Privacy Law in Australia

In Australia, privacy law is regulated by legislation at commonwealth, state and territory levels. This includes the commonwealth Privacy Act 1988 and the Freedom of Information Act 1982. These acts are designed to protect the privacy of individuals by imposing obligations on agencies and companies that collect and handle personal data, and to allow individuals to access their personal data when they need to. This page outlines commonwealth privacy law in Australia.

Does the Privacy Act apply?

The Privacy Act 1988 applies to commonwealth government agencies and departments and to large operators in the private sector. If a business, club, association, union or employee organisation has a turnover of more than three million dollars per year, the Privacy Act applies.

The Privacy Act 1988 may also apply to an entity that does not have a turnover of more than three million dollars per year if:

  • it provides a health service and holds health information that is not about its employees;
  • it is a credit reporting body or a business that trades in personal information;
  • it is created under the Privacy Regulations;
  • it is a holding company or subsidiary of a larger company;
  • it has opted in to be treated as an organisation for these purposes.

In most cases, the Privacy Act 1988 applies to state government agencies. However, a business that contracts with a state government agency (for example, to provide IT services within a department) will in most cases be bound under the terms of the contract to the relevant state legislation.

The Privacy Act 1988 does not apply to the following bodies:

  • small businesses that are not covered by any of the exceptions set out above;
  • individuals collecting information for personal reasons;
  • universities other than private universities and Australian National University;
  • political parties;
  • public schools;
  • members of parliament and volunteers performing actions in relation to the political process;
  • media organisations engaged in journalism that have made a public commitment to privacy standards;
  • most state or territory government agencies;
  • information that has been obtained by an intelligence agency such as the Defence Intelligence Organisation or Defence Signals Directorate.

Personal information

Under the Privacy Act 1988, personal information encompasses a range of types of data, including:

  • health information
  • employee records
  • tax file numbers

Other information that may be protected under the Privacy Act 1988 includes:

  • individuals’ home addresses, signatures and bank account details
  • details about the employment or business of individuals
  • comments that one person has made about another person such as a manager’s comments about a team member’s performance.

Obligations under the Privacy Act

The privacy obligations imposed under the Privacy Act 1988 include the following:

  • entities must manage information openly and transparently
  • entities must allow individuals to provide information anonymously
  • entities may only use personal information for the purpose for which it has been collected
  • entities must ensure personal information collected is accurate
  • entities must ensure that personal information that has been collected and is inaccurate is corrected
  • entities must store personal information securely
  • entities should only gather the personal information that is reasonably necessary to conduct their business
  • entities must meet certain obligations when personal information is disclosed to overseas persons or entities
  • entities must take reasonable steps to protect personal information from loss, interference, misuse, modification or disclosure
  • individuals should be given access to their information upon request, except where an exception applies.

If an entity fails to comply with its obligations under the Privacy Act 1988, it may be subjected to regulatory action and penalties. If a person believes that their rights under the Privacy Act 1988 have been breached or that their data has been mishandled, they can complain to the Office of the Australian Information Commissioner.

Freedom of Information Act

The commonwealth Freedom of Information Act 1982 (FOI Act) gives individuals the right to access their personal information held by Australian government ministries and agencies. There is also legislation in each state and territory that allows individuals to access records held by the departments and agencies of that state or territory.

A person can make an FOI request seeking their personal information from a government department or agency – for example, Centrelink records, health records or child protection records. A person can also request information about government policies, programs and decision-making processes.

An agency may provide the information requested. However, an agency can also refuse an FOI request for a number of reasons. These include that the information requested is already readily available to the applicant, that the work involved in granting the request would substantially and unreasonably divert the agency's resources away from its other operations, that the documents cannot be found or do not exist, or that the material requested contains exempt material that cannot be deleted.

If you require legal advice or representation in any legal matter, please contact Taylor Rose.

This article was written by Fernanda Dahlstrom

Fernanda Dahlstrom holds a Bachelor of Laws, a Bachelor of Arts, a Graduate Diploma in Legal Practice, and a Master’s in Writing and Literature. Fernanda practised law for eight years, working in criminal defence, child protection and domestic violence law in the Northern Territory and in family law in Queensland.