Privacy and data protection

Overview of Australian privacy laws

Privacy laws have been enacted by the Federal Government and most states and territories. State and territory privacy laws primarily govern state and territory agencies.

The Privacy Act 1988 (Cth) (Privacy Act) is federal legislation that applies to “APP entities” and regulates the handling of “personal information” about individuals. The Privacy Act is administered by the Office of the Australian Information Commissioner (OAIC).

Amongst other things, the Privacy Act confers on individuals the right to access personal information, reject unwanted direct marketing, correct personal information, and make a complaint to the OAIC regarding a breach of privacy.

What is an “APP entity”?

An “APP entity” is defined under the Privacy Act to mean an “agency” or “organisation”.

Broadly speaking, an “agency” is a federal government department or agency or a body established by or under federal legislation for a public purpose.

An “organisation” is defined broadly to include an individual (e.g. a sole trader), a body corporate, a partnership, any unincorporated association or a trust, that is not a small business operator, a registered political party, an agency, a state or territory authority or a prescribed instrumentality of a state or territory.

The “small business operator” exemption applies to entities with an annual turnover of less than A$3 million and which do not handle health information.

What is “personal information”?

Personal information is defined under Section 6 of the Privacy Act to mean: “information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not”.

Examples of personal information include information about a person’s life, commentary or opinion about a person and a person’s employment details.

Personal information that is considered “sensitive information” is afforded greater protection under the Privacy Act. Sensitive information includes health information, genetic information, biometric information, biometric templates, or information or opinion about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, or criminal record.

Australian Privacy Principles

The Privacy Act establishes 13 Australian Privacy Principles. These principles set out standards, rights, and obligations for the handling, holding, disclosure, use, access, and correction of personal information.

Australian Privacy Principles: summary

Consideration of personal information privacy
  • APP 1 Open and transparent management of personal information: requires an APP entity to have a clearly expressed and up-to-date privacy policy that is available free of charge.
  • APP 2 Anonymity and pseudonymity: individuals must have the option of not identifying themselves or of using a pseudonym.

Collection of personal information
  • APP 3 Collection of solicited personal information: requires an APP entity to collect personal information only where it is reasonably necessary for its functions or activities, and only by lawful and fair means.
  • APP 4 Dealing with unsolicited personal information: outlines how an APP entity should deal with the receipt of unsolicited personal information.
  • APP 5 Notification of the collection of personal information: outlines when an APP entity should notify an individual about the collection of information and the requirements of such notification.

Dealing with personal information
  • APP 6 Use or disclosure of personal information: outlines how an APP entity may use or disclose personal information.
  • APP 7 Direct marketing: outlines when an APP entity can use or disclose personal information for direct marketing.
  • APP 8 Cross-border disclosure of personal information: outlines how an APP entity may disclose personal information outside Australia.
  • APP 9 Adoption, use or disclosure of government related identifiers: limits the use of government related identifiers.

Integrity of personal information
  • APP 10 Quality of personal information: requires an APP entity to take reasonable steps to ensure personal information is accurate, complete and up-to-date.
  • APP 11 Security of personal information: requires an APP entity to take reasonable steps to protect personal information.

Access to, and correction of, personal information
  • APP 12 Access to personal information: requires an APP entity to grant access to personal information.
  • APP 13 Correction of personal information: requires an APP entity to take reasonable steps to correct personal information it holds.

Privacy Act reform

In December 2022 a number of important amendments to the Privacy Act were introduced:

  • expanding its extraterritorial reach;
  • increasing penalties for serious or repeated interferences with privacy to A$2.5m for a person other than a body corporate and, for a body corporate, A$50m or three times the value of the benefit obtained from the conduct, if the court can determine this value, or if the court cannot determine the value of the benefit, 30% of the body corporate's adjusted turnover in the relevant period;
  • strengthening the Notifiable Data Breaches scheme;
  • introducing new information sharing powers between regulatory agencies; and
  • enhancing the powers of the OAIC to investigate and resolve privacy breaches.

Further privacy reform has also been flagged by the Australian government, intended to bring Australia's privacy laws more into line with global standards. The proposals include:

  • adopting the concepts of data "controller" and "processor", as used in European data protection laws;
  • expanding the definition of personal information;
  • removing the small business exemption, subject to certain qualifications;
  • introducing an overriding "fair and reasonable" obligation with respect to the collection, use and disclosure of personal information;
  • introducing a right to erasure;
  • introducing compulsory Privacy Impact Assessments for entities undertaking activities deemed to be high risk; and
  • expanding the regulatory powers of the OAIC.

Mandatory notification of data breaches

The Privacy Act contains a mandatory data breach notification scheme (Scheme). Under the Scheme, an APP entity is required to notify the OAIC and affected individuals as soon as reasonably practicable if there are reasonable grounds to believe that an “eligible data breach” has occurred.

An “eligible data breach” occurs if the unauthorised access, disclosure or loss of the personal information is reasonably likely to result in serious harm to any of the individuals to whom the information relates.

If an APP entity suspects that an “eligible data breach” has occurred, the APP entity is required to engage in a self-assessment exercise to determine whether the breach is an “eligible data breach”.

The OAIC has released four draft guidelines in relation to the Scheme which provide guidance on entities covered by the Scheme, notifying individuals about an eligible data breach, identifying data breaches and the Australian Information Commissioner’s role in the Scheme.

Recent changes to the Privacy Act have strengthened the Notifiable Data Breaches scheme. The Commissioner is now empowered to request information and documents from an APP entity about an actual or suspected eligible data breach and may conduct assessments of an entity's compliance with the scheme.

State and territory-based privacy legislation

State and territory privacy laws primarily regulate state and territory agencies, which are generally not governed by the federal Privacy Act. However, in some states there is also legislation governing the use of health information which applies to both public and private health service providers. For example, in the State of Victoria the applicable state laws include the Privacy and Data Protection Act 2014 (Vic) and the Health Records Act 2001 (Vic).

Consequences of non-compliance

Amongst other things, the OAIC is empowered to investigate complaints made by individuals, investigate breaches of the Privacy Act on its own volition, accept an undertaking by an APP entity to comply with the Privacy Act, and make determinations requiring an APP entity to perform certain acts or refrain from specified action.

An APP entity may be liable for civil penalties for breaches of the Privacy Act. For example, liability for serious and repeated interferences with privacy can result in civil penalties of up to A$444,000 for individuals and A$2,220,000 for bodies corporate.

Spam

The Spam Act 2003 (Cth) (Spam Act) is federal law that prohibits the sending of unsolicited commercial electronic messages with an Australian link.

A message is a commercial electronic message when it has a “commercial purpose”. Examples of commercial electronic messages include an SMS or email offering goods or promoting a website.

A message has an Australian link if the message originates or was commissioned in Australia or is sent from outside Australia to an address accessed in Australia.

The Australian Communications and Media Authority administers the Spam Act and accepts complaints, reports, and enquiries about spam with an Australian link.

Do Not Call Register

The Do Not Call Register is a register of numbers that telemarketers and fax marketers are prohibited from calling. Registration of a number is free and can be completed online.

The onus is on an organisation in the telemarketing or fax marketing business to monitor whether a number has been registered on the Do Not Call Register. Once a number is registered on the Do Not Call Register, telemarketers and fax marketers have 30 days to recognise the registration and thereafter refrain from contacting the registered number.

The Do Not Call Register was established by the Do Not Call Register Act 2006 (Cth) and is administered by the Australian Communications and Media Authority.