Privacy In Australia


Introduction

This paper briefly sets out the role of the Office of the Federal Privacy Commissioner, an overview of privacy regulation in Australia, and some of the important privacy issues in Australia. You can find further details about these issues on our website, www.privacy.gov.au, or copies are available through the Privacy Hotline at 1300 363 992.

What does the Office of the Federal Privacy Commissioner do?

The Office is a federal government agency established to support the federal Privacy Commissioner (the Commissioner) in promoting an Australian culture that respects privacy. The Office is located in Sydney and there is a small office in Canberra. The Commissioner and staff:

  • advise individuals about their privacy rights
  • give advice to Commonwealth and ACT agencies, credit providers, credit reporting agencies, private sector organisations and others about their obligations under the Privacy Act
  • issue guidelines to aid and direct organisations in implementing privacy principles
  • investigate complaints which fall within the Commissioner’s jurisdiction
  • conduct audits of agencies and organisations that are subject to the audit provisions of the Privacy Act 1988 (Cth) (the Privacy Act)
  • consult widely to find out what people’s and organisations’ understandings, expectations and behaviours are in relation to privacy
  • promote privacy in the wider community
  • provide information about privacy and related legislation.

Privacy Protections for Australians

The Privacy Act 1988

  • New private sector provisions

In December 2000, the Privacy Amendment (Private Sector) Act 2000 (the Amendment Act) was passed by federal Parliament. This amends the Privacy Act which, until now, has mainly covered public sector agencies. The Privacy Act will now apply to most private sector organisations as well. The new scheme will come into effect for most organisations covered by the Privacy Act on 21 December 2001. See Information Sheet 1-2001 Overview of the Private Sector Provision.

The National Privacy Principles (NPPs) in the Privacy Act set out how private sector organisations should collect, use, keep secure and disclose personal information. The principles give individuals a right to know what information an organisation holds about them and a right to correct that information if it is wrong. The Commissioner has written Guidelines to the National Privacy Principles to assist organisations to meet their obligations in the handling of personal information. A series of Information Sheets has also been developed and provides more detailed explanations and good practice or compliance tips on various aspects of the NPPs and the Private Sector provisions.

  • Health Privacy

The Amendment Act extends the operation of the Privacy Act to cover the private health sector throughout Australia. This means that the Privacy Act now covers health records throughout Australia. The legislation, through its ten NPPs, promotes greater openness between health service providers and consumers regarding the handling of health information. This includes a general right of access for consumers to their own health records, and requires health service providers to have available documentation that clearly sets out their policies for the management of personal information.

The Commissioner has written guidelines to assist health service providers to meet their obligations. Refer to Guidelines on Privacy in the Private Health Sector and Information Sheet 9-2001 Handling Health Information for Research and Management.

Other features of the new private sector scheme include:

  • Businesses may have and enforce their own codes (if the Commissioner has approved the code as having obligations that are at least the equivalent of those in the NPPs and the code meets other requirements). Refer to the Code Development Guidelines.
  • Businesses that do not have their own code must comply with the NPPs set out in the Privacy Act.
  • There are special provisions for sensitive and health information and direct marketing.
  • The scheme will not apply to small businesses in some circumstances.
  • The scheme will not apply to political parties, employee records held by current or former employers or to acts and practices of the media in the course of journalism. Refer to Information Sheet 12-2001 Coverage of and Exemptions from the Private Sector Provisions.

  • Public Sector, Credit, Tax file numbers

In addition to the new provisions covering private sector organisations, the Privacy Act 1988 provides protection to individuals in two areas:

The Information Privacy Principles, which are based on the OECD guidelines, set out strict safeguards for any personal information that is handled by federal government and ACT government agencies. These rules cover the collection, storage, use and disclosure of this information.

