our data handling practices [1]
  • APP 3 (Collection of Solicited Personal Information):Stipulates that personal information can only be collected if it is reasonably necessary for the app's functions, such as processing rental applications or managing leases [1] . Sensitive information, a subset receiving higher protection, requires explicit consent for collection and must also be reasonably necessary [1] .
  • APP 5 (Notification of the Collection of Personal Information):Mandates that individuals be notified about the purposes of collection and other key details at the time their information is collected .
  • APP 6 (Use or Disclosure of Personal Information):Generally restricts the use or disclosure of personal information to the primary purpose for which it was collected, unless consent for a secondary purpose is obtained or specific exceptions apply .
  • APP 8 (Cross-border Disclosure of Personal Information):Requires us to take reasonable steps to ensure that overseas recipients of personal information comply with the APPs if data is disclosed internationally.
  • APP 11 (Security of Personal Information):Obliges us to take reasonable steps to protect personal information
  • APP 12 (Access to Personal Information):Grants individuals the right to access their personal information held by us
  • APP 13 (Correction of Personal Information):Grants individuals the right to request corrections to their personal information if it is inaccurate or misleading

Additionally, the Act incorporates the Notifiable Data Breaches (NDB) scheme, which requires notification to affected individuals and the Office of the Australian Information Commissioner (OAIC) if a data breach is likely to result in serious harm

Victorian State Legislation

While the federal Privacy Act 1988 (Cth) is the primary legislation, Victorian state laws may also apply in specific circumstances:

  • Privacy and Data Protection Act 2014 (Vic) (PDP Act):This Act primarily governs Victorian public sector organizations and certain contracted service providers [2] . As a private residential property management app, we are generally not directly subject to the PDP Act unless we operate as a contracted service provider for a Victorian government agency [2] .
  • Health Records Act 2001 (Vic) (HR Act):This Act is highly relevant if our app collects, uses, or discloses health information (e.g., medical certificates related to tenancy adjustments or accessibility needs) [2] . The HR Act applies to both public and private organizations handling health information in Victoria and contains 11 Health Privacy Principles (HPPs) [2] .

Interaction of Federal and State Laws

For [App Name], the federal Privacy Act 1988 (Cth) serves as the primary and most comprehensive legislation governing the general handling of personal information . While the Privacy and Data Protection Act 2014 (Vic) typically does not directly apply to our private operations unless specific contracting scenarios arise [2] , the Health Records Act 2001 (Vic) will apply concurrently with the federal Act if any health information is handled [2] . In cases where both federal and state laws apply to specific types of information (e.g., health information), our practice is to adhere to the stricter requirements to ensure maximum protection of your privacy [2] . This foundational legal framework guides our approach to privacy, ensuring we meet all applicable obligations in Victoria, Australia.

Information We Collect

In adherence to the Privacy Act 1988 (Cth) and the Victorian Privacy and Data Protection Act 2014 (PDP Act), this section outlines the categories of personal information we collect through our residential property management platform. Our collection practices are guided by the principles of reasonable necessity, lawful and fair means, and transparent consent, particularly for sensitive information. Personal information is broadly defined as information that identifies an individual or makes them reasonably identifiable [3] . Sensitive information, a subset of personal information, receives a higher level of protection due to its nature, including details such as health information or racial origin [3] .

The following table details the types of personal information we may collect:

