Overview of the Privacy Act

Agencies and organisations

5.9 Broadly speaking, the IPPs regulate the activities of Australian Government public sector agencies. ‘Agency’ is defined to include ministers, departments, federal courts and other bodies established for a public purpose.[12] The NPPs regulate the activities of private sector organisations. ‘Organisation’ is defined as an individual, a body corporate, a partnership, any other unincorporated association or a trust.[13] There are a number of exceptions to, and exemptions from, the definitions of ‘agency’ and ‘organisation’.[14]

Acts and practices

5.10 The Privacy Act applies to ‘acts and practices’, that is, acts done and practices engaged in by agencies or organisations. The Act includes a wide range of exemptions for particular acts and practices discussed briefly below and in more detail in Part E.

5.11 For the purposes of this Report, the ALRC distinguishes between the terms ‘handling’ and ‘processing’ of personal information. The ALRC uses the term handling personal information to refer to all acts and practices in the information cycle including collection, use, disclosure, storage and destruction of personal information no matter what mechanism is used. The ALRC uses the term processing to refer to electronic processing of personal information. The ALRC notes that the European Union Article 29 Data Protection Working Party has drawn the same distinction in its Opinion 4/2007 on the Concept of Personal Data.[15]

Exemptions and exceptions

5.12 The Privacy Act contains a range of exemptions and exceptions. They are found throughout the Act, in the definitions of some terms, in specific exemption provisions, and in the IPPs and NPPs themselves. This Report distinguishes between exemptions and partial exemptions to the requirements set out in the Act, and exceptions to the privacy principles. An exemption applies where a specified entity or a class of entity is not required to comply with any requirements in the Act. A partial exemption applies where a specified entity or a class of entity is required to comply with either: some, but not all, of the provisions of the Act; or some or all of the provisions of the Act, but only in relation to certain of its activities. For example, the federal courts are partially exempt as they only are required to comply with the Act in relation to their administrative activities. An exception applies where a requirement in the privacy principles does not apply to any entity in a specified situation or in respect of certain conduct. These distinctions are discussed in more detail in Chapter 33.

5.13 The acts and practices of some Australian Government agencies—including the intelligence agencies: the Australian Secret Intelligence Service, the Australian Security Intelligence Organisation and the Office of National Assessments—are completely exempt from the Privacy Act.[16]

5.14 Certain acts and practices of other agencies are also exempt. For example, while federal courts fall within the definition of agency for the purposes of the Privacy Act, only some acts and practices of federal courts are covered by the Act.[17] Acts and practices in relation to administrative functions such as personnel files, operational and financial records, and mailing lists, for example, are covered.[18] However, acts done and practices engaged in as part of the courts’ judicial functions are not covered.

5.15 In relation to the private sector, the definition of organisation specifically excludes many small business operators and registered political parties. Small businesses are defined in the Privacy Act as those with an annual turnover of $3 million or less. This exemption was included in order to avoid the imposition of unjustified compliance costs on small business.[19] Some small businesses that pose a higher risk to privacy—for example, small businesses that hold health information and provide health services or those that trade in personal information—are covered by the Act.[20] Other small business operators may choose to opt in to the regime[21] or may be brought into the regime by regulation.[22]

5.16 State and territory public sector authorities fall outside the definition of ‘agency’ and are specifically excluded from the definition of ‘organisation’. States and territories may request, however, that such authorities be brought into the regime by regulation.[23]

5.17 The Privacy Act does not apply to personal information being collected, used or disclosed for personal, family or household purposes.[24]

5.18 The Privacy Act includes an exemption for employee records. Organisations are exempt in relation to past or present employees if the relevant act or practice is directly related to an employee record and the employment relationship.[25] At the time the private sector amendments were passed, the Attorney-General noted that this type of personal information was deserving of privacy protection but that the issue was more appropriately dealt with in workplace relations legislation.[26] To date, however, the issue has not been effectively dealt with in this way and so employee records in the private sector remain without adequate privacy protection.

