Privacy In Australia – Does The Privacy Act Apply To You?

The federal Privacy Act 1988 is designed to
promote the protection of individuals’ privacy in Australia by imposing obligations on those
who collect and handle personal information to manage it responsibly and transparently.
It does so by reference to a number of principles known as the Australian Privacy Principles.
These principles are similar to those found in other jurisdictions such as Canada and
Europe. Initially the Privacy Act only applied to
Commonwealth government agencies and departments, but now it also applies to the private sector.
If your business is a medium to large organisation that collects, handles, or stores personal
information, then there is a good chance the Privacy Act applies to you. It is not necessary
for your business to be a company in order to be covered – individuals, partnerships,
unincorporated associations and trusts can all be caught by the legislation.
The Privacy Act applies to businesses, not-for-profit organisations such as charities
and community sector organisations, clubs and associations, and unions and employee
organisations whenever turnover exceeds $3 million. However, even if turnover is less
than that, you may still be caught by the Act.
For example, the Act will apply if your organisation provides a health service to another individual
and holds any health information that is not about your employees. For these purposes,
‘health service’ includes not just medical and allied health care, but also pharmaceutical
services, complementary therapies such as acupuncture and chiropractic, and services
such as gyms and health spas. It also applies to credit reporting bodies
or businesses that trade in personal information, service providers under contract to the Commonwealth
government, and those entities which are related to a company that is caught by the legislation,
such as a holding company or subsidiary of a larger company.
Some businesses or organisations are created under the Privacy Regulations, such as those
which operate a residential tenancies database, and are automatically subject to the legislation.
Others have opted to be regarded as an organisation for these purposes. A register of these businesses
is kept by the Australian Office of the Information Commissioner or OIC. Some businesses benefit
from greater customer confidence and trust that comes with operating under the Privacy
Act even where they are not strictly required to do so.
The Privacy Act does not cover small businesses – those with a turnover below $3 million
– that aren’t covered by one of the exceptions above, or an individual collecting information
for personal, family or household reasons rather than in the course of running a business.
It does not apply to public schools, or to universities other than a private university
or the Australian National University. Registered political parties are exempt from
the legislation, as are members of Parliament and local government Councillors, contractors
and volunteers who are performing actions in relation to, or facilitating, elections,
referendums, or other aspects of the political process.
Media organisations engaged in journalism which have made a public commitment to observe
privacy standards are not necessarily formally caught by the legislation. State and Territory
government agencies are exempt unless certain conditions apply.
Special exemptions apply to information that has originated, or has been received, from
an Australian intelligence agency, Defence Intelligence Organisation, Defence Signals
Directorate, Defence Imagery and Geospatial Organisation, or the Australian Crime Commission.
In most cases, if you are a private sector organisation, it is the federal Privacy Act
that will apply to you. If, however, you contract with a state government
agency to, for example, provide IT services within a department or to provide community
based services such as shelter for homeless people, then the terms of that contract will
often bind you to the relevant state legislation. The obligations under the state legislation
will be broadly similar to the obligations under the federal Act; however, you should
seek legal advice in relation to your particular circumstances.
The privacy legislation which applies in the ACT is the Information Privacy Act 2014 and
the Health Records (Privacy and Access) Act 1997. In New South Wales, privacy is governed
by the Health Records and Information Privacy Act 2002 and the Privacy and Personal Information
Protection Act 1998. Northern Territory privacy law is found in the Information Act. For Queensland,
the relevant legislation is the Information Privacy Act 2009, for Tasmania it is the Personal
Information Protection Act 2004, and for Western Australia, it is the Freedom of Information
Act 1992. In Victoria, privacy laws are found in the Privacy and Data Protection Act 2014
and the Health Records Act 2001. Unlike all other states and territories, South
Australia’s privacy legislation relates only to the health care sector through the
Health Care Act 2008. However, government agencies are required to abide by the Information
Privacy Principles, and, if relevant, the Code of Fair Information Practice.
If you or someone you know is concerned about privacy obligations, or believes that their
privacy has been breached, Go To Court Lawyers operate a Legal Hotline on 1300 636 846 where
you can talk directly to a lawyer 7am – midnight, 7 days/week. Your call will be treated with
the strictest confidentiality and without judgement.
The lawyer will assess your matter and recommend a course of action.
Should you need a lawyer, even if it is at very short notice, the Legal Hotline staff
will be able to arrange legal representation for you. You can also request a call back
via the website gotocourt.com.au and a lawyer will call you back to assess your matter.