3.4 The Privacy Act provides 13 ‘Australian Privacy Principles’ (APPs) that set out the broad requirements on collection, use, disclosure and other handling of personal information. The APPs bind only ‘APP entities’—primarily Australian Government agencies and large private sector organisations with a turnover of more than $3 million. Certain small businesses are also bound, such as those that provide health services and those that disclose personal information to anyone else for a benefit, service or advantage. Generally, individuals are not bound by the Privacy Act.
3.5 Personal information is defined in s 6(1) of the Act as information or opinion about an identified individual, or an individual who is reasonably identifiable, whether or not true and whether or not in material form.
3.6 A breach of an APP in respect of personal information is an ‘interference with the privacy of an individual’. Serious or repeated contraventions may give rise to a civil penalty order.
3.7 The Privacy Act provides several complaints paths for individuals where there has been (or is suspected to have been) a breach of an APP. The primary complaints process is through a complaint to the Australian Information Commissioner, initiating an investigation by the Commissioner. This process typically requires that the individual has first complained to the relevant APP entity. An investigation may result in a determination by the Commissioner, containing a declaration that:
the respondent’s conduct constituted an interference with the privacy of an individual and must not be repeated or continued;
the respondent must take specified steps within a specified period to ensure that such conduct is not repeated or continued;
the respondent must perform any reasonable act or course of conduct to redress any loss or damage suffered by the complainant;
the complainant is entitled to a specified amount by way of compensation for any loss or damage suffered by reason of the act or practice the subject of the complaint; or
no further action is needed.
3.8 A complainant may apply to the Federal Court of Australia or the Federal Circuit Court of Australia to enforce a determination of the Commissioner.
3.9 An individual may also apply to the Federal Court or Federal Circuit Court for an injunction where a person has engaged, is engaging, or is proposing to engage in conduct that was or would be a breach of the Privacy Act. This path appears to have been used relatively infrequently.
3.10 The Privacy Act also grants a range of powers to the Australian Information Commissioner, including the power to:
investigate complaints made by individuals or on the Commissioner’s own motion about APP entities;
direct agencies to conduct privacy impact assessments; and
apply for Federal Court and Federal Circuit Court orders for civil penalties for serious or repeated breaches of the APPs.
3.11 State and territory legislation creates information privacy requirements similar to those under the Privacy Act, with application to state and territory government agencies, as well as (variously) local councils, government-owned corporations and universities.
3.12 The existing Commonwealth, state and territory legislation applies to major organisations that collect and store personal information, such as banks, large retailers, government departments and utilities providers. There are a large number of organisations that are exempt from the application of all of these Acts and whose activities may have an impact on individual privacy. These may include, for example, many small businesses.
3.13 Criminal sanctions currently exist for some specific invasions of privacy. For example, under s 62 of the Privacy and Personal Information Protection Act 1998 (NSW) the unauthorised or corrupt use or disclosure by a public official of personal information obtained through their official functions is an offence punishable by up to 100 penalty units or imprisonment for up to two years.
The Privacy Act 1988 (Cth) has been the subject of recent reforms following the ALRC’s previous Privacy Inquiry. A number of recommendations made in ALRC Report 108 have been implemented by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth), key provisions of which came into effect on 14 March 2014.
Confusion about the role and scope of the Privacy Act might be avoided if it were renamed to, for example, the Information Privacy Act or the Data Protection Act. These titles are used for similar Acts in the UK and Canada, and would more accurately reflect the remit of the Australian Privacy Act. The ALRC previously made such a recommendation in ALRC, For Your Information: Australian Privacy Law and Practice, Report No 108 (2008) Rec 5–3.
Privacy Act 1988 (Cth) sch 1.
‘APP entity’ is defined in Ibid s 6(1). Small businesses are not, in general, APP entities, with some exceptions as set out in s 6D.
There are some exceptions. For example, an individual who is a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) will be treated as an APP entity under the Privacy Act 1988 (Cth).
Privacy Act 1988 (Cth) s 13G.
Ibid ss 36, 40.
Ibid s 40(1A).
Ibid s 52(1).
Ibid s 55A.
Ibid s 98.
The ALRC is aware of only two successful applications: Seven Network (Operations) Ltd v Media Entertainment and Arts Alliance FCA 637 (21 May 2004); Smallbone v New South Wales Bar Association FCA 1145 (6 October 2011).
Privacy Act 1988 (Cth) pt V.
Ibid s 33D.
Ibid s 80W.
Privacy and Personal Information Protection Act 1998 (NSW); Information Privacy Act 2009 (Qld); Premier and Cabinet Circular No 12 (SA); Personal Information Protection Act 2004 (Tas); Information Privacy Act 2000 (Vic). The Privacy Act 1988 (Cth) has application to agencies in the Australian Capital Territory.
Privacy Act 1988 (Cth) s 6C.