5.19 Media organisations are exempt in relation to acts or practices in the course of journalism.[27] A media organisation is an organisation whose activities consist of or include the collection, preparation and dissemination of news, current affairs, information or documentaries. Media organisations can claim the exemption if they have publicly committed to observing published, written standards that deal with privacy in the context of media activities. This exemption is intended to allow a free flow of information to the public through the media.[28]

5.20 Political acts and practices by political representatives, such as parliamentarians, are exempt where those acts and practices relate to the political process. Contractors, subcontractors and volunteers working for registered political parties or political representatives also may be exempt where their acts or practices are related to the political process.[29]

5.21 The IPPs and NPPs include a number of exceptions. For example, under IPP 6 individuals are entitled to access their own personal information except to the extent that a record‑keeper is required or authorised by or under law to refuse to provide the individual with access. IPP 10 provides that personal information shall not be used for any purpose other than the purpose for which it was collected. This principle is subject to specified exceptions, for example, where the use of the information for that other purpose is: necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person; required or authorised by or under law; or necessary to enforce the criminal law. There are similar exceptions relating to the disclosure of personal information under IPP 11.

5.22 The NPPs contain a range of similar exceptions as well as specific and qualified exceptions for the use of non-sensitive information for direct marketing purposes[30] and the use of health information for research, or the compilation or analysis of statistics, relevant to public health or public safety.[31]

Information Privacy Principles

5.23 The 11 IPPs are based on the OECD Guidelines.[32] The IPPs are a central feature of the Privacy Act and are discussed in detail in Part D. The IPPs require that Australian Government agencies have a lawful purpose for collecting personal information, and that the purpose is related to the functions or activities of the agency.[33] An agency collecting personal information from an individual must ensure that: that individual is generally aware of the purpose for which the information is being collected; whether the collection is authorised or required by or under law; and the agency’s usual practices in relation to disclosure of such information.[34] The IPPs require agencies to ensure that information is relevant, up-to-date and complete.[35]

5.24 Agencies must also store information securely[36] and provide information about the type of personal information they hold.[37] Subject to certain exceptions, agencies must provide individuals with access to personal information about them and correct the information they hold to ensure that it is accurate, up-to-date, relevant, complete and not misleading.[38] Agencies must generally seek an individual’s permission to use or disclose information for a purpose that is not directly related to the purpose for which it was collected.[39]

National Privacy Principles

5.25 The 10 NPPs—developed in consultation with private sector organisations—apply in the private sector where no approved privacy code has been put in place.[40] The NPPs are discussed in detail in Part D. The NPPs require that organisations collect personal information by lawful and fair means and not in an unreasonably intrusive manner. The information must be necessary for one of the organisation’s functions or activities and must be collected from the individual concerned, where it is reasonable and practicable to do so.[41] Sensitive information, including health information, may only be collected with consent except in specified circumstances.[42]

5.26 Organisations may only use and disclose personal information for the purpose for which it was collected, except in a number of defined circumstances. For example, an organisation may use personal information for a related purpose if that would be within the reasonable expectations of the individual.[43] Organisations must take reasonable steps to ensure that the personal information they handle is accurate, complete and up-to-date,[44] and must protect the information from misuse and loss and from unauthorised access, modification or disclosure.[45] Organisations must also take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed.[46]

5.27 On request, organisations are required to let individuals know what sort of personal information they hold and how they handle that information,[47] and to give individuals access to the information held about them unless particular exceptions apply.[48] There are limits on the use of government identifiers by the private sector,[49] and on transferring personal information overseas.[50] Organisations are also required to have a written privacy policy, which sets out how the organisation manages personal information, and to make the policy available to anyone who asks for it.[51]

Approved privacy codes

5.28 The Privacy Amendment (Private Sector) Act 2000 (Cth) introduced Part IIIAA into the Privacy Act, which allows private sector organisations and industries to develop and enforce their own privacy codes. Once the Privacy Commissioner approves a privacy code, it replaces the NPPs for those organisations bound by the code.[52] Codes may also set out procedures for making and dealing with complaints. Such codes must provide for the appointment of an independent adjudicator to whom complaints may be made.[53]

5.29 The aim of amending the Act in this way was to encourage private sector organisations and industries to develop privacy codes of practice.[54] To date, only four codes have been approved by the Privacy Commissioner: the Market and Social Research Privacy Code, the Queensland Club Industry Privacy Code, the Biometrics Institute Privacy Code and the General Insurance Information Privacy Code. The General Insurance Information Privacy Code has since been revoked. Privacy codes are discussed further in Chapter 48.

