3.5 The Privacy Act 1988 (Cth) is Australia’s key information privacy law. It is concerned with the security of personal information held by certain entities, rather than with privacy more generally.
3.6 The Privacy Act provides 13 ‘Australian Privacy Principles’ (APPs) that regulate the collection, use, disclosure and other handling of personal information. The APPs bind only ‘APP entities’—primarily Australian Government agencies and large private sector organisations with a turnover of more than $3 million. Certain small businesses are also bound, such as those that provide health services and those that disclose personal information to anyone else for a benefit, service or advantage. Generally, individuals are not bound by the Privacy Act.
3.7 Personal information is defined in s 6(1) of the Act as information or opinion about an identified individual, or an individual who is reasonably identifiable, whether or not true and whether or not in material form.
3.8 A breach of an APP in respect of personal information is an ‘interference with the privacy of an individual’. Serious or repeated contraventions may give rise to a civil penalty order.
3.9 The Privacy Act provides several complaints paths for individuals where there has been (or is suspected to have been) a breach of an APP. The primary complaints process is through a complaint to the Australian Information Commissioner, initiating an investigation by the Commissioner. This process typically requires that the individual has first complained to the relevant APP entity. An investigation may result in a determination by the Commissioner, containing a declaration that:
the respondent’s conduct constituted an interference with the privacy of an individual and must not be repeated or continued;
the respondent must take specified steps within a specified period to ensure that such conduct is not repeated or continued;
the respondent must perform any reasonable act or course of conduct to redress any loss or damage suffered by the complainant;
the complainant is entitled to a specified amount by way of compensation for any loss or damage suffered by reason of the act or practice the subject of the complaint; or
no further action is needed.
3.10 A complainant may apply to the Federal Court of Australia or the Federal Circuit Court of Australia to enforce a determination of the Commissioner.
3.11 An individual may also apply to the Federal Court or Federal Circuit Court for an injunction where a person has engaged, is engaging, or is proposing to engage in conduct that was or would be a breach of the Privacy Act. This path appears to have been used relatively infrequently.
3.12 The Privacy Act also grants a range of powers to the Australian Information Commissioner, including the power to:
investigate complaints made by individuals or on the Commissioner’s own motion;
direct agencies to conduct privacy impact assessments; and
apply for Federal Court and Federal Circuit Court orders for civil penalties for serious or repeated breaches of the APPs.
3.13 State and territory legislation creates information privacy requirements similar to those under the Privacy Act, with application to state and territory government agencies, as well as (variously) local councils, government-owned corporations and universities. These laws provide various mechanisms for individuals to make complaints and seek redress. The Privacy and Personal Information Protection Act 1998 (NSW), for example, provides powers to the NSW Privacy Commissioner that are primarily conciliatory, while the Information Privacy Act 2009 (Qld) provides for the referral of complaints to Queensland’s Civil and Administrative Tribunal (QCAT), which may order, among other things, that the complainant is entitled to up to $100,000 in compensation.
3.14 The existing Commonwealth, state and territory legislation applies to major organisations that collect and store personal information, such as banks, large retailers, government departments and utilities providers. There are a large number of organisations that are exempt from the application of any of these Acts and whose activities may have an impact on individual privacy. These may include, for example, many small businesses.
3.15 Criminal sanctions currently exist for some specific invasions of privacy. For example, under s 62 of the Privacy and Personal Information Protection Act 1998 (NSW) the unauthorised or corrupt use or disclosure by a public official of personal information obtained through their official functions is an offence punishable by up to 100 penalty units or imprisonment for up to two years.
Health information privacy
3.16 Health and genetic information is recognised as ‘sensitive information’ under the Privacy Act. Sensitive information is given greater protection under the APPs than other information. Separate Commonwealth Acts protect healthcare identifiers and electronic health records.
3.17 Several state and territory laws also offer protections, including limitations on collection, use and disclosure, for health information held by state and territory public and private sector organisations.
3.18 The Telecommunications Act 1997 (Cth) prohibits the disclosure of certain information by telecommunications providers. Contravention of these prohibitions is an offence punishable by up to two years’ imprisonment.
3.19 There are a number of exceptions, for example, for disclosures to the Australian Security Intelligence Organisation or the Australian Federal Police, under the Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act). Exceptions also exist for disclosure under the authority of an ‘authorised officer’ of an enforcement agency, but this does not permit the disclosure of the contents or substance of a communication. An authorised officer must consider the privacy of any person before making an authorisation.
3.20 The TIA Act prohibits the unauthorised access of communications, subject to various exceptions, unless a warrant is obtained. Those who issue warrants must consider, among other things, the privacy of persons affected by the access.
