Interaction with state and territory laws

13.56 In Chapter 17, the ALRC considers how the Privacy Act interacts with state and territory privacy laws. State and territory laws are sometimes inconsistent with the Privacy Act and with each other. Legislation regulates personal information at the federal level and in New South Wales, Victoria, Tasmania, the ACT and the Northern Territory. Queensland and South Australia have adopted administrative regimes for the management of personal information in their state public sectors. Western Australia does not have a legislative scheme to regulate personal information. State freedom of information legislation and public records legislation, however, provide some privacy protection.[17]

13.57 Further, legislation in New South Wales, Victoria and the ACT regulates health information in the public and private sectors. These Acts overlap substantially with the private sector provisions of the Privacy Act. Regulation of health information in other jurisdictions is restricted to public sector agencies or is the subject of codes and guidelines. Inconsistency and fragmentation in health privacy regulation is discussed in Part H.

Federal, state and territory regimes that regulate personal information

13.58 There is inconsistency in the coverage of the Privacy Act and the state and territory schemes. For example, state-owned corporations, ministers, universities and local governments are regulated under privacy regimes in some states and territories, but not others. The types of personal information regulated at the federal, state and territory level also differ. For example, employee records are excluded from the operation of the Privacy Act. Some state and territory privacy regimes, however, provide limited protection of employee records.

13.59 Although the IPPs, NPPs and privacy principles under state and territory privacy regimes are similar, they are not identical. The privacy regimes in some jurisdictions include privacy principles that are similar to the IPPs, while other jurisdictions have modelled their principles on the NPPs.

13.60 The nature and functions of privacy regulators vary across the jurisdictions. For example, the Privacy Act and other federal legislation provide the Privacy Commissioner with a number of powers and functions, including powers to investigate and conciliate complaints, and approve and monitor privacy codes and guidelines. Although most states and territories have privacy regulators, their nature and functions vary widely. For example, the Privacy Committee of South Australia’s powers and functions are limited when compared to the federal, New South Wales and Victorian privacy commissioners.

13.61 The remedies available to individuals whose privacy rights are infringed can differ according to the jurisdiction in which the complaint is made. For example, the maximum amount of compensation that is payable for an interference with privacy differs across the states and territories.

13.62 As noted above, in Chapter 3 the ALRC recommends that the states and territories enact privacy laws that apply the model UPPs, any relevant regulations that modify the application of the UPPs and relevant definitions used in the Privacy Act, to regulate the public sector in that state or territory. Implementation of this recommendation will go a long way to address inconsistency in the regulation of personal information.

Privacy rules, codes and guidelines

13.63 In addition to the Privacy Act and state and territory legislation, various privacy rules, codes and guidelines regulate the handling of personal information. Sometimes privacy rules, codes and guidelines are required by legislation. Sometimes, however, particular industries or sectors choose to develop guidelines.

13.64 A number of stakeholders noted that if rules, codes and guidelines are not aligned with the Privacy Act, they can contribute to inconsistency and fragmentation. On the other hand, it was also noted that additional privacy rules, codes and guidelines can clarify sector-specific issues and provide more detailed protection for personal information where appropriate.

13.65 In the ALRC’s view, when agencies and organisations are developing privacy rules, codes and guidelines, they should consult with the relevant body responsible for privacy for their industry or sector to ensure that the rules, codes or guidelines will interact and operate effectively with existing privacy laws.

Residential tenancy databases

13.66 Residential tenancy databases (RTDs) are also discussed in Chapter 17. RTDs are electronic databases operated by private companies that contain information about tenants, including their rental history. The purpose of such databases is to enable real estate agents to assess ‘business risk’ on behalf of the property owner. The listings on the database are based on information provided by real estate agents to the database operators. Listings are generally collected from across Australia and can be accessed nationally.

13.67 A number of inquiries have recognised the need for national consistency in the regulation of RTDs. As RTDs contain personal information, they are generally subject to the private sector provisions of the Privacy Act. They are also regulated by legislation in some states and territories. While the states and territories can regulate the actions of the lessors and agents in their jurisdictions, they lack the power to regulate effectively the RTD operators based in other jurisdictions.

13.68 Stakeholders raised a number of concerns about the operation of RTDs, including that: prospective tenants often will have little choice but to consent to a real estate agent passing information on to RTD operators; information stored on RTDs is sometimes inaccurate; and tenants sometimes have difficulties in finding out whether they are listed on RTDs. The ALRC also heard that inconsistent state and territory legislation in relation to RTDs causes a number of problems.

13.69 The states and territories should enact legislation that addresses the relationship between the agent and the tenant. Issues to be covered include informing the tenant of the use of RTDs and the collection of information; and the way that agents interact with RTDs, including such matters as controlling the information provided by agents to RTDs.

13.70 Further, all RTD operators should be regulated by the Privacy Act, regardless of whether they are small business operators or whether they gain consent for the collection or disclosure of an individual’s personal information. The ALRC does not recommend binding rules to regulate RTD operators; however, the Australian Government should continue to monitor the use and operation of RTDs in order to determine whether it should promulgate regulations under the Privacy Act to regulate RTD operators.

[17] On 28 March 2007, the Information Privacy Bill 2007 (WA) was introduced into the Western Australian Parliament. The Bill proposes to regulate the handling of personal information in the state public sector and the handling of health information by the public and private sectors in Western Australia. In May 2008, the Bill had been read for a second time in the Legislative Council.