The PA 1988 has four main areas of operation, discussed more fully below.
- Most Australian and ACT Government agencies must comply with a set of 11 standards, known as the Information Privacy Principles (IPPs), when handling personal information.
- Many private sector organisations, including all private health service providers, must comply with the 10 National Privacy Principles (NPPs), or an approved privacy code, when handling personal information.
- Credit providers and credit reporting agencies must comply with the provisions on consumer credit information in Part IIIA of the PA 1988, and with the legally binding Credit Reporting Code of Conduct issued by the Australian Information Commissioner (formerly by the federal Privacy Commissioner).
- Everyone who handles tax file numbers must comply with the Tax File Number Guidelines, issued by the Australian Information Commissioner (under s.17 of the PA 1988).
The Australian Information Commissioner's functions under the PA 1988 include:
- investigating complaints about breaches of the Act;
- conducting audits of agencies and organisations that are subject to the audit provisions of the Act;
- approving and monitoring privacy codes developed by organisations;
- examining proposed legislation that may affect personal privacy;
- developing or approving mandatory privacy guidelines;
- advising on exemptions under the Commonwealth spent convictions scheme; and
- other research, advisory and community education tasks.
Personal information held by Australian and ACT government agencies: The 11 IPPs are set out in section 14 of the PA 1988. They cover the collection, storage, use and disclosure of personal information by Australian and ACT government agencies (agencies), but do not apply to state entities. If an agency breaches an IPP, an individual may complain to the Australian Information Commissioner (see: "Complaints to the Commissioner", below).
Although the IPPs are briefly summarised below, the full text should be consulted before attempting to apply them, or before making a complaint about a possible interference with privacy. See also: "Contact details", below.
Under IPPs 1–3, personal information must only be collected for lawful purposes and by fair means. If that information is requested from individuals themselves, agencies must take reasonable steps to advise them regarding the purpose for collecting the information, and to whom it is usually disclosed. Agencies must also take steps to ensure that information is not collected in an unreasonably intrusive manner, and that when collected it is relevant, up-to-date, and complete.
Under IPP 4, agencies must take reasonable steps to protect personal information against loss, unauthorised access, modification, use or disclosure, and other misuse.
Under IPPs 5–7, agencies must make available details of the types of personal information they hold. They must also allow individuals to have access to their own personal information, and must take reasonable steps to amend information to ensure it is accurate, relevant, up to date, complete, and not misleading. These rights are also provided under the FOI Act (Cth), and FOI processes should generally be used when seeking access to, or correction of, personal information held in the public sector. The rights provided by the IPPs are expressly subject to the exemptions in the FOI Act (Cth).
Under IPPs 8–9, before using information, agencies must take reasonable steps to ensure that it is accurate, and must only use the information for a relevant purpose.
IPP 10 prohibits the use of information for a purpose other than that for which it was collected, except:
- when the person has given consent;
- to prevent serious and imminent threat to a person's life or health;
- when the use is required or authorised by law;
- when reasonably necessary to enforce criminal laws or protect public revenue; or
- for a directly related purpose.
Use has generally been interpreted as covering actions taken within an agency.
IPP 11 prohibits disclosure of personal information, except in the first four circumstances listed above under IPP 10, and when the person is reasonably likely to be aware that the disclosure in question is the agency's usual practice. There is no "directly related purpose" exception for disclosures.
The federal Privacy Commissioner has issued advisory guidelines to the IPPs that give the Commissioner's views on how Australian government agencies might best comply with the IPPs. These guidelines are available on the OAIC website at www.privacy.gov.au.
The federal Privacy Commissioner published advisory guidelines to help organisations comply with the NPPs: Guidelines to the National Privacy Principles and Guidelines on Privacy in the Private Health Sector. In addition, information sheets are available that give more detailed explanation, good practice and compliance tips on some NPPs. Frequently Asked Questions (FAQs) are also answered for individuals. These resources are available on the OAIC's website at www.privacy.gov.au.
Although they are summarised below, the full text of the NPPs should be consulted when seeking either to apply the legislation or to make a complaint about a possible interference with privacy. See also: "Contact details", below.
The NPPs and personal information held by private sector organisations: The 10 NPPs are set out in Schedule 3 of the PA 1988. The 10 NPPs cover the collection, storage, use and disclosure of personal information, an individual's access to personal information and the transfer of personal information overseas. The NPPs form the key requirements for most private sector entities (organisations) that are bound by the PA 1988.
