In addition to the Privacy Act 1988 (Cth) (‘PA 1988’), other Commonwealth laws and guidelines deal with information privacy. These laws include regulations relating to tax file numbers, medical research, electronic health records, Pharmaceutical Benefits Scheme and Medicare, spent criminal convictions, registered personal property security interests, telecommunications, and the consumer data right (see ‘Consumer Data Right’, below).
Freedom of Information Act 1982 (Cth)
As stated under Australian Privacy Principle (APP) 12, federal public sector agencies provide access to personal information through the Freedom of Information Act 1982 (Cth) (‘FoI Act (Cth)’).
However, section 41 of the FoI Act (Cth) exempts agencies from providing access to personal information if the disclosure involves an unreasonable disclosure of personal information – subject to the exception that a person cannot be denied access to documents containing their own personal information.
A person dissatisfied by the decision of an agency or government minister regarding access to their personal information can apply to the Information Commissioner for a review. The request for review must be made within 60 days of being notified of the agency’s or minister’s decision.
Tax file numbers
Tax file numbers (TFNs) are unique numbers issued to individuals by the Australian Taxation Office (ATO). The enhanced TFN scheme, introduced in 1988, allows the ATO to identify those who lodge income tax returns, and to match information provided in tax returns with other sources of information (e.g. records of interest).
Because of concerns about the earlier proposal of an Australia Card, a central feature of the TFN scheme is that supplying a personal TFN is voluntary.
However, in 1990 – through the Data-matching Program (Assistance and Tax) Act 1990 (Cth) (‘Data-matching Act’) and the Guidelines for the Conduct of Data-matching Programs (‘Data-matching guidelines’) – the government extended the scheme to make providing a TFN a condition of receiving assistance from a number of Australian Government agencies (e.g. Centrelink and the Department of Veterans’ Affairs). The government also extended the scheme to allow TFNs to be used to compare income reported to the ATO with income reported to federal assistance agencies. This is subject to strict controls and safeguards, and the Information Commissioner monitors Australian Government agencies’ compliance with the Data-matching Act, the Data-matching guidelines, and the PA 1988.
A breach of the Data-matching Act or Data-matching guidelines is an interference with privacy under the PA 1988 (s 13). If a person’s privacy has been breached under section 13, they can complain to the Information Commissioner.
Certain uses of the TFN in relation to superannuation administration are now also authorised by law.
Tax File Number Rule 2015
On 20 February 2015, the then Privacy Commissioner made a Privacy (Tax File Number) Rule 2015 (‘TFNR 2015’), issued under section 17 of the PA 1988. The TFNR 2015 replaced and repealed the Tax File Number Guidelines 2011.
The TFNR 2015 applies to individuals’ TFN information. A breach of the TFNR 2015 is an interference with privacy under the PA 1988. An individual who believes that the rule has been breached can complain to the Information Commissioner.
Under the TFNR 2015, ‘TFN recipient’ has the same meaning as under section 11 of the PA 1988 and covers any person, agency, organisation or other entity in possession or control of a record that contains TFN information, whether lawfully or not.
Under the TFNR 2015, a TFN recipient must not record, collect, use or disclose TFN information unless permitted under taxation, superannuation or other laws. In addition to the TFNR 2015, TFN recipients must abide by the Taxation Administration Act 1953 (Cth).
Obligations of APP entities (who are TFN recipients) to comply with the rule are in addition to their responsibilities under the APPs.
Detailed information about the Information Commissioner’s functions regarding the handling of TFNs is available at www.oaic.gov.au.
It is a criminal offence under taxation law to make an unauthorised request for, or to record, use or disclose, another person’s TFN. All TFN recipients are bound by the Notifiable Data Breaches scheme. This includes Victorian public sector entities that collect TFNs.
Section 95 guidelines
The guidelines under section 95 of the PA 1988 (‘section 95 guidelines’) – issued by the Australian Government’s National Health and Medical Research Council (NHMRC) – apply to medical and epidemiological research that involves personal information held by an Australian Government agency where the agency intends to use or disclose personal information for the purposes of research in a way that may breach the APPs.
The section 95 guidelines are a framework under which Human Research Ethics Committees (HRECs) must assess, and decide whether to approve, research proposals before they proceed. Approval by a HREC does not oblige an Australian Government agency to release data. The latest version of the section 95 guidelines was issued by the NHMRC and tabled in federal parliament in November 2014.