CategorySpecific ExamplesLegal ClassificationKey Considerations
Identity InformationName, postal address, phone number, email address, gender, date of birth, signature [5] . Formal identification documents or details thereof, such as driver's licence (including photo ID), passport, Medicare card, pension card, or healthcare card [5]Personal InformationThis information is primarily collected for verifying your identity and eligibility to rent [6] . Basic identity information is generally considered reasonably necessary. However, collecting multiple identity verifiers or excessive detail beyond what is required for verification may not be deemed reasonably necessary [5]
Contact InformationPhone number, email address, postal address [5] . Social media accounts/profiles, social network data (e.g., user name, site ID, profile photo) if you choose to link such accounts [5]Personal InformationCollected to facilitate communication with applicants and tenants. While basic contact details are reasonably necessary, requests for social media profiles are often considered intrusive and are generally not reasonably necessary for tenancy assessment, as they could lead to discriminatory decisions [10].
Financial InformationBank account details, credit card details, credit information, loan information [5] . Bank statements (which may show income and expenditure), financial status, investments, and cash in bank [5] . Records of rent payments and utility bills [5]Personal InformationEssential for assessing an applicant's ability to pay rent [6] . However, requests for extensive financial histories, such as three years of bank statements showing all expenditures, may exceed the "reasonably necessary" threshold and are considered highly intrusive [7] .
Employment & Tenancy HistoryOccupation, employment status, employment history, job titles, salary details, employment contracts [5] . Professional qualifications [5] . Tenancy history, tenant ledger reports, references (including opinions about character) [5] . Questions about past tribunal actions [7] . Visa status [10] .Personal InformationUsed to demonstrate your suitability as a tenant and verify income [6] . While generally necessary, questions about past tribunal actions are contentious and may be considered inappropriate if used to discriminate against tenants who have asserted their legal rights [7] .
Property-Related InformationCurrent living arrangements [5] . Photographs/images of personal possessions or the standard of living (e.g., taken during property inspections) [8] . Motor vehicle registration details [5]Personal InformationThis information is collected to manage the premises and assess the care of property [6] . Photographs taken during inspections are generally relevant. However, the collection and retention of such images, especially of personal possessions, must be justified as reasonably necessary and adhere to secure storage and destruction policies [8]
Usage Data / Behavioral Information Internet activities, website browsing history [5] . Activity on app providers' websites (e.g., preferences, interests, and behavior related to transactions) [5] . IP addresses, cookie identifiers, and location information from mobile devices [3] . Inferences drawn from your activities [6] .Personal InformationThis data is often collected to provide a "better or more relevant and personalised experience," targeted advertising, or to improve products and services [5] . Extensive tracking of online activities, interests, and location data is often not "reasonably necessary" for the core function of property management [9] . If used for advertising or sharing with third parties, opt-in consent may be required or individuals must be informed [5] .
Potentially Sensitive InformationMarital status [10] . Medical records [10] . Personal interests [5] . Gender [5] .Sensitive InformationThe collection of sensitive information always requires your explicit consent, in addition to being reasonably necessary for our functions [9] . Requests for marital status or medical records are rarely justifiable and are highly unlikely to meet the "reasonably necessary" and consent requirements for property management [10] . We will only collect such information in specific, limited circumstances where it is legally required or directly relevant to a service you request and for which you provide explicit consent.

For all personal information collected, we adhere to Australian Privacy Principle (APP) 3, which stipulates that information can only be collected if it is reasonably necessary for one or more of our functions or activities [9] . This is an objective test, and we must be able to justify the necessity of each piece of information. Furthermore, collection must occur by lawful and fair means, ensuring it is not misleading, deceptive, or unduly intrusive [9] .

When sensitive information is collected, we obtain your explicit consent, which must be adequately informed, voluntary, current, specific, and provided by an individual with the capacity to understand it [9] . There are very narrow exceptions to this consent requirement (e.g., when legally required), but these are unlikely to apply to routine property management activities [9] . You will be informed about the purpose of collection, how the information will be used and disclosed, and any consequences of not providing the information, in line with APP 5 [1] .

3. Purposes of Data Collection, Use, and Disclosure

This section outlines the legitimate primary and secondary purposes for which the residential property management app collects, uses, and discloses personal information. These practices strictly adhere to the Australian Privacy Principles (APPs) as set out in the Privacy Act 1988 (Cth), particularly APP 3 (Collection of Solicited Personal Information) and APP 6 (Use or Disclosure of Personal Information) [12]

1. Primary Purposes for Collection, Use, and Disclosure

Under APP 3, personal information is only collected if it is reasonably necessary for one or more of the app's functions or activities . The primary purposes for collecting, using, and disclosing personal information by the app are directly linked to its core function of managing residential tenancies. These include:

