Privacy protection in Australia: Other Commonwealth legislation and guidelines

  • In addition to the Privacy Act, other Commonwealth laws and guidelines deal with information privacy. These include legislation relating to TFNs, medical research, electronic health records, Pharmaceutical Benefits Scheme (PBS) and Medicare, spent criminal convictions, registered personal property security interests, telecommunications, and the consumer data right (CDR) (see ‘Consumer Data Right’, below).

    Freedom of Information Act

    As stated under APP 12, federal public sector agencies provide access to personal information through the FoI Act (Cth).

    However, section 41 of the FoI Act (Cth) exempts agencies from providing access to personal information if the disclosure involves an unreasonable disclosure of personal information – subject to the exception that a person cannot be denied access to documents containing their own personal information.

    A person dissatisfied by the decision of an agency or government minister regarding access to their personal information can apply to the Information Commissioner for a review. In most cases, the request for review must be made within 60 days of being notified of the agency’s or minister’s decision.

  • TFNs are unique numbers issued to individuals by the Australian Taxation Office (ATO). The enhanced TFN scheme, introduced in 1988, allows the ATO to identify those who lodge income tax returns, and to match information provided in tax returns with other sources of information (e.g. records of interest earned on funds in bank accounts).

    Because of concerns about the earlier proposal of an Australia Card, a central feature of the TFN scheme is that supplying a personal TFN is voluntary.

    However, in 1990 – through the Data-matching Program (Assistance and Tax) Act 1990 (Cth) (‘Datamatching Act’) and the Guidelines for the Conduct of Data-matching Programs (‘Data‑matching guidelines’) – the government extended the scheme to make providing a TFN a condition of receiving assistance from a number of Australian Government agencies (e.g. Centrelink and the Department of Veterans’ Affairs). The government also extended the scheme to allow TFNs to be used to compare income reported to the ATO with income reported to federal assistance agencies. This is subject to strict controls and safeguards, and the Information Commissioner monitors Australian Government agencies’ compliance with the Data-matching Act, the Data-matching guidelines, and the Privacy Act.

    A breach of the Data-matching Act or Data-matching guidelines is an interference with privacy under the Privacy Act (s 13). If a person’s privacy has been breached under section 13, they can complain to the Information Commissioner.

    Certain uses of the TFN in relation to superannuation administration are also authorised by law.

    The Privacy (Tax File Number) Rule 2015 (‘TFNR 2015’), issued under section 17 of the Privacy Act, covers the collection, recording, use and disclosure of TFNs for individuals. Under the TFNR 2015, a TFN recipient must not record, collect, use or disclose TFN information unless permitted under taxation, superannuation or other laws. TFN recipients must also abide by the Taxation Administration Act 1953 (Cth).

    A breach of the TFNR 2015 is an interference with privacy under the Privacy Act. An individual who believes that the rule has been breached can complain to the Information Commissioner.

  • Section 95 guidelines

    The guidelines under section 95 of the Privacy Act (‘section 95 guidelines’) – issued by the Australian Government’s National Health and Medical Research Council (NHMRC) – apply to medical research that involves personal information held by an Australian Government agency where the agency seeks to use or disclose personal information for research in a way that may breach the APPs. 

    The section 95 guidelines provide a framework for Human Research Ethics Committees (HRECs) to assess, and decide whether to approve, research proposals before they proceed.

    Section 95A guidelines

    The guidelines under section 95A of the Privacy Act (‘section 95A guidelines’) are conceptually similar to the section 95 guidelines issued by the NHMRC. These guidelines apply to:

    • the collection, use or disclosure of health information held by private sector organisations for the purposes of research;

    • the compilation or analysis of statistics, relevant to public health or public safety; and 

    • the collection of health information held by organisations for the purpose of health service management,

    where it is impracticable to seek the consent of relevant individuals to collect, use or disclose the health information.

    The section 95A guidelines are also used by HRECs, and those involved in conducting research, compiling statistics, or working in health service management. Their use involves an assessment to determine whether the public interest in those activities substantially outweighs the public interest in the protection of privacy afforded by the APPs.