Also, the Act provides protection for individuals' tax file numbers (TFNs), preventing their use as an identifier, and giving individuals the right to withhold this information. Where a TFN is provided, its use is limited to tax related, assistance agency and superannuation purposes. Under the Act, the Commissioner issues and administers legally binding guidelines.

The Commissioner has specific statutory functions in relation to: complaint handling and investigation of breaches of the Act; auditing for compliance (in some circumstances); the provision of policy advice; and promotion of privacy principles to encourage adoption of privacy standards more broadly in the community.

Additional Federal Legislation

The Commissioner also performs functions under the following legislation (see www.privacy.gov.au/act/index.html):

  • Part VIIC of the Crimes Act 1914, the Commonwealth ‘Spent Convictions Scheme’.  This law provides protection for individuals with old minor convictions in certain circumstances.  The Privacy Commissioner has the power to investigate breaches of the legislation, and is also required to provide advice to the Attorney‑General in relation to exemptions under the scheme;
  • The Data-matching Program (Assistance and Tax) Act 1990, which regulates data matching between the Tax Office and four assistance agencies to detect overpayments and ineligibility for assistance.  Under the Act, the Commissioner is responsible for issuing guidelines for protecting privacy, investigating complaints and monitoring agency compliance;
  • The National Health Act 1953, under which the Commissioner is required to issue guidelines covering the storage, use, disclosure and retention of individuals’ claims information under the Pharmaceutical Benefits Scheme and the Medicare program; and
  • The Telecommunications Act 1997, under which the Commissioner has some monitoring and compliance functions.

Other Key Privacy Issues

Credit Information

The Privacy Act has applied to credit information in the private sector since 1990. Part IIIA of the Privacy Act places strict safeguards on the way the credit industry handles individuals' consumer credit information. These provisions recognise the sensitivity of credit worthiness information and the implications for individuals should it be mishandled. Strict penalties apply where these provisions are knowingly breached.

Private Sector Privacy Overseas

The move in Australia to give greater privacy protection to personal information in the private sector is part of a worldwide trend. The principles applying to the public sector in the Privacy Act 1988 and the NPPs in the Amendment Act are based on the Organisation for Economic Cooperation and Development's (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data developed in 1980. These guidelines govern the way personal information about individuals is collected, stored, used and disclosed. They also establish the right of individuals to gain access to, and have amended, information about them held by others.

Most European countries have passed laws for the public and private sectors based on the OECD principles. New Zealand, Hong Kong and Taiwan also have privacy laws that apply to both public and private sectors. For more information refer to international regulator sites.

The development of new technology and e-commerce has raised new issues about information privacy. Increasing use of the Internet and other technology means that personal information may be very easily collected and transferred around the world. Some countries have laws that prohibit businesses from transferring information to other countries that do not have equivalent protection for personal information. A number of countries, including Australia, are responding to this by developing their own private sector privacy regimes.

Information Technology, the Internet, E-commerce and Electronic Service Delivery

The continuing growth of the Internet has seen a corresponding growth in concern about online privacy. Surveys continue to show that users are concerned about the collection, security, use and disclosure of information about them on the Net.

Three major pieces of research on Australians and privacy were published by the Office in July 2001. The sectors targeted were the community, business and government. The surveys showed that Australians regard privacy as a closely held and highly personal value. People look for signals that an organisation will manage their personal information well: for example, 59% said they would trust an organisation more if that organisation gave them control over how their information was to be used, and 55% said that organisations with privacy policies would be more likely to gain their trust.

The Commissioner monitors technological and Internet related developments that may affect privacy. Of particular interest has been a number of proposed technological solutions to Internet privacy protection. The Office published guidelines for the protection of privacy of users of federal agency websites in May 1999 and these have been well received. The Office has also produced Guidelines on Workplace E-mail, Web Browsing and Privacy.

A consultation paper entitled Privacy issues in the Use of Public Key Infrastructures for individuals and Possible Guidelines for Handling Privacy issues in the Use of PKI for Individuals by Commonwealth Agencies was issued in June 2001. The proposed guidelines are being assessed on the basis of the submissions received, and it is anticipated that the final guidelines will be issued by the end of 2001.