  • Tenancy Application and Assessment:To assess suitability and eligibility to rent
    • - Identity Information(Name, address, phone number, email, date of birth, formal identification): For identity verification [6] .
    • - Financial Information (Bank account details, credit information, salary, bank statements): To assess an applicant's ability to pay rent [6].
    • - Employment & Tenancy History(Occupation, employment status, salary, past tenancy references): To demonstrate suitability as a tenant and verify income [6]
    • - Legal Compliance:Fulfilling obligations under Australian law for the application process .
  • Management of Premises and Tenancy Agreement:To administer the residential agreement and manage the property throughout the tenancy [8]. This includes:
    • - Contact Information(Phone number, email address, postal address): For facilitating communication between tenants, property managers, and owners. .
    • - Property-Related Information (Photographs during inspections, current living arrangements): For managing the premises and assessing the care of the property [6].
    • - Legal Compliance:Fulfilling obligations under Australian law or court/tribunal orders relating to tenancy management .
  • Financial Transactions:Processing rent payments, bond payments, and other financial obligations [8].
  • Customer Support and Service Improvement:To respond to inquiries, provide support, and improve the functionality and user experience of the app. While not directly managing the property, certain Usage Data (e.g., app usage patterns) may be collected for internal analytics to achieve this [5] . This must be done transparently and ideally de-identified where possible.

Notification of Collection (APP 5):At the time of collection, the app must take reasonable steps to notify individuals about the purpose of collection, the app's identity, and other key details related to the handling of their personal information [12]

2. Secondary Purposes for Use and Disclosure (APP 6)

Personal information must generally not be used or disclosed for a purpose (secondary purpose) other than the primary purpose for which it was collected, unless an exception under APP 6 applies . The main exceptions are:

  • Consent: The individual has consented to the secondary use
  • Reasonably Expected and Related Purpose:The individual would reasonably expect the app to use or disclose the information for the secondary purpose, and:
    • If the information is not sensitive, the secondary purpose is related to the primary purpose of collection (e.g., using personal information for internal auditing, business planning, or de-identifying data for app improvement) [13] .
    • If the information is sensitive, the secondary purpose is directly related to the primary purpose of collection (e.g., using health information provided for an accessibility request to facilitate necessary property modifications) [13]
  • Required or Authorised by Law or Court/Tribunal Order:The use or disclosure is required or authorised by an Australian law or a court/tribunal order (e.g., responding to a warrant, statutory reporting requirements) .
  • Permitted General Situations:The use or disclosure is related to specific situations outlined in the Privacy Act, such as:
    • Lessen or prevent a serious threat to life, health, or safety [13]
    • Taking appropriate action regarding unlawful activity or serious misconduct [13].
    • Establishing, exercising, or defending a legal or equitable claim [13].
  • Enforcement Related Activities:The app reasonably believes the use or disclosure is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body (e.g., police investigations) .

3. Requirements for Obtaining Consent

When consent is required for the secondary use or disclosure of personal information, it must meet stringent criteria to be valid [13] :

  • Adequately Informed:The individual must understand what they are consenting to, including the purpose of the use or disclosure.
  • Voluntary: Consent must be given freely, without coercion, undue pressure, or misrepresentation.
  • Current and Specific:Consent should be recent and clearly define the particular use or disclosure it applies to.
  • Capacity to Understand and Communicate:The individual must have the cognitive ability to understand the implications of their consent and communicate it effectively.