    Researchers must obtain approval from a NHMRC-registered HREC to conduct research projects involving people as participants, or their data. The HREC assesses the privacy aspects, along with other factors, in deciding whether or not to approve the research proposal. 

    Section 95AA guidelines

    In March 2014, the Privacy Commissioner approved updated guidelines for the use or disclosure of a living individual’s genetic information by a private health service provider, to lessen or prevent a serious threat to a genetic relative’s life, health or safety (‘section 95AA guidelines’). The section 95AA guidelines – also issued by the NHMRC – must be followed when seeking to use or disclose this information without the individual’s consent, in reliance on the exception in APP 6.2(d).

    Each of the above sets of guidelines is available on the NHMRC’s website (www.nhmrc.gov.au).

  • The ‘My Health Record’ system is the Australian Government’s electronic health system. The My Health Records Act 2012 (Cth) (‘MHR Act’) (formerly known as the Personally Controlled Electronic Health Records Act 2012 (Cth)), together with the My Health Records Regulation 2012 (Cth) and the My Health Records Rule 2016 (Cth), make up the legislative framework for the My Health Record system.

    The MHR Act places strict controls on the collection, use and disclosure of the health information in an individual’s ‘My Health Record’. A collection, use or disclosure that is not authorised by the legislation is both a contravention of the MHR Act and an interference with the individual’s privacy under the Privacy Act. The MHR Act also imposes mandatory data breach notification obligations on the system operator, repository operators and portal operators.

    A ‘My Health Record’ allows an individual’s doctors and other healthcare providers to view the individual’s health information in accordance with access controls imposed by the individual.

    Individual health records can be accessed at www.digitalhealth.gov.au/initiatives-and-programs/my-health-record.

    The system was previously opt-in only. However, since 31 January 2019, every Australian who did not already have a ‘My Health Record’ has been automatically registered, unless they opt out.

    The Information Commissioner regulates the handling of personal information under the My Health Record system by individuals, Australian Government agencies, private sector organisations, and some state and territory agencies, instrumentalities and authorities (in particular circumstances). The Information Commissioner has issued the My Health Records (Information Commissioner Enforcement Powers) Guidelines, which outline the commissioner’s investigation and enforcement powers with respect to the My Health Record system. See www.digitalhealth.gov.au/initiatives-and-programs/my-health-record.

  • The Healthcare Identifiers Act 2010 (Cth) and the Healthcare Identifiers Regulations 2010 (Cth) implement a national system for assigning unique identifiers to individuals. 

    Healthcare identifiers are assigned and administered through the Healthcare Identifiers Service (see ‘Contacts’ at the end of this chapter).

    Healthcare identifiers help healthcare providers to communicate information to each other about an individual, and to identify and access a patient’s records in the My Health Record system. Healthcare identifiers can only be accessed, used and disclosed for limited purposes. Any unauthorised use and disclosure is a breach of the Privacy Act.

  • Section 135AA of the National Health Act 1953 (Cth) provides for the issue of legally binding guidance covering the handling of certain health information within the PBS and the Medicare Benefits Program (Medicare) by Australian Government agencies.

    The National Health (Privacy) Rules 2021 regulate the way Australian Government agencies link and store claims information under the PBS and Medicare.

  • Under Part VIIC of the Crimes Act 1914 (Cth), a person is not required to disclose some old criminal convictions in certain circumstances and is protected against unauthorised use and disclosure of this information. This is known as the ‘Commonwealth Spent Convictions Scheme’.

    For the purposes of the scheme, a person is said to have been convicted of an offence if:

    • they have been convicted of the offence;

    • they have been found guilty of the offence but discharged without conviction; or

    • they have been found not guilty of an offence, but a court has taken the offence into account when sentencing them for another offence.

