Other Commonwealth legislation and guidelines

Other Commonwealth legislation and guidelines protect particular kinds of data. They include guidelines on handling tax file numbers, backed by criminal sanctions; data-matching for tax and other government purposes; National Health and Medical Research Council research guidelines; treatment of personally controlled electronic health records; Pharmaceutical Benefits and Medicare guidelines; use of old criminal records; information about financial securities; and telecommunications codes, including the Do not call register.

Freedom of Information Act 1992

As stated under APP 12, federal public sector agencies provide access to personal information through the FOI Act. Section 41 also provides an exemption where disclosure of a document would involve an unreasonable disclosure of personal information, subject to the exception that a person cannot be denied access under this exemption to documents containing their own personal information.

Guidelines for tax file numbers

Tax file numbers (TFNs) are unique numbers issued by the Australian Taxation Office (ATO) to individuals. The enhanced TFN scheme, introduced in 1988, allows the ATO to identify those who lodge income tax returns, and to match information provided in tax returns with other sources of information, such as records of interest paid by financial institutions.

Because of concerns raised by the earlier proposal for an Australia Card, a central feature of the TFN scheme is that quotation of the TFN is voluntary. In 1990, the government extended the scheme to make provision of a TFN a condition of receiving assistance from a number of Australian Government agencies, and to allow it to be used to compare income reported to the ATO with income reported to assistance agencies.

Under the Data-matching Program (Assistance and Tax) Act 1990 (Cth), the TFN is used for the matching of records between the ATO and the assistance agencies, subject to strict controls and safeguards monitored by the OAIC. Certain uses of the TFN in relation to superannuation administration are now also authorised by law.

The tax file number guidelines

The handling of TFNs is regulated by legally binding Tax File Number Guidelines 2011, issued by the Australian Information Commissioner under section 17 of the PA 1988, and by tax laws. Among other things, the guidelines prohibit the use of the TFN for a national identification system, and prohibit its use as an identifier in any circumstances other than as authorised by taxation law, personal assistance law, and superannuation administration law.

Generally, no person or organisation may require an individual to provide their TFN. However, the financial consequences of not providing a TFN can be severe. For example, employees and investors who choose not to quote their TFN have tax withheld at the highest marginal rate, and individuals who choose not to provide their TFN to assistance agencies will generally be ineligible for benefits from those agencies.

Any person or organisation authorised to collect TFNs must advise people of the following:

that failure to provide a TFN is not an offence;

the legal authority and purpose of the request; and

the consequences of not providing it.

Recipients of TFNs must also:

use or disclose TFNs only in accordance with the specific provisions of tax, superannuation administration or personal assistance law;

keep them secure;

restrict access to TFNs to authorised staff; and

take reasonable steps to destroy or permanently de-identify TFN information where it is no longer necessary or required by law to be retained.

TFNs can be collected by all employers, and by investment bodies in relation to:

interest-bearing accounts and some deposits with a financial institution;

loans of money to a government body or to a body corporate;

deposits of money with a solicitor that are being invested or lent by, or on behalf of, the solicitor;

units in a unit trust; and

shares in a public company.

TFNs can be collected by superannuation funds, and if provided to employers for superannuation purposes, must be passed on to the fund.

It is a criminal offence under taxation law to make an unauthorised request for, or an unauthorised record, use or disclosure of, another person’s TFN.

Data-matching Program (Assistance and Tax) Act

The Data-matching Program (Assistance and Tax) Act 1990 (Cth) (“Data-matching Act”) and the Guidelines for the Conduct of Data Matching Programs (“Guidelines”) accompanied the extension of the TFN system into the administration of Australian Government assistance payments. Under the Act, TFNs are used by Centrelink and the Department of Veterans’ Affairs to match data with taxpayer information held by the ATO as a means to detect inappropriate payments.

The OAIC is responsible for monitoring compliance with guidelines issued under section 12(2) of the Data-matching Act. The OAIC’s Annual Report must include an assessment of the extent of the program’s compliance with the Data-matching Act, the guidelines and the PA 1988. A breach of the Data-matching Act or Guidelines constitutes an interference with privacy under section 13 of the Privacy Act 1988. Anyone who believes their privacy has been breached under this section can complain to the Privacy Commissioner.

National Health and Medical Research Council’s guidelines

Section 95 Guidelines

The Australian Information Commissioner has approved the Guidelines under Section 95 of the Privacy Act 1988 (“Section 95 Guidelines”), issued by the National Health and Medical Research Council (NHMRC).

These guidelines apply to medical and epidemiological research that involves personal information held by an Australian Government agency, where the agency intends to use or disclose information for the purposes of research in a way that may involve a breach of the APPs.