Organisations are required to comply with the NPPs when handling personal information unless an exemption applies. The term "organisation" refers to an individual, a body corporate, partnership, an unincorporated association, or a trust. Certain organisations and types of activities are exempt from the application of the NPPs (see: "Exemptions from the NPPs", below).
If an organisation breaches an NPP, an individual may complain to the Australian Information Commissioner (see: "Complaints to the Commissioner", below).
NPP 1 sets out an organisation's obligations when collecting personal information. An organisation must only collect information that is necessary for its functions and activities, using lawful and fair means and not in an unreasonably intrusive way. Where it is reasonable and practicable, an organisation must collect information from the person concerned rather than someone else.
NPP 1 requires an organisation to take reasonable steps to ensure that a person is aware of certain matters when it collects personal information directly from them, including:
- the identity of the organisation and how to contact it;
- the fact that the person can gain access to the information;
- the purposes for which the information is collected;
- organisations to which the information is usually disclosed;
- any law that requires the information to be collected; and
- the consequences for the person if the information is not provided.
When an organisation collects information about a person from someone else, it must take reasonable steps to ensure that the person has been made aware of these matters.
NPP 10 requires an organisation to obtain a person's consent before it collects sensitive information unless specified exceptions apply. "Sensitive information" is defined in the PA 1988. It includes health information and genetic information, as well as information relating to a person's ethnic or racial origin, religious beliefs or political opinions, criminal record (see also: "Spent convictions", below) or membership of a trade union or professional or trade association.
NPP 2 regulates an organisation's use and disclosure of personal information. Generally, "use" refers to the use of personal information within an organisation, and "disclosure" to the release of personal information outside an organisation. NPP 2 states that an organisation can only use or disclose personal information for the purpose for which it was collected (the "primary purpose"), unless one of the exceptions applies.
An organisation can use or disclose personal information for a "secondary purpose":
- when it has obtained the person's consent; or
- where the secondary purpose is related to the primary purpose (or directly related if the information is sensitive information) and is within the individual's reasonable expectations.
There is a limited range of other circumstances under NPP 2 in which personal information can be used or disclosed without the person's consent or for unrelated purposes. These include:
- use for direct marketing (non-sensitive personal information only) where it is impracticable to gain consent, and provided the person is given the opportunity to opt-out of further direct marketing;
- use or disclosure of health information when necessary for research that is relevant to public health or safety, where it is impracticable to seek the person's consent (see: "National Health and Medical Research Council Guidelines", below);
- use or disclosure to prevent a serious and imminent threat to any person's life, health or safety (or a serious threat to public health or safety, which need not be imminent);
- use or disclosure of genetic information to prevent a serious threat to a genetic relative, in accordance with guidelines approved under section 95AA of the PA 1988 (see: "National Health and Medical Research Council Guidelines", below);
- use or disclosure that is required or authorised by law; and
- use or disclosure when reasonably necessary to enforce criminal laws or protect public revenue.
NPP 3 requires an organisation to take reasonable steps to make sure that the personal information that it collects, uses or discloses is accurate, complete and up-to-date.
Under NPP 4 an organisation must take reasonable steps to protect the personal information it holds from misuse and loss, and from unauthorised access, modification or disclosure. NPP 4 also requires an organisation to take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed under NPP 2 (which would include legal retention requirements under other laws).
NPP 5 requires an organisation to have a document that clearly expresses its policies on how it manages personal information (known as a "privacy policy"). This document must be made available to anyone who asks for it. In addition to this policy document, the organisation must, upon request, take reasonable steps to provide more detailed information about the sort of personal information it holds, for what purposes and how it collects, holds, uses and discloses that information.
NPP 6 requires an organisation to give a person access to personal information that it holds about them, if requested. If a person establishes that the information is not accurate, complete or up-to-date, the organisation must take reasonable steps to correct the information. If the person and the organisation disagree about accuracy, and the person requests it, the organisation is required to include a statement that the individual claims that the information is not accurate, complete or up-to-date.
Organisations may deny an individual's request for access to information about themselves in a limited range of circumstances. These include if:
- providing access would:
  - pose a serious and imminent threat to the life or health of any person (for health information the threat need not be imminent); or
  - have an unreasonable impact on other individuals' privacy; or
  - prejudice negotiations between the organisation and the individual; or
  - be unlawful; or
  - prejudice an investigation of possible unlawful activity; or
  - prejudice law enforcement activities; or
  - cause damage to Australia's security;
- the request for access is frivolous or vexatious;
- the law authorises or requires access to be denied; or
- the information relates to existing or anticipated legal proceedings between the organisation and the individual, and would not be accessible by the process of discovery in such proceedings.
