2. Current privacy protection - Commonwealth
INTRODUCTION
2.1 The law of privacy in New South Wales is regulated by federal and State privacy legislation, primarily in relation to information privacy. These statutes govern the conduct of government agencies and in some cases, the private sector, when dealing with the subject matter of the relevant legislation. While they do impose penalties, they do not generally provide for civil liability for breach of their provisions.
2.2 The common law of Australia protects privacy interests in specific causes of action but does not provide a general civil cause of action. However, as discussed in more detail in Chapter 5, the Commission has recently published a Consultation Paper that considers the need for such a cause of action.1
2.3 This chapter provides an overview of the current federal privacy statutes, focusing on the Privacy Act 1988 (Cth). It summarises the Act’s coverage, the role and purpose of the information privacy principles, the applicable exemptions and the complaints handling mechanisms. The following chapter engages in a similar exercise in relation to privacy laws operating in New South Wales, primarily the Privacy and Personal Information Protection Act 1998 (NSW) and the Health Records and Information Privacy Act 2002 (NSW).
THE PRIVACY ACT 1988 (CTH)
2.4 The Privacy Act 1988 (Cth) (“Privacy Act”) is the key piece of federal privacy legislation regulating the handling of an individual’s personal information. It applies to both the public and private sectors in relation to the acts done and practices engaged in by agencies or organisations, subject to a wide range of exceptions and exemptions.
2.5 When first enacted in 1988, the Privacy Act regulated the collection, storage, use and disclosure of “personal information” by Australian Government departments and agencies only, by means of a set of 11 Information Privacy Principles (“Commonwealth IPPs”). “Personal information” was, and is, defined as “information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.”2
2.6 Since its passage in 1988, the Privacy Act has been amended on several occasions. In 1990, coverage was extended to provide safeguards for individuals in relation to consumer credit reporting.4 In 1994, when the ACT public service was established as a separate entity from the Australian Government, amendments were made to continue coverage for ACT public service agencies.3 In 2000, coverage was further extended to include private sector entities, and a further set of privacy principles, known as the National Privacy Principles (“NPPs”), was incorporated into the Privacy Act. The types of entities covered are included within the definition of an “organisation”: an individual, body corporate, partnership, or any other unincorporated association or trust.5
2.7 Thus, the Privacy Act now regulates the Australian Government and ACT public sector through its 11 Commonwealth IPPs, and the private sector through its 10 NPPs subject to a wide range of specified exceptions and exemptions.
2.8 Although it has wide coverage within the area of information privacy, the Privacy Act is not intended to cover the field.6 It does not regulate the handling of personal information by the New South Wales public service, which is regulated by the Privacy and Personal Information Protection Act 1998 (NSW). It does, however, apply to the private sector, including private sector health service providers. The latter are also covered under the Health Records and Information Privacy Act 2002 (NSW), creating some overlap.7
The Commonwealth Information Privacy Principles
2.9 The Commonwealth IPPs, set out in s 14 of the Privacy Act, regulate the way in which Australian Government agencies should handle personal information. The individuals and bodies to whom the principles apply are: ministers, departments, federal courts, the Australian Federal Police and other bodies or tribunals established or appointed for a public purpose.8 In summary, the Commonwealth IPPs set the following parameters:
- Personal information should only be collected for a lawful purpose that is necessary for, or directly related to, the function of the agency and must not be collected by unlawful or unfair means.9
- When soliciting information from an individual, the individual must be made aware of the purpose for which the information is collected, whether the collection of the information is authorised or required by law, and the agency’s usual practices regarding disclosure.10
- When soliciting information generally, the information collected must be relevant, up to date and complete. The collection of the information must not intrude unreasonably upon the personal affairs of the individual.11
- Storage and security of personal information is regulated12 and an agency is required to keep records of the type of information that is held.13
- Agencies are also required to give persons access to their personal information unless such access is excepted by law.14 They are also required to make any necessary amendments to ensure that the information is accurate and up-to-date.15 Such information must be accurate16 and should only be used for a purpose to which the information is relevant.17
- Where the information is obtained for a particular purpose, there are limits on the use of such information for any other purpose unless: the individual has consented to its use; it is necessary to prevent an imminent threat to life; it is required by law; or it is necessary for the enforcement of the criminal law.18 There are also similar limits on disclosure of personal information.19
The National Privacy Principles
2.10 While the Commonwealth IPPs apply to Australian Government agencies, the National Privacy Principles (“NPPs”) apply to private sector organisations with an annual turnover of over $3 million that do not have their own approved privacy codes. An “organisation” is defined as an individual, a body corporate, a partnership, or any other unincorporated association or a trust.20
2.11 Amendments to the Privacy Act in 200021 allowed private sector organisations to develop their own privacy codes, which, once approved by the Privacy Commissioner, would replace the NPPs. To date, there are only three approved and operative codes.22 Hence, the NPPs continue to have wide application in the private sector.
2.12 The 10 NPPs are contained in Schedule 3 to the Privacy Act23 and regulate collection of information, use and disclosure, data quality, data security, openness, access and correction, identifiers, anonymity, transborder data flows and sensitive information.
A unified set of principles
2.13 The two sets of principles are largely similar, with a few differences. For instance, the NPPs have special rules regarding the handling of sensitive information and the transfer of personal information overseas, whereas the Commonwealth IPPs do not. In addition, there are some instances in which both sets of principles may apply to one organisation, such as when Government services are outsourced to a private organisation.
2.14 The Australian Law Reform Commission (“ALRC”), in its Discussion Paper 72, Review of Privacy, has proposed that there should be one set of principles that applies to both the public and private sectors and refers to these new principles as the Unified Privacy Principles.24 These proposed new principles have been drafted and structured using the NPPs as a template.
2.15 As well as creating a unified set of principles, the ALRC has proposed some changes to the contents of the principles.25 For instance, it proposes that the principle of anonymity, which is contained in NPP 8, should be extended to apply to agencies (in addition to organisations which are already covered by NPP 8).26 Similarly, the ALRC has proposed that agencies and organisations should have the option to transact pseudonymously provided it is lawful, practicable and not misleading.27
2.16 The ALRC also evaluated the need to include additional privacy principles not currently covered by the IPPs or the NPPs, such as an accountability principle, a prevention of harm principle, a consent principle and a data breach notification principle. It ultimately concluded against such inclusion.28
Exceptions and exemptions
2.17 The provisions of the Privacy Act are subject to