The federal system

3.3 The Australian Constitution establishes a federal system of government in which legislative powers are distributed between the Commonwealth and the six states. Section 109 of the Australian Constitution provides that: ‘when a law of a State is inconsistent with a law of the Commonwealth, the latter shall prevail, and the former shall, to the extent of the inconsistency, be invalid’. This provision may operate in two ways: it may directly invalidate state law where it is impossible to obey both the state law and the federal law;[5] or it may indirectly invalidate state law where the Australian Parliament’s legislative intent is to ‘cover the field’ in relation to a particular matter.[6]

3.4 It has been observed that inconsistency in the regulation of personal information stems largely from the failure of federal law to ‘cover the field’.[7] Section 3 of the Privacy Act states:

It is the intention of the Parliament that this Act is not to affect the operation of a law of a State or of a Territory that makes provision with respect to the collection, holding, use, correction, disclosure or transfer of personal information (including such a law relating to credit reporting or the use of information held in connection with credit reporting) and is capable of operating concurrently with this Act.

3.5 The provision makes clear that the Australian Parliament did not intend to ‘cover the field’ or to override state and territory laws relating to the protection of personal information, if such laws are capable of operating alongside the Privacy Act. Section 3 of the Privacy Act does not, however, sit comfortably with s 3 of the Privacy Amendment (Private Sector) Act 2000 (Cth), which states that one of the objects of the Act is:

to establish a single comprehensive national scheme providing, through codes adopted by private sector organisations and National Privacy Principles, for the appropriate collection, holding, use, correction, disclosure and transfer of personal information by those organisations.[8]

3.6 A number of the states and territories have enacted privacy legislation regulating the handling of personal information in the state and territory public sectors. These regimes are sometimes inconsistent with the Privacy Act and with each other.[9] Further, New South Wales, Victoria and the ACT all have legislation that regulates the handling of personal health information in the public and private sectors. This means that health service providers and others in the private sector in those jurisdictions are required to comply with both federal and state or territory legislation.[10]

3.7 Although the Information Privacy Principles (IPPs), the National Privacy Principles (NPPs) and privacy principles under state and territory privacy legislation are similar, they are not identical. The privacy regimes in some jurisdictions include privacy principles that are similar to the IPPs, while other jurisdictions have modelled their principles on the NPPs.[11]

3.8 The Office of the Privacy Commissioner (OPC) review of the private sector provisions of the Privacy Act (OPC Review) recommended that the Australian Government should consider amending s 3 of the Privacy Act to remove any ambiguity as to the regulatory intent of the private sector provisions.[12]

[9] See discussion in Chs 2, 17.

[10] For further discussion of national consistency in the regulation of health information, see Part H.

[11] See discussion in Chs 2, 17.

