Privacy In Australia – Does The Privacy Act Apply To You?

The federal Privacy Act 1988 is designed to promote the protection of individuals’ privacy
in Australia by imposing obligations on those who collect and handle personal information
to manage it responsibly and transparently. It does so by reference to a number of principles
known as the Australian Privacy Principles. These principles are similar to those found
in other jurisdictions such as Canada and Europe.

Initially the Privacy Act only applied to Commonwealth government agencies and departments,
but now it also applies to the private sector. If your business is a medium to large organisation
that collects, handles, or stores personal information, then there is a good chance the
Privacy Act applies to you. It is not necessary for your business to be a company in order
to be covered – individuals, partnerships, unincorporated associations and trusts can
all be caught by the legislation. The Privacy Act applies to businesses, not-for-profit
organisations such as charities and community sector organisations, clubs
and associations, and unions and employee organisations whenever turnover exceeds $3
million. However, even if turnover is less than that, you may still be caught by the
Act. For example, the Act will apply if your organisation
provides a health service to another individual and holds any health information that is not
about your employees. For these purposes, ‘health service’ includes not just medical
and allied health care, but also pharmaceutical services, complementary therapies such as
acupuncture and chiropractic, and services such as gyms and health spas.
It also applies to credit reporting bodies or businesses that trade in personal information,
service providers under contract to the Commonwealth government, and those entities which are related
to a company that is caught by the legislation, such as a holding company or subsidiary of
a larger company. Some businesses or organisations are created
under the Privacy Regulations, such as those which operate a residential tenancies database,
and are automatically subject to the legislation. Others have opted to be regarded as an organisation
for these purposes. A register of these businesses is kept by the Australian Office of the Information
Commissioner or OIC. Some businesses benefit from greater customer confidence and trust
that comes with operating under the Privacy Act even where they are not strictly required
to do so.

The Privacy Act does not cover small businesses
– those with a turnover below $3 million – that aren’t covered by one of the exceptions
above, or an individual collecting information for personal, family or household reasons
rather than in the course of running a business. It does not apply to public schools, or to
universities other than a private university or the Australian National University.
Registered political parties are exempt from the legislation, as are members of Parliament
and local government Councillors, contractors and volunteers who are performing actions
in relation to, or facilitating, elections, referendums, or other aspects of the political
process. Media organisations engaged in journalism
which have made a public commitment to observe privacy standards are not necessarily formally
caught by the legislation. State and Territory government agencies are exempt unless certain
conditions apply. Special exemptions apply to information that
has originated, or has been received, from an Australian intelligence agency, Defence
Intelligence Organisation, Defence Signals Directorate, Defence Imagery and Geospatial
Organisation, or the Australian Crime Commission.

In most cases, if you are a private sector
organisation, it is the federal Privacy Act that will apply to you.
If, however, you contract with a state government agency to, for example, provide IT services
within a department or to provide community based services such as shelter for homeless
people, then the terms of that contract will often bind you to the relevant state legislation.
The obligations under the state legislation will be broadly similar to the obligations
under the federal Act; however, you should seek legal advice in relation to your particular
circumstances.

The privacy legislation which applies in the
ACT is the Information Privacy Act 2014 and the Health Records (Privacy and Access) Act
1997. In New South Wales, privacy is governed by the Health Records and Information Privacy
Act 2002 and the Privacy and Personal Information Protection Act 1998. Northern Territory privacy
law is found in the Information Act. For Queensland, the relevant legislation is the Information
Privacy Act 2009, for Tasmania it is the Personal Information Protection Act 2004, and for Western
Australia, it is the Freedom of Information Act 1992. In Victoria, privacy laws are found
in the Privacy and Data Protection Act 2014 and the Health Records Act 2001.
Unlike all other states and territories, South Australia’s privacy legislation relates
only to the health care sector through the Health Care Act 2008. However, government
agencies are required to abide by the Information Privacy Principles, and, if relevant, the
Code of Fair Information Practice.

If you or someone you know is concerned about
privacy obligations, or believes that their privacy has been breached, Go To Court Lawyers
operate a Legal Hotline on 1300 636 846 where you can talk directly to a lawyer 7am – midnight,
7 days/week. Your call will be treated with the strictest confidentiality and without
judgement. The lawyer will assess your matter and recommend
a course of action. Should you need a lawyer, even if it is at
very short notice, the Legal Hotline staff will be able to arrange legal representation
for you. You can also request a call back via the website www.gotocourt.com.au and a lawyer
will call you back to assess your matter.