Privacy Act exemptions

33.3 There are a number of ways in which entities can be exempt, either completely or partially, from the Privacy Act. Under the existing law, entities may be exempt from the Information Privacy Principles (IPPs), the National Privacy Principles (NPPs) (or an approved privacy code),[3] the tax file number provisions or the credit reporting provisions of the Act.

33.4 Broadly speaking, the IPPs apply to acts and practices of Australian Government agencies and the NPPs apply to acts and practices of private sector organisations.[4] Entities that fall within the definition of an ‘agency’ therefore will be bound by the IPPs; and those that fall within the definition of an ‘organisation’ will be bound by the NPPs. The structural reform of the IPPs and NPPs is discussed in Chapter 18.

33.5 Where entities fall within the definition of an ‘agency’ or an ‘organisation’, their acts and practices may still be exempt from the Privacy Act if those acts or practices are excluded expressly from the reference to an ‘act or practice’ to which the Act applies. Under s 7 of the Act, a reference to an ‘act or practice’ is generally a reference to an act done, or a practice engaged in, by: an agency; a tax file number recipient; a credit reporting agency; or a credit provider. The section, however, excludes a wide range of activities of certain specified entities. For example, while federal courts fall within the definition of an ‘agency’ under the Act, their acts and practices only are covered by the IPPs if they relate to administrative matters.[5] Any activity of the courts that relates to non-administrative matters falls outside the reference to ‘act or practice’ in the Privacy Act and, therefore, is exempt from the Act.

33.6 Part IIIA of the Privacy Act regulates the handling of credit information about individuals by credit reporting agencies and credit providers. Individuals and entities are exempt from the credit reporting provisions where they fall outside the definition of a ‘credit reporting agency’ or a ‘credit provider’, or where their acts and practices are excluded by s 7 of the Act. Credit reporting is discussed in Part G.

Public sector exemptions

33.7 The Privacy Act prohibits an agency from engaging in an act or practice that breaches the IPPs.[6] Agencies include: Australian Government ministers and departments; bodies and tribunals established or appointed for a public purpose by or under Commonwealth and ACT laws; Australian Government statutory office holders and administrative appointees; federal courts; and the Australian Federal Police (AFP). The definition of agency excludes incorporated companies, societies and associations, even if they are established under Commonwealth law.[7]

33.8 Agencies are not subject to the private sector provisions of the Act unless they have been prescribed by regulation.[8] An agency also may be subject to the tax file number provisions and the credit reporting provisions of the Act in some circumstances.[9]

33.9 The definition of agency excludes an organisation within the meaning of the Conciliation and Arbitration Act 1904 (Cth) (now repealed)[10] and a branch of such an organisation.[11] This refers to federally registrable employer and employee associations and federally registrable enterprise associations.[12] In Chapter 5, the ALRC recommends that the Privacy Act be amended to achieve greater logical consistency, simplicity and clarity.[13] Since the Conciliation and Arbitration Act has been repealed, this provision should be updated as part of the recommended amendment of the Act.

33.10 Any act or practice engaged in by, or information disclosed to, a person in the course of employment by, or in the service of, an agency is treated as having been done by, engaged in by, or disclosed to, the agency.[14] A person is not to be regarded as an agency, however, merely because he or she is the holder of, or performs the duties of: a judge or magistrate; a member of a prescribed Commonwealth tribunal; a prescribed office under the Privacy Act or the Freedom of Information Act 1982 (Cth) (FOI Act);[15] or an office established under a Commonwealth or ACT law for the purposes of an agency.[16]

33.11 Chapters 34–38 discuss agencies that are completely or partially exempt from the Privacy Act—namely, defence and intelligence agencies, federal courts and tribunals, specified agencies that are exempt under the FOI Act, certain agencies with law enforcement functions, and others.