Section 95A guidelines
The guidelines under section 95A of the PA 1988 (‘section 95A guidelines’) are conceptually similar to the section 95 guidelines and were issued by the NHMRC and approved by the Privacy Commissioner in March 2014. These guidelines apply to:
- the collection, use or disclosure of health information held by private sector organisations for the purposes of research;
- the compilation or analysis of statistics, relevant to public health or public safety; and
- the collection of health information held by organisations for the purpose of health service management,
where it is impracticable to seek the consent of relevant individuals.
The section 95A guidelines provide a framework for assessing the privacy aspects of research proposals. These guidelines can be used by HRECs, and those involved in conducting research, compiling statistics, or working in health service management. The privacy assessment needs to determine whether the public interest in those activities substantially outweighs the public interest in the protection of privacy afforded by the APPs.
Researchers must obtain approval from a HREC for research projects. The HREC assesses the privacy aspects, along with other factors, in deciding whether or not to approve the research proposal. Before applying for approval of a research proposal, researchers must assess its privacy impact and decide whether it is impracticable to seek consent for the use or disclosure of personal information.
Section 95AA guidelines
In March 2014, the Privacy Commissioner approved updated guidelines for the use or disclosure of a living individual’s genetic information by a private health service provider, to lessen or prevent a serious threat to a genetic relative’s life, health or safety. The guidelines, issued by the NHMRC, must be followed when seeking to use or disclose this information without the individual’s consent, in reliance on the exception in APP 6.2(d).
The ‘Use and disclosure of genetic information to a patient’s genetic relatives’ guidelines under the PA 1988 (s 95AA) are available at www.nhmrc.gov.au.
My Health Record
The ‘My Health Record’ system is the Australian Government’s electronic health system. The My Health Records Act 2012 (Cth) (‘MHR Act’) (formerly known as the Personally Controlled Electronic Health Records Act 2012 (Cth)), together with My Health Records Regulation 2012 (Cth) and the My Health Records Rule 2016 (Cth), make up the legislative framework for the My Health Record system.
The MHR Act places strict controls on the collection, use and disclosure of the health information in an individual’s ‘My Health Record’. A collection, use or disclosure that is not authorised by the legislation is both a contravention of the MHR Act and an interference with the individual’s privacy under the PA 1988. The MHR Act also imposes mandatory data breach notification obligations on the system operator, repository operators and portal operators.
A ‘My Health Record’ allows an individual’s doctors and other healthcare providers to view the individual’s health information in accordance with access controls imposed by the individual.
Individual health records can be accessed at www.myhealthrecord.gov.au.
The system was previously opt in only. However, since 1 January 2019, every Australian who did not already have a ‘My Health Record’ is automatically registered, unless they opt out.
The Healthcare Identifiers Act 2010 (Cth) (‘HI Act’) and the Healthcare Identifiers Regulations 2010 (Cth) implement a national system for assigning unique identifiers to individuals.
Healthcare identifiers are assigned and administered through the Healthcare Identifiers Service (see ‘Contacts’ at the end of this chapter).
Healthcare identifiers help healthcare providers to communicate information to each other about an individual, and to identify and access a patient’s records in the My Health Record system. Healthcare identifiers can only be accessed, used and disclosed for limited purposes. Any unauthorised use and disclosure is a breach of the PA 1988.
The Information Commissioner regulates the handling of personal information under the My Health Record system by individuals, Australian Government agencies, private sector organisations, and some state and territory agencies, instrumentalities and authorities (in particular circumstances). On 19 March 2016, the Information Commissioner issued the My Health Records (Information Commissioner Enforcement Powers) Guidelines, which outline the commissioner’s approach to exercising his investigation and enforcement powers with respect to the My Health Record system. More information is available at www.oaic.gov.au and at https://myhealthrecord.gov.au.
Pharmaceutical Benefits Scheme and Medicare
Section 135AA of the National Health Act 1953 (Cth) required the Australian Information Commissioner to issue binding guidelines for the handling of certain health information within the Pharmaceutical Benefits Scheme (PBS) and the Medicare Benefits Program (Medicare).
