Privacy
The main legislative scheme in Australia in regards to privacy is the Federal Privacy Act 1988 which covers, among others:
- private sector and non-profit organisations with an annual turnover of more than A$3 million
- all health service providers and Federal Government contractors regardless of their turnovers
- Federal Government agencies
- businesses with an annual turnover of A$3 million or less (small businesses) that:
  - trade in personal information
  - are related to a larger business
  - are reporting entities within the meaning of the Federal Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (but only in relation to the activities carried on by the small business for the purpose of that Act or rules or regulations made under that Act, such as the reporting of suspicious transactions and cross-border movements of cash over A$10,000)
- small businesses that are not automatically covered by the Federal Privacy Act, but have opted-in to the Act.
The collection, use and disclosure of personal information by state and territory government agencies and contractors are regulated by relevant state and territory legislation. Health information is also regulated in some cases on a state and territory basis.
The Federal Privacy Act contains 13 Australian Privacy Principles (APPs) which set down broad principles on how organisations must deal with personal information. Organisations and agencies that are covered by the Federal Privacy Act are referred to as "APP entities".
The APPs are structured to reflect the lifecycle of personal information. They are grouped into five parts:
Part 1 sets out principles that require APP entities to consider personal information privacy, including ensuring that APP entities manage personal information in an open and transparent way (APPs 1 and 2).
Part 2 sets out principles that deal with the collection of personal information, including unsolicited personal information (APPs 3, 4 and 5).
Part 3 sets out principles about how APP entities deal with personal information. It includes principles about the use and disclosure of personal information and government related identifiers (APPs 6, 7, 8 and 9).
Part 4 sets out principles about the integrity of personal information. It includes principles about the quality and security of personal information (APPs 10 and 11).
Part 5 sets out principles that deal with requests for access to, and the correction of, personal information (APPs 12 and 13).
The rules for handling personal information under the APPs include:
- restrictions on the collection of personal information, which is any information or opinion about an identified individual, or an individual who is reasonably identifiable, such as a person's name or address
- restrictions on the collection of sensitive personal information (such as information related to a person’s racial or ethnic origin, or religious or philosophical beliefs)
- restrictions on the use and disclosure of personal information so collected, including restrictions on the use and disclosure of personal information for direct marketing
- restrictions on the disclosure of personal information to individuals and organisations outside of Australia
- requirements designed to ensure that personal information collected, used or disclosed is kept securely and is accurate, complete and up to date
- obligations on organisations to ensure that individuals are provided with access to their personal information and given the opportunity to correct that information
- restrictions on the use of government-issued identifiers (such as tax file numbers)
- obligations to ensure that individuals are able to access an organisation’s privacy policy.
A number of activities by organisations are exempt in certain circumstances from the obligations imposed under the Federal Privacy Act. These include the handling of current and former employee records by employers where the handling is directly related to the employment relationship; the handling of personal information by media organisations in the course of journalism; and the handling of personal information by contractors working for registered Australian political parties or political representatives.
Organisations may apply to the Office of the Australian Information Commissioner to be bound by a specific Privacy Code. If approved, the organisation will be required to comply with that Privacy Code instead of the Australian Privacy Principles. An example of an approved Privacy Code is the Privacy (Market and Social Research) Code.
From 2018 the Federal Privacy Act also includes a scheme for mandatory notification of certain eligible data breaches. An APP entity must notify the Office of the Australian Information Commissioner and any affected individual(s) where an unauthorised access, loss or disclosure of information would be likely to result in serious harm to the individual(s) to whom the information relates. Where an APP entity reasonably suspects that a data breach may have occurred, it must, within 30 days, carry out an assessment as to whether a data breach has occurred.
The Office of the Australian Information Commissioner has significant powers, which will generally be exercised by the Privacy Commissioner, including the ability to:
- accept enforceable undertakings
- seek civil penalties in the case of serious or repeated breaches of privacy
- conduct privacy assessments of APP entities.
The Information Commissioner also has the power to recognise external dispute resolution schemes to handle privacy-related complaints.