Private sector exemptions

33.12 Under existing law, the NPPs bind entities that fall within the definition of an ‘organisation’.[17] An ‘organisation’ is defined as an individual, a body corporate,[18] a partnership,[19] any other unincorporated association,[20] or a trust[21] that is not otherwise exempt from the operation of the Privacy Act.[22] Certain entities are specifically excluded from the definition of ‘organisation’ and are, therefore, exempt from the Act. These exempt entities include small business operators, registered political parties, agencies, state and territory authorities, and prescribed state and territory instrumentalities.[23]

33.13 Certain acts and practices of organisations also fall outside the operation of the Privacy Act. There are five ways in which an act or practice may be excluded from the Act. An act or practice may be excluded from:

  • what constitutes a breach of the NPPs or an approved privacy code;

  • what constitutes an interference with the privacy of an individual;

  • the [reference to] an ‘act or practice’;

  • the operation of the Act; or

  • the operations of the NPPs.[24]

33.14 Chapters 39–43 examine current exemptions from the Privacy Act that apply to organisations, including the small business exemption, the employee records exemption, the journalism exemption, the political exemption and other private sector exemptions. Chapter 44 considers whether new exemptions or exceptions should be introduced.

[3] Where the Privacy Commissioner has approved a privacy code for a particular organisation or industry, it replaces the NPPs for those organisations that are bound by the code. To the extent that an organisation is not bound by such a code, it is bound by the NPPs: Ibid s 16A(2).

[4] Ibid ss 16, 16A.

[5] Ibid ss 6(1), 7(1)(a)(ii), (b).

[6] Ibid s 16.

[7] Ibid s 6(1).

[8] Ibid ss 6C, 7A, 16A.

[9] Ibid ss 11, 11A, 11B.

[10] The Conciliation and Arbitration Act 1904 (Cth) was repealed by s 3 of the Industrial Relations (Consequential Provisions) Act 1988 (Cth).

[11] Privacy Act 1988 (Cth) s 6(1).

[12] Workplace Relations Act 1996 (Cth) sch 2, cl 18.

[13] Rec 5–2.

[14] Privacy Act 1988 (Cth) s 8.

[15] No such offices have been prescribed under either Act.

[16] Privacy Act 1988 (Cth) s 6(5).

[17] Ibid s 16A.

[18] A body corporate is ‘any entity that has a legal personality under Australian law or the law of another country’: Office of the Privacy Commissioner, Coverage of and Exemptions from the Private Sector Provisions (Updated with Minor Amendments 27 November 2007), Information Sheet 12 (2001), 6.

[19] An act done, or a practice engaged in, by one of the partners in a partnership is deemed to be an act or practice of the organisation. The Privacy Act 1988 (Cth) imposes obligations on each partner but they may be discharged by any of the partners: Office of the Privacy Commissioner, Coverage of and Exemptions from the Private Sector Provisions (Updated with Minor Amendments 27 November 2007), Information Sheet 12 (2001), 6.

[20] An unincorporated association includes a cooperative. The Privacy Act 1988 (Cth) also covers acts or practices engaged in by an individual in his or her capacity as a member of the cooperative’s committee of management. The Privacy Act imposes obligations on each member of the committee of management but they may be discharged by any of the members of that committee: Office of the Privacy Commissioner, Coverage of and Exemptions from the Private Sector Provisions (Updated with Minor Amendments 27 November 2007), Information Sheet 12 (2001), 6.

[21] An act or practice engaged in by a trustee is taken to have been engaged in by the trust. Obligations under the Privacy Act 1988 (Cth) are imposed on each trustee but may be discharged by any of the trustees: Office of the Privacy Commissioner, Coverage of and Exemptions from the Private Sector Provisions (Updated with Minor Amendments 27 November 2007), Information Sheet 12 (2001), 6.

[22] Privacy Act 1988 (Cth) s 6C(1).

[23] Ibid s 6C(1).

[24] J Douglas-Stewart, Annotated National Privacy Principles (3rd ed, 2007), [1-650].