Existing legislative privacy protection

Information privacy

3.5 The Privacy Act 1988 (Cth) is Australia’s key information privacy law.[1] It is concerned with the security of personal information held by certain entities, rather than with privacy more generally.[2]

3.6 The Privacy Act provides 13 ‘Australian Privacy Principles’ (APPs) that regulate the collection, use, disclosure and other handling of personal information.[3] The APPs bind only ‘APP entities’—primarily Australian Government agencies and large private sector organisations with a turnover of more than $3 million. Certain small businesses are also bound, such as those that provide health services and those that disclose personal information to anyone else for a benefit, service or advantage.[4] Generally, individuals are not bound by the Privacy Act.[5]

3.7 Personal information is defined in s 6(1) of the Act as information or opinion about an identified individual, or an individual who is reasonably identifiable, whether or not true and whether or not in material form.

3.8 A breach of an APP in respect of personal information is an ‘interference with the privacy of an individual’. Serious or repeated contraventions may give rise to a civil penalty order.[6]

3.9 The Privacy Act provides several complaints paths for individuals where there has been (or is suspected to have been) a breach of an APP. The primary complaints process is through a complaint to the Australian Information Commissioner, initiating an investigation by the Commissioner.[7] This process typically requires that the individual has first complained to the relevant APP entity.[8] An investigation may result in a determination by the Commissioner, containing a declaration that:

  • the respondent’s conduct constituted an interference with the privacy of an individual and must not be repeated or continued;

  • the respondent must take specified steps within a specified period to ensure that such conduct is not repeated or continued;

  • the respondent must perform any reasonable act or course of conduct to redress any loss or damage suffered by the complainant;

  • the complainant is entitled to a specified amount by way of compensation for any loss or damage suffered by reason of the act or practice the subject of the complaint; or

  • no further action is needed.[9]

3.10 A complainant may apply to the Federal Court of Australia or the Federal Circuit Court of Australia to enforce a determination of the Commissioner.[10]

3.11 An individual may also apply to the Federal Court or Federal Circuit Court for an injunction where a person has engaged, is engaging, or is proposing to engage in conduct that was or would be a breach of the Privacy Act.[11] This path appears to have been used relatively infrequently.[12]

3.12 The Privacy Act also grants a range of powers to the Australian Information Commissioner, including the power to:

  • investigate complaints made by individuals or on the Commissioner’s own motion;[13]

  • direct agencies to conduct privacy impact assessments;[14] and

  • apply for Federal Court and Federal Circuit Court orders for civil penalties for serious or repeated breaches of the APPs.[15]

3.13 State and territory legislation creates information privacy requirements similar to those under the Privacy Act, with application to state and territory government agencies, as well as (variously) local councils, government-owned corporations and universities.[16] These laws provide various mechanisms for individuals to make complaints and seek redress. The Privacy and Personal Information Protection Act 1998 (NSW), for example, provides powers to the NSW Privacy Commissioner that are primarily conciliatory,[17] while the Information Privacy Act 2009 (Qld) provides for the referral of complaints to Queensland’s Civil and Administrative Tribunal (QCAT),[18] which may order, among other things, that the complainant is entitled to up to $100,000 in compensation.[19]

3.14 The existing Commonwealth, state and territory legislation applies to major organisations that collect and store personal information, such as banks, large retailers, government departments and utilities providers. There are a large number of organisations that are exempt from the application of any of these Acts and whose activities may have an impact on individual privacy. These may include, for example, many small businesses.[20]

3.15 Criminal sanctions currently exist for some specific invasions of privacy. For example, under s 62 of the Privacy and Personal Information Protection Act 1998 (NSW) the unauthorised or corrupt use or disclosure by a public official of personal information obtained through their official functions is an offence punishable by up to 100 penalty units or imprisonment for up to two years.

Health information privacy

3.16 Health and genetic information is recognised as ‘sensitive information’ under the Privacy Act. Sensitive information is given greater protection under the APPs than other information.[21] Separate Commonwealth Acts protect healthcare identifiers[22] and electronic health records.[23]

3.17 Several state and territory laws also offer protections, including limitations on collection, use and disclosure, for health information held by state and territory public and private sector organisations.[24]

Communications privacy

3.18 The Telecommunications Act 1997 (Cth) prohibits the disclosure of certain information by telecommunications providers.[25] Contravention of these prohibitions is an offence punishable by up to two years’ imprisonment.[26]

3.19 There are a number of exceptions, for example, for disclosures to the Australian Security Intelligence Organisation or the Australian Federal Police, under the Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act). Exceptions also exist for disclosure under the authority of an ‘authorised officer’ of an enforcement agency,[27] but this does not permit the disclosure of the contents or substance of a communication.[28] An authorised officer must consider the privacy of any person before making an authorisation.[29]

