Site Changes
- Note 1: Major changes to the Privacy Act 1988 will come into effect in March 2014. Agencies, businesses and not for profits need to start preparing for these changes. For more information go to our privacy law reform page at www.oaic.gov.au
- Note 2: From 12 March 2013 content is no longer being added to, or amended, on this site, consequently some information may be out of date. For new privacy content visit the www.oaic.gov.au website.
Information Sheet (Private Sector) 1 - 2001: Overview of the Private Sector Provisions
NOTE: updated with minor amendments 27 November 2007.
New private sector provisions in the Privacy Act 1988 (Cth) (the Privacy Act) regulate the way many private sector organisations collect, use, keep secure and disclose personal information. For the first time, they give individuals the right to know what information an organisation holds about them and a right to correct that information if it is wrong.
Purpose of the private sector provisions
The private sector provisions aim to give people greater control over the way information about them is handled in the private sector by requiring organisations to comply with ten National Privacy Principles (NPPs).
An organisation must take reasonable steps to make individuals aware that it is collecting personal information about them, the purposes for which it is collecting the information, and who it might pass the information on to. There are some restrictions on what an organisation can do with the personal information it collects and when it can disclose personal information or transfer it overseas.
Except for some special circumstances, individuals have a right to get access to personal information an organisation holds about them and to have the information corrected or annotated if the information is incorrect, out-of-date or incomplete. Individuals can also make a complaint if they think information about them is not being handled properly.
Coverage of the private sector provisions
The new private sector provisions apply to organisations (including not-for-profit organisations) with an annual turnover of more than $3 million. The provisions also apply to all health service providers regardless of turnover.
Businesses with an annual turnover of $3 million or less are exempt from the new laws unless one of the following statements is true for the business:
- it is a health service provider;
- it is related to another business (for example it is a holding company or a subsidiary) that has an annual turnover of more than $3 million;
- it provides a health service and holds health records other than employee records;
- it discloses personal information for a benefit, service or advantage;
- it provides someone else with a benefit, service or advantage to collect personal information;
- it is a contracted service provider for a Commonwealth contract;
- it is a reporting entity for the purpose of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act); or
- it operates a residential tenancy database.
The Privacy Act also exempts from its coverage:
- State and Territory authorities, for example, Ministers, departments, courts and local government councils;
- political parties, and acts of political representatives in relation to electoral matters;
- acts or practices in relation to employee records of an individual if the act or practice directly relates to a current or former employment relationship between the employer and the individual; and
- acts or practices of media organisations in the practice of journalism.
Refer to Information Sheet 12 - 2001 Coverage of and Exemptions from the Private Sector Provisions for more details.
The Privacy Act already regulates the way credit providers and credit reporting agencies handle consumer credit information. Provisions in the Privacy Act also regulate private sector organisations in possession or control of tax file number information. These requirements continue to apply in addition to the new provisions.
The National Privacy Principles
Schedule 3 of the Privacy Act sets out the ten NPPs, which legally bind organisations in the way they must handle personal information. The NPPs cover collection (NPP 1), use and disclosure (NPP 2), data quality (NPP 3), data security (NPP 4), openness (NPP 5), access and correction (NPP 6), identifiers (NPP 7), anonymity (NPP 8), transborder data flows (NPP 9) and sensitive information (NPP 10).
More detailed information on the NPPs and their application is available in the Guidelines to the National Privacy Principles and other information sheets.
Privacy codes
The Privacy Act gives organisations the option of adopting a privacy code. Once approved by the Privacy Commissioner (the Commissioner), a privacy code effectively replaces the NPPs for those organisations bound by it. It is possible for codes to establish complaint handling procedures and to appoint an independent adjudicator to handle complaints. Alternatively, the Commissioner will determine complaints in relation to breaches of the code. The Commissioner can revoke a privacy code at any time.
More information on privacy codes is available in the Code Development Guidelines and the Information Sheet 11 - 2001 Privacy Codes.
The Commissioner's powers
The Commissioner has the power to:
- investigate a complaint an individual has made to the Commissioner;
- investigate a complaint that a code adjudicator has referred to the Commissioner;
- investigate all complaints made about a federal government contractor;
- investigate, on the Commissioner's initiative, an act or practice that may be a breach of privacy (even if no complaint has been made);
- seek an order (injunction) from the court to stop conduct that does or would breach the Privacy Act; and
- review the decision of a code adjudicator at the request of the individual.
About Information Sheets
Information sheets are advisory only and are not legally binding. The NPPs in Schedule 3 of the Privacy Act do legally bind organisations. Information sheets are based on the Office of the Privacy Commissioner's understanding of how the Privacy Act works. They provide explanations of some of the terms used in the NPPs and good practice or compliance tips. They are intended to help organisations apply the NPPs in ordinary circumstances. Organisations may need to seek separate legal advice on the application of the Privacy Act to their particular situation. Nothing in an information sheet limits the Privacy Commissioner's freedom to investigate complaints under the Privacy Act or to apply the NPPs in the way that seems most appropriate to the facts of the case being dealt with. Organisations may also wish to consult the Commissioner's guidelines and other information sheets.
Office of the Privacy Commissioner
ISBN 1-877079-24-3
Privacy Enquiries Line 1300 363 992 (Local call cost but calls from mobiles and pay phones may incur higher charges)