The Section 95 Guidelines are a framework under which Human Research Ethics Committees (HRECs) must assess, and decide whether to approve, a research proposal before it proceeds. Approval by a HREC does not oblige an Australian Government agency to release data. The latest version of the Section 95 Guidelines was issued by the NHMRC in March 2014.

Section 95A Guidelines

The federal Privacy Commissioner has approved the Guidelines Approved under Section 95A of the Privacy Act 1988 (“Section 95A Guidelines”), which are conceptually similar to the Section 95 Guidelines and were issued by the NHMRC in March 2014.

These guidelines apply to:

the collection, use or disclosure of health information held by private sector organisations for the purposes of research;

the compilation or analysis of statistics relevant to public health or public safety; and

the collection of health information held by organisations for the purpose of health service management;

where it is impracticable to seek the consent of relevant individuals.

The Section 95A Guidelines provide a framework for HRECs, and for those involved in conducting research, compiling statistics or managing health services, to assess the privacy aspects of research proposals. The assessment needs to determine whether the public interest in those activities substantially outweighs the public interest in the protection of privacy afforded by the APPs. Researchers must obtain approval from an HREC for research projects.

Before applying for approval of a research proposal, researchers must assess its privacy impact and decide whether it is impracticable to seek consent for the use or disclosure of personal information. The HREC will then assess the privacy aspects, along with other factors, in deciding whether or not to approve the research proposal.

Section 95AA Guidelines

In March 2014, the Privacy Commissioner approved updated guidelines for the use or disclosure of a living individual’s genetic information by a private health service provider, to lessen or prevent a serious threat to a genetic relative’s life, health or safety. The guidelines, issued by the NHMRC, must be followed when seeking to use or disclose this information without the individual’s consent, in reliance on the exception in APP 6.2(d). The guidelines on “Use and Disclosure of Genetic Information to a Patient’s Genetic Relatives” under section 95AA of the PA 1988 are available at www.nhmrc.gov.au.

Personally Controlled Electronic Health Records Act

The Personally Controlled Electronic Health Records Act 2012 (Cth) (“PCEHR Act”) provides strict controls on the collection, use and disclosure of health information included in an individual’s eHealth record. A collection, use or disclosure that is not authorised by the legislation is both a contravention of the PCEHR Act and an interference with the privacy of the individual under the PA 1988. The legislation also imposes mandatory data breach notification obligations on the system operator, repository operators and portal operators.

The OAIC regulates the handling of personal information under the eHealth record system by individuals, Australian Government agencies, private sector organisations and, in particular circumstances, some state and territory agencies, instrumentalities and authorities. On 19 June 2013, the Australian Information Commissioner issued guidelines to which the OAIC will have regard in exercising its investigation and enforcement powers with respect to eHealth records. The PCEHR (Information Commissioner Enforcement Powers) Guidelines 2013 (“PCEHR Guidelines”) outline how the OAIC will approach enforcement issues under the PCEHR Act and related legislation.

Pharmaceutical Benefits Scheme and Medicare Program Guidelines

Section 135AA of the National Health Act 1953 (Cth) requires the Australian Information Commissioner to issue legally binding guidelines for the handling of certain health information within the Medicare Benefits Program (Medicare) and the Pharmaceutical Benefits Scheme (PBS).

These guidelines cover the storage, use, disclosure, and retention of an individual’s Medicare and PBS claims information, and limit the matching of claims information held by Australian Government agencies. A breach of the guidelines is an “interference with privacy” under the PA 1988.

The most recent guidelines came into effect from 1 July 2008. The guidelines can be found at www.oaic.gov.au.

Spent convictions

Under part VIIC of the Crimes Act 1914 (Cth) (“Crimes Act (Cth)”), a person is able to disregard some old criminal convictions, and is protected against unauthorised use and disclosure of this information. This is known as the Commonwealth Spent Convictions Scheme.

A “spent” conviction is a conviction that satisfies the following conditions:

it is 10 years since the date of conviction (or five years for juvenile offenders);

the sentence imposed was a fine, bond, community service order, or term of imprisonment not greater than 30 months;

the individual has not been convicted of a further offence committed during the 10 (or five) years waiting period; and

an exclusion does not apply (see “Exclusions”).

What types of offences?

The scheme covers all convictions for minor Commonwealth or territory offences. It also covers convictions for minor state and foreign offences when dealing with Australian Government agencies. Some states and territories (not including Victoria) have their own spent conviction schemes covering minor offences under state law. The scheme also covers pardons and quashed convictions.

