Australian Privacy Act, 1988 - An Analysis

The handling of personal information in Australia is governed by legislation at both a federal and state/territory level.

At a federal level, the Privacy Act 1988 (Cth) (Privacy Act) governs the way in which business entities and federal government agencies must handle personal information, largely through the 13 Australian Privacy Principles (APPs) set out within the Privacy Act.

‘Personal information’ is defined by the Privacy Act as:

information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether the information or opinion is recorded in a material form or not.

Most States and Territories in Australia (except Western Australia and South Australia) have their own data protection legislation applicable to relevant State or Territory government agencies, and private businesses that interact with State and Territory government agencies. These Acts include:

• Information Privacy Act 2014 (Australian Capital Territory)

• Information Act 2002 (Northern Territory)

• Privacy and Personal Information Protection Act 1998 (New South Wales)

• Information Privacy Act 2009 (Queensland)

• Personal Information Protection Act 2004 (Tasmania), and

• Privacy and Data Protection Act 2014 (Victoria)

Additionally, there are other parts of State, Territory and federal legislation that relate to data protection. For example, the following all impact privacy and data protection for specific types of data or activities: the Telecommunications Act 1997 (Cth), the Criminal Code Act 1995 (Cth), the National Health Act 1953 (Cth), the Health Records and Information Privacy Act 2002 (NSW), the Health Records Act 2001 (Vic) and the Workplace Surveillance Act 2005 (NSW).

Who must comply with the Privacy Act?

The Privacy Act imposes obligations on ‘APP entities’.

An APP entity is, generally speaking:

• an agency (which largely refers to a federal government entity and/or office holder) or

• an organisation (which includes an individual, body corporate, partnership, unincorporated association, or trust).

An APP entity does not include:

• a ‘small business operator’ (subject to the exceptions below), which is an operator of a business with an annual turnover of less than $3 million

• a registered political party or

• a state or territory authority.

However, a small business operator will be deemed to be an APP entity, and therefore required to comply with the Privacy Act if they:

• operate another business with a turnover of $3 million or more

• provide a health service or otherwise hold health information (other than in an employee record)

• disclose, or collect, personal information about another individual for a benefit, service or advantage

• are a contracted service provider for a Commonwealth contract or

• are a credit reporting body.

Obligations under the Privacy Act

The key features of the Privacy Act include:

• the 13 APPs which are the principles that govern the way in which personal information is to be collected, used, disclosed and stored. We have included a summary of the APPs in section 4 below. The full text of the APPs can be viewed on the Australian Information Commissioner’s website.

• the credit reporting provisions of the Privacy Act (further explained in section 10 below), which govern the way in which credit-related personal information is to be collected, used, disclosed and stored. These provisions will be particularly relevant to entities that are credit providers (or agents of credit providers), credit reporting bodies, or that otherwise handle or deal in credit-related personal information and

• the obligation to comply with an ‘APP code’, which is a written code of practice usually specific to a particular entity or industry. In particular, there is a Credit Reporting Code (CR Code) which imposes on entities handing credit information additional obligations to those set out in the credit reporting provisions of the Privacy Act.

Accordingly, APP entities must be aware of the full scope of the obligations imposed upon them according to the nature of their business activities.

The Australian Privacy Principles

• Open and transparent management of personal information

• Anonymity and pseudonymity

• Collection of solicited personal information

• Dealing with unsolicited personal information

• Notification of the collection of personal information

• Use or disclosure of personal information

• No Direct marketing without consent

• Cross-border disclosure of personal information

• Adoption, use or disclosure of government related identifiers

• Quality of personal information

• Security of personal information

• Access to personal information

• Correction of personal information

Sensitive information

The Privacy Act generally affords a higher level of protection to ‘sensitive information’ given the mishandling of it can generally have a more detrimental impact on the relevant individual.