The Law Handbook 2024

Chapter 12.2: Privacy and your rights

• obligations on credit providers and credit-reporting bodies: credit providers and credit-reporting bodies engaged in a credit-reporting business (as defined in ss 6G, 6P PA 1988) must comply with the credit-reporting provisions in Part IIIA of the PA 1988 and with the legally binding Privacy (Credit Reporting) Code 2014 (‘CR Code 2014’).

Both the APPs and the obligations on credit providers and credit-reporting bodies are products of significant changes made to the PA 1988 in March 2014. The APPs replaced the former Information Privacy Principles (IPPs) and the National Privacy Principles (NPPs). Previous obligations on credit providers and credit-reporting bodies were replaced with a new credit-reporting regime.

APP guidelines

The APP guidelines are advisory guidelines that outline the requirements of the APPs and provide advice on how best to comply with them. The APP guidelines are an invaluable resource for assessing privacy rights in individual circumstances. They are available at www.oaic.gov.au/privacy.

Part VIIIA of the Privacy Act

On 14 May 2020, the PA 1988 was amended to add Part VIIIA to protect data in the COVIDSafe app and in the National COVIDSafe Data Store. Part VIIIA of the PA 1988:
• prohibits anyone from being required to download or use the COVIDSafe app;
• strictly limits the purposes for which data can be collected, used or disclosed:
  – data can only be collected, used or disclosed by state or territory officials who are contact tracing individuals who have possibly been exposed to COVID-19, and
  – information collected cannot be accessed by police officers or used in court proceedings except in relation to a suspected crime as a result of a breach of Part VIIIA;
• protects information sent to a state or territory health department from the National COVIDSafe Data Store; and
• requires data to be deleted when not required.

To assist regulated entities during the COVID-19 pandemic, the Office of the Australian Information Commissioner (OAIC) published a guide titled ‘Coronavirus (COVID-19): Understanding your privacy obligations to your staff’ (1 June 2021). For more information, see www.oaic.gov.au/privacy.

Some functions and powers brought in to assist management of the pandemic have since come to an end. One example is the Occupational Health and Safety Amendment (COVID-19 Vaccination Information) Regulations 2022 (Vic). Businesses that had relied upon the regulations (or a pandemic order predating the regulations) to collect, record, hold or use vaccination information from ‘specified persons’ were required to destroy all such data by 11 August 2023. These rules acknowledge that when a pandemic ceases to impose public health risks to the community, any special measures which limit individual rights should be scaled back accordingly.

Personal information

Under the PA 1988, ‘personal information’ is defined as information, or an opinion, about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not.

Whether an individual is ‘reasonably identifiable’ depends on the circumstances, including the nature of the information and any other available facts. The test of whether a person is reasonably identifiable is an objective test that considers the context in which the issue arises. An individual might not be reasonably identifiable if the steps required to do so are excessively time-consuming or costly.

‘Individual’ means a natural person; this does not include a deceased person. However, information about a deceased person may include personal information about a living person in some contexts.

Sensitive information

The PA 1988 defines ‘sensitive information’ as:

Information or an opinion (that is also personal information) about an individual’s:
• racial or ethnic origin;
• political opinions;
• membership of a political association;
• religious beliefs or affiliations;
