Doing Business in Australia 2013: Privacy Law

“The Privacy Act 1988 (Cth) (Privacy Act) is the key legislation regulating the use of personal information in Australia. It imposes privacy-related obligations on public and private organisations which do business in Australia, in relation to the collection, use, disclosure and storage of personal information.”

An “organisation” includes an individual, body corporate, partnership, unincorporated association and a trust. Specifically excluded are, among other entities, small businesses (defined as a business with a turnover of $3 million or less a year which does not trade in personal information, provide a health service, hold health information or provide services to the Federal Government).

The core privacy obligations for private sector organisations are currently contained in ten National Privacy Principles (NPPs). The NPPs contain broad policy statements regarding the collection, use, disclosure, quality and security of personal information. 

An important requirement for foreign organisations is the restriction the NPPs place on the transfer of personal information to a location outside Australia. The three main instances in which a transfer is permitted to occur are where the organisation transferring the information:

  • believes that the recipient of the information will be subject to regulation which is substantially similar to the NPPs; 
  • has taken reasonable steps to ensure that the recipient of the information will not hold, use or disclose the information in a manner that is inconsistent with the NPPs; or
  • has obtained consent to transfer the information.

The Privacy Act places special requirements on operators in the health, credit providing and credit reporting industries. It also contains more stringent rules which apply to organisations which collect sensitive information, which includes information concerning a person’s racial or ethnic origin, political or religious affiliations, membership of a trade association or union, sexual practices, criminal record or health.

At present, there is an exemption from the NPPs in relation to “employee records”, although this can be a limited category.

Compliance with the NPPs is mandatory, but an organisation may seek approval from the Privacy Commissioner to comply with its own code instead of the NPPs.

The Privacy Act has been significantly reformed by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth), introduced at the end of 2012. The resulting changes to the Privacy Act will commence in March 2014.

The most significant change is that the NPPs will be replaced with a new set of principles known as the Australian Privacy Principles (APPs). The thirteen APPs will apply to both Australian government agencies and the private sector. Among other things, the new APPs place greater accountability on an organisation involved in transferring personal information overseas by requiring that organisation to take reasonable steps to ensure that the recipient of the information does not breach the APPs.

All organisations must ensure that they are compliant with the new privacy reforms, including the APPs, by the March 2014 commencement date.

At State level, the requirements of the Privacy Act are supplemented by State legislation and regulations concerning personal and health information. In New South Wales, all employers must comply with:

  • the Workplace Surveillance Act 2005 (NSW) which regulates how employees may be monitored while at work, including in relation to video surveillance and computer tracking/monitoring of emails; and
  • the Health Records and Information Privacy Act 2002 (NSW) in relation to “health information” of individuals.

It is recommended that organisations appoint an employee to assume the duties of “Privacy Officer” and maintain a compliant privacy policy.