Privacy in Australia
INTRODUCTION
This paper briefly sets out:
- the role of the Office of the Federal Privacy Commissioner;
- how the Privacy Act 1998 (Cth) (the Privacy Act) protects the personal information of all Australians;
- an overview of privacy regulation or development in other States and Territories; and
- some of the key privacy issues in Australia.
You can find further details about these issues from our website www.privacy.gov.au or copies are available through the Privacy Hotline at 1300 363 992.
For a snapshot of how the Privacy Act protects your personal information go to My Privacy-My Choice.
This document notes some of the major pieces of legislation protecting privacy at federal and state level but is not intended to provide an exhaustive list. For example, it does not go into any detail about the Trade Practices and state Fair Trading laws, nor State listening devices laws, all of which can also provide privacy protection.
What does the Office of the Federal Privacy Commissioner do?
The Office is a federal government agency established to support the federal Privacy Commissioner (the Privacy Commissioner) in promoting an Australian culture that respects privacy. The Office is located in Sydney and there is a small office in Canberra. The Privacy Commissioner and staff:
- promote an Australian culture that respects privacy
- advise individuals about their privacy rights
- give advice to Commonwealth and ACT agencies, private sector organisations, credit providers, credit reporting agencies, and others about their obligations under the Privacy Act
- issue guidelines to aid and direct organisations and agencies in implementing privacy principles
- investigate complaints which fall within the Privacy Commissioner's jurisdiction
- conduct audits of agencies and organisations that are subject to audit provisions of the Privacy Act
- consult widely to find out what people's and organisations' understandings, expectations and behaviours are in relation to privacy
- provide information about privacy and related legislation.
PRIVACY PROTECTIONS FOR AUSTRALIANS
The Privacy Act
- private sector provisions
In December 2000, the Privacy Amendment (Private Sector) Act 2000 amended the Privacy Act, which previously mainly covered Commonwealth and ACT Government public sector agencies. Information Sheet 1-2001 Overview of the Private Sector Provisions gives more information.
The Privacy Act now applies to many private sector organisations. The new scheme came into effect, for most organisations covered by the Privacy Act, on 21 December 2001. Information Sheet 2-2001 Coverage of and Exemptions from the Private Sector Provisions gives more information.
The National Privacy Principles (the NPPs) in the Privacy Act set out how private sector organisations should collect, use, keep secure and disclose personal information. The principles give individuals a right to know what information an organisation holds about them and a right to correct that information if it is wrong. The Privacy Commissioner has written Guidelines to the National Privacy Principles to assist organisations to meet their obligations in the handling of personal information. A series of Information Sheets has also been developed and provides more detailed explanations and good practice or compliance tips on various aspects of the NPPs and the Private Sector provisions.
Other features of the new private sector legislation include:
- Special provisions in the NPPs for sensitive and health information and direct marketing.
- Exemptions under the Privacy Act for some sectors.
The legislation will not apply to small businesses in some circumstances. Small businesses which will be covered have until 21 December 2002 to comply with the Privacy Act. Small business operators should refer to Information Sheet 2-2001 for advice on how to get an organisation ready to comply with privacy obligations. Other Information Sheets may also be of assistance.
The legislation does not apply to:
- political parties;
- employee records held by current or former employers; or to
- acts and practices of the media in the course of journalism.
For more information on exemptions and coverage go to Information Sheet 12-2001 Coverage of and Exemptions from the Private Sector Provisions
The Privacy Act also covers health records throughout the private sector in Australia. The legislation, through its ten NPPs, promotes greater openness between health service providers and consumers regarding the handling of health information. This includes a general right of access for consumers to their own health records, and requires health service providers to have available documentation that clearly sets out their policies for the management of personal information. The Privacy Act provides special protection for health information.
The Privacy Commissioner has written Guidelines to assist health service providers to meet their obligations and provided other health privacy information including A Short Guide for the Private Health Sector and FAQs.
Private sector organisations may have and enforce their own codes if the Privacy Commissioner has approved the code as having obligations that are at least the equivalent of those in the NPPs and the code meets other requirements. Refer to the Code Development Guidelines for more information.
