Overview of information privacy in Australia
In addition to the Privacy Act 1988 (Cth) (‘PA 1988’), other Commonwealth laws and guidelines deal with information privacy.
These laws include legislation relating to:
- tax file numbers;
- medical research;
- electronic health records;
- Pharmaceutical Benefits Scheme;
- spent criminal convictions;
- registered personal property security interests;
- the consumer data right (see ‘Consumer Data Right’, below).
Freedom of Information Act 1982 (Cth)
As stated under Australian Privacy Principle (APP) 12, federal public sector agencies provide access to personal information through the Freedom of Information Act 1982 (Cth) (‘FOI Act (Cth)’).
However, section 41 of the FOI Act (Cth) exempts agencies from providing access to personal information if the disclosure would involve an unreasonable disclosure of personal information – subject to the exception that a person cannot be denied access to documents containing their own personal information.
A person dissatisfied by the decision of an agency or government minister regarding access to their personal information can apply to the Information Commissioner for a review. The request for review must be made within 60 days of being notified of the agency’s or minister’s decision.
Tax file numbers
Tax file numbers (TFNs) are unique numbers issued to individuals by the Australian Taxation Office (ATO).
The enhanced TFN scheme, introduced in 1988, allows the ATO to identify those who lodge income tax returns, and to match information provided in tax returns with other sources of information (e.g. records of interest).
Because of concerns about the earlier proposal of an Australia Card, a central feature of the TFN scheme is that supplying a personal TFN is voluntary.
However, in 1990 – through the Data-matching Program (Assistance and Tax) Act 1990 (Cth) (‘Data-matching Act’) and the Guidelines for the Conduct of Data-matching Programs (‘Data-matching guidelines’) – the government extended the scheme to make providing a TFN a condition of receiving assistance from a number of Australian Government agencies (e.g. Centrelink and the Department of Veterans’ Affairs).
The government also extended the scheme to allow TFNs to be used to compare income reported to the ATO with income reported to federal assistance agencies. This is subject to strict controls and safeguards, and the Information Commissioner monitors Australian Government agencies’ compliance with the Data-matching Act, the Data-matching guidelines, and the PA 1988.
A breach of the Data-matching Act or Data-matching guidelines is an interference with privacy under the PA 1988 (s 13). If a person’s privacy has been breached under section 13, they can complain to the Information Commissioner.
Certain uses of the TFN in relation to superannuation administration are now also authorised by law.
Tax File Number Rule 2015
On 20 February 2015, the then Privacy Commissioner made a Privacy (Tax File Number) Rule 2015 (‘TFNR 2015’), issued under section 17 of the PA 1988. The TFNR 2015 replaced and repealed the Tax File Number Guidelines 2011.
The TFNR 2015 applies to individuals’ TFN information. A breach of the TFNR 2015 is an interference with privacy under the PA 1988. An individual who believes that the rule has been breached can complain to the Information Commissioner.
Under the TFNR 2015, ‘TFN recipient’ has the same meaning as under section 11 of the PA 1988 and covers any person, agency, organisation or other entity in possession or control of a record that contains TFN information, whether lawfully or not.
Under the TFNR 2015, a TFN recipient must not record, collect, use or disclose TFN information unless permitted under taxation, superannuation or other laws. In addition to the TFNR 2015, TFN recipients must abide by the Taxation Administration Act 1953 (Cth).
Obligations of APP entities (who are TFN recipients) to comply with the rule are in addition to their responsibilities under the APPs.
Tax File Number disclosure
It is a criminal offence under taxation law to make an unauthorised request for, or to record, use or disclose, another person’s TFN.
All TFN recipients are bound by the Notifiable Data Breaches scheme. This includes Victorian public sector entities that collect TFNs.
Section 95 guidelines
The guidelines under section 95 of the PA 1988 (‘section 95 guidelines’) – issued by the Australian Government’s National Health and Medical Research Council (NHMRC) – apply to medical and epidemiological research that involves personal information held by an Australian Government agency where the agency intends to use or disclose personal information for the purposes of research in a way that may breach the APPs.
The section 95 guidelines are a framework under which Human Research Ethics Committees (HRECs) must assess, and decide whether to approve, research proposals before they proceed. Approval by a HREC does not oblige an Australian Government agency to release data. The latest version of the section 95 guidelines was issued by the NHMRC and tabled in federal parliament in November 2014.
