Australian Privacy Law
The principal statute regulating the collection, use, storage and disclosure of ‘personal information’ is the Privacy Act 1988 (Cth) and in particular the 13 Australian Privacy Principles (APPs) that form part of that Act. The Privacy Act is administered by the Office of the Australian Information Commissioner and the Australian Privacy Commissioner within that office.
Does the Privacy Act apply to my business?
The Privacy Act applies to the handling of personal information by ‘APP entities’.
The term APP entity has an extensive definition and includes:
the Australian and Norfolk Island governments and government agencies; and
all private sector and non-profit organisations with an annual group global revenue of more than $3 million.
There are, however, numerous exceptions to the general scope of the Privacy Act. It does not apply to registered political parties, state or territory authorities or to the handling of personal information by an individual for the purposes of, or in connection with, the individual’s personal, family or household affairs.
In addition, the Act does apply to organisations with an annual group global revenue of less than $3 million if that organisation:
provides a health service and holds health information other than in an employee record;
discloses personal information about another individual for a benefit, service or advantage, or provides a benefit, service or advantage to collect personal information from anyone else, unless it does so with the consent of the individual or is required or authorised by legislation to do so; or
is a contracted service provider for a Commonwealth contract.
Other relevant laws
There are a range of laws in Australia, both at the federal and state and territory levels, which regulate or impact upon privacy and data protection.
Some Australian states and territories have enacted privacy statutes containing data protection principles broadly similar to the federal privacy principles. They govern the acts and practices of state and territory governments and their agencies, and in some cases the handling by the private sector of personal information collected by a government or its agencies.
In addition, there are numerous federal and state and territory statutes that deal with aspects of privacy and data protection, including:
federal and state and territory statutory legislation applicable to specific industries, such as the health and telecommunications sectors;
the regulation of unsolicited commercial telephone calls and emails by the Spam Act 2003 (Cth) and Do Not Call Register Act 2006 (Cth);
federal and state criminal laws dealing with unauthorised access to computer systems, including databases; and
developing judge-made law extending the equitable protection of confidential information to the misuse of private confidential information.
Privacy Policies
The Privacy Act requires all APP entities to:
have a clearly expressed and up-to-date privacy policy about how the entity manages personal information; and
take reasonable steps to make its privacy policy available free of charge in an appropriate form (usually on its website) and, upon request, in a particular form (see APP 1.3-1.6).
What should be in my privacy policy?
The privacy policy of an APP entity must contain the following information:
the kinds of personal information collected and held by the entity, for example, contact details, employment history, health information and criminal records;
how the entity collects and holds personal information, including whether the personal information is stored by a third party data storage provider and is combined or linked to other information held about an individual;
the purposes for which the entity collects, holds, uses and discloses personal information;
how an individual may access personal information about the individual that is held by the entity and seek the correction of such information;
how an individual may complain about a breach of the APPs or a registered APP code that binds the entity, and how the entity will deal with such a complaint; and
whether the entity is likely to disclose personal information to overseas recipients and the countries in which such recipients are likely to be located.
The Privacy Commissioner has emphasised the importance of readily understandable disclosure of privacy practices and of consistency between an entity's stated policies and its actual practices. The Commissioner has also made available a useful guide to developing a compliant privacy policy.
For more information, please contact Gavin McInnes on 07 3367 8681 or gmcinnes@grmlaw.com.au.
The information contained in this article is general in nature and cannot be regarded as anything more than general comment. Readers of this article should not act on the basis of this comment without consulting one of GRM LAW's legal practitioners, who will consider their particular circumstances.
Expertise
GRM LAW has a wide range of experience assisting companies in all aspects of business, corporate and IT law.
Not only will you find that GRM LAW is likely to have assisted someone in your exact situation, but you’ll find that a GRM LAW lawyer can distill a complex legal issue into a set of actionable options for you to consider.