The federal Privacy Act 1988 is designed to promote the protection of individuals’ privacy in Australia by imposing obligations on those who collect and handle personal information to manage it responsibly and transparently. It does so by reference to a number of principles (the Australian Privacy Principles).
These principles are similar to those found in other jurisdictions such as Canada and Europe.
Initially the Privacy Act only applied to Commonwealth government agencies and departments, but now it also applies to the private sector.
If your business is a medium to large organisation that collects, handles, or stores personal information, then there is a good chance the Privacy Act applies to you. It is not necessary for the business to be a company in order to be covered – individuals, partnerships, unincorporated associations and trusts are all caught by the legislation.
Where turnover exceeds $3 million, the Privacy Act applies to:
- not for profit organisations (charities and community sector organisations)
- clubs and associations
- unions and employee organisations.
Where turnover is less than $3 million, you may still be caught by the Privacy Act where, for example, your organisation:
- provides a health service to another individual and holds any health information that is not about your employees. ‘Health service’ includes not just medical and allied health care, but also pharmaceutical services, complementary therapies such as acupuncturists and chiropractors, and services such as gyms and health spas.
- is a credit reporting body or a business that trades in personal information
- is a service provider under contract to the Commonwealth government
- is created under the Privacy Regulations (eg if you operate a residential tenancy database)
- is related to a company that is caught by the legislation (eg a holding company or subsidiary of a larger company)
- has opted to be regarded as an organisation for these purposes. A register of these businesses is kept by the Australian Office of the Information Commissioner (OIC). Some businesses benefit from greater customer confidence and trust that may come from operating under the Privacy Act even where they are not strictly required to do so.
The Privacy Act does not cover:
- small businesses (with a turnover below $3 million) that aren’t covered by one of the exceptions above
- an individual collecting information not in the course of running a business but for personal, family or household reasons
- a university other than a private university or the Australian National University
- public schools
- a registered political party
- a member of Parliament or a local government Councillor, performing actions in relation to, or facilitating, elections, referendums, or other aspects of the political process, or a contractor or volunteer engaged to do the same
- a media organisation engaged in journalism which has made a public commitment to observe privacy standards
- state or territory government agencies, unless certain exceptions apply
- information that has originated, or has been received, from an intelligence agency, Defence Intelligence Organisation, Defence Signals Directorate, Defence Imagery and Geospatial Organisation, or the Australian Crime Commission.
In most cases, if you are a private sector organisation, it is the federal Privacy Act that will apply to you.
If, however, you contract with a state government agency (eg to provide IT services within a department or to provide community based services such as shelter for homeless people), then the terms of that contract will often bind you to the relevant state legislation.
The obligations under the state legislation will be broadly similar to the obligations under the federal Act; however, you should seek legal advice in relation to your particular circumstances.
The relevant legislation for the states and territories is:
- ACT – Information Privacy Act 2014, Health Records (Privacy and Access) Act 1997
- New South Wales – Health Records and Information Privacy Act 2002, Privacy and Personal Information Protection Act 1998
- Northern Territory – Information Act
- Queensland – Information Privacy Act 2009
- Tasmania – Personal Information Protection Act 2004
- Victoria – Privacy and Data Protection Act 2014, Health Records Act 2001
- Western Australia – Freedom of Information Act 1992.
Unlike all other states and territories, South Australia’s privacy legislation relates only to the health care sector (Health Care Act 2008). However, government agencies are required to abide by the Information Privacy Principles, and, if relevant, the Code of Fair Information Practice.
This article reflects the state of the law as at 1 February 2016. It is intended to be of a general nature only and does not constitute legal advice. If you require legal assistance, please telephone 1300 636 846 or request a consultation at gotocourt.com.au.