The handling of personal information in Australia is governed by legislation at both a federal and state/territory level.
At a federal level, the Privacy Act 1988 (Cth) (Privacy Act) governs the way in which business entities and federal government agencies must handle personal information, largely through the 13 Australian Privacy Principles (APPs) set out within the Privacy Act.
‘Personal information’ is defined by the Privacy Act as:
information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether the information or opinion is recorded in a material form or not.
Most States and Territories in Australia (except Western Australia and South Australia) have their own data protection legislation applicable to relevant State or Territory government agencies, and private businesses that interact with State and Territory government agencies. These Acts include:
Information Privacy Act 2014 (Australian Capital Territory)
Information Act 2002 (Northern Territory)
Privacy and Personal Information Protection Act 1998 (New South Wales)
Information Privacy Act 2009 (Queensland)
Personal Information Protection Act 2004 (Tasmania), and
Privacy and Data Protection Act 2014 (Victoria)
Additionally, there are other parts of State, Territory and federal legislation that relate to data protection. For example, the following all impact privacy and data protection for specific types of data or activities: the Telecommunications Act 1997 (Cth), the Criminal Code Act 1995 (Cth), the National Health Act 1953 (Cth), the Health Records and Information Privacy Act 2002 (NSW), the Health Records Act 2001 (Vic) and the Workplace Surveillance Act 2005 (NSW).
Who must comply with the Privacy Act?
The Privacy Act imposes obligations on ‘APP entities’.
An APP entity is, generally speaking:
an agency (which largely refers to a federal government entity and/or office holder) or
an organisation (which includes an individual, body corporate, partnership, unincorporated association, or trust).
An APP entity does not include:
a ‘small business operator’ (subject to the exceptions below), which is an operator of a business with an annual turnover of less than $3 million
a registered political party or
a state or territory authority.
However, a small business operator will be deemed to be an APP entity, and therefore required to comply with the Privacy Act if they:
operate another business with a turnover of $3 million or more
provide a health service or otherwise hold health information (other than in an employee record)
disclose, or collect, personal information about another individual for a benefit, service or advantage
are a contracted service provider for a Commonwealth contract or
are a credit reporting body.
Obligations under the Privacy Act
The key features of the Privacy Act include:
the 13 APPs which are the principles that govern the way in which personal information is to be collected, used, disclosed and stored. We have included a summary of the APPs in section 4 below. The full text of the APPs can be viewed on the Australian Information Commissioner’s website.
the credit reporting provisions of the Privacy Act (further explained in section 10 below), which govern the way in which credit-related personal information is to be collected, used, disclosed and stored. These provisions will be particularly relevant to entities that are credit providers (or agents of credit providers), credit reporting bodies, or that otherwise handle or deal in credit-related personal information and
the obligation to comply with an ‘APP code’, which is a written code of practice usually specific to a particular entity or industry. In particular, there is a Credit Reporting Code (CR Code) which imposes on entities handing credit information additional obligations to those set out in the credit reporting provisions of the Privacy Act.
Accordingly, APP entities must be aware of the full scope of the obligations imposed upon them according to the nature of their business activities.
The Australian Privacy Principles
Open and transparent management of personal information
Anonymity and pseudonymity
Collection of solicited personal information
Dealing with unsolicited personal information
Notification of the collection of personal information
Use or disclosure of personal information
No Direct marketing without consent
Cross-border disclosure of personal information
Adoption, use or disclosure of government related identifiers
Quality of personal information
Security of personal information
Access to personal information
Correction of personal information
Sensitive information
The Privacy Act generally affords a higher level of protection to ‘sensitive information’ given the mishandling of it can generally have a more detrimental impact on the relevant individual.
‘Sensitive information’ is defined under the Privacy Act and includes information about an individual’s racial or ethnic origin, political opinions, professional or political or religious affiliations or memberships, sexual orientation or practices, criminal record, health, genetics and/or biometrics.