4. Disclosure to Third Parties

Third Party CategoryPurpose of DisclosureLegal Basis (APP6)Key Considerations
Landlords/Property OwnersTo enable tenancy management (e.g., rent collection, property issue reporting, lease agreements, change of management/ownership) [8]Primary Purpose / Reasonably ExpectedFundamental for app function. Only necessary details shared.
Contractors/Maintenance WorkersTo facilitate property repairs and maintenance.Reasonably Expected / Related to Primary PurposeDisclosure of name, contact details, property address only as necessary [13]
Payment Processors/Financial InstitutionsTo process rent, bond, and other financial transactions.Primary Purpose / Implied ConsentEssential for financial operations. Covered by terms of service.
Government Bodies/Regulatory AuthoritiesTo comply with legal obligations, such as bond lodgement with Residential Tenancies Authority (RTA) [8] , or responding to legal orders.Required or Authorised by LawOnly disclosed if legally mandated.
Enforcement Bodies (e.g., Police)To assist with investigations of unlawful activity or serious misconduct (e.g., under warrant) [13] .Enforcement Related Activities / Required by LawDisclosure strictly within legal parameters.
Courts/Tribunals (e.g., VCAT)To comply with court or tribunal orders.Required or Authorised by LawDisclosure strictly within legal parameters.
Residential Tenancy Datalg OperatorsTo check tenancy history or list a tenant (if permitted by law and terms).Consent / Required by Law (with specific conditions)Requires tenant consent and strict adherence to datalg regulations [14]
IT Service Providers (e.g., cloud hosting, software vendors) To operate the app's infrastructure, provide software functionality, or securely store data.Related to Primary Purpose / Contractual NecessityApp remains responsible for data, ensuring providers comply with APPs [13] .

Cross-border Disclosure (APP 8): If personal information is disclosed to an overseas recipient (e.g., a cloud service provider located outside Australia), the app takes reasonable steps to ensure the overseas recipient does not breach the APPs, or the individual will be informed that APP 8 will not apply and their consent will be sought [12] . The app's privacy policy will specify the likely countries of overseas recipients [12].

Data Security (APP 11): All disclosures are made with robust security measures in place to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure [12].

Data Retention and Destruction (APP 11.2):Personal information is retained only for as long as it is needed for the purposes for which it was collected or as required by law [12]. For residential tenancies, personal information for managing premises must be securely destroyed within 7 years after the tenancy agreement ends. Information from unsuccessful applicants must typically be destroyed within 3 months, or sooner depending on state-specific regulations [8].

Data Security, Storage, and Data Breach Notification

The residential property management app is committed to protecting personal information through robust data security, storage, and data breach notification practices, primarily adhering to the federal Privacy Act 1988 (Cth) and incorporating relevant Victorian state guidelines.

Data Security (Australian Privacy Principle 11)

Australian Privacy Principle (APP) 11 mandates that entities must implement active measures to ensure the security of personal information they hold [15]

  • 1. Core ObligationsThe app will take reasonable steps to protect personal information from misuse, interference, loss, and from unauthorised access, modification, or disclosure [15] .
  • 2. Defining "Reasonable Steps" What constitutes "reasonable steps" depends on the specific circumstances [15] . Amendments to the Privacy Act clarify that these reasonable steps include both technical and organizational measures . Factors influencing what steps are considered reasonable include the nature of the entity, the amount and sensitivity of the personal information held, the possible adverse consequences of a breach, and the practical implications of implementing security measures [15] .
  • 3. Key Strategies and Best PracticesTo meet its obligations under APP 11, the app will adopt the following strategies and best practices:
    • Governance, Culture, and Training
      • - Foster a privacy and security-aware culture through appropriate training, resourcing, and management focus [15]
      • - Establish clear procedures for oversight, accountability, and decision-making regarding personal information security [15]
      • - Ensure all staff are trained to recognise and respond to data breaches, including topics like avoiding phishing and secure handling of information [15]
      • - Regularly review and revoke access for staff who change positions or leave the organisation [15] .
    • Internal Practices, Procedures, and Systems
      • -Implement "Privacy by Design" by embedding privacy protections into information handling practices from the outset [15] .
      • -Conduct Privacy Impact Assessments (PIAs) and Information Security Risk Assessments to identify and mitigate risks [15]
      • - Maintain a register of personal data and its location to ensure comprehensive security measures .
    • ICT Security and Access Controls
      • -Control access to personal data, ensuring employees only have access necessary for their job roles, adhering to the principle of "least privilege" [16].
      • -Implement full disk and file-lgd encryption for devices and data in transit [16].
      • - Maintain robust backup procedures that are secure, resilient, regularly tested, and segregated from live systems to protect against loss, damage, or ransomware [16]
      • - Implement logging and monitoring to detect unauthorized access [16].
      • - Manage Bring Your Own Device (BYOD) policies securely with a clear strategy or risk management plan [16]
    • Third-Party Providers
      • - When outsourcing personal information handling, such as to cloud service providers, the app remains responsible for the information and subject to APP 11 [15].
      • - Adequate contractual measures, including due diligence and monitoring clauses, will be in place to protect personal information held by third parties .
    • Physical Security
      • - Protect against physical access to data, including secure storage of any physical records [15].