Interference with privacy

5.30 Part III Division 1 of the Privacy Act sets out what amounts to an ‘interference with privacy’, that is, a breach of the Act that gives grounds for a complaint to the Privacy Commissioner or an independent adjudicator appointed under an approved privacy code. An act or practice by an agency that breaches an IPP is an interference with privacy.[55] An act or practice by an organisation that breaches an NPP or an approved privacy code is an interference with privacy.[56] An interference with privacy may also arise in other areas including: credit reporting, the handling of TFN information, and data-matching.

Credit reporting

5.31 As noted above, the Privacy Act was amended in 1990—following public controversy over the credit industry’s intention to introduce a system of ‘positive’ (more comprehensive) credit reporting[57]—to provide safeguards for individuals in relation to consumer credit reporting.[58] In particular, Part IIIA of the Act regulates the handling of credit reports and other credit worthiness information about individuals by credit reporting agencies and credit providers. The Privacy Commissioner is required to issue a Code of Conduct that, together with Part IIIA, applies privacy protections to the handling of personal credit information.[59] The current Code includes amendments made following a number of reviews.[60] The credit reporting provisions have been the subject of criticism[61] and are considered in detail in Part G.

Tax file numbers

5.32 TFNs are unique numbers issued by the Australian Taxation Office (ATO) to identify individuals, companies and others who lodge income tax returns with the ATO. The Privacy Act provides for the making of specific guidelines in relation to the collection, storage, use and security of TFN information relating to individuals.[62] The TFN Guidelines, issued under s 17 of the Privacy Act, are legally binding. A breach of the guidelines is an interference with privacy and provides grounds for a complaint to the Privacy Commissioner.[63] Interim Guidelines contained in a schedule to the Privacy Act operated until they were replaced with the Tax File Number Guidelines 1990. The current guidelines were issued in 1992 and have been amended on a number of occasions.[64]

Privacy Commissioner

5.33 The Privacy Act establishes the position of the Privacy Commissioner as an independent statutory officer who is appointed by the Governor-General for a period of up to seven years.[65] The powers and role of the Privacy Commissioner are examined in detail in Part F.

Office of the Privacy Commissioner

5.34 The Privacy Act establishes the OPC—consisting of the Privacy Commissioner and his or her staff—as a statutory agency to oversee the implementation of the Privacy Act.[66] The Office consists of the following sections:

  • the Executive Unit;
  • the Compliance section;
  • the Policy section; and
  • the Corporate and Public Affairs section.

5.35 The Executive Unit comprises the Privacy Commissioner, Deputy Commissioner, Assistant Commissioner and staff.

5.36 The Compliance section investigates complaints from individuals about agencies and organisations. It also investigates possible breaches of the Data-matching Program (Assistance and Tax) Act 1990 (Cth) and associated Guidelines, the TFN Guidelines, and the guidelines in force under the National Health Act 1953 (Cth). In addition, the section audits agencies, credit providers and credit reporting agencies. Compliance also conducts audits under s 309 of the Telecommunications Act 1997 (Cth). The Enquiries Line is located in the Compliance section and provides assistance to individuals in relation to their rights under the Privacy Act and related legislation. It also provides advice to agencies and organisations on how to comply with the Act and related legislation.