3.21 The TIA Act also prohibits the unauthorised interception of communications over a telecommunications system, again, subject to various exceptions, unless a warrant is obtained. Those who issue an interception warrant must consider, among other things, the privacy of persons affected by the interception.
Surveillance laws and laws affecting photography
3.22 Legislation exists in each of the states and territories that variously restricts the use of listening, optical, data and tracking surveillance devices. These surveillance device laws provide criminal offences for using a surveillance device to record or monitor private conversations or activities, for tracking a person or for monitoring information on a computer system. The surveillance device laws also place restrictions on communicating information obtained through the use of a surveillance device.
3.23 The surveillance device laws of each state and territory differ greatly, both in terms of the types of surveillance devices they regulate, and the circumstances in which those surveillance devices may or may not be used. For example, the laws of Victoria, Queensland and the Northern Territory permit a participant to record a private activity in the absence of the consent of other parties, while the remaining surveillance device laws do not.
3.24 Different state and territory workplace surveillance legislation prohibits employers monitoring their employees at work through covert surveillance methods, such as the use of CCTV cameras or computer, internet and email surveillance. Once again, there are inconsistencies between these laws, and such laws only exist in three jurisdictions—NSW, Victoria and the ACT.
3.25 Criminal laws in some—but not all—jurisdictions provide for offences relating to photography being used for indecent purposes or indecent filming without consent. Criminal laws also provide protection against indecent photography of children in private and public places. In each case, the laws are restricted to specific subject matter, for example, matter of a sexual nature; filming for specific purposes, for example, for sexual gratification; or filming of a particular type of person, for example, a child. These laws therefore provide limited general privacy protection.
3.26 At the Commonwealth level, the operation of the Privacy Act is restricted to the actions of government agencies and big business, and does not cover the activities of individuals acting in a personal capacity, such as freelance or amateur photographers. However, the Act does regulate the activities of individuals, agencies and companies which ‘disclose personal information about another individual to anyone else for a benefit, service or advantage’. This may provide scope to regulate the actions of photographers who take unauthorised photographs of individuals.
Harassment and stalking offences
3.27 State and territory laws criminalising harassment and stalking vary considerably by jurisdiction. Legislation in Queensland and Victoria expressly prohibits ‘cyber-harassment’ committed through ‘electronic messages’ or by ‘otherwise contacting the victim’.
3.28 The Criminal Code Act 1995 (Cth) provides offences for conduct amounting to harassment that occurs via a communications service (which includes the internet). Relevant offences include ‘using a carriage service to menace, harass or cause offence’ and ‘using a carriage service to make a threat’.
3.29 There is a strong framework in family law to protect individuals from harassment, including harassment that occurs via electronic communications. However, this is limited to the victims of family violence.
Industry codes and guidelines
3.30 Various statutory and self-regulatory bodies oversee and enforce industry codes and guidelines which protect against invasions of privacy.
3.31 Commercial television and radio broadcasters are subject to a self-regulatory scheme under the Broadcasting Services Act 1992 (Cth). Commercial broadcasting industry codes of practice include provisions relating to the protection of privacy. The ABC and SBS are each subject to a separate code of practice; each of these codes also contains provisions relating to the protection of privacy. The Australian Communications and Media Authority (the ACMA) has oversight of each of these codes of practice; however, the ACMA has limited powers to provide redress to individuals when a code is breached.
3.32 The Australian Press Council oversees the compliance of its members with its Charter of Press Freedom (2003) and Statement of Privacy Principles (2011). It does not provide a mechanism for individuals to obtain monetary redress.
3.33 Part IIIB of the Privacy Act makes provision for the development of privacy codes (APP codes). APP codes can be developed on the initiative of ‘code developers’, or in response to a request from the Privacy Commissioner. The Commissioner may also develop an APP code. The codes set out compliance requirements for one or more APPs. The code developer may apply to the Commissioner to have the code registered. A breach of a registered code constitutes an ‘interference with privacy’ under the Act, and if the breach is serious or repeated the Commissioner may apply to the Federal Court or Federal Circuit Court for a civil penalty order.
The Privacy Act 1988 (Cth) has been the subject of recent reforms following the ALRC’s previous Privacy Inquiry. A number of recommendations made in ALRC Report 108 have been implemented by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth), key provisions of which came into effect on 14 March 2014.
Confusion about the role and scope of the Privacy Act might be avoided if it were renamed to, for example, the Information Privacy Act or the Data Protection Act. These titles are used for similar Acts in the UK and Canada, and would more accurately reflect the remit of the Australian Privacy Act. The ALRC previously made such a recommendation in Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, Report 108 (2008) Rec 5–3.