Data Retention and Destruction

APP 11.2 requires entities to take reasonable steps to destroy or de-identify personal information once it is no longer needed for any purpose for which it may be used or disclosed under the APPs . This obligation does not apply if the information is a 'Commonwealth record' or if retention is required by law or court/tribunal order [15] . Destroying or de- identifying unneeded personal information is an important risk mitigation strategy [15] .

1. Best Practices for Retention Policies

  • Develop clear, internal policies and procedures for retention and disposal, including minimum and maximum retention periods [17].
  • Periodically review information holdings to determine if the original purpose for collection has been fulfilled [17].
  • Create an inventory of personal information, its purpose, and retention duration [17] .
  • Only collect data that is necessary for operations, avoiding the collection of "just in case" data [16] .
  • Delete unused personal data and minimize unnecessary duplication [16] .

2. Secure Disposal Methods The goal of disposal is to irreversibly destroy media storing personal information, including associated copies and backup files, so it cannot be reconstructed or recovered [17]

  • Hard copy:Complete destruction methods like disintegration, incineration, pulverizing, shredding, and melting [17].
  • Electronic copy:Methods include physical destruction, overwriting data with non-sensitive data, and degaussing for magnetic media [17] . The choice of method will consider the sensitivity of the information and whether the media remains under the app's control [17] .

3. Managing Third-Party DisposalIf a third-party contractor is used for disposal, the app remains responsible for the information [17] . Contracts will ensure the contractor has verifiable credentials, guarantees secure transfer and destruction, and includes privacy protection and monitoring/auditing clauses [17].

Notifiable Data Breaches (NDB) Scheme

The NDB scheme, part of the Privacy Act 1988 (Cth), applies to entities with existing personal information security obligations under the Privacy Act, including private sector organizations with an annual turnover over AU$3 million .

1. Defining an "Eligible Data Breach"An eligible data breach occurs when three criteria are met :

  • There is unauthorised access to, or unauthorised disclosure of, personal information, or a loss of personal information, that the app holds [18] . This includes situations where someone not permitted accesses personal information (unauthorised access), information is made visible to others without permission (unauthorised disclosure), or accidental loss occurs where it is likely to result in unauthorised access or disclosure [18] .
  • This is likely to result in serious harm to one or more individuals to whom the information relates; "likely" means the risk is "more probable than not" .
  • The app has not been able to prevent the likely risk of serious harm with remedial action [18]

2. Assessing "Serious Harm""Serious harm" is not explicitly defined but may include serious physical, psychological, emotional, financial, or reputational harm [18] . The assessment will consider:

  • Type of information: Sensitivity (e.g., health information), documents used for identity fraud (e.g., Medicare, driver's license), financial information, or a combination that reveals more about an individual [18] .
  • Circumstances of the breach: Whose information was involved (e.g., vulnerable individuals), the number of individuals affected, how long information was accessible, whether security measures (like encryption) were overcome, and who gained unauthorised access [18]
  • Nature of the harm: Potential for identity theft, financial loss, threats to physical safety, loss of opportunities, humiliation, damage to reputation, bullying, or marginalisation [18] .

3. Remedial Action""If the app takes remedial action that successfully prevents the data breach from being likely to result in serious harm, it is not an eligible data breach, and notification is not required [18] .