5.37 The Policy section provides guidance and advice to agencies and organisations on privacy issues; examines and makes submissions on proposed legislation; comments on inquiries that have significant privacy implications; and seeks to keep up-to-date on technological and social developments that affect individual privacy. The Corporate and Public Affairs section assists the OPC in communicating with stakeholders through publications, media relations, speech writing, events and the OPC website.[67]

Functions of the Privacy Commissioner

5.38 The Privacy Commissioner’s functions are set out in a number of Acts including the Privacy Act. Those in the Privacy Act include:

  • promoting an understanding and acceptance of the IPPs and the NPPs and undertaking educational programs in relation to privacy;
  • investigating acts or practices that may breach the IPPs or NPPs, either in response to complaints or on the Commissioner’s own initiative;
  • auditing the handling of personal information by agencies to ensure that they comply with the IPPs;
  • considering and approving privacy codes and reviewing the operation of the codes and decisions of adjudicators appointed under those codes;
  • considering legislation that might impact on privacy and ensuring that any adverse effects are minimised;
  • undertaking research into and monitoring developments in data processing and computer technology to ensure that any adverse privacy effects of such developments are minimised;
  • publishing various guidelines, including binding guidelines, on the development of privacy codes and the use of health information for medical research;[68] and
  • providing advice to the Minister and others.[69]

5.39 As noted above, the Privacy Commissioner also has functions under the Privacy Act in relation to TFN information and credit reporting. In addition, the Commissioner has responsibilities under the:

  • Data-matching Program (Assistance and Tax) Act 1990 (Cth) in regulating the conduct of Australian Government data-matching programs. The Privacy Commissioner is required to issue guidelines under the Act and has the power to investigate acts or practices that may breach the guidelines;[70]
  • National Health Act 1953 (Cth) in regulating the handling of Medicare and Pharmaceutical Benefits Program claims information. The Privacy Commissioner is required to issue guidelines under the Act and has the power to investigate acts or practices that may breach the guidelines;[71]
  • Crimes Act 1914 (Cth) in regulating the handling of information about spent convictions. Part VIIC of the Act provides for a spent convictions scheme that prevents discrimination against individuals on the basis of certain previous convictions. The Commissioner has the power to investigate complaints about breaches of Part VIIC;[72] and
  • Telecommunications Act 1997 (Cth) in monitoring disclosures of personal information to law enforcement agencies and consulting on industry codes and standards in a range of consumer protection and privacy areas.[73]

5.40 In performing his or her functions, the Privacy Commissioner is required to take certain matters into account, including Australia’s international obligations and relevant international guidelines on privacy. The Commissioner is also required to have due regard to the protection of important human rights and social interests that compete with privacy such as the free flow of information through the media and the right of government and business to achieve their objectives in an efficient way.[74]

Investigations

5.41 The Privacy Commissioner has the power to investigate—on his or her own motion, or in response to a complaint—acts and practices of agencies or organisations that may breach the IPPs or NPPs.[75] In conducting such investigations, the Commissioner can require the production of documents and information, and may also require people to appear and answer questions.[76] The Commissioner may examine such witnesses on oath or affirmation.[77]

5.42 The Privacy Commissioner may make a determination where there has been a breach of the IPPs or NPPs.[78] The Commissioner may determine that the conduct must not be repeated; that the agency or organisation must take action to redress the loss or damage caused; or that the complainant is entitled to a specified amount of compensation. The Commissioner also may dismiss the complaint or decide to take no further action. Such determinations, however, are not binding as between the parties. If it becomes necessary to enforce the determination, action must be taken in the Federal Court or the Federal Magistrates Court.[79]

Public Interest Determinations

5.43 The Privacy Commissioner has the power to make Public Interest Determinations (PIDs) and Temporary Public Interest Determinations (TPIDs) that exempt certain acts and practices from the operation of the Act, where they would otherwise be a breach of the IPPs or NPPs.[80] The Commissioner may issue a PID where he or she is satisfied that the public interest in an agency or organisation doing an act or engaging in a practice substantially outweighs the public interest in adhering to the IPPs or NPPs. The Privacy Commissioner may make a TPID, in limited circumstances, where an application for a PID contains matters of an urgent nature.