Organisations that do not have their own code must comply with the NPPs set out in the Privacy Act.
The Information Privacy Principles (IPPs) in the Privacy Act, which are based on the OECD guidelines, set out strict safeguards for any personal information that is handled by Federal government and ACT government agencies. These rules cover the collection, storage, use and disclosure of this information.
The Privacy Commissioner has specific statutory functions in relation to complaint handling and investigation of breaches of the Privacy Act in the private and public sectors.
- other protection under the Privacy Act
Tax File Numbers
The Privacy Act also provides protection for individuals' tax file numbers (TFNs), preventing their use as an identifier, and giving individuals the right to withhold this information. Where a TFN is provided, its use is limited to tax related, assistance agency and superannuation purposes. Under the Privacy Act, the Privacy Commissioner issues and administers legally binding guidelines.
Credit Information
The Privacy Act has applied to credit information in the private sector since 1990. Part IIIA of the Privacy Act places safeguards on the way the credit industry handles individuals' consumer credit information. These provisions recognise the sensitivity of credit worthiness information and the implications for individuals should it be mishandled. Strict penalties apply where these provisions are knowingly breached.
- additional federal legislation
The Privacy Commissioner also performs functions under the following legislation:
- Part VIIC of the Crimes Act 1914, the Commonwealth 'Spent Convictions Scheme'. This law provides protection for individuals with old minor convictions in certain circumstances. The Commissioner has the power to investigate breaches of the legislation, and is also required to provide advice to the Attorney General in relation to exemptions under the scheme;
- The Data-Matching Program (Assistance and Tax) Act 1990 which regulates data matching between the Tax Office and four assistance agencies to detect overpayments and ineligibility for assistance. Under the Privacy Act, the Privacy Commissioner is responsible for issuing Guidelines for protecting privacy, investigating complaints and monitoring agency compliance;
- The National Health Act 1953, under which the Privacy Commissioner is required to issue Guidelines covering the storage, use, disclosure and retention of individuals' claims information under the Pharmaceutical Benefits Scheme and the Medicare program; and
- The Telecommunications Act 1997, under which the Privacy Commissioner has some monitoring and compliance functions.
Privacy Legislation and Development in Other States and Territories
The following information gives a brief overview of State and Territory privacy development. For more detail please refer to the appropriate state agency.
New South Wales
The Privacy and Personal Information Protection Act 1998 (NSW) established the Office of the New South Wales Privacy Commissioner.
The Health Records and Information Privacy Bill 2002 was introduced into the NSW parliament in June 2002. Once passed, this Act will apply to the State public sector and will also apply to acts or practices in the private sector not covered by the Privacy Act. The jurisdiction of the NSW Act is generally limited to the public sector. However, the Commissioner (NSW) can also investigate and conciliate privacy breaches by organisations and individuals who are not public sector agencies.
Victoria
The Information Privacy Act 2000 covers all personal information except health information in the public sector in Victoria. This Act adopts ten Information Privacy Principles which are based on the NPPs set out in the Privacy Act. Some changes were made to these principles to adapt them to the Victorian state public sector context. Compliance with the principles of this Act is required from 1 September 2002.
The Health Records Act came into effect from 1 July 2002. This Act covers the handling of all personal information held by health service providers in the State public sector and also applies to acts or practices in the Victorian private sector that are not covered by the Privacy Act. This includes any information about a person's health or disability, information about the donation of body parts, organs or substances, and genetic information. This Act is based on the ACT Health Records (Access and Privacy) Act 1997 and contains a set of principles adapted from the NPPs.
Queensland
A privacy scheme applies to Queensland State Government agencies and most statutory government-owned corporations. The regime commenced in September 2001 and includes an Information Standard, and privacy guidelines based on the Information Privacy Principles of the Privacy Act 1988 will be produced.
To ensure a nationally consistent approach between the public and private health sectors, Queensland Health will participate in the national privacy scheme for the private sector and be governed by the 10 NPPs. Otherwise Queensland Health is subject to Queensland Privacy in the same way as all other Queensland Government agencies.
