Commonwealth privacy legislation: Privacy Act
The Privacy Act sets minimum standards for how personal information (see the definition in ‘Personal information’, below) can be collected, used, held and disclosed. It gives individuals rights in relation to personal information, including the right to access information an entity holds about them, and the right to seek its correction.
Key features of the Privacy Act are:
the 13 Australian Privacy Principles (APPs): legally binding principles that cover the handling of personal information by the Australian Government and most Australian businesses and not-for-profit organisations (although most small businesses are exempt; see ‘Exemptions from the Privacy Act’, below);
obligations on credit providers and credit-reporting bodies: when engaged in a credit-reporting business (as defined in Privacy Act ss 6G, 6P), these bodies must comply with the credit-reporting provisions in Part IIIA of the Privacy Act and with the legally binding Privacy (Credit Reporting) Code 2014 (‘CR Code 2014’); and
the Notifiable Data Breach (NDB) Scheme: this sets out the notification obligations, and related functions, of entities bound by the Act when the security of personal information they hold is compromised.
Australian Privacy Principles guidelines
The APP guidelines are advisory guidelines. They outline the requirements of the APPs and provide advice on how to interpret and comply with them. The APP guidelines are an invaluable resource for assessing privacy rights in individual circumstances. They are available at www.oaic.gov.au/privacy.
-
On 14 May 2020, the Privacy Act was amended to add Part VIIIA to protect data in the COVIDSafe app and in the National COVIDSafe Data Store.
Part VIIIA of the Privacy Act:
prohibits anyone from being required to download or use the COVIDSafe app;
strictly limits the purposes for which data can be collected, used or disclosed: data can only be collected, used or disclosed by state or territory officials who are contact tracing individuals who have possibly been exposed to COVID-19;
provides that information collected cannot be accessed by police officers or used in court proceedings, except in relation to a suspected crime arising from a breach of Part VIIIA;
protects information sent to a state or territory health department from the National COVIDSafe Data Store; and
requires data to be deleted when it is no longer required.
To assist regulated entities during the COVID-19 pandemic, the Office of the Australian Information Commissioner (OAIC) published a guide titled Coronavirus (COVID-19): Understanding your privacy obligations to your staff (1 June 2021). For more information, see www.oaic.gov.au/privacy.
Some functions and powers brought in to assist management of the pandemic have since come to an end. One example is the Occupational Health and Safety Amendment (COVID-19 Vaccination Information) Regulations 2022 (Vic). Businesses that had relied upon the regulations (or a pandemic order predating the regulations) to collect, record, hold or use vaccination information from ‘specified persons’ were required to destroy all such data by 11 August 2023. These rules acknowledge that when a pandemic ceases to impose public health risks on the community, any special measures that limit individual rights should be scaled back accordingly.
Personal information
Under the Privacy Act, ‘personal information’ is defined as information, or an opinion, about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not.
Whether an individual is ‘reasonably identifiable’ depends on the circumstances, including the nature of the information and any other available facts. The test of whether a person is reasonably identifiable is an objective test that considers the context. An individual might not be reasonably identifiable if the steps required to do so are excessively time-consuming or costly.
‘Individual’ means a natural person; this does not include a deceased person. However, information about a deceased person may include personal information about a living person in some contexts.
Sensitive information
The Privacy Act defines ‘sensitive information’ as:
Information or an opinion (that is also personal information) about an individual’s:
racial or ethnic origin;
political opinions;
membership of a political association;
religious beliefs or affiliations;
philosophical beliefs;
membership of a professional or trade association;
membership of a trade union;
sexual orientation or practices;
criminal record;
health information, including an individual’s healthcare identifier and any other personal information collected for the purpose of providing a health service;
genetic information;
biometric information that is to be used for automated biometric verification or biometric identification; or
biometric templates.
In general, sensitive information has a higher level of protection under the APPs than other personal information (see, for example, APPs 3, 6, 7).
-
The Privacy Act applies to federal government agencies (including federal ministers, the Australian Federal Police, federal courts, and a Norfolk Island agency). The Privacy Act also applies to most private sector organisations, including:
individuals who collect, use or disclose personal information in the course of running a business;
owners corporations;
partnerships, unincorporated associations and trusts; and
contracted service providers (federal contracts).
Some of the APPs apply differently to Australian Government agencies and private sector organisations. The term ‘APP entity’ is used where the APPs apply to both private sector organisations and to government agencies. The APPs apply to acts and practices engaged in inside and outside Australia by organisations and small business operators that have an Australian link, as defined in the Privacy Act.
Exemptions from the Privacy Act
Exemption for individuals acting in a non-business capacity
The Privacy Act does not apply to personal information that individuals collect, hold, use or disclose for the purposes of their personal, family or household affairs. In other words, the Privacy Act does not apply to an individual’s handling of personal information unless it is done in the course of running a business.
Small business exemption
Most small business operators do not have to comply with the Privacy Act. A small business is an organisation (including sole trader businesses) with an annual turnover of $3 million or less.
Some small businesses are not exempt from the Privacy Act, including those that:
provide a health service and hold any health information;
trade in personal information, either:
disclosing personal information for a benefit, service or advantage, or
providing a benefit, service or advantage to collect an individual’s personal information from anyone else (unless the individual consents, or the disclosure or collection is required or authorised by law);
are service providers contracted by the Commonwealth Government;
are a ‘reporting entity’ under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth); or
have opted to be covered by the Privacy Act.