5.44 The Privacy Commissioner has made 10 PIDs to date. PIDs and TPIDs are disallowable instruments under the Legislative Instruments Act 2003 (Cth). They must be tabled in the Australian Parliament and are then subject to disallowance.[81]

Privacy Advisory Committee

5.45 The Privacy Act provides for the establishment of a Privacy Advisory Committee made up of the Privacy Commissioner and not more than six other members.[82] The Act requires that members of the Advisory Committee have a range of expertise, for example, in industry or public administration, the trade union movement, electronic data processing, social welfare and civil liberties.[83]

5.46 The Advisory Committee is intended to provide high-level strategic advice to the Privacy Commissioner and, subject to any direction by the Commissioner, to engage in community education and consultation.[84]

Privacy regulations

5.47 Section 100(1) of the Privacy Act provides that:

The Governor-General may make regulations, not inconsistent with this Act, prescribing matters:

(a) required or permitted by this Act to be prescribed; or

(b) necessary or convenient to be prescribed for carrying out or giving effect to this Act.

5.48 Various other provisions in the Act also provide for the making of regulations. Section 6(5C), for example, states that the regulations may provide that businesses or undertakings of a specified kind are not credit reporting businesses within the meaning of the Act. Section 6E provides that the regulations may prescribe certain small business operators to be organisations for the purposes of the Act. Section 6F provides that the regulations may prescribe certain state and territory authorities and instrumentalities to be organisations for the purposes of the Act.

5.49 In Chapter 54, the ALRC recommends that the provisions dealing with credit reporting be promulgated as regulations under the Privacy Act.[85] In Chapter 60, the ALRC recommends that the provisions dealing specifically with the handling of health information be promulgated as regulations under the Act.[86] Both these sets of regulations are intended to modify the operation of the model Unified Privacy Principles (UPPs)—discussed in detail in Part D—in relation to credit reporting information and health information respectively.

5.50 In the Discussion Paper, Review of Australian Privacy Law (DP 72),[87] the ALRC proposed that the Privacy Act should be amended to provide for the making of regulations that modify the operation of the UPPs to impose different or more specific requirements in particular contexts, including imposing more or less stringent requirements on agencies and organisations than are provided for in the UPPs.[88] This proposal was based on the view that such modifications can be consistent with the Privacy Act—and with the objects of the Privacy Act recommended below[89]—even where they impose less stringent requirements on agencies and organisations than those imposed by the UPPs. For example, it may be necessary to modify the operation of the UPPs in order to achieve an appropriate balance between the public interest in protecting the privacy of individuals with other public interests, such as allowing important public health research to proceed.

Submissions and consultations

5.51 The OPC did not support this proposal. The OPC was concerned that the proposed regulation-making power seemed to envisage the making of regulations that would be inconsistent with the Privacy Act. The Office was of the view that the regulation-making power should continue to be modified by the phrase ‘not inconsistent with this Act’. The OPC also expressed concern about allowing statutory protections to be modified by regulation, and noted that the Australian Government Legislation Handbook provides that rules that have a significant impact on individual rights and liberties should be implemented through Acts of Parliament.[90]

5.52 Telstra stated that:

There are two major concerns with this proposal. First, regulations are not the most appropriate mechanism for modifying primary legislation in this way. Under the proposal, the regulations will contain substantial obligations inconsistent with the Privacy Act. Regulations are delegated legislation and disallowable instruments, not legislation, and it is inappropriate for regulations to significantly modify primary legislation passed by the Parliament.