Privacy Act 1988 (Cth) sch 1.
‘APP entity’ is defined in s 6(1) of the Privacy Act. Small businesses are not, in general, APP entities, with some exceptions as set out in s 6D.
There are some exceptions. For example, an individual who is a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) will be treated as an APP entity under s 6E of the Privacy Act.
Ibid s 13G.
Ibid ss 36, 40.
Ibid s 40(1A).
Ibid s 52(1).
Ibid s 55A.
Ibid s 98.
The ALRC is aware of only two successful applications: Seven Network (Operations) Ltd v Media Entertainment and Arts Alliance  FCA 637 (21 May 2004); Smallbone v New South Wales Bar Association  FCA 1145 (6 October 2011). See Ch 16 on the potential for this path to be an important source of access to the courts if a wider complaints mechanism is introduced into the Act.
Privacy Act 1988 (Cth) pt V.
Ibid s 33D.
Ibid s 80W.
Privacy and Personal Information Protection Act 1998 (NSW); Information Privacy Act 2009 (Qld); Premier and Cabinet Circular No 12 (SA); Personal Information Protection Act 2004 (Tas); Information Privacy Act 2000 (Vic); Information Privacy Act 2014 (ACT); Information Act (NT).
Privacy and Personal Information Protection Act 1998 (NSW) s 49. The Act also provides for an individual to make a complaint to the agency in question, and to apply to the Administrative Appeals Tribunal for a review of an agency’s decision. The Tribunal may make a variety of orders, including an order that the agency pay the individual compensation of up to $40,000: Privacy and Personal Information Protection Act 1998 (NSW) ss 53–55.
Information Privacy Act 2009 (Qld) s 176(1).
Ibid s 178(a)(v).
Privacy Act 1988 (Cth) s 6C.
‘Sensitive information’ is defined in s 6(1) of the Privacy Act. A number of the APPs make special provisions for sensitive information: see, eg, APP 3.
Healthcare Identifiers Act 2010 (Cth).
Personally Controlled Electronic Health Records Act 2012 (Cth).
Health Records and Information Privacy Act 2002 (NSW); Information Privacy Act 2009 (Qld); Health Records Act 2001 (Vic); Health Records (Privacy and Access) Act 1997 (ACT); Information Act (NT).
Telecommunications Act 1997 (Cth) pt 13.
Ibid s 276(3).
Telecommunications (Interception and Access) Act 1979 (Cth) ss 171–182.
Ibid s 172. A disclosure under these provisions is therefore limited to communications data (‘metadata’).
Ibid s 180F.
Ibid s 108.
Ibid ss 110–132.
Ibid s 116(2).
Ibid s 7.
Ibid ss 9–18, 34–61A.
Ibid ss 46(2), 46A(2).
Surveillance Devices Act 2007 (NSW); Invasion of Privacy Act 1971 (Qld); Listening and Surveillance Devices Act 1972 (SA); Listening Devices Act 1991 (Tas); Surveillance Devices Act 1999 (Vic); Surveillance Devices Act 1998 (WA); Listening Devices Act 1992 (ACT); Surveillance Devices Act (NT).
See Ch 13.
Workplace Surveillance Act 2005 (NSW); Surveillance Devices (Workplace Privacy) Act 2006 (Vic); Workplace Privacy Act 2011 (ACT).
Summary Offences Act 1988 (NSW) s 4; Criminal Code Act 1899 (Qld) s 227(1); Police Offences Act 1935 (Tas) s 13.
Crimes Act 1900 (NSW) ss 91K–91M; Criminal Code Act 1899 (Qld) s 227A(1); Summary Offences Act 1953 (SA) s 26D; Police Offences Act 1935 (Tas) s 13A; Summary Offences (Upskirting) Act 2007 (Vic) s 41A.
See, eg, Criminal Law Consolidation Act 1935 (SA) s 63B.
Privacy Act 1988 (Cth) s 6D(4)(c),(d).
Ibid s 6: The definition of ‘record’ includes ‘a photograph or other pictorial representation of a person’.
Crimes Act 1958 (Vic) s 21A(2)(b).
Criminal Code Act 1899 (Qld) s 359A(7)(b).
Criminal Code Act 1995 (Cth) s 474.17.
Ibid s 474.15.
For example, stalking is included in the definition of ‘family violence’ in the Family Law Act 1975 (Cth) s 4AB(2)(c).
Commercial Television Industry Code of Practice 2010 cl 4.3.5; Commercial Radio Codes of Practice and Guidelines 2011 cl 2.1(d).
ABC Code of Practice 2011 cl 6.1; SBS Codes of Practice 2014 cl 1.9.