Section 95A guidelines
The guidelines under section 95A of the PA 1988 (‘section 95A guidelines’) are conceptually similar to the section 95 guidelines and were issued by the NHMRC and approved by the Privacy Commissioner in March 2014.
These guidelines apply to:
- the collection, use or disclosure of health information held by private sector organisations for the purposes of research;
- the compilation or analysis of statistics, relevant to public health or public safety; and
- the collection of health information held by organisations for the purpose of health service management,
where it is impracticable to seek the consent of relevant individuals.
The section 95A guidelines provide a framework for assessing the privacy aspects of research proposals. These guidelines can be used by HRECs, and those involved in conducting research, compiling statistics, or working in health service management. The privacy assessment needs to determine whether the public interest in those activities substantially outweighs the public interest in the protection of privacy afforded by the APPs.
Researchers must obtain approval from a HREC for research projects. The HREC assesses the privacy aspects, along with other factors, in deciding whether or not to approve the research proposal. Before applying for approval of a research proposal, researchers must assess its privacy impact and decide whether it is impracticable to seek consent for the use or disclosure of personal information.
Section 95AA guidelines
In March 2014, the Privacy Commissioner approved updated guidelines for the use or disclosure of a living individual’s genetic information by a private health service provider, to lessen or prevent a serious threat to a genetic relative’s life, health or safety. The guidelines, issued by the NHMRC, must be followed when seeking to use or disclose this information without the individual’s consent, in reliance on the exception in APP 6.2(d).
The ‘Use and disclosure of genetic information to a patient’s genetic relatives’ guidelines under the PA 1988 (s 95AA) are available on the NHMRC’s website.
My Health Record
The ‘My Health Record’ system is the Australian Government’s electronic health system.
The My Health Records Act 2012 (Cth) (‘MHR Act’) (formerly known as the Personally Controlled Electronic Health Records Act 2012 (Cth)), together with the My Health Records Regulation 2012 (Cth) and the My Health Records Rule 2016 (Cth), make up the legislative framework for the My Health Record system.
The MHR Act places strict controls on the collection, use and disclosure of the health information in an individual’s ‘My Health Record’. A collection, use or disclosure that is not authorised by the legislation is both a contravention of the MHR Act and an interference with the individual’s privacy under the PA 1988. The MHR Act also imposes mandatory data breach notification obligations on the system operator, repository operators and portal operators.
A ‘My Health Record’ allows an individual’s doctors and other healthcare providers to view the individual’s health information in accordance with access controls imposed by the individual.
Individual health records can be accessed at www.myhealthrecord.gov.au.
The system was previously opt-in only. However, since 31 January 2019, every Australian who did not already have a ‘My Health Record’ is automatically registered, unless they opt out.
The Healthcare Identifiers Act 2010 (Cth) (‘HI Act’) and the Healthcare Identifiers Regulations 2010 (Cth) implement a national system for assigning unique identifiers to individuals.
Healthcare identifiers are assigned and administered through the Healthcare Identifiers Service.
Healthcare identifiers help healthcare providers to communicate information to each other about an individual, and to identify and access a patient’s records in the My Health Record system. Healthcare identifiers can only be accessed, used and disclosed for limited purposes. Any unauthorised use and disclosure is a breach of the PA 1988.
The Information Commissioner regulates the handling of personal information under the My Health Record system by individuals, Australian Government agencies, private sector organisations, and some state and territory agencies, instrumentalities and authorities (in particular circumstances). On 19 March 2016, the Information Commissioner issued the My Health Records (Information Commissioner Enforcement Powers) Guidelines, which outline the commissioner’s approach to exercising his investigation and enforcement powers with respect to the My Health Record system. More information is available at www.oaic.gov.au and at www.myhealthrecord.gov.au.
Pharmaceutical Benefits Scheme and Medicare
Section 135AA of the National Health Act 1953 (Cth) required the Australian Information Commissioner to issue legally binding guidelines for the handling of certain health information within the Pharmaceutical Benefits Scheme (PBS) and the Medicare Benefits Program (Medicare).
On 1 July 2008, the Privacy Guidelines for the PBS and Medicare came into effect. These guidelines were repealed and replaced by the National Health (Privacy) Rules 2018, which commenced on 1 April 2019.
These rules regulate the way Australian Government agencies link and store claims information under the PBS and Medicare. In particular, the rules prohibit agencies from storing information obtained from these programs on the same database.