An organisation must provide reasons for denial of access or for a refusal to correct personal information. If an organisation charges for providing personal information, those charges must not be excessive and must not apply to lodging a request for access.
NPP 7 limits the handling of an identifier of an individual that has been issued by an Australian government agency or a contracted service provider for a Commonwealth contract (such as passport and Medicare numbers). In particular, NPP 7 prohibits an organisation from adopting such an identifier as its own identifier, or from using and disclosing an identifier, except in limited circumstances including fulfilling its obligations to the issuing agency. The aim is to prevent a single identifier being used to track individuals' movements and transactions beyond what the community would expect.
NPP 8 states that wherever it is lawful and practicable, an individual must have the option of not identifying themselves when entering transactions with an organisation.
NPP 9 restricts when an organisation can transfer an individual's personal information to another person or entity in a foreign country. For example, NPP 9 permits overseas transfer where:
- the recipient of the personal information is subject to a law, binding scheme or contract that provides the same level of privacy protection as the NPPs; or
- the person consents to the transfer; or
- the transfer is necessary for the performance of a contract between the person and the organisation or the implementation of pre-contractual measures requested by the person; or
- the transfer is necessary for the performance of a contract concluded in the interest of the person between the organisation and a third party; or
- the organisation has taken reasonable steps to ensure that the information which it has transferred will not be handled by the recipient inconsistently with the NPPs.
The NPPs do not apply to personal information that individuals collect, hold, use or disclose for the purposes of their personal, family or household affairs. In other words, the NPPs do not apply to an individual's handling of personal information unless it is done in the course of running a business.
Under the PA 1988, most small business operators are exempt from complying with the NPPs. A small business is an organisation with an annual turnover of $3 million or less.
Some small businesses are not exempt from the PA 1988, including those that:
- provide a health service and hold any health information;
- trade in personal information, either:
  - disclosing personal information for a benefit, service or advantage; or
  - providing a benefit, service or advantage to collect an individual's personal information from anyone else (unless the individual consents, or the disclosure or collection is required or authorised by law);
- are contracted service providers for a Commonwealth contract; or
- are a "reporting entity" under the Anti-money Laundering and Counter-terrorism Financing Act 2006 (Cth) for activities conducted to comply with that Act.
Acts and practices that are directly related to:
- a current or former employment relationship; and
- an employee record,
are exempt from the NPPs. "Employee record" refers to a record of personal information relating to the employment of a person, such as information about the employee's:
- health;
- engagement, training, disciplining or resignation;
- terms and conditions of employment;
- personal and emergency contact details;
- performance or conduct; and
- taxation, banking or superannuation affairs.
The journalistic activities and practices of media organisations are exempt from the NPPs. A "media organisation" is an organisation whose activities consist of the collection, preparation and dissemination of news, current affairs, information or documentaries. The media organisation must be publicly committed to observing published standards that deal with privacy in the context of the activities of media organisations. Examples include industry codes regulated by the Australian Communications and Media Authority and the Australian Press Council.
The political activities of registered political parties, members of Parliament and local government councillors are exempt from the NPPs. For the purposes of the exemption, the political activities must have some connection with an election under electoral law, a referendum or some other aspect of the political process. The political activities of contractors and volunteers of registered political parties for these purposes are also exempt.
The PA 1988 provides safeguards around consumer credit reporting about individuals. The Act regulates the handling of information about an individual's credit-worthiness by credit reporting agencies and credit providers. (Credit reporting agencies keep credit history records on individuals. Credit providers such as banks use this information in assessing applications for loans, credit cards and deferred payment schemes.)
Part IIIA of the PA 1988 places limits on the content, use and disclosure of credit reports, and is aimed primarily at restricting the use of this information to the assessment of applications for credit. (Note: The legislation does not directly affect commercial credit information for loans, credit cards and deferred payment schemes.) The main credit reporting provisions in Part IIIA of the PA 1988 are outlined below.
A credit provider may not pass information about a person to a credit reporting agency without giving that person prior notice. This is usually satisfied by including such a notice on the loan application form.
The type of information that credit reporting agencies can hold on an individual's credit information file is generally restricted to:
- identifying information;
- inquiries made by credit providers together with the amount of credit sought;
- inquiries made by mortgage and trade insurers;
- the names of current credit providers; and
- specified information about bad debts.
