Data Protection

Australia regulates data privacy and protection through a mix of federal, state and territory laws. In February 2018, mandatory personal data breach notification laws were introduced in Australia as part of amendments to the Privacy Act 1988 (Cth), requiring organisations to notify eligible data breaches to both the impacted individuals and the Australian Information Commissioner.

Last updated: September 2018

Introduction

Australia regulates data privacy and protection through a mix of federal, state and territory laws. 

In February 2018, mandatory personal data breach notification laws were introduced in Australia as part of amendments to the Privacy Act 1988 (Cth), requiring organisations to notify eligible data breaches to both the impacted individuals and the Australian Information Commissioner. 

The introduction of mandatory personal data breach notifications reflects a growing global trend towards giving individuals more control and awareness over how organisations that access their personal data behave.

Privacy

The main legislative scheme in Australia in regards to privacy is the Federal Privacy Act 1988 which covers, among others:

  • private sector and non-profit organisations with an annual turnover of more than A$3 million
  • all health service providers and Federal Government contractors regardless of their turnovers
  • Federal Government agencies
  • businesses with an annual turnover of A$3 million or less (small businesses) that:
  • trade in personal information
  • are related to a larger business
  • are reporting entities within the meaning of the Federal Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (but only in relation to the activities carried on by the small business for the purpose of that Act or rules or regulations made under that Act, such as the reporting of suspicious transactions and cross-border movements of cash over A$10,000)
  • small businesses that are not automatically covered by the Federal Privacy Act, but have opted-in to the Act.

The collection, use and disclosure of personal information by state and territory government agencies and contractors are regulated by relevant state and territory legislation.  Health information is also regulated in some cases on a state and territory basis.

The Federal Privacy Act contains 13 Australian Privacy Principles (APPs) which set down broad principles on how organisations must deal with personal information.  Organisations and agencies that are covered by the Federal Privacy Act are referred to as "APP entities".

The APPs are structured to reflect the lifecycle of personal information. They are grouped into five parts:

Part 1 sets out principles that require APP entities to consider personal information privacy, including ensuring that APP entities manage personal information in an open and transparent way (APPs 1 and 2).

Part 2 sets out principles that deal with the collection of personal information, including unsolicited personal information (APPs 3, 4 and 5).

Part 3 sets out principles about how APP entities deal with personal information. It includes principles about the use and disclosure of personal information and government related identifiers (APPs 6, 7, 8 and 9).

Part 4 sets out principles about the integrity of personal information. It includes principles about the quality and security of personal information (APPs 10 and 11).

Part 5 sets out principles that deal with requests for access to, and the correction of, personal information (APPs 12 and 13).

The rules for handling personal information under the APPs include:

  • restrictions on the collection of personal information which is any information or opinion about an identified individual or an individual who is reasonably identifiable, such as a person's name or address
  • restrictions on the collection of sensitive personal information (such as information related to a person’s racial or ethnic origin, or religious or philosophical beliefs)
  • restrictions on the use and disclosure of personal information so collected, including restrictions on the use and disclosure of personal information for direct marketing
  • restrictions on the disclosure of personal information to individuals and organisations outside of Australia
  • requirements designed to ensure that personal information collected, used or disclosed is kept securely and is accurate, complete and up to date
  • obligations on organisations to ensure that individuals are provided with access to their personal information and given the opportunity to correct that information
  • restrictions on the use of government-issued identifiers (such as tax file numbers)
  • obligations to ensure that individuals are able to access an organisation’s privacy policy.

A number of activities by organisations are exempt in certain circumstances from the obligations imposed under the Federal Privacy Act.  These include the handling of current and former employee records by employers where the handling is directly related to the employment relationship; the handling of personal information by media organisations in the course of journalism; and the handling of personal information by contractors working for registered Australian political parties or political representatives.

Organisations may apply to the Office of the Australian Information Commissioner to be bound by a specific Privacy Code.  If approved, the organisation will be required to comply with that Privacy Code instead of the Australian Privacy Principles.  An example of an approved Privacy Code is the Privacy (Market and Social Research) Code.