On 1 July 2008, the Privacy Guidelines for the PBS and Medicare came into effect. These guidelines were repealed and replaced by the National Health (Privacy) Rules 2018, which commenced on 1 April 2019. These rules regulate the way Australian Government agencies link and store claims information under the PBS and Medicare. In particular, the rules prohibit agencies from storing information obtained from these programs on the same database.
Spent criminal convictions
Under Part VIIC of the Crimes Act 1914 (Cth) (‘Crimes Act (Cth)’), a person is able to not disclose some old criminal convictions in certain circumstances and is protected against unauthorised use and disclosure of this information. This is known as the Commonwealth Spent Convictions Scheme.
For the purposes of the scheme, a person is said to have been convicted of an offence if:
- they have been convicted of the offence; or
- they have been found guilty of the offence but discharged without conviction; or
- they have been found not guilty of an offence, but a court has taken the offence into account when sentencing them for another offence.
A ‘spent’ conviction is a conviction that satisfies the following conditions:
- it is 10 years since the date of conviction (or five years for juvenile offenders);
- the sentence imposed was a fine, bond, community service order, or term of imprisonment not greater than 30 months;
- the individual has not been convicted of a further offence committed during the 10 (or five) years waiting period;
- an exclusion does not apply (see ‘Exclusions under the scheme’, below).
For the purposes of the scheme, a ‘spent’ conviction also includes:
- a conviction for which a person has been granted a pardon because they were wrongly convicted; or
- a conviction that has been quashed by a court.
The scheme covers all offences that meet the criteria for a spent conviction above, including foreign convictions. However, the protections under the scheme are limited by whether the conviction was for a Commonwealth offence (including an Australian external territory or Jervis Bay Territory), a state offence (including the ACT and Northern Territory) or a foreign offence, and where the recipient of the information is located.
Protections under the scheme
The Commonwealth Spent Convictions Scheme offers the following protections:
- an individual does not have to disclose a spent conviction;
- an individual can claim on oath that they were not convicted of an offence; and
- any other person who knows, or ought to reasonably know, about the spent conviction is prohibited from taking the conviction into account or disclosing the conviction.
The right of non-disclosure is limited, depending on the type of conviction, who the recipient of the information is and where they are located.
If the spent conviction is for a Commonwealth offence, an individual does not have to disclose it to any person wherever they are located in Australia or to any Commonwealth or state authority located in a foreign country.
If the spent conviction is for a state or foreign offence, an individual does not have to disclose it to any person located in an Australian external territory or Jervis Bay Territory. A person does not have to disclose the spent conviction to any Commonwealth authority located in a state, territory or overseas.
Complaints of breaches of the Commonwealth Spent Convictions Scheme may be made to the Australian Information Commissioner (see ‘Contacts’ at the end of this chapter).
Exclusions under the scheme
Exclusions under the Commonwealth Spent Convictions Scheme are limited to specific organisations that need to know about particular offences for special purposes. For example, if a person is applying for a position involving the care and control of children, the potential employer can find out about any sex offence convictions, or convictions for offences where the victim was a child. If an agency is excluded, it should explain this fact, and what it means for the person concerned. Details of exclusions are available at www.oaic.gov.au. Some states and territories have their own spent convictions schemes (not Victoria) for state offences. For further information about spent convictions, see ‘Spent convictions’ in Chapter 3.9: Understanding criminal records. Also see the privacy fact sheet 41 at www.oaic.gov.au.
Personal property securities
The Personal Property Securities Act 2009 (Cth) (‘PPS Act’) established a national register for personal property and security interests. The PPS Act and PPS register commenced operation in May 2011 (for more information, visit www.ppsr.gov.au).
‘Personal property’ means property other than land, buildings or fixtures that form a part of land. It can include tangibles (e.g. cars, crops and machinery) and intangibles (e.g. contract rights and intellectual property).
A personal property security is created when a ‘secured party’ takes an interest in personal property as security for a loan or other obligation or enters into a transaction that involves the supply of secured finance. A ‘secured party’ is a person or entity that has a security interest in the collateral of someone else (the grantor). ‘Collateral’ is personal property (consumer or commercial) with a security interest attached.
Registrations on the PPS register can include:
- data about the grantor’s property or collateral;
- a person’s name and date of birth;
- data about the secured party (e.g. their address), although the secured party’s details are not searchable.
Grantors must be notified when a secured party makes a registration against them.