Credit providers and credit reporting agencies must take steps to ensure that any information contained in credit reports they possess is accurate, up to date, complete and not misleading. The information must also be protected by reasonable security safeguards against loss, unauthorised access, use, modification or disclosure.
Individuals have legally enforceable rights to see and, where inaccurate, amend information about themselves on a credit information file held by a credit reporting agency, or in a credit report issued by a credit reporting agency. A free copy is generally available if you can wait 10 business days. Fees will apply for faster service.
For information about how to access your credit file held by a credit reporting agency, see the OAIC's fact sheets at www.privacy.gov.au. (See also: "Credit reporting" in Chapter 13 Credit and Finance.)
The PA 1988 limits the circumstances in which anyone other than the individual concerned can have access to credit report information issued by a credit reporting agency. Such access is restricted primarily to credit providers, as defined in the Act, for the purpose of assessing applications for credit or collecting overdue payments on credit granted to individuals. The PA 1988 defines credit providers as banks, building societies, credit unions or businesses for which providing loans represents a substantial part of their activities.
Three Determinations issued by the federal Privacy Commissioner allow additional organisations to access the credit reporting system for particular transactions. These include corporations that give loans or allow deferral of payment for goods or services for at least seven days, mortgage insurers when taking assignment of a loan and Indigenous Business Australia. These Determinations can be found on the OAIC's website at www.privacy.gov.au.
Credit providers may not disclose consumer credit reports or any other information relating to the consumer creditworthiness of individuals, subject to a limited range of exceptions.
Some of the permitted disclosures are:
- to a credit reporting agency where an individual has applied for credit;
- to a credit reporting agency, information relating to an overdue payment where an individual to whom credit has been provided is at least 60 days overdue with that payment, and collection action has commenced;
- to another credit provider where the individual has consented to disclosure for the particular purpose;
- to a debt collector, provided that no information derived from a credit report is disclosed other than identity particulars and the amount of the debt outstanding;
- to a person considering taking over a debt, information concerning the amount owing;
- to another credit provider or to a law enforcement agency when the credit provider believes the individual has committed a serious credit infringement;
- to a person who manages loans for the credit provider; and
- where it is required or authorised by law.
Credit providers may only use consumer credit reports obtained from credit reporting agencies for limited purposes, including the following:
- to assess an application for consumer credit;
- to assess an application for commercial credit, if the individual has consented;
- to assess whether to accept an individual as a guarantor;
- to collect overdue payments;
- to assist an individual to avoid defaulting on credit obligations in certain circumstances;
- where the use is required or authorised by law; and
- where the credit provider believes that the individual has committed a serious credit infringement.
Where an individual is refused credit on the basis of an adverse credit report issued by a credit reporting agency, the credit provider must give the person written notification, including the name and address of the credit reporting agency.
In 1991 the federal Privacy Commissioner issued a legally binding Credit Reporting Code of Conduct, which has been amended up to 1996 and is now administered by the OAIC. The Code explains in greater detail the requirements of Part IIIA of the PA 1988, and sets out procedures for complying with those requirements, including provisions for resolving credit reporting disputes.
Tax file numbers (TFNs) are unique numbers issued by the Australian Taxation Office (ATO) to individuals. The enhanced TFN Scheme, introduced in 1988, allows the ATO to identify those who lodge income tax returns, and to match information provided in tax returns with other sources of information, such as records of interest paid by financial institutions.
Because of concerns raised by the earlier proposal for an Australia Card, a central feature of the TFN Scheme is that quotation of the TFN is voluntary. In 1990, the Government extended the Scheme to make provision of a TFN a condition of receiving assistance from a number of Australian Government agencies, and to allow it to be used to compare income reported to the ATO with income reported to assistance agencies.
Under the Data-matching Program (Assistance and Tax) Act 1990 (Cth), the TFN is used for the matching of records between the ATO and the assistance agencies, subject to strict controls and safeguards monitored by the Australian Information Commissioner. Certain uses of the TFN in relation to superannuation administration are now also authorised by law.
The handling of TFNs is regulated by legally binding Tax File Number Guidelines, issued by the Australian Information Commissioner (formerly by the Privacy Commissioner) under section 17 of the PA 1988, and by tax laws. Amongst other things, the Guidelines prohibit the use of the TFN for a national identification system, and prohibit its use as an identifier in any circumstances other than as authorised by taxation law, assistance agency law and for limited purposes under superannuation administration law.