    A ‘spent’ conviction is a conviction that satisfies the following conditions:

    • it is 10 years since the date of conviction (or five years for juvenile offenders);

    • the sentence imposed was a fine, bond, community service order, or term of imprisonment not greater than 30 months;

    • the individual has not been convicted of a further offence committed during the 10 (or five) years waiting period; and

    • an exclusion does not apply (see ‘Exclusions under the scheme’, below).

    For the purposes of the scheme, a ‘spent’ conviction also includes:

    • a conviction for which a person has been granted a pardon because they were wrongly convicted; or

    • a conviction that has been quashed by a court.

    The scheme covers all offences that meet the criteria for a spent conviction above, including foreign convictions. However, the protections under the scheme are limited by whether the conviction was for a Commonwealth offence (including an Australian external territory or Jervis Bay Territory), a state offence (including the Australian Capital Territory and Northern Territory), or a foreign offence, and where the recipient of the information is located.

    Protections under the scheme

    The Commonwealth Spent Convictions Scheme offers the following protections:

    • an individual does not have to disclose a spent conviction;

    • an individual can claim on oath that they were not convicted of an offence; and

    • any other person who knows, or ought to reasonably know, about the spent conviction is prohibited from taking the conviction into account or disclosing the conviction.

    The right of non-disclosure is limited, depending on the type of conviction, who the recipient of the information is and where they are located.

    If the spent conviction is for a Commonwealth offence, an individual does not have to disclose it to any person wherever they are located in Australia or to any Commonwealth or state authority located in a foreign country.

    If the spent conviction is for a state or foreign offence, an individual does not have to disclose it to any person located in an Australian external territory or Jervis Bay Territory. A person does not have to disclose the spent conviction to any Commonwealth authority located in a state, territory or overseas.

    Complaints of breaches of the Commonwealth Spent Convictions Scheme may be made to the Australian Information Commissioner. 

    Exclusions under the scheme

    Exclusions under the Commonwealth Spent Convictions Scheme are limited to specific organisations that need to know about particular offences for special purposes. For example, if a person is applying for a position involving the care and control of children, the potential employer can find out about any sex offence convictions, or convictions for offences where the victim was a child. If an agency is excluded, it should explain this fact, and what it means for the person concerned. 

    State and territory schemes

    Some states and territories have their own spent convictions schemes for state offences. This now includes Victoria since the enactment of the Spent Convictions Act 2021 (Vic), which operates retrospectively, meaning that it applies to convictions that were imposed before, on or after the day on which the Act came into operation.

    A specific scheme providing for the expungement of historical homosexual offences that are not criminal offences today has operated in Victoria since September 2015 (see www.justice.vic.gov.au/expungement-scheme).

    For further information about spent convictions, see ‘Spent convictions’ in Chapter 3.9: Understanding criminal records. See also www.oaic.gov.au/privacy/your-privacy-rights/more-privacy-rights/criminal-records. For Victorian offences 

  • The Personal Property Securities Act 2009 (Cth) (‘PPS Act’) has established a national register for personal property and security interests (for more information, visit www.ppsr.gov.au).

    ‘Personal property’ means property other than land, buildings or fixtures that form a part of land. It can include tangibles (e.g. cars, crops and machinery) and intangibles (e.g. contract rights and intellectual property).

    A personal property security is created when a ‘secured party’ takes an interest in personal property as security for a loan or other obligation or enters into a transaction that involves the supply of secured finance. A secured party is a person or entity that has a security interest in the collateral of someone else (the grantor). ‘Collateral’ is personal property (consumer or commercial) with a security interest attached.

    Registrations on the PPS register can include:

    • data about the grantor’s property or collateral;

    • a person’s name and date of birth;

    • data about the secured party, although the secured party’s details are not searchable.

    Grantors must be notified when a secured party makes a registration against them.

    The PPS Act protects grantors, secured parties and others from misuse of the register (e.g. illegitimate searches and registrations), with civil penalties to protect people’s privacy. A breach of certain limitations is also an interference with privacy under the Privacy Act. A breach may also give rise to damages.

