The Privacy Act

7.31 There is a great deal of existing federal, state and territory regulation of information privacy. At the federal level, information privacy is regulated by the Privacy Act. While the Privacy Act is the major focus of consideration in this chapter, state and territory legislation is also discussed in the context of the need for greater harmonisation across Australian jurisdictions.

7.32 The Privacy Act is intended to protect the personal information of individuals and to give them greater control over how that information is collected, used and disclosed. The legislation sets out certain safeguards that government, private sector organisations and individuals must observe in collecting, storing, using and disclosing personal information. It also gives individuals rights to access and correct their own personal information.

7.33 The Privacy Act contains privacy safeguards set out in a number of Information Privacy Principles (IPPs) and NPPs, which have the force of law.[27] The IPPs cover collection, storage and security, use, disclosure and access to ‘personal information’, which is in a ‘record’ held by an ‘agency’, as those terms are defined in the Privacy Act. With limited exceptions, agencies include only Commonwealth and Australian Capital Territory (ACT) public sector entities.

7.34 Most private sector organisations are covered by the new private sector provisions of the Privacy Act.[28] The organisations covered include all health services holding ‘health information’ as defined by the Privacy Act. The Act extends privacy protection to personal information collected, used and disclosed by private sector entities such as private hospitals, health practitioners and insurance companies.[29]

7.35 Private sector organisations must comply with the NPPs. The NPPs set out how organisations should collect, use and disclose personal information, maintain data quality, keep personal information secure, maintain openness, allow for access and correction of personal information, use identifiers, allow anonymity, conduct transborder data flows and collect sensitive information. Some of these principles are similar to the IPPs. However, among other differences, the NPPs contain special provisions for ‘sensitive information’ and ‘health information’, which is a subset of ‘sensitive information’.

[27] Privacy Act 1988 (Cth) s 14 (IPPs), Sch 3 (NPPs).

[28] The Privacy Amendment (Private Sector) Act 2000 (Cth) came into operation on 21 December 2001 and extended the coverage of the Privacy Act to much of the private sector. The new private sector provisions of the Privacy Act apply to ‘organisations’, which include partnerships, unincorporated associations and bodies corporate. An individual who is self-employed or a sole trader is considered an organisation for the purposes of the Privacy Act. Organisations are generally responsible for the actions of their employees, contractors and subcontractors, all of which are covered by the Privacy Act: ss 6C, 8.

[29] To the extent that genetic information comprises ‘personal information’ and/or ‘health information’ as those terms are defined in the Act: Privacy Act 1988 (Cth) s 6.