4. Notification Requirements and Timelines

  • Assessment: If an eligible data breach is suspected, the app will carry out a "reasonable and expeditious assessment" within 30 days to determine if an eligible data breach has occurred .
  • Notification: If an eligible data breach is confirmed, the app must notify affected individuals and the Australian Information Commissioner (OAIC) as soon as practicable . There are proposed changes that would require notification to the OAIC within 72 hours of becoming aware of the breach [19].

5. Responsibilities to Individuals and OAIC

  • To the OAIC: The app will prepare and provide a statement containing its identity and contact details, a description of the breach, the kinds of information concerned, and recommendations for individuals [19].
  • To Individuals: The app will take reasonable steps to notify each affected individual directly or, if impracticable, publish the statement on its website and publicize its contents [19]. The notification will include sufficient detail for individuals to understand the breach, potential impacts, and steps they can take to reduce harm [20].
  • Other Parties: The app may also notify other relevant parties such as Federal Police, insurers, and credit card companies, as suggested by OAIC guidance [19].

6. Handling Jointly Held Information If personal information is held jointly by multiple entities (e.g., outsourcing arrangements), an eligible data breach affects all holding entities. While all are responsible for compliance, typically one entity completes the assessment and notification, usually the one with the most direct relationship with affected individuals [18] .

7. Exemptions Exceptions to notification apply in specific situations, such as when another APP entity has already notified, law enforcement activities would be prejudiced, notification is inconsistent with Commonwealth secrecy, or the OAIC grants an exception .

Victorian State Laws and Guidelines

While the app, as a private sector entity, is generally not covered by the Privacy and Data Protection Act 2014 (Vic) (PDP Act) [20] , there are specific state laws and guidelines that are relevant.

Health Records Act 2001 (Vic)

If the app collects any information that could be classified as "health information," it would be subject to the Health Records Act 2001 (Vic) and its Health Privacy Principles (HPPs), regardless of the business's size [21] . "Health information" includes details about an individual's physical or mental health, disability, health services provided, or genetic information predictive of health, as well as other personal information collected during health service provision (e.g., patient name, address, billing info) . For instance, if information regarding a tenant's disability for accessibility requests is collected, this Act would apply [21] .

OVIC Data Breach Management Guidance

The Office of the Victorian Information Commissioner (OVIC) provides data breach management guidance that, while primarily for public sector entities, serves as a best practice framework for private sector organizations to adopt [20] . This guidance recommends a four-step response process:

StepDescription
1Contain

Immediately limit the extent of the breach (e.g., stopping unauthorized access, recovering records) [20].

2Assess

Investigate the circumstances and risks of harm to affected individuals (considering nature, sensitivity, and volume of information; cause and extent of breach; nature of potential harm) [20].

3Notify

Notify affected individuals if there is a foreseeable risk of harm, and notify OVIC (if applicable, e.g., for TFN data or as best practice). Notification should be as soon as reasonably possible, detailed, and clear [20].

4Review

Conduct a post-incident review to identify root causes, implement corrective measures, and improve policies and procedures to prevent future incidents [20].

User Rights, Access, and Correction

This section outlines your fundamental rights concerning your personal information held by our residential property management app, as mandated by the Australian Privacy Act 1988 (Cth) and relevant Victorian state privacy provisions. We are committed to empowering you with control over your data by providing clear mechanisms to exercise these rights.

1. Right to Anonymity and Pseudonymity (APP 2)

As an individual, you generally have the option to interact with our app anonymously or pseudonymously [22]

  • Anonymity means you do not provide any personal information or identifiers, preventing the app from identifying you [22]
  • Pseudonymity allows you to use a name or descriptor different from your actual name [22].

However, this option may not apply if our app is required or authorized by Australian law or a court/tribunal order to deal with identified individuals, or if it is impracticable for the app to deal with you without identification [22] . Our app will inform you of circumstances where anonymity or pseudonymity is not possible and any consequences, such as limited service provision [22] . Where identification is necessary, we will only collect personal information essential for the interaction [22] .

2. Right to Access Your Personal Information (APP 12)

You have the right to request access to the personal information our app holds about you . Our app "holds" personal information if it has possession or control of a record containing it, even if it's outsourced to a third party [23] .

