Insights

Guide to data protection in Australia

Corporate
Guide to data protection 2021

Corporate partner Lisa Fitzgerald has contributed the Australian chapter to the Terralex Cross-Border Guide to Data Protection.

TerraLex is the premier global network of independent law firms, of which Lander & Rogers is the exclusive member for Australia. The network comprises over 132 firms in 163 jurisdictions, representing more than 22,000 lawyers globally.

This guide looks at the laws and regulations governing data privacy in Australia.

What national laws regulate the processing of personal data in your jurisdiction?

The federal Privacy Act 1988 (Cth), which includes the Australian Privacy Principles (APPs), governs the regulation of personal information in Australia. State and territory laws may also apply, including specific health data regulations.

To whom do the laws apply?

The Privacy Act regulates the way personal information of individuals is handled by relevant organisations, otherwise known as Australian Privacy Principle Entities (APP entities).

An APP entity is generally:

  • an organisation with a turnover of more than AUD3million in a given financial year; or
  • a Commonwealth Government agency; or
  • a provider of a health service or otherwise holds health information;
  • if none of the above, an entity who has voluntarily opted in to be covered by the Act.

Certain entities are specifically excluded from the definition of an "organisation" and are, therefore, exempt from the Act. Those exempt entities include small business operators (excluding those providing health services or holding health information), registered political parties, state and territory authorities, and prescribed state and territory instrumentalities.

What type of data is covered by the law?

Data consisting of "personal information" collected in Australia is covered by the Privacy Act.

Personal information is defined under the Act as information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether the information or opinion is recorded in a material form or not.

Personal information includes, for example, a person's name or address and can include bank account information, credit history or photos. Personal information also includes "sensitive information" about an individual. Sensitive information is defined under the Act as information or an opinion about an individual's racial or ethnic origin, political opinion, religious beliefs, sexual orientation, or criminal record, provided the information or opinion otherwise meets the definition of personal information.

What are the main exemptions?

Personal information contained in employee records such as training, membership of professional associations, tax, banking and superannuation details and personal and emergency contact details, is not regulated by the Privacy Act. This is known as the employee records exemption.

What rights do the laws grant to the data owners?

None under the Privacy Act. However, there may be separate database rights available as electronic "compilations" under the Australian Copyright Act 1968 (Cth).

What are the lawful grounds for processing personal data or sensitive personal data?

An organisation must only collect personal information which is reasonably necessary for one or more of the entity's functions or activities.

Determining whether a particular collection of personal information is permitted involves a two-step process:

  • identifying an APP entity's functions or activities
  • determining whether the particular collection of personal information is reasonably necessary for one of those functions or activities

Additional requirements are imposed on the collection of sensitive information about an individual. In that case, the APP entity must:

  • ensure the collection of sensitive information is reasonably necessary for one or more of the entity's functions or activities, and
  • obtain consent to the collection from the individual about whom the sensitive information relates.

Consent need not be express, but if an opt-out option is not given at the time personal information is collected, an organisation may not be permitted to assume implied consent. Australian privacy law does not recognise categories of "data processors" or "data controllers". There are only APP entities.

What are the main obligations imposed by the law?

The 13 Australian Privacy Principles impose the following obligations on APP entities:

  1. APP entities must manage personal information in an open and transparent way.
  2. APP entities must give individuals the option of not identifying themselves.
  3. APP entities can collect personal information and sensitive information in accordance with standards.
  4. APP entities must deal with unsolicited personal information in a specific way.
  5. An APP entity that collects personal information about an individual must take reasonable steps either to notify the individual or certain matters or to ensure the individual is aware of those matters.
  6. APP entities can only use or disclose personal information for a purpose for which it was collected.
  7. An organisation must not use or disclose personal information it holds for the purpose of direct marketing unless an exception applies.
  8. Before an APP entity discloses personal information to an overseas recipient, the entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information.
  9. An organisation must not adopt, use, or disclose a government-related identifier unless an exception applies.
  10. An APP entity must take reasonable steps to ensure that the personal information it collects is accurate, up-to-date, and complete.
  11. An APP entity must take reasonable steps to destroy or de-identify the personal information it holds once the personal information is no longer needed for the purpose for which the personal information may be used or disclosed under the APPs.
  12. An APP that holds personal information about an individual must give individual access to that information on request.
  13. An APP entity must take reasonable steps to correct personal information to ensure that it is accurate, up-to-date, relevant, and not misleading.