Second, regulations are capable of being changed relatively easily, which gives rise to a concern that there will be insufficient checks and balances applicable to the process of changing the privacy regime governing some of these specific industries. Given the significance of the industry specific regulatory regime, it should be dealt with through primary legislation and only changed by an amending Act.[91]

5.53 The Australian Bankers’ Association (ABA) was also concerned that the proposal may result in ongoing changes to compliance obligations.[92]

5.54 The Office of the Victorian Privacy Commissioner (OVPC), and a number of other stakeholders, did not support allowing the regulations to impose less stringent requirements than the UPPs.[93] The Public Interest Advocacy Centre (PIAC) noted that:

PIAC is concerned that such an approach may lead to a gradual erosion of privacy protection through subordinate legislation as has happened in New South Wales. In recent years, the NSW Government has gradually watered down the Privacy and Personal Information Protection Act 1998 (NSW) through successive regulations and other statutory instruments, sometimes without consulting the Privacy Commissioner.[94]

5.55 A number of stakeholders also stated that allowing the UPPs to be modified by regulation might undermine the aim of harmonisation or create unnecessary complexity.[95] The OVPC noted that any such regulations will need to be replicated in state and territory legislation in order to maintain national consistency.[96]

5.56 On the other hand, Microsoft Asia Pacific noted that the Legislative Instruments Act requires consultation where practicable and appropriate before the making of regulations and other legislative instruments. This is particularly the case where the regulations are likely to have a direct or substantial indirect effect on business.[97] Microsoft Asia Pacific expressed the view that this would

help to ensure that proposed regulations have no unintended consequences, and that they are an appropriate and effective means of regulating the particular context in which they are intended to apply.[98]

5.57 Google Australia also supported the proposal in principle submitting that:

A flexible approach to regulation is essential in a landscape where technology is developing at a pace that is quicker than the capacity for legislation to address the challenges posed by new technologies.[99]

5.58 The Australian Government Department of Human Services expressed support for the proposal, but noted that a similar outcome could be achieved more easily and with the same level of legal certainty, oversight and transparency using other forms of legislative instrument, rather than regulations. The department did not indicate, however, what form of instrument would be appropriate.[100] The Australian Privacy Foundation also supported the proposal in principle, but noted that any derogation from the UPPs should be ‘positively affirmed’ by the Australian Parliament rather than left to the discretion of the Privacy Commissioner.[101] Other stakeholders expressed unqualified support for the proposal.[102]

ALRC’s view

5.59 The ALRC did not propose, and is not recommending, a regulation-making power that is inconsistent with the Privacy Act. The ALRC is recommending a regulation-making power that allows modifications to be made to the UPPs. In the ALRC’s view, such modifications can be consistent with the Privacy Act, even where they impose less stringent requirements than the UPPs on agencies and organisations. The ALRC agrees with the OPC that the regulation-making power should continue to be modified by the phrase ‘not inconsistent with this Act’ and has included this qualification in the recommendation below.

5.60 The ALRC notes, in addition, that the Australian Government Legislation Handbook states that matters subject to frequent change and other matters may be included in subordinate legislation in order to streamline primary legislation. The ALRC has recommended that amendments to the UPPs relevant only to health information, for example, be included in the new Privacy (Health Information) Regulations for these reasons.[103] This regulatory framework will allow the UPPs to remain as streamlined as possible, while providing flexibility to adapt the UPPs where necessary in particular contexts.

5.61 The Act should make clear that the regulations may modify the operation of the UPPs to impose different or more specific requirements in particular contexts, including imposing more or less stringent requirements on agencies and organisations than are provided for in the UPPs. The Privacy Commissioner may currently modify the operation of the IPPs and NPPs by making a Public Interest Determination (PID). PIDs are issued on the basis that the public interest in a particular act or practice outweighs the public interest in maintaining the level of protection provided by the IPPs or NPPs. This means that a PID may put in place a regime which imposes different or more specific requirements in particular contexts, including imposing less stringent requirements on agencies and organisations than are provided for in the IPPs and NPPs. The Privacy Commissioner should retain the power to issue PIDs.[104] In developing regulations that would modify the application of the UPPs, similar issues would have to be considered in order to ensure that the regulations were consistent with the Privacy Act.

5.62 In Chapter 3, the ALRC recommends that the Australian Government and state and territory governments establish an intergovernmental cooperative scheme under which each state and territory would enact legislation regulating the handling of personal information in that state or territory’s public sector. Such legislation would apply the UPPs, any relevant regulations that modify the application of the UPPs and relevant definitions used in the Privacy Act.[105] To promote and maintain uniformity across the jurisdictions, the ALRC also recommends that the Standing Committee of Attorneys-General (SCAG) should develop an intergovernmental agreement to ensure that any proposed changes to these key elements must be approved by SCAG and, where relevant, the Australian Health Ministers’ Conference.[106] Any regulations enacted that would amend the UPPs would have to be considered and approved in this way.