  • The telecommunications sector is regulated by the Privacy Act, the Telecommunications Act 1997 (Cth) (‘Telecommunications Act (Cth)’) and the Telecommunications (Interception and Access) Act 1979 (Cth) (‘TIA Act’). These Acts set out specific obligations, which include prohibiting a telecommunications provider from disclosing personal information (subject to limited exemptions). These obligations are in addition to telecommunications providers’ obligations to comply with the APPs (see ‘Summary of the Australian Privacy Principles’, above).

    The Telecommunications Act (Cth) provides for the registration of telecommunications codes under a self-regulatory framework. These codes are developed by the industry through the Communications Alliance and may be registered with the ACMA.

    The Communications Alliance has issued several codes with privacy-related obligations: calling number display (G522:2016), handling of life-threatening and unwelcome calls (C525:2023), and integrated public number database (C555:2020).

    For more information about Telecommunications Act (Cth) codes and standards currently in force, visit www.acma.gov.au.

    The TIA Act permits telecommunications providers to disclose personal information to the Australian Security Intelligence Organisation (ASIO) or to the Federal Police. The TIA Act prohibits the unauthorised access and interception of communications, subject to various exceptions, unless a warrant is obtained. Those issuing warrants must consider, among other things, the privacy of the people affected by the access and interception. The OAIC can monitor compliance with the record-keeping requirements contained in Part 13 of the Telecommunications Act (Cth), which requires telecommunications providers to keep records of certain disclosures of personal information.

    Telecommunications providers are required to collect and retain certain types of telecommunications data (metadata) for a minimum period of two years.

    Do not call register

    A national ‘do not call register’ began operating in May 2007 in accordance with the Do Not Call Register Act 2006 (Cth). The register is administered by the ACMA. The Act allows people to register (without charge) their home phone, domestic mobile and fax number to opt out of a wide range of unsolicited telemarketing calls. 

    The Do Not Call Register Legislation Amendment Act 2010 (Cth) has enabled all Australian telephone and fax numbers to be registered, allowing organisations and individuals to access the register’s protections.

    Businesses can still contact other businesses with whom they have a relationship under the inferred consent provisions. Businesses that have given express consent to receive calls or faxes may also continue to be contacted. However, ‘cold calls’ and marketing faxes to businesses that do not fall under the express or inferred consent provisions are prohibited for numbers on the register.

    As a part of the registration process, new registrants are provided with the option to nominate to receive calls or faxes relating to a list of industry classifications. The legislation makes it illegal for any non-exempt telemarketer in Australia and overseas to contact a number on the register without consent.

    There are exemptions for government bodies, educational or religious organisations, registered political parties, independent members of parliament, electoral candidates and charities. 

    Market and social researchers may call to conduct standard opinion polling and questionnaire research, subject to a national industry standard. Businesses that have an existing relationship with a person may also call numbers on the do not call register.

    Enquiries and complaints relating to the do not call register can be made to the ACMA.

  • The CDR is intended to give consumers greater control over their data. The CDR also gives consumers the ability to direct a data holder to provide their CDR data to an accredited data recipient in a CDR-compliant format. The CDR was enacted by the Treasury Laws Amendment (Consumer Data Right) Act 2019 (Cth), which inserted a new Part IVD into the Competition and Consumer Act 2010 (Cth).

    The CDR scheme was introduced in the banking sector on 1 July 2020 and is being progressively rolled out to other sectors. The energy sector has been bound since 15 November 2022. Expansion to the non-bank lending and telecommunications sectors is currently paused. The Competition and Consumer (Consumer Data Right) Rules 2020 (‘CDR Rules’) provide the framework for how the CDR legislation applies, including in relation to consent and privacy safeguards.

    The CDR is co-regulated by the Australian Information Commissioner and the Australian Competition and Consumer Commission. For more information about the CDR, see www.cdr.gov.au.

Chapter: 12.2: Privacy and your rights

Contributor: Melanie Casley, Senior Privacy Consultant, Salinger Privacy

Current as of: 1 September 2024

Law Handbook Page: 1006

Next Section: Complaints to the Information Commissioner