Do the laws establish a data retention period to be observed?

No data retention period is established under the Privacy Act. However, APP 11 provides that an APP entity must take reasonable steps to destroy or de-identify the personal information it holds once the personal information is no longer needed for the purpose for which the personal information may be used or disclosed under the APPs.

Must the data processing activities be recorded under the law?

Data processing is not a concept under the Privacy Act. However, APP entities are required to take reasonable steps to notify individuals of certain matters including:

  • the APP entity's identity and contact details
  • the fact and circumstances of collection
  • whether the collection is required or authorised by law
  • the purposes of collection
  • the consequence if personal information is not collected
  • the entity's usual disclosures of personal information of the kind collected by the entity
  • information about the entity's privacy policy
  • whether the personal information is likely to be disclosed to overseas recipients and, if practicable, the countries where they are located.

Is there a Data Protection National Authority? If so, what is the National Authority's main role?

The Office of the Australian Information Commissioner (OAIC) is the independent statutory agency endowed with functions under the Privacy Act and other legislation relating to data legislation.

The role of the OAIC is to promote and uphold privacy and information access rights. The OAIC is tasked with matters including conducting investigations, handling complaints, monitoring of agency administration, and advising the public, organisations and agencies.

Does the law impose the obligation of designating a data protection officer (DPO)? If so, what is the role of the DPO under the law?

The Privacy Act does not require the designation of a privacy officer. However, the Australian privacy regulator, the OAIC, has issued guidance setting out recommended practices, including appointing a privacy officer or multiple officers depending on the size of the business.

What rules regulate the transfer of data outside your jurisdiction?

Australian Privacy Principle 8 outlines the steps an APP entity must take to protect personal information before it is disclosed overseas.

The cross-border disclosure framework provides that before an APP entity discloses personal information about an individual to an overseas recipient, the entity must take reasonable steps to ensure that the recipient does not breach the Australian Privacy Principles in relation to that information. Where an entity discloses personal information to an overseas recipient, it is accountable for an act or practice of the overseas recipient that would breach these principles.

Is it necessary to notify the National Authority prior to the international transfer?

No, this is not required.

Do the laws impose any information security standards and/or requirements?

APP 11 establishes personal information security standards that an APP entity must follow to protect personal information at all stages of the information cycle.

Do the laws establish any kind of mandatory notification duty?

The Privacy Act establishes a framework for mandatory data breaches notification which requires that organisations notify individuals and the Australian Information Commissioner when a data breach occurs that is likely to result in serious harm.

What are the sanctions for noncompliance with data protection laws?

An act or practice of an APP entity is an interference with the privacy of an individual if the act or practice breaches an APP or a registered APP code in relation to personal information about the individual. If an entity engages in serious interference with the privacy of an individual, or repeated acts of interference with the privacy of one or more individuals, the civil penalty is 2,000 penalty units or AUD220 000. The maximum civil penalty available under the Privacy Act has increased to AUD2.1million for bodies corporate or AUD420,000 for individuals.

The Privacy Act is currently under review by the Australian federal government.

Visit the Terralex website for the full Guide to Data Protection covering all jurisdictions.

All information on this site is of a general nature only and is not intended to be relied upon as, nor to be a substitute for, specific legal professional advice. No responsibility for the loss occasioned to any person acting on or refraining from action as a result of any material published can be accepted.

Key
Contacts