Recommendation 5-1 The regulation-making power in the Privacy Act should be amended to provide that the Governor-General may make regulations, consistent with the Act, modifying the operation of the model Unified Privacy Principles (UPPs) to impose different or more specific requirements, including imposing more or less stringent requirements, on agencies and organisations than are provided for in the UPPs.

[12] Privacy Act 1988 (Cth) s 6(1).

[13] Ibid s 6C.

[14] Exceptions and exemptions to the Privacy Act are discussed in detail in Part E.

[15] European Union Article 29 Data Protection Working Party, Opinion 4/2007 on the Concept of Personal Data, 01248/07/EN WP136 (2007), 5.

[16] Privacy Act 1988 (Cth) s 7. This issue is discussed in detail in Ch 34.

[17] Ibid s 7. This issue is discussed in detail in Ch 35.

[18] I v Commonwealth Agency [2005] PrivCmrA 6.

[19] Commonwealth, Parliamentary Debates, House of Representatives, 12 April 2000, 15749 (D Williams—Attorney-General). This issue is discussed in detail in Ch 39.

[20] Privacy Act 1988 (Cth) s 6D(4).

[21] Ibid s 6EA.

[22] Ibid s 6E.

[23] Ibid s 6F.

[24] Ibid ss 7B(1), 16E. This issue is discussed in Ch 11.

[25] Ibid s 7B(3). This issue is discussed in detail in Ch 40.

[26] Commonwealth, Parliamentary Debates, House of Representatives, 12 April 2000, 15749 (D Williams—Attorney-General).

[27] Privacy Act 1988 (Cth) s 7B(4).

[28] Commonwealth, Parliamentary Debates, House of Representatives, 12 April 2000, 15749 (D Williams—Attorney-General). This issue is discussed in detail in Ch 42.

[29] Privacy Act 1988 (Cth) s 7C. This issue is discussed in detail in Ch 41.

[30] Ibid sch 3, NPP 2.1(c).

[31] Ibid sch 3, NPP 2.1(d).

[32] Ibid s 14.

[33] Ibid s 14, IPP 1.

[34] Ibid s 14, IPP 2.

[35] Ibid s 14, IPP 3.

[36] Ibid s 14, IPP 4.

[37] Ibid s 14, IPP 5.

[38] Ibid s 14, IPP 7.

[39] Ibid s 14, IPPs 10, 11.

[40] Ibid sch 3.

[41] Ibid sch 3, NPP 1.

[42] Ibid sch 3, NPP 10.

[43] Ibid sch 3, NPP 2.

[44] Ibid sch 3, NPP 3.

[45] Ibid sch 3, NPP 4.

[46] Ibid sch 3, NPP 4.

[47] Ibid sch 3, NPP 5.

[48] Ibid sch 3, NPP 6.

[49] Ibid sch 3, NPP 7.

[50] Ibid sch 3, NPP 9.

[51] Ibid sch 3, NPP 5.

[52] Ibid s 16A.

[53] Ibid s 18BB.

[54] Commonwealth, Parliamentary Debates, House of Representatives, 12 April 2000, 15749 (D Williams—Attorney-General).

[55] Privacy Act 1988 (Cth) s 13.

[56] Ibid s 13A.

[57] Office of the Federal Privacy Commissioner, Credit Reporting Code of Conduct (1991) <www.privacy.gov.au> at 14 April 2008.

[58] Privacy Amendment Act 1990 (Cth).

[59] Privacy Act 1988 (Cth) s 28A.

[60] Office of the Federal Privacy Commissioner, Credit Reporting Code of Conduct (1991) <www.privacy.gov.au> at 14 April 2008.