Various government bodies have been involved in projects and activities designed to encourage the uptake of E-commerce and Electronic Service Delivery. The federal Government is committed to delivering all appropriate services electronically by 2001 and has passed enabling legislation, the Electronic Services Transactions Act 1999. Many of these projects have privacy implications that impact on the work of the Commissioner.

Developments in the States

The following information gives a brief overview of State privacy development. For more detail please refer to the appropriate agency.

New South Wales

The Privacy and Personal Information Protection Act was passed in 1998 and established the Office of the Privacy Commissioner in New South Wales.  The jurisdiction of the Act is generally limited to the public sector.  However, the Privacy Commissioner can also investigate and conciliate privacy breaches by organisations and individuals who are not public sector agencies.

Australian Capital Territory

The federal Privacy Act also applies to ACT government agencies. Currently the Federal Privacy Commissioner administers the Act on behalf of the ACT government. In addition, health records, whether held in the public or private sectors, are covered by the ACT Health Records (Privacy and Access) Act 1997. The Health Records Act contains privacy principles based on the federal legislation but modified to suit the requirements of health records. The ACT Community and Health Services Complaints Commissioner handles health record privacy complaints. From 21 December 2001, the Privacy Act will cover health records in the ACT.

South Australia

The South Australian government has issued an administrative instruction requiring its government agencies to generally comply with the federal Information Privacy Principles. This jurisdiction does not intend to develop privacy legislation for either public or private sectors at this time. It is understood that South Australia will await the outcome of the federal private sector amendments.

Northern Territory

On 22 April 1999 the NT Chief Minister issued a Ministerial Statement to the NT Legislative Assembly on Access to Information and Privacy. In that Statement, he said that in view of the Commonwealth Government's decision to introduce light touch privacy legislation for the private sector he intended to introduce legislation to cover the NT public sector and thereby "complement the commonwealth legislation and create a seamless framework of privacy protection".

Tasmania

In 1997 Tasmania issued Information Privacy Principles based on federal legislation and recommended the principles to Tasmanian government agencies.  A copy of the principles is available at www.justice.tas.gov.au/legpol/privacy/index.htm.

Queensland

In December 2000 a new privacy regime was approved for the Queensland public sector, which will apply to all Queensland public sector entities including statutory government owned corporations. The administratively based regime will involve the development of an Information Standard and privacy guidelines, based on the Information Privacy Principles that apply to the Commonwealth government public sector, for approval by government.

Victoria

The Information Privacy Act 2000 covers all personal information except health information in the public sector. The Act adopts ten Information Privacy Principles which are based on the NPPs set out in the federal Amendment Act 2000. Some changes were made to these principles to adapt them to the state public sector context.

Victoria now also has a Health Records Act, which was passed on 3 April 2001 and will come into effect from 1 July 2002. It covers the handling of all personal information held by health service providers in the public and private sectors. This includes any information about a person's health or disability, information about the donation of body parts, organs or substances, and genetic information. It is based on the ACT Health Records (Access and Privacy) Act 1997 and contains a set of principles adapted from NPPs. For more information, refer to www.dhs.vic.gov.au/privacy/index.htm.

Western Australia

Western Australia does not currently have a privacy regime. Various confidentiality provisions cover government agencies and some of the privacy principles are provided for in the Freedom of Information legislation. For more information refer to www.ecc.online.wa.gov.au/matrix/priv-wa.htm.

Office of the Federal Privacy Commissioner
Updated October 2001

For further information please contact

Privacy Commissioner
GPO Box 5218
Sydney NSW 1042

Privacy Hotline: 1300 363 992
Telephone: (02) 9284 9800
Fax: (02) 9284 9666

E-mail: privacy@privacy.gov.au