From 2018 the Federal Privacy Act also includes a scheme for mandatory notification of certain eligible data breaches.  An APP entity must notify the Office of the Australian Information Commissioner and any affected individual(s) where an unauthorised access, loss or disclosure of information would be likely to result in serious harm to the individual(s) to whom the information relates.  Where an APP entity reasonably suspects that a data breach may have occurred, it must carry out an assessment as to whether a data breach has occurred within 30 days.

The Office of the Australian Information Commissioner has significant powers, which will generally be exercised by the Privacy Commissioner, including the ability to:

  • accept enforceable undertakings
  • seek civil penalties in the case of serious or repeated breaches of privacy
  • conduct privacy assessments of APP entities.

The Information Commissioner also has the power to recognise external dispute resolution schemes to handle privacy-related complaints.

Communications interception

The interception of telecommunications (including email, Short Message Services (SMS), Multimedia Message Services (MMS) and instant messages) is regulated by the Federal Telecommunications Act 1997 and the Telecommunications (Interception and Access) Act 1979.

Under those Acts, telecommunication carriers (owners and operators of telecommunications networks) and carriage service providers (those who provide services over those networks, such as internet service providers) must ensure that their systems permit interception pursuant to a warrant.

The Telecommunications Act prohibits carriers and carriage service providers from disclosing or using certain information, including information relating to the substance of a communication carried over their networks.  Carriers and carriage service providers have an obligation under the Telecommunications Act to provide assistance to law enforcement authorities and to do their best to prevent their networks and facilities from being used to commit criminal offences. 

The Telecommunications (Interception and Access) Act prohibits the interception of communications over a telecommunications system (such as by listening to or recording a telephone conversation) without the knowledge of the person making the communication.  There are few exceptions, including interception carried out under a warrant obtained by law enforcement and or intelligence authorities.

The Telecommunications (Interception and Access) Act also permits the disclosure of certain telecommunications data to specified law enforcement or intelligence authorities.

It further requires carriage service providers to preserve stored communications at the request of certain "enforcement" or "interception" agencies, including the Australian Federal Police and state police, in advance of a warrant being issued to permit access to the information being preserved.  The Australian Federal Police can also issue a foreign preservation notice if a request has been made by a foreign country in accordance with the Telecommunications (Interception and Access) Act.

In 2015, the Telecommunications (Interception and Access) Act was amended to require telecommunications service providers to retain prescribed telecommunications metadata (being information about a communication, as distinct from its content) for a period of two years. The amendments were made to facilitate use of the metadata for particular law enforcement and national security purposes.

State and territory listening devices legislation prohibits the recording of private conversations by third parties without the consent of the parties to that conversation or without an appropriate warrant.  In some states and territories this prohibition also extends to recording by parties to the conversation.

Spam

The Federal Spam Act 2003 prohibits the sending of unsolicited commercial electronic messages such as emails, SMS, MMS and instant messages which have an “Australian link”.  The meaning of "Australian link" is very broad and includes those messages sent:

  • from within Australia
  • by an individual or organisation whose central management and control is in Australia (whether or not the message is actually sent from Australia)
  • where the computer, server or device that is used to access the message is located in Australia
  • where the account holder or organisation receiving the message is present in Australia.

The Spam Act does not cover messages sent by way of voice call or fax.

Whether or not a message is "commercial" depends on the content of the message; the way in which the message is presented; and the content that can be located using any links, telephone numbers or contact information contained in the message.

Commercial electronic messages can only be sent with the recipient’s consent, which may be express or implied; must include information which accurately identifies the sender; and must contain a functional unsubscribe facility. 

Information which accurately identifies the sender must include how the sender can be contacted and must be valid for 30 days after the message is sent.  An unsubscribe facility must permit the recipient to opt out of emails from that sender in future and must be presented in a clear and conspicuous manner.

 
The Spam Act also prohibits individuals and organisations that carry on business in Australia from supplying, acquiring or using address-harvesting software and harvested address lists.

Government agencies, registered Australian political parties, charities, religious organisations and educational institutions are exempt from some provisions of the Spam Act in certain circumstances.

There are significant financial penalties for breach of the Spam Act, including fines of up to A$2.1 million a day.