[61] See, eg, G Greenleaf, ‘The Most Restrictive Credit Reference Laws in the Western World?’ (1992) 66 Australian Law Journal 672; Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), [5.11].

[62] TFNs are discussed in detail in Ch 30.

[63] Unauthorised use or disclosure of TFNs is also an offence under the Taxation Administration Act 1953 (Cth). This Act protects all TFNs and not just those of individuals.

[64] Office of the Federal Privacy Commissioner, Tax File Number Guidelines (1992).

[65] Privacy Act 1988 (Cth) ss 19–25.

[66] Ibid ss 19, 26A.

[67] Office of the Privacy Commissioner, About the Office <www.privacy.gov.au/about/> at 14 April 2008.

[68] The guidelines made under ss 95 and 95A of the Privacy Act in relation to the use of health information in research are discussed in Ch 64.

[69] Privacy Act 1988 (Cth) s 27.

[70] These guidelines are discussed further in Chs 10 and 47.

[71] These guidelines are discussed further in Chs 47 and 61.

[72] These functions are discussed further in Ch 47.

[73] Office of the Privacy Commissioner, About the Office <www.privacy.gov.au/about/> at 14 April 2008. These functions are discussed further in Ch 71.

[74] Privacy Act 1988 (Cth) s 29.

[75] Ibid pt V.

[76] Ibid s 44.

[77] Ibid s 45.

[78] Ibid s 52.

[79] Ibid s 55A.

[80] Ibid ss 72, 80A and 80B.

[81] Ibid ss 80 and 80C. These provisions both refer to s 46A of the Acts Interpretation Act 1901 (Cth). That provision has been repealed. Section 6(d)(i) of the Legislative Instruments Act 2003 (Cth) provides that instruments declared to be disallowable instruments for the purposes of s 46A of the Acts Interpretation Act should be deemed legislative instruments for the purposes of the Legislative Instruments Act.

[82] Ibid s 82. The Privacy Advisory Committee is discussed further in Ch 46.

[83] The current members of the Advisory Committee are Peter Coroneos, Chief Executive Officer, Internet Industry Association; Associate Professor John M O’Brien, School of Organisation and Management, University of New South Wales; Suzanne Pigdon, former Privacy and Customer Advocacy Manager, Coles Myer Group; Dr William Pring, Director of Consultation-Liaison, Psychiatry Services, Box Hill Hospital; Joan Sheedy, Assistant Secretary, Privacy and FOI Policy Branch, Department of the Prime Minister and Cabinet; and Robin Banks, Chief Executive Officer, Public Interest Advocacy Centre Ltd and Director, Public Interest Law Clearing House Inc.

[84] Privacy Act 1988 (Cth) s 83.

[85] Rec 54–1.

[86] Rec 60–1.

[87] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007).

[88] Ibid, Proposal 3–1.

[89] Rec 5–4.

[90] Australian Government Department of the Prime Minister and Cabinet, Legislation Handbook (1999), [1.12].

[91] Telstra Corporation Limited, Submission PR 459, 11 December 2007.

[92] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008.

[93] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[94] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[95] Confidential, Submission PR 570, 13 February 2008; Government of South Australia, Submission PR 565, 29 January 2008; Confidential, Submission PR 536, 21 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Microsoft Asia Pacific, Submission PR 463, 12 December 2007.

[96] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[97] Legislative Instruments Act 2003 (Cth) s 17.

[98] Microsoft Asia Pacific, Submission PR 463, 12 December 2007.

[99] Google Australia, Submission PR 539, 21 December 2007.

[100] Australian Government Department of Human Services, Submission PR 541, 21 December 2007.

[101] Australian Privacy Foundation, Submission PR 553, 2 January 2008.

[102] GE Money Australia, Submission PR 537, 21 December 2007; Centre for Law and Genetics, Submission PR 497, 20 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007.

[103] Australian Government Department of the Prime Minister and Cabinet, Legislation Handbook (1999), [6.45]–[6.46].

[104] See Ch 47.

[105] Rec 3–4.

[106] Rec 3–5.