Information privacy

3.3 The Privacy Act is Australia’s key information privacy law.[1] It is concerned with the security of personal information held by certain entities, rather than with privacy more generally.[2]

3.4 The Privacy Act provides 13 ‘Australian Privacy Principles’ (APPs) that set out the broad requirements on collection, use, disclosure and other handling of personal information.[3] The APPs bind only ‘APP entities’—primarily Australian Government agencies and large private sector organisations with a turnover of more than $3 million. Certain small businesses are also bound, such as those that provide health services and those that disclose personal information to anyone else for a benefit, service or advantage.[4] Generally, individuals are not bound by the Privacy Act.[5]

3.5 Personal information is defined in s 6(1) of the Act as information or opinion about an identified individual, or an individual who is reasonably identifiable, whether or not true and whether or not in material form.

3.6 A breach of an APP in respect of personal information is an ‘interference with the privacy of an individual’. Serious or repeated contraventions may give rise to a civil penalty order.[6]

3.7 The Privacy Act provides several complaints paths for individuals where there has been (or is suspected to have been) a breach of an APP. The primary complaints process is through a complaint to the Australian Information Commissioner, initiating an investigation by the Commissioner.[7] This process typically requires that the individual has first complained to the relevant APP entity.[8] An investigation may result in a determination by the Commissioner, containing a declaration that:

  • the respondent’s conduct constituted an interference with the privacy of an individual and must not be repeated or continued;

  • the respondent must take specified steps within a specified period to ensure that such conduct is not repeated or continued;

  • the respondent must perform any reasonable act or course of conduct to redress any loss or damage suffered by the complainant;

  • the complainant is entitled to a specified amount by way of compensation for any loss or damage suffered by reason of the act or practice the subject of the complaint; or

  • no further action is needed.[9]

3.8 A complainant may apply to the Federal Court of Australia or the Federal Circuit Court of Australia to enforce a determination of the Commissioner.[10]

3.9 An individual may also apply to the Federal Court or Federal Circuit Court for an injunction where a person has engaged, is engaging, or is proposing to engage in conduct that was or would be a breach of the Privacy Act.[11] This path appears to have been used relatively infrequently.[12]

3.10 The Privacy Act also grants a range of powers to the Australian Information Commissioner, including the power to:

  • investigate complaints made by individuals or on the Commissioner’s own motion about APP entities;[13]

  • direct agencies to conduct privacy impact assessments;[14] and

  • apply for Federal Court and Federal Circuit Court orders for civil penalties for serious or repeated breaches of the APPs.[15]

3.11 State and territory legislation creates information privacy requirements similar to those under the Privacy Act, with application to state and territory government agencies, as well as (variously) local councils, government-owned corporations and universities.[16]

3.12 The existing Commonwealth, state and territory legislation applies to major organisations that collect and store personal information, such as banks, large retailers, government departments and utilities providers. There are a large number of organisations that are exempt from the application of all of these Acts and whose activities may have an impact on individual privacy. These may include, for example, many small businesses.[17]

3.13 Criminal sanctions currently exist for some specific invasions of privacy. For example, under s 62 of the Privacy and Personal Information Protection Act 1998 (NSW) the unauthorised or corrupt use or disclosure by a public official of personal information obtained through their official functions is an offence punishable by up to 100 penalty units or imprisonment for up to two years.