3.20 The TIA Act prohibits the unauthorised access of communications, subject to various exceptions,[30] unless a warrant is obtained.[31] Those who issue warrants must consider, among other things, the privacy of persons affected by the access.[32]

3.21 The TIA Act also prohibits the unauthorised interception of communications over a telecommunications system, again, subject to various exceptions,[33] unless a warrant is obtained.[34] Those who issue an interception warrant must consider, among other things, the privacy of persons affected by the interception.[35]

Surveillance laws and laws affecting photography

3.22 Legislation exists in each of the states and territories that variously restricts the use of listening, optical, data and tracking surveillance devices. These surveillance device laws provide criminal offences for using a surveillance device to record or monitor private conversations or activities, for tracking a person or for monitoring information on a computer system.[36] The surveillance device laws also place restrictions on communicating information obtained through the use of a surveillance device.

3.23 The surveillance device laws of each state and territory differ greatly, both in terms of the types of surveillance devices they regulate, and the circumstances in which those surveillance devices may or may not be used. For example, the laws of Victoria, Queensland and the Northern Territory permit a participant to record a private activity in the absence of the consent of other parties, while the remaining surveillance device laws do not.[37]

3.24 Different state and territory workplace surveillance legislation prohibits employers monitoring their employees at work through covert surveillance methods, such as the use of CCTV cameras or computer, internet and email surveillance.[38] Once again, there are inconsistencies between these laws, and such laws only exist in three jurisdictions—NSW, Victoria and the ACT.

3.25 Criminal laws in some—but not all—jurisdictions provide for offences relating to photography being used for indecent purposes[39] or indecent filming without consent.[40] Criminal laws also provide protection against indecent photography of children in private and public places.[41] In each case, the laws are restricted to specific subject matter, for example, matter of a sexual nature; filming for specific purposes, for example, for sexual gratification; or filming of a particular type of person, for example, a child. These laws therefore provide limited general privacy protection.

3.26 At the Commonwealth level, the operation of the Privacy Act is restricted to the actions of government agencies and big business, and does not cover the activities of individuals acting in a personal capacity, such as freelance or amateur photographers. However, the Act does regulate the activities of individuals, agencies and companies which ‘disclose personal information about another individual to anyone else for a benefit, service or advantage’.[42] This may provide scope to regulate the actions of photographers who take unauthorised photographs of individuals.[43]

Harassment and stalking offences

3.27 State and territory laws criminalising harassment and stalking vary considerably by jurisdiction. Legislation in Queensland and Victoria expressly prohibits ‘cyber-harassment’ committed through ‘electronic messages’[44] or by ‘otherwise contacting the victim’.[45]

3.28 The Criminal Code Act 1995 (Cth) provides offences for conduct amounting to harassment that occurs via a communications service (which includes the internet). Relevant offences include ‘using a carriage service to menace, harass or cause offence’[46] and ‘using a carriage service to make a threat’.[47]

3.29 There is a strong framework in family law to protect individuals from harassment, including harassment that occurs via electronic communications. However, this is limited to the victims of family violence.[48]

Industry codes and guidelines

3.30 Various statutory and self-regulatory bodies oversee and enforce industry codes and guidelines which protect against invasions of privacy.

3.31 Commercial television and radio broadcasters are subject to a self-regulatory scheme under the Broadcasting Services Act 1992 (Cth). Commercial broadcasting industry codes of practice include provisions relating to the protection of privacy.[49] The ABC and SBS are each subject to a separate code of practice; each of these codes also contains provisions relating to the protection of privacy.[50] The Australian Communications and Media Authority (the ACMA) has oversight of each of these codes of practice; however, the ACMA has limited powers to provide redress to individuals when a code is breached.

3.32 The Australian Press Council oversees the compliance of its members with its Charter of Press Freedom (2003) and Statement of Privacy Principles (2011). It does not provide a mechanism for individuals to obtain monetary redress.

3.33 Part IIIB of the Privacy Act makes provision for the development of privacy codes (APP codes). APP codes can be developed on the initiative of ‘code developers’, or in response to a request from the Privacy Commissioner. The Commissioner may also develop an APP code. The codes set out compliance requirements for one or more APPs. The code developer may apply to the Commissioner to have the code registered. A breach of a registered code constitutes an ‘interference with privacy’ under the Act, and if the breach is serious or repeated the Commissioner may apply to the Federal Court or Federal Circuit Court for a civil penalty order.