Protections under the scheme

The scheme offers the following protections:

the individual does not have to disclose a spent conviction;

the individual can claim on oath that they were not convicted of an offence; and

any other person who knows, or ought to reasonably know, about the spent conviction is prohibited from taking into account the conviction or disclosing the conviction.

Complaints of breaches of the scheme may be made to the Australian Information Commissioner.

Exclusions

Exclusions under the scheme are limited to specific organisations needing to know about particular offences for special purposes. For example, if a person is applying for a position involving the care and control of children, the potential employer can find out about any sex offence convictions, or convictions for offences where the victim was a child.

If an agency has an exclusion, it should explain this fact, and what it means for the person concerned. Details of exclusions are available from the OAIC.

For further information about spent convictions, see “Spent convictions” in Understanding criminal records.

Personal Property Securities Act

The Personal Property Securities Act 2009 (Cth) (“PPS Act”) established a national register for personal property and security interests. The PPS Act and PPS register commenced operation in May 2011 (for more information, visit www.ppsr.gov.au).

The PPS Act protects grantors, secured parties and others from misuse of the register (such as illegitimate searches and registrations), with civil penalties to protect people’s privacy. A breach of certain limitations is also an interference with privacy under the PA 1988. A breach may also give rise to damages.

“Personal property” means property other than land, buildings or fixtures that form a part of land. It can include tangibles such as cars, crops and machinery; and intangibles such as contract rights and intellectual property.

A personal property security is when a “secured party” takes an interest in personal property as security for a loan or other obligation, or enters into a transaction that involves the supply of secured finance. A “secured party” is a person or entity that has a security interest in the collateral of someone else (the grantor). “Collateral” is personal property (consumer or commercial) with a security interest attached.

Registrations on the PPS register include data about the grantor’s property or collateral and may contain information such as a person’s name and date of birth. Registrations will also include data about the secured party, such as the secured party’s identifier and address for service, though the secured party’s details will not be searchable. Grantors must be notified when a secured party makes a registration against them.

Telecommunications

The telecommunications sector is regulated by both the PA 1988 and specific obligations set out in the Telecommunications Act 1997 (Cth) (“Telecommunications Act”) and the Telecommunications (Interception and Access) Act 1979 (Cth). Those specific obligations include prohibiting a telecommunications provider from disclosing personal information, subject to limited exemptions. These obligations are in addition to the obligation to comply with the APPs (see “Summary of the Australian Privacy Principles (APPs)”).

The Telecommunications Act provides for the registration of telecommunications codes under a self-regulatory framework. These codes are developed by industry through Communications Alliance (an industry body), and may be registered with the Australian Communications and Media Authority (ACMA). ACMA consults with OAIC on the codes.

There are a number of privacy obligations in telecommunications codes registered by ACMA, such as calling number display (C522:2007), handling of life threatening and unwelcome calls (C525:2006) and integrated public number database (C555:2007). For more information, go to the Communications Alliance website at www.commsalliance.com.au.

The Telecommunications (Interception and Access) Act 1979 (Cth) (“TIA Act”) permits disclosure of personal information by a telecommunications provider to ASIO or the Federal Police. The TIA Act prohibits the unauthorised access and interception of communications, subject to various exceptions, unless a warrant is obtained. Those issuing warrants must consider, among other things, the privacy of persons affected by the access and interception.

Do not call register

A national “do not call register” began operating in May 2007 in accordance with the Do Not Call Register Act 2006 (Cth). The register is administered by ACMA. The Act allows people to register (without charge) their home phone, domestic mobile and fax numbers in order to opt out of a wide range of unsolicited telemarketing calls. Government bodies and emergency services numbers may also register.

The Do Not Call Register Legislation Amendment Act 2010 (Cth) amended the Act from 30 May 2010 to enable all Australian telephone and fax numbers to be registered, allowing organisations including businesses, as well as individuals, to access the protections of the register. Businesses can still contact other businesses with whom they have a relationship under the inferred consent provisions. Businesses that have given express consent to receive calls or faxes may also continue to be contacted. However, “cold calls” and marketing faxes to businesses that do not fall under the express or inferred consent provisions are prohibited for numbers that are listed on the register.

As part of the registration process, new registrants are given the option to nominate to receive calls or faxes relating to a list of industry classifications. The legislation makes it illegal for any non-exempt telemarketer, in Australia or overseas, to contact a number listed on the register without consent.

There are exemptions for government bodies, educational or religious organisations, registered political parties, independent members of parliament, electoral candidates and charities. Market and social researchers may call to conduct standard opinion polling and questionnaire research, subject to a national industry standard. Businesses that have an existing relationship with a person may also call numbers on the do not call register. Enquiries and complaints relating to the do not call register can be made online at www.donotcall.gov.au or by calling 1300 792 958.