The principal statute regulating the collection, use, storage and disclosure of ‘personal information’ is the Privacy Act 1988 (Cth) and in particular the 13 Australian Privacy Principles (APPs) that form part of that Act. The Privacy Act is administered by the Office of the Australian Information Commissioner and the Australian Privacy Commissioner within that office.
The Privacy Act applies to the handling of personal information by ‘APP entities’.
The term APP entity has an extensive definition and includes:
- the Australian and Norfolk Island governments and government agencies; and
- all private sector and non-profit organisations with an annual group global revenue of more than $3 million.
There are, however, numerous exceptions to the general scope of the Privacy Act. It does not apply to registered political parties, state or territory authorities or to the handling of personal information by an individual for the purposes of, or in connection with, the individual’s personal, family or household affairs.
In addition, the Act does apply to an organisation with an annual group global revenue of less than $3 million if that organisation:
- provides a health service and holds health information other than in an employee record;
- discloses personal information about another individual for a benefit, service or advantage, or provides a benefit, service or advantage to collect personal information from anyone else, unless it does so with the consent of the individual or is required or authorised by legislation to do so; or
- is a contracted service provider for a Commonwealth contract.
The Privacy Act extends to an act done, or practice engaged in, outside of Australia if the organisation or small business operator has an Australian link, namely where it is:
- an Australian citizen or a person whose continued presence in Australia is not subject to a legal time limitation;
- a partnership formed, or a trust created, in Australia;
- a body corporate incorporated in Australia; or
- an unincorporated association that has its central management and control in Australia.
An organisation that does not fall within one of those categories will nevertheless have the requisite Australian link where:
- it carries on business in Australia; or
- it collected or held personal information in Australia either before or at the time of the act or practice.
The meaning of ‘carrying on a business in Australia’ is very broad and can apply to parent companies of Australian subsidiaries in some circumstances.
There are a range of laws in Australia, both at the federal and state and territory levels, which regulate or impact upon privacy and data protection.
Some Australian states and territories have enacted privacy statutes containing data protection principles broadly similar to the federal privacy principles. They govern the acts and practices of Australian state and territory governments and their agencies and, in some cases, the handling by the private sector of personal information collected by the government or its agencies.
In addition, there are numerous federal and state and territory statutes that deal with aspects of privacy and data protection, including:
- federal and state and territory legislation applicable to specific industries, such as the health and telecommunications sectors;
- the regulation of unsolicited commercial telephone calls and emails by the Spam Act 2003 (Cth) and Do Not Call Register Act 2006 (Cth);
- federal and state criminal laws dealing with unauthorised access to computer systems, including databases; and
- developing judge-made law extending the equitable protection of confidential information to the misuse of private confidential information.