Extra-territorial application of the Privacy Act
An entity operating outside Australia will still have obligations under the Privacy Act if the entity has ‘an Australian link’. An entity will have an Australian link for the purposes of the Privacy Act if, generally speaking, the entity was formed in Australia, has its central management and control in Australia, or is otherwise carrying on a business and collects or holds personal information in Australia.
This expands the reach of the Privacy Act to overseas entities, or Australian subsidiaries of overseas entities, who are engaging in business-related acts within Australia, even if the business is otherwise predominantly conducted outside of Australia.
The Australian Information Commissioner has also pointed to specific indicators that an entity is carrying on a business within Australia, including where an entity has an agent or agents within Australia, websites offering goods or services to Australia, purchase orders being actioned within Australia, or personal information being collected from a person who is physically in Australia.
Penalties for breaching the Privacy Act
If an APP entity is found to have engaged in a serious, or repeated, interference with an individual’s privacy, the APP entity may face penalties of up to:
$1.8 million for corporate bodies and/or
$360,000 for non-corporate bodies (including government departments/agencies, sole-traders, partnerships, trusts, unincorporated associations).
An APP entity will interfere with an individual’s privacy if (among other things) it:
breaches an APP
breaches an APP code that is binding on the relevant entity (noting that the Australian Information Commission may impose an APP code on a particular organisation or industry)
breaches the credit reporting provisions of the Privacy Act
breaches the CR Code
breaches a provision of a Commonwealth contract for which it is to provide services and/or
handles a tax file number contrary to the Tax File Rule (which has been issued by the Australian Information Commissioner pursuant to the Privacy Act).
Mandatory breach notifications
On or before 22 February 2018, APP entities will also be required to notify the Australian Information Commissioner, and affected individuals, if the APP entity experiences a data breach that is likely to cause an individual serious harm. This obligation is designed to enable affected individuals to take steps to protect themselves.
Handling health information
The Privacy Act includes health information within its definition of ‘sensitive information’. Health information is therefore afforded a higher standard of protection.
Additionally, both private and public sector entities need to be aware of obligations that may arise under state-based legislation, including:
Health Records and Information Privacy Act 2002 (NSW)
Health Records Act 2001 (Vic) and
Health Records (Privacy and Access) Act 1997 (ACT).
These laws also impose obligations on employers in Victoria and the ACT when handling health information about their employees. While health records law in NSW contains an employee records exemption for private sector employers, such employers may nevertheless be bound by the NSW legislation if the health information is unrelated to their employment.
Health and other sensitive information will also be subject to common law principles of confidentiality.
Surveillance
The use of surveillance and/or listening devices is governed by both state/territory and federal legislation. Obligations in relation to surveillance will depend on the type of device (e.g. computer and/or video surveillance, geographical tracking and/or the use of listening devices), the nature and purpose of the surveillance, the specific activity being observed/recorded including whether it is occurring in the workplace or not and, in some cases, whether it occurs in the private or public sector.
While each jurisdiction differs, generally speaking, the use of surveillance and/or listening often requires consent and/or notification. However, exceptions may apply, including where the use of such a device is necessary to protect a party’s lawful interests, for an enforcement-related purpose, and/or is in the public interest. Specific obligations may also be impacted by whether the person using the surveillance or listening device is a party to the activity/conversation and whether the activity/conversation is private or in a private space.
The Future of Privacy Act
The Privacy Act 1988 has been up for amendment.A first reading of the bill amending the Privacy Act 1988 to increase maximum penalties for “serious or repeated interferences with privacy” was held before Parliament. The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 would increase penalties to AU$2.5 million for individuals and AU$50 million for corporations. Australia Attorney-General Mark Dreyfus said the bill also grants the Office of the Australian Information Commissioner “a suite of improved and new powers to resolve privacy breaches efficiently and effectively.” The bill has been moved to a second reading.