The PPS Act protects grantors, secured parties and others from misuse of the register (e.g. illegitimate searches and registrations), with civil penalties to protect people’s privacy. A breach of certain limitations is also an interference with privacy under the PA 1988. A breach may also give rise to damages.
The telecommunications sector is regulated by the PA 1988, the Telecommunications Act 1997 (Cth) (‘Telecommunications Act’) and the Telecommunications (Interception and Access) Act 1979 (Cth) (‘TIA Act’). These Acts set out specific obligations, which include prohibiting a telecommunications provider from disclosing personal information (subject to limited exemptions). These obligations are in addition to telecommunications providers’ obligations to comply with the APPs (see ‘Summary of the Australian Privacy Principles’, above).
The Telecommunications Act provides for the registration of telecommunications codes under a self-regulatory framework. These codes are developed by the industry through the Communications Alliance and may be registered with the Australian Communications and Media Authority (ACMA). ACMA must consult the OAIC on the codes when it deals with privacy matters.
There are several privacy obligations in telecommunications codes registered by ACMA, including calling number display (C522:2007), handling of life-threatening and unwelcome calls (C525:2006), and integrated public number database (C555:2007).
For more information about Telecommunications Act codes and standards, and the register of codes and standards currently in force, visit ACMA’s website (www.acma.gov.au). The Australian Information Commissioner can monitor compliance with the record-keeping requirements contained in Part 13 of the Telecommunications Act, which requires telecommunications providers to keep records of certain disclosures of personal information.
The TIA Act permits telecommunications providers to disclose personal information to the Australian Security Intelligence Organisation (ASIO) or to the Federal Police. The TIA Act prohibits the unauthorised access and interception of communications, subject to various exceptions, unless a warrant is obtained. Those issuing warrants must consider, among other things, the privacy of the people affected by the access and interception.
Since 13 October 2015, telecommunications providers have been required to collect and retain certain types of telecommunications data (metadata) for a minimum period of two years. All service providers that collect and retain data under this provision are required to comply with the PA 1988 in relation to that data.
Do not call register
A national ‘do not call register’ began operating in May 2007 in accordance with the Do Not Call Register Act 2006 (Cth). The register is administered by ACMA. The Act allows people to register (without charge) their home phone, domestic mobile and fax numbers in order to opt out of a wide range of unsolicited telemarketing calls. Government bodies and emergency services numbers may also register.
The Do Not Call Register Legislation Amendment Act 2010 (Cth) has enabled all Australian telephone and fax numbers to be registered, allowing organisations (including businesses) and individuals to access the protections of the register.
Businesses can still contact other businesses with whom they have a relationship under the inferred consent provisions. Businesses that have given express consent to receive calls or faxes may also continue to be contacted. However, ‘cold calls’ and marketing faxes to businesses that do not fall under the express or inferred consent provisions are prohibited for numbers on the register.
As a part of the registration process, new registrants are provided with the option to nominate to receive calls or faxes relating to a list of industry classifications. The legislation makes it illegal for any non-exempt telemarketer in Australia and overseas to contact a number on the register without consent.
There are exemptions for government bodies, educational or religious organisations, registered political parties, independent members of parliament, electoral candidates and charities. Market and social researchers may call to conduct standard opinion polling and questionnaire research, subject to a national industry standard. Businesses that have an existing relationship with a person may also call numbers on the do not call register.
Enquiries and complaints relating to the do not call register can be made by calling 1300 792 958.
Consumer Data Right
The Consumer Data Right (CDR) is intended to give consumers greater control over their data. The CDR also gives consumers the ability to direct a data holder to provide their CDR data to an accredited data recipient in a CDR-compliant format. The CDR was enacted by the Treasury Laws Amendment (Consumer Data Right) Act 2019 (Cth), which inserted a new Part IVD into the Competition and Consumer Act 2010 (Cth).
The CDR scheme was introduced in the banking sector on 1 July 2020, and will be rolled out to other sectors. The Competition & Consumer (Consumer Data Right) Rules 2020 (‘CDR Rules’) provide the framework for how the CDR operates in the banking sector. The CDR Rules set out details about how the CDR legislation applies, including in relation to consent and privacy safeguards.
The CDR is co-regulated by the Australian Information Commissioner and the Australian Competition and Consumer Commission. For more information about the CDR, see www.oaic.gov.au/consumer-data-right, and www.cdr.gov.au.