The Health Rights Commission provides an enquiry service and a health complaint system including privacy-related complaints involving the State public health sector.
Western Australia
The State public sector in Western Australia does not currently have a legislative privacy regime. Various confidentiality provisions cover government agencies and some of the privacy principles are provided for in the Freedom of Information legislation.
South Australia
South Australia has issued an administrative instruction requiring its government agencies to generally comply with a set of Information Privacy Principles (SA).
South Australia also has a Code of Fair Information Practice based on the NPPs. This Code applies to health information handled by SA government departments dealing with health, housing and community. For more information contact the Department of Human Services.
Tasmania
In 1997 Tasmania issued Information Privacy Principles based on federal legislation and recommended the principles to Tasmanian government agencies. Privacy legislation for the public sector is in development.
The Northern Territory
A draft Information Bill which covers the protection of personal information and record keeping and archive management was tabled in the Legislative Assembly in October 2001. The revised Information Bill is expected to be introduced in August 2002.
A media release on Protecting the Privacy of Health Information in the Territory was issued in March 2002.
Australian Capital Territory
The Privacy Act also applies to ACT government agencies and is administered by the Privacy Commissioner on behalf of the ACT government. The Health Records (Privacy and Access) Act 1997 (ACT) covers health records held in the public sector in the ACT and also applies to acts or practices in the private sector not covered by the Privacy Act. The Health Records Act contains privacy principles based on the federal legislation but modified to suit the requirements of health records. The ACT Community and Health Services Complaints Commissioner handles health record privacy complaints.
Other Key Privacy Issues
- private sector privacy overseas
The move in Australia to give greater privacy protection to personal information in the private sector is part of a worldwide trend. The principles applying to the public sector and private sectors in the Privacy Act are based on the Organisation for Economic Cooperation and Development’s (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data developed in 1980. These guidelines govern the way personal information about individuals is collected, stored, used and disclosed. They also establish the right of individuals to gain access to, and have amended, information about them held by others.
Most European countries have passed laws for the public and private sectors based on the OECD principles. New Zealand, Hong Kong and Taiwan also have privacy laws that apply to both public and private sectors. For more information refer to international regulator sites.
The development of new technology and e-commerce has raised new issues about information privacy. Increasing use of the Internet and other technology means that personal information may be very easily collected and transferred around the world. Some countries have laws that prohibit businesses from transferring information to other countries that do not have equivalent protection for personal information. A number of countries, including Australia, are responding to this by developing their own private sector privacy regimes. NPP 9 of the Privacy Act deals with the handling of personal information in transborder dataflows.
- information technology, the internet, e-commerce and electronic service delivery
The continuing growth of the Internet has seen a corresponding growth in concern about online privacy. Surveys continue to show that users are concerned about the collection, security, use and disclosure of information about them on the Net.
- Three major pieces of research were published by the Office in July 2001 on Australians and privacy. Sectors targeted were the community, business and government. The surveys showed that Australians regard privacy as a closely held and highly personal value. People look for signals that an organisation will manage their personal information well. For example, 59% said they would trust an organisation more if that organisation gave them control over how their information was to be used, and 55% said that organisations with privacy policies would be more likely to gain their trust.
- The Privacy Commissioner monitors technological and Internet related developments that may affect privacy. Of particular interest have been a number of proposed technological solutions to Internet privacy protection. The Office published Guidelines for Federal and ACT Government Websites for the protection of privacy of users of federal and ACT agency websites in May 1999 and Guidelines on Workplace E-mail, Web Browsing and Privacy in March 2000.
- The Privacy Commissioner issued Guidelines to assist agencies to manage the privacy risks associated with public key infrastructure in 2001.
Various government bodies have been involved in projects and activities designed to encourage the uptake of E-commerce and Electronic Service Delivery. The federal Government committed to delivering all appropriate services electronically by 2001 and has passed enabling legislation, the Electronic Services Transactions Act 1999. Many of these projects have privacy implications that impact on the work of the Privacy Commissioner.
Office of the Federal Privacy Commissioner Updated August 2002