The Privacy Act 1988 (Cth) (‘PA 1988’) sets minimum standards for how personal information (see the definition in ‘Personal information’, below) can be collected, used, held and disclosed. It gives individuals certain rights in respect of their personal information, including the right to access the information an entity holds about them, and the right to seek the correction of this information.
Two key features of the PA 1988 are:
- the 13 Australian Privacy Principles (APPs): these legally binding principles apply to the handling of personal information by the Australian Government (generally only federal agencies) and most Australian businesses and not-for-profit organisations (although most small businesses are exempt; see ‘Exemptions from the Privacy Act’, below);
- obligations on credit providers and credit-reporting bodies: credit providers and credit-reporting bodies engaged in a credit-reporting business (as defined in ss 6G, 6P PA 1988) must comply with the credit-reporting provisions in Part IIIA of the PA 1988 and with the legally binding Privacy (Credit Reporting) Code 2014 (Version 2) registered under the PA 1988 by the Information Commissioner.
Both the APPs and the obligations on credit providers and credit-reporting bodies are products of the March 2014 changes. The APPs replaced the Information Privacy Principles (IPPs) and the National Privacy Principles (NPPs). Previous obligations on credit providers and credit-reporting bodies were replaced with a new credit-
The APP guidelines are advisory guidelines that outline the requirements of the APPs and provide advice on how best to comply with them. The APP guidelines are available at www.oaic.gov.au/privacy.
Changes to the PA 1988
Major changes to the PA 1988 commenced on 12 March 2014. These changes, introduced by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth), gave effect to more than half the recommendations in the Australian Law Reform Commission’s report on Australia’s privacy law, For your information: Australian privacy law and practice (ALRC report 108/2008).
Part VIIIA of the Privacy Act
On 14 May 2020, the PA 1988 was amended to add Part VIIIA to protect data in the COVIDSafe app and in the National COVIDSafe Data Store. Part VIIIA:
- prohibits anyone from being required to download or use the app;
- strictly limits the purposes for which data can be collected, used or disclosed:
- data can only be collected, used or disclosed by state or territory officials who are contact tracing individuals who have possibly been exposed to COVID-19,
- information collected cannot be accessed by police officers or used in court proceedings except in relation to a suspected crime as a result of a breach of Part VIIIA;
- protects information sent to a state or territory health department from the National COVIDSafe Data Store;
- requires data to be deleted when it’s no longer required.
For more information, see www.oaic.gov.au.
Under the PA 1988, ‘personal information’ is defined as information, or an opinion, about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not.
Whether an individual is ‘reasonably identifiable’ depends on the circumstances, including the nature of the information and any other available facts. The test of whether a person is reasonably identifiable is an objective test that considers the context in which the issue arises. An individual might not be reasonably identifiable if the steps required to do so are excessively time-consuming or costly.
‘Individual’ means a natural person; this does not include a deceased person. However, information about a deceased person may include personal information about a living person.
The PA 1988 defines ‘sensitive information’ as:
Information or an opinion (that is also personal information) about an individual’s:
- racial or ethnic origin;
- political opinions;
- membership of a political association;
- religious beliefs or affiliations;
- philosophical beliefs;
- membership of a professional or trade association;
- membership of a trade union;
- sexual orientation or practices;
- criminal record;
- health information, including an individual’s healthcare identifier and any other personal information collected for the purpose of providing a health service;
- genetic information;
- biometric information that is to be used for automated biometric verification or biometric identification; or
- biometric templates.
In general, sensitive information has a higher level of protection under the APPs than other personal information (see, for example, APPs 3, 6 and 7).
Entities to which the Privacy Act applies
The PA 1988 applies to federal government agencies (including federal ministers, the Australian Federal Police, a federal court, and a Norfolk Island agency) and to most private sector organisations, including:
- individuals who collect, use or disclose personal information in the course of running a business;
- owners corporations;
- partnerships, unincorporated associations and trusts; and
- contracted service providers (federal contracts).
Some of the APPs apply differently to Australian Government agencies and private sector organisations. The term ‘APP entity’ is used where the APPs apply to both private sector organisations and government agencies. The APPs apply to acts and practices engaged in inside and outside Australia by organisations and small business operators that have an Australian link, as defined in the PA 1988.
Exemptions from the Privacy Act
Exemption for individuals acting in a non-business capacity
The PA 1988 does not apply to personal information that individuals collect, hold, use or disclose for the purposes of their personal, family or household affairs. In other words, the PA 1988 does not apply to an individual’s handling of personal information unless it is done in the course of running a business.
Small business exemption
Most small business operators do not have to comply with the PA 1988. A small business is an organisation (including sole trader businesses) with an annual turnover of $3 million or less.
Some small businesses are not exempt from the PA 1988, including those that:
- provide a health service and hold any health information;
- trade in personal information, either:
- disclosing personal information for a benefit, service or advantage, or
- providing a benefit, service or advantage to collect an individual’s personal information from anyone else (unless the individual consents, or the disclosure or collection is required or authorised by law);
- are service providers contracted by the Commonwealth Government; or
- are a ‘reporting entity’ under the Anti-money Laundering and Counter-terrorism Financing Act 2006 (Cth);
- have opted in to the PA 1988.
A list of small businesses and not-for-profits that have opted to be covered by the PA 1988 is available at www.oaic.gov.au/privacy/privacy-registers.
Employee records exemption
Acts and practices that directly relate to:
- a current or former employment relationship; and
- an employee record,
are exempt from the PA 1988. An ‘employee record’ is a register of personal information relating to the employment of a person, such as information about the employee’s:
- engagement, training, disciplining or resignation;
- terms and conditions of employment;
- personal and emergency contact details;
- performance or conduct;
- taxation, banking or superannuation affairs.
Note that the exemption does not apply to information about people who are applying for employment.
Journalistic activities and practices of media organisations are exempt from the PA 1988. A ‘media organisation’ is an organisation whose activities consist of the collection, preparation and dissemination of news, current affairs, information or documentaries. The media organisation must be publicly committed to observing published industry standards that deal with privacy. Examples of such published industry standards include industry codes regulated by the Australian Communications and Media Authority and the Australian Press Council.
The political activities of registered political parties, members of parliament, and local government councillors are exempt from the PA 1988. For the purposes of the exemption, the political activities must have some connection with an election under electoral law, a referendum or some other aspect of the political process. The political activities of contractors and volunteers of registered political parties are also exempt.
Permitted general situation exception
Some APPs do not apply if a ‘permitted general situation’ exists. This exception applies to the collection of sensitive information (APP 3), the use and disclosure of personal information (APP 6, APP 8), and the use and disclosure of a government-related identifier (APP 9). The seven permitted general situations are:
- lessening or preventing a serious threat to the life, health or safety of an individual – or to public health or safety – but only if it is unreasonable or impracticable to obtain consent;
- taking action in relation to suspected unlawful activity or serious misconduct;
- locating a person reported as missing;
- asserting a legal or equitable claim;
- conducting an alternative dispute resolution process;
- performing diplomatic or consular functions (only applies to agencies);
- conducting specified Australian Defence Force activities.
State of emergency or state of disaster exemption
If the Prime Minister, or another government minister, declares a state of emergency or a state of disaster, then under Part VIA of the PA 1988, an entity may collect, use and disclose personal information about an individual if the entity reasonably believes the individual is involved in the emergency or disaster and the collection, use and disclosure of personal information is for a permitted purpose in relation to the emergency or disaster.
Public interest determinations
Under Part VI of the PA 1988, the Information Commissioner can make a public interest determination where the commissioner is satisfied that an act or practice breaches one or more of the APPs or the Privacy (Australian Government Agencies – Governance) APP Code 2017 (Cth) (‘APP Code’) and that the public interest in doing that act or practice outweighs the public interest in complying with the APPs or APP Code.
Where an application for a public interest determination raises issues that require an urgent decision, the commissioner can make a temporary public interest determination until the application has been decided.
Enforcing the Privacy Act
Where an entity breaches an APP, this is ‘an interference with the privacy of an individual’ under section 13(1) of the PA 1988. Part V of the PA 1988 gives the Information Commissioner the power to investigate possible interferences with privacy, on the commissioner’s own initiative or in response to a complaint.
The commissioner can seek certain remedies for breaches of the APPs, including enforceable undertakings, injunctions and civil penalty orders.
If an entity engages in serious or repeated breaches of the APPs or a registered Privacy Code, the commissioner may apply to the Federal Court or the Federal Circuit Court for an order that the entity pay a civil penalty of up to $1.7 million (for corporations) or up to $340 000 (for individuals).
The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) requires APP entities to notify the Information Commissioner, and the individuals affected, of any data breach that is likely to result in serious harm to any individuals whose personal information is involved. The notification to individuals must include recommendations about steps individuals should take to respond to the breach. Failure to notify the Information Commissioner of a data breach is deemed to be an interference with privacy and triggers the Information Commissioner’s existing enforcement powers. The scheme commenced on 22 February 2018.
Recognised external dispute resolution schemes
Under section 35A of the PA 1988, the Information Commissioner can ‘recognise’ external dispute resolution (EDR) schemes to handle particular privacy related complaints. The Information Commissioner has issued guidelines for recognising EDRs. For a list of EDR schemes recognised by the Information Commissioner, see ‘Contacts’ at the end of this chapter. See also ‘Privacy and credit reporting’ and ‘Making a complaint’, below.
The Information Commissioner has the power to approve and register enforceable codes for certain entities (e.g. entities in a particular industry). The commissioner has issued guidelines for developing privacy codes (available at www.oaic.gov.au).
The Privacy (Credit Reporting) Code 2014 (Version 2.1) (‘2014 code’) commenced on 14 February 2020 (see ‘Privacy and credit reporting’, below). The Privacy (Credit Reporting) Code 2014 (Version 2) was repealed on commencement of Version 2.1 of the 2014 code.
The Privacy (Market and Social Research) Code 2014 was registered on 28 November 2014.
The Privacy (Australian Government Agencies – Governance) APP Code (‘2017 code’) was registered on 27 October 2017 and commenced 1 July 2018. The 2017 code sets out specific requirements and steps that agencies must take as part of complying with APP 1.2. APP 1.2 requires an APP entity to take reasonable steps to implement practices, procedures and systems that will ensure the entity complies with the APPs, and any binding registered APP code, and is able to deal with related enquiries and complaints.
Office of the Australian Information Commissioner
The Office of the Australian Information Commissioner (OAIC) is the independent statutory agency that was created by the Australian Information Commissioner Act 2010 (Cth) (‘AICA 2010’) to administer the PA 1988 and the Freedom of Information Act 1982 (Cth) (‘FoI Act (Cth)’). The AICA 2010 (s 6) created three information officers: the Information Commissioner, the Freedom of Information Commissioner, and the Privacy Commissioner.
The Privacy Commissioner has the privacy functions, but certain actions can only be undertaken with the Information Commissioner’s approval. The Information Commissioner has all the functions under the PA 1988 and the FoI Act (Cth).
The Information Commissioner can delegate all his or her functions under the PA 1988, apart from the power to issue rules under section 17 and the power to make a determination for the purposes of section 52 (s 25 AICA 2010).