Exercising your right to access:

  • Requesting Access: While APP 12 does not impose formal requirements on how to make a request, our privacy policy will clearly state recommended procedures, such as an online portal or contact details [23] . We cannot require you to follow a specific procedure or use a designated form [23] .
  • Identity Verification: To protect your privacy, we must be satisfied that the request is made by you or an authorized person [23] . We will employ appropriate identity verification steps, using the minimum necessary personal information [23] .
  • Response Timeframe: We will respond to your request within a reasonable period, typically not exceeding 30 calendar days, by either providing access or notifying you of refusal [23] .
  • Manner of Access: We will endeavor to provide access in the manner you request, if it is reasonable and practicable [23] . If not, or if access is refused, we will take reasonable steps to give access in an alternative way that meets both our needs and yours, preferably within 30 days [23] . This may involve an agreed-upon intermediary [23] .
  • Access Charges: We will not charge for making an access request [23] . However, a reasonable charge may apply for giving access, which will not be excessive or used to discourage requests [23] . We will advise you of potential charges and discuss ways to minimize costs [23] .
  • Grounds for Refusal: We may refuse access on specific legal grounds, such as if providing access poses a serious threat to life or privacy of others, the request is frivolous, or it would be unlawful [23] . Before refusing, we will consider if redacting certain information would enable partial access [23] . If access is refused or not provided in your requested manner, we will give you a written notice outlining the reasons, mechanisms for complaint, and any other available remedies [23]

3. Right to Correction of Personal Information (APP 13)

You have the right to request that our app correct personal information we hold about you that is inaccurate, out-of- date, incomplete, irrelevant, or misleading . We are obligated to take reasonable steps to correct your information upon request or when we discover inaccuracies ourselves [24].

Exercising your right to correction:

  • Requesting Correction: Our app will provide clear means for you to submit correction requests, similar to access requests.
  • Response Timeframe: We will acknowledge your request and take reasonable steps to correct your information within a reasonable period, generally within 30 calendar days [23] .
  • Refusal to Correct: If we refuse to correct your personal information, we will explain the reasons for refusal and allow you to request that we associate a statement with the information noting your disagreement with its accuracy [24] .

4. Mechanisms for Exercising Your Rights

We are committed to providing practical and user-friendly mechanisms to facilitate your rights:

  • Comprehensive Privacy Policy: This privacy policy clearly details how you can access and correct your personal information, covering collection purposes, types of information gathered, disclosure practices, and security measures . It will be regularly updated.
  • User Interface/Online Portal: Our app will feature a dedicated online portal or a clear section within the app for you to manage your personal information and to submit access and correction requests directly [23] .
  • Contact Information: We will provide clear contact details, such as an email address, for our designated privacy officer or contact person for all privacy-related inquiries and requests [23] .
  • Secure Identity Verification: We integrate secure identity verification processes to ensure that only you or an authorized representative can access or modify your personal information [23] .
  • Internal Procedures: We have established clear internal procedures for our staff to handle all privacy requests correctly, efficiently, and within the required timeframes, including locating relevant information, providing it in an accessible format, and amending records [24] .
  • Record Keeping: We maintain thorough records of all access and correction requests and actions taken to demonstrate our compliance with privacy obligations [24] .

5. Victorian State Provisions

While the federal Privacy Act 1988 (Cth) and its Australian Privacy Principles (APPs) primarily govern our private sector app, we acknowledge the Privacy and Data Protection Act 2014 (Vic) (PDP Act) and the Health Records Act 2001 (Vic) (HR Act) [2] . These Victorian acts mainly apply to Victorian public sector organizations or to entities handling health information . In the event our app were to become a contracted service provider to a Victorian public sector organization or handle health information, the relevant Victorian acts would impose additional obligations . Under the PDP Act, individuals also have rights to anonymity where possible, knowing why information is collected, secure handling, and generally accessing and amending personal information, often via the Freedom of Information Act 1982 (Vic) [4] . We continually monitor the applicability of these state laws to ensure comprehensive compliance.