Generally, no person or organisation may require an individual to provide their TFN.
However, the financial consequences of not providing a TFN can be severe. For example, employees and investors who choose not to quote their TFN have tax withheld at the highest marginal rate, and individuals who choose not to provide their TFN to assistance agencies will generally be ineligible for benefits from those agencies.
Any person or organisation authorised to collect TFNs must advise people of the following:
- that failure to provide a TFN is not an offence;
- the legal authority for the request; and
- the consequences of not providing it.
Recipients of TFNs must also:
- use them only for tax, or specific superannuation or assistance-agency purposes;
- keep them secure;
- restrict access to TFNs to authorised staff; and
- disclose TFNs only in accordance with the specific provisions of tax or superannuation or assistance agency law.
TFNs can be collected by all employers, and by investment bodies in relation to:
- interest-bearing deposits and accounts with a financial institution;
- loans of money to a government body or to a body corporate;
- deposits of money with a solicitor which are being invested or lent by, or on behalf of, the solicitor;
- units in a unit trust; and
- shares in a public company.
TFNs can be collected by superannuation funds, and if provided to employers for superannuation purposes, must be passed on to the fund.
Note: From 1 July 2007, there are additional (longer term) financial disadvantages for employees who do not provide their TFN to their superannuation fund.
Note: It is a criminal offence under taxation law to make an unauthorised request, record, use or disclosure of another person's TFN.
The Data-matching Program (Assistance and Tax) Act 1990 (Cth) ("Data-matching Act") accompanied the extension of the TFN system into the administration of Australian Government assistance payments. Under the Act, TFNs are used by Centrelink and the Department of Veterans' Affairs to match data with taxpayer information held by the ATO as a means to detect inappropriate payments.
The Australian Information Commissioner is responsible for monitoring compliance with guidelines issued under section 12(2) of the Data-matching Act. The Commissioner must include in the OAIC's Annual Report an assessment of the extent of the program's compliance with the Data-matching Act, the guidelines and the PA 1988.
The federal Privacy Commissioner (now under the OAIC) has approved the Guidelines under Section 95 of the Privacy Act 1988 ("Section 95 Guidelines"), issued by the National Health and Medical Research Council (NHMRC).
These guidelines apply to medical and epidemiological research that involves personal information held by an Australian Government agency, where:
- the agency intends to use or disclose the information for that research without obtaining the research subject's consent; and
- the use or disclosure may involve a breach of the IPPs.
The Section 95 Guidelines are a framework under which a Human Research Ethics Committee (HREC) must assess, and decide whether to approve, a research proposal before it proceeds. Approval by a HREC does not oblige an Australian Government agency to release data. The latest version of the Section 95 Guidelines was issued by the NHMRC in March 2000.
The federal Privacy Commissioner has approved the Guidelines Approved Under Section 95A of the Privacy Act 1988 ("Section 95A Guidelines"), which are conceptually similar to the Section 95 Guidelines and were issued by the NHMRC in December 2001.
These guidelines apply to:
- the collection, use or disclosure of health information by private sector organisations (where it is impracticable to seek the relevant individuals' consent) for the purposes of research, or the compilation or analysis of statistics, relevant to public health or public safety; and
- the collection of health information by organisations (where consent is impracticable) for the purpose of health service management, funding or monitoring.
The Section 95A Guidelines provide a framework for assessing the privacy aspects of research proposals by HRECs, and those involved in conducting research, compiling statistics or health service management. The assessment needs to determine whether the public interest in those activities substantially outweighs the public interest in the protection of privacy. Researchers must obtain approval from HRECs for research projects.
Before applying for approval of a research proposal, researchers must assess its privacy impact and decide whether it is practicable to seek consent for the use or disclosure of personal information. The HREC will then assess the privacy aspects, along with other factors, in deciding whether or not to approve the research proposal.
In December 2009, guidelines approved by the then Privacy Commissioner came into effect for the use or disclosure of a living individual's genetic information by a private health service provider, to lessen or prevent a serious threat to a genetic relative's life, health or safety. The Guidelines, issued by the NHMRC, must be followed when seeking to use or disclose this information without the individual's consent, in reliance on the exception in NPP 2.1(ea). The Guidelines on Use and Disclosure of Genetic Information to a Patient's Genetic Relatives under Section 95AA of the Privacy Act 1988 (Cth) are available at www.nhmrc.gov.au.
THE PRIVACY ACT :: Last updated: Thu Jul 1st 2010