The Law Handbook 2024

1098 Section 12: Government and the individual • philosophical beliefs; • membership of a professional or trade association; • membership of a trade union; • sexual orientation or practices; • criminal record; • health information, including an individual’s healthcare identifier and any other personal information collected for the purpose of providing a health service; • genetic information; • biometric information that is to be used for automated biometric verification or biometric identification; or • biometric templates. In general, sensitive information has a higher level of protection under the APPs than other personal information (see, for example, APPs 3, 6 and 7). Entities to which the Privacy Act applies The PA 1988 applies to federal government agencies (including federal ministers, the Australian Federal Police, federal courts, and a Norfolk Island agency). The PA 1988 also applies to most private sector organisations, including: • individuals who collect, use or disclose personal information in the course of running a business; • owners corporations; • partnerships, unincorporated associations and trusts; and • contracted service providers (federal contracts). Some of the APPs apply differently to Australian Government agencies and private sector organisations. The term ‘ APP entity ’ is used where the APPs apply to both private sector organisations and to government agencies. The APPs apply to acts and practices engaged in inside and outside Australia by organisations and small business operators that have an Australian link, as defined in the PA 1988. Exemptions from the Privacy Act Exemption for individuals acting in a non-business capacity The PA 1988 does not apply to personal information that individuals collect, hold, use or disclose for the purposes of their personal, family or household affairs. In other words, the PA 1988 does not apply to an individual’s handling of personal information unless it is done in the course of running a business. Small business exemption Most small business operators do not have to comply with the PA 1988. A small business is an organisation (including sole trader businesses) with an annual turnover of $3 million or less. Some small businesses are not exempt from the PA 1988, including those that: • provide a health service and hold any health information; • trade in personal information, either: – disclosing personal information for a benefit, service or advantage, or – providing a benefit, service or advantage to collect an individual’s personal information from anyone else (unless the individual consents, or the disclosure or collection is required or authorised by law); • are service providers contracted by the Commonwealth Government; • are a ‘reporting entity’ under the Anti-Money Laundering and Counter-terrorism Financing Act 2006 (Cth); or • have opted to be covered by the PA 1988. A list of small businesses and not-for-profit organisations that have opted to be covered by the PA 1988 is available at www.oaic.gov.au/privacy/ privacy-registers. Employee records exemption Acts and practices that directly relate to: • a current or former employment relationship; and • an employee record, are exempt from the PA 1988. An ‘employee record’ is a record of personal information that relates to the employment of a person, such as information about the employee’s: • health; • engagement, training, disciplining or resignation; • terms and conditions of employment; • personal and emergency contact details; • performance or conduct; and • taxation, banking or superannuation affairs.