A list of small businesses and not-for-profit organisations that have opted to be covered by the Privacy Act is available at www.oaic.gov.au/privacy/privacy-registers.
Employee records exemption
Acts and practices that directly relate to:
a current or former employment relationship; and
an employee record,
are exempt from the Privacy Act. An ‘employee record’ is a record of personal information that relates to the employment of a person, such as information about the employee’s:
health;
engagement, training, disciplining or resignation;
terms and conditions of employment;
personal and emergency contact details;
performance or conduct; and
taxation, banking or superannuation affairs.
Note that the exemption does not apply to the handling of information about people who are applying for employment, or about contractors or volunteers. The original intention of the exemption was that matters of workplace privacy would be regulated through workplace relations law, wherever applicable.
Journalism exemption
Journalistic activities and practices of media organisations are exempt from the Privacy Act. A ‘media organisation’ is an organisation whose activities consist of the collection, preparation and dissemination of news, current affairs, information or documentaries. The media organisation must be publicly committed to observing published industry standards that deal with privacy. Examples of such standards include industry codes regulated by the Australian Communications and Media Authority (ACMA) and the Australian Press Council.
Political exemption
The political activities of registered political parties, members of parliament, and local government councillors are exempt from the Privacy Act. For the purposes of the exemption, the political activities must have some connection with an election under electoral law, a referendum, or some other aspect of the political process. The political activities of contractors and volunteers of registered political parties are also exempt.
Permitted general situation exception
Some APPs do not apply if a ‘permitted general situation’ exists. This exception applies to the collection of sensitive information (APP 3), the use and disclosure of personal information (APPs 6, 8), and the use and disclosure of a government-related identifier (APP 9).
The seven permitted general situations are:
lessening or preventing a serious threat to the life, health or safety of an individual – or to public health or safety – but only if it is unreasonable or impracticable to obtain consent;
taking action in relation to suspected unlawful activity or serious misconduct;
locating a person reported as missing;
asserting a legal or equitable claim;
conducting an alternative dispute resolution;
performing diplomatic or consular functions (only applies to agencies); and
conducting specified Australian Defence Force activities.
State of emergency or state of disaster exemption
If the Prime Minister, or another government minister, declares a state of emergency or a state of disaster, Part VIA of the Privacy Act enables an entity to collect, use and disclose personal information if the entity reasonably believes the individual is involved in the emergency or disaster and the collection, use or disclosure of personal information is for a permitted emergency or disaster-related purpose.
Public interest determinations
Under Part VI of the Privacy Act, the Information Commissioner can make a public interest determination if satisfied that an act or practice breaches one or more of the APPs or the Privacy (Australian Government Agencies – Governance) APP Code 2017 (Cth) (‘APP Code’) but that the public interest in doing that act or practice outweighs the public interest in complying with the APPs or APP Code.
-
Where an entity breaches an APP, this is ‘an interference with the privacy of an individual’ under section 13(1) of the Privacy Act. Part V of the Privacy Act gives the Information Commissioner the power to investigate possible interferences with privacy, on the commissioner’s own initiative or in response to a complaint.
The commissioner can seek certain remedies for breaches of the APPs, including enforceable undertakings, injunctions, and civil penalty orders.
Since 22 February 2018, APP entities have also been subject to a mandatory data breach notification scheme in the Privacy Act (see ‘Data breach notification’, below).
The OAIC has published a Guide to Privacy Regulatory Action under the Privacy Act (see www.oaic.gov.au/about-the-OAIC/our-regulatory-approach/guide-to-privacy-regulatory-action).
-
Under section 35A of the Privacy Act, the Information Commissioner can ‘recognise’ external dispute resolution (EDR) schemes to handle particular privacy-related complaints. The Information Commissioner has issued guidelines for recognising EDR schemes. For a list of recognised EDR schemes, see ‘Contacts’ at the end of this chapter.
-
The Information Commissioner has the power to approve and register enforceable codes for certain entities, or to cover specific industry functions (see www.oaic.gov.au/privacy/privacy-registers/privacy-codes/privacy-codes-register for a listing of these codes).
To date, the registered codes are:
the APP Code, which sets out specific requirements and steps that agencies must take in complying with APP 1.2 (see ‘Australian Privacy Principle 1: Management of personal information’, next);
the CR Code 2014 (see ‘Privacy and credit reporting’, in this chapter); and
the Privacy (Market and Social Research) Code 2021.
-
The OAIC is the independent statutory agency that was created by the Australian Information Commissioner Act 2010 (Cth) (‘AICA 2010’) to administer the Privacy Act and the Freedom of Information Act 1982 (Cth) (‘FoI Act (Cth)’). The AICA 2010 (s 6) created three information officers: the Information Commissioner, the Freedom of Information Commissioner, and the Privacy Commissioner.
The Privacy Commissioner has the privacy functions, but certain actions can only be undertaken with the Information Commissioner’s approval. The Information Commissioner has all the functions under the Privacy Act and the FoI Act (Cth).
The Information Commissioner can delegate most of these functions under the Privacy Act.
Chapter: 12.2: Privacy and your rights
Contributor: Melanie Casley, Senior Privacy Consultant, Salinger Privacy
Current as of: 1 September 2024
Law Handbook Page: 995