Doing Business in Australia 2011: Privacy Law

“The Privacy Act 1988 (Cth) (Privacy Act), which is the key legislation regulating the use of personal information in Australia, imposes privacy related obligations on public and private organisations which do business in Australia.”

An “organisation” includes an individual, body corporate, partnership, unincorporated association and a trust. Specifically excluded are registered political parties, state or territory agencies, authorities or prescribed instrumentalities and small businesses (a business with a turnover of less than $3 million a year and which does not trade in personal information, provide a health service, hold health information or provide services to the Federal Government).

The core privacy obligations imposed by the Privacy Act are contained in the ten National Privacy Principles (NPPs). The NPPs contain broad policy statements regarding the collection, use, disclosure, quality and security of personal information by an organisation. An important requirement for foreign organisations is the restriction the NPPs place on the transfer of personal information to a location outside Australia. The two main instances in which a transfer is permitted to occur are where the organisation transferring the information:

  • believes that the recipient of the information will be subject to regulation which is substantially similar to the NPPs, or
  • has taken reasonable steps to ensure that the recipient of the information will not hold, use or disclose the information in a manner that is inconsistent with the NPPs.

The Privacy Act places special requirements on operators in the health, credit-providing and credit-reporting industries and also contains more stringent rules which apply to organisations that collect sensitive information. Sensitive information includes information concerning a person's racial or ethnic origin, political or religious affiliations, membership of a trade association or union, sexual practices, criminal record or health.

Compliance with the NPPs is mandatory but an organisation may seek approval from the Privacy Commissioner to comply with its own code instead of the NPPs.

At State level the requirements of the Privacy Act are supplemented by State legislation and regulations regarding personal and health information. In New South Wales, all employers must abide by the Workplace Surveillance Act 2005 (NSW), which regulates how employees may be monitored while at work.