Spent criminal convictions
Under Part VIIC of the Crimes Act 1914 (Cth) (‘Crimes Act (Cth)’), a person is able to not disclose some old criminal convictions in certain circumstances and is protected against unauthorised use and disclosure of this information. This is known as the Commonwealth Spent Convictions Scheme.
For the purposes of the scheme, a person is said to have been convicted of an offence if:
- they have been convicted of the offence; or
- they have been found guilty of the offence but discharged without conviction; or
- they have been found not guilty of an offence, but a court has taken the offence into account when sentencing them for another offence.
A ‘spent’ conviction is a conviction that satisfies the following conditions:
- it is 10 years since the date of conviction (or five years for juvenile offenders);
- the sentence imposed was a fine, bond, community service order, or term of imprisonment not greater than 30 months;
- the individual has not been convicted of a further offence committed during the 10-year (or five-year) waiting period;
- an exclusion does not apply (see ‘Exclusions under the scheme’, below).
For the purposes of the scheme, a ‘spent’ conviction also includes:
- a conviction for which a person has been granted a pardon because they were wrongly convicted; or
- a conviction that has been quashed by a court.
The scheme covers all offences that meet the criteria for a spent conviction above, including foreign convictions. However, the protections under the scheme are limited by whether the conviction was for a Commonwealth offence (including an Australian external territory or Jervis Bay Territory), a state offence (including the ACT and Northern Territory) or a foreign offence, and where the recipient of the information is located.
Protections under the scheme
The Commonwealth Spent Convictions Scheme offers the following protections:
- an individual does not have to disclose a spent conviction;
- an individual can claim on oath that they were not convicted of an offence; and
- any other person who knows, or ought to reasonably know, about the spent conviction is prohibited from taking the conviction into account or disclosing the conviction.
The right of non-disclosure is limited, depending on the type of conviction, who the recipient of the information is and where they are located.
If the spent conviction is for a Commonwealth offence, an individual does not have to disclose it to any person wherever they are located in Australia or to any Commonwealth or state authority located in a foreign country.
If the spent conviction is for a state or foreign offence, an individual does not have to disclose it to any person located in an Australian external territory or Jervis Bay Territory. A person does not have to disclose the spent conviction to any Commonwealth authority located in a state, territory or overseas.
Complaints of breaches of the Commonwealth Spent Convictions Scheme may be made to the Australian Information Commissioner.
Exclusions under the scheme
Exclusions under the Commonwealth Spent Convictions Scheme are limited to specific organisations that need to know about particular offences for special purposes. For example, if a person is applying for a position involving the care and control of children, the potential employer can find out about any sex offence convictions, or convictions for offences where the victim was a child. If an agency is excluded, it should explain this fact, and what it means for the person concerned. Details of exclusions are available at www.oaic.gov.au.
State and territory spent convictions schemes
Some states and territories have their own spent convictions schemes for state offences. This now includes Victoria since the enactment of the Spent Convictions Act 2021 (Vic).
A specific scheme providing for the expungement of historical homosexual offences that are not criminal offences today has operated in Victoria since September 2015 (see www.justice.vic.gov.au/expungement-scheme).
For further information about spent convictions, see www.oaic.gov.au/privacy/your-privacy-rights/criminal-records/.
Personal property securities
The Personal Property Securities Act 2009 (Cth) (‘PPS Act’) established a national register of personal property security interests. The PPS Act and the PPS register commenced operation in May 2011 (for more information, visit www.ppsr.gov.au).
‘Personal property’ means property other than land, buildings or fixtures that form a part of land. It can include tangibles (e.g. cars, crops and machinery) and intangibles (e.g. contract rights and intellectual property).
A personal property security is created when a ‘secured party’ takes an interest in personal property as security for a loan or other obligation or enters into a transaction that involves the supply of secured finance. A ‘secured party’ is a person or entity that has a security interest in the collateral of someone else (the grantor). ‘Collateral’ is personal property (consumer or commercial) with a security interest attached.
Registrations on the PPS register can include:
- data about the grantor’s property or collateral;
- a person’s name and date of birth;
- data about the secured party (e.g. their address), although the secured party’s details are not searchable.
Grantors must be notified when a secured party makes a registration against them.
