The European Union (EU) General Data Protection Regulation (GDPR) came into effect in 2018. The GDPR brings consistency to data privacy across the EU while providing improved privacy protections for individuals.

The GDPR primarily relates to personal information gathered voluntarily. Therefore, it is unlikely to affect most of the information gathered by state government agencies in the performance of their statutory functions.

The definition of ‘personal data’ in the GDPR is similar in scope to ‘personal information’ under the Information Privacy Principles Instruction (IPPI).

Impacts on South Australian government agencies

The GDPR, although an EU regulation, applies to any organisation (including state government agencies) offering goods or services to individuals living in the EU. It also applies to any organisation monitoring the behaviour of individuals living in the EU.

This extra-territorial scope of the GDPR is designed to make organisations accountable when they are processing personal data of individuals in the EU.

Having a website which is accessible by individuals in the EU will not bring an agency under the scope of the GDPR. However, should sales be offered in Euros, or should the website specifically target EU citizens, then this may indicate an intention to offer goods or services to people in the EU.

Agencies should assess the scope of their services and data monitoring activities to determine if the GDPR applies.

If you think the GDPR may apply, we strongly encourage you to seek legal advice.

GDPR principles

The GDPR includes six principles relating to personal data. These principles (see Article 5 ‘Principles relating to processing of personal data’) state data must be:

  1. Processed lawfully, fairly and in a transparent manner in relation to a natural person (referred to as a data subject in the Regulations) (‘lawfulness, fairness and transparency’ principle).
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’ principle).
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’ principle).
  4. Accurate and, where necessary, kept up to date (‘accuracy’ principle).
  5. Kept in a form which permits identification of individuals for no longer than is necessary for the purposes for which the personal data was collected (‘storage limitation’ principle).
  6. Processed in a manner that ensures appropriate security of the personal data (‘integrity and confidentiality’ principle).

Whilst the language used in the GDPR is different, these principles are consistent with the management of personal information under the IPPI.

See the UK’s Information Commissioner’s Office Guide to the GDPR for more information on privacy rights under the GDPR.

Page last updated: 14 June 2024