The PPS Act protects grantors, secured parties and others from misuse of the register (e.g. illegitimate searches and registrations), with civil penalties to protect people’s privacy. A breach of certain limitations is also an interference with privacy under the PA 1988. A breach may also give rise to damages.
Telecommunications
The telecommunications sector is regulated by the PA 1988, the Telecommunications Act 1997 (Cth) (‘Telecommunications Act’) and the Telecommunications (Interception and Access) Act 1979 (Cth) (‘TIA Act’). These Acts set out specific obligations, which include prohibiting a telecommunications provider from disclosing personal information (subject to limited exemptions). These obligations are in addition to telecommunications providers’ obligations to comply with the APPs (see ‘Summary of the Australian Privacy Principles’).
The Telecommunications Act provides for the registration of telecommunications codes under a self-regulatory framework. These codes are developed by the industry through the Communications Alliance and may be registered with the Australian Communications and Media Authority (ACMA). ACMA must consult the OAIC on a code where that code deals with privacy matters.
There are several privacy obligations in telecommunications codes registered by ACMA, including calling number display (C522:2007), handling of life-threatening and unwelcome calls (C525:2006), and the integrated public number database (C555:2007).
For more information about Telecommunications Act codes and standards, and the register of codes and standards currently in force, visit ACMA’s website. The Australian Information Commissioner can monitor compliance with the record-keeping requirements contained in Part 13 of the Telecommunications Act, which requires telecommunications providers to keep records of certain disclosures of personal information.
The TIA Act permits telecommunications providers to disclose personal information to the Australian Security Intelligence Organisation (ASIO) or to the Federal Police. The TIA Act prohibits the unauthorised access and interception of communications, subject to various exceptions, unless a warrant is obtained. Those issuing warrants must consider, among other things, the privacy of the people affected by the access and interception.
Since 13 October 2015, telecommunications providers have been required to collect and retain certain types of telecommunications data (metadata) for a minimum period of two years. All service providers that collect and retain data under this provision are required to comply with the PA 1988 in relation to that data.
Do not call register
A national ‘do not call register’ began operating in May 2007 in accordance with the Do Not Call Register Act 2006 (Cth). The register is administered by ACMA. The Act allows people to register (without charge) their home phone, domestic mobile and fax number to opt out of a wide range of unsolicited telemarketing calls. Government bodies and emergency services numbers may also register.
The Do Not Call Register Legislation Amendment Act 2010 (Cth) has enabled all Australian telephone and fax numbers to be registered, allowing organisations (including businesses) and individuals to access the protections of the register.
Businesses can still contact other businesses with whom they have a relationship under the inferred consent provisions. Businesses that have given express consent to receive calls or faxes may also continue to be contacted. However, ‘cold calls’ and marketing faxes to businesses that do not fall under the express or inferred consent provisions are prohibited for numbers on the register.
As a part of the registration process, new registrants are provided with the option to nominate to receive calls or faxes relating to a list of industry classifications. The legislation makes it illegal for any non-exempt telemarketer in Australia and overseas to contact a number on the register without consent.
There are exemptions for government bodies, educational or religious organisations, registered political parties, independent members of parliament, electoral candidates and charities. Market and social researchers may call to conduct standard opinion polling and questionnaire research, subject to a national industry standard. Businesses that have an existing relationship with a person may also call numbers on the do not call register.
Enquiries and complaints relating to the do not call register can be made by calling the ACMA on 1300 792 958.
Consumer Data Right
The Consumer Data Right (CDR) is intended to give consumers greater control over their data.
The CDR also gives consumers the ability to direct a data holder to provide their CDR data to an accredited data recipient in a CDR-compliant format. The CDR was enacted by the Treasury Laws Amendment (Consumer Data Right) Act 2019 (Cth), which inserted a new Part IVD into the Competition and Consumer Act 2010 (Cth).
The CDR scheme was introduced in the banking sector on 1 July 2020, and will be rolled out to other sectors. The energy sector is expected to be bound some time in 2022, followed by the telecommunications sector. The Competition and Consumer (Consumer Data Right) Rules 2020 (‘CDR Rules’) provide the framework for how the CDR operates in the banking sector. The CDR Rules set out details about how the CDR legislation applies, including in relation to consent and privacy safeguards.
The CDR is co-regulated by the Australian Information Commissioner and the Australian Competition and Consumer Commission. For more information about the CDR, see www.oaic.gov.au/consumer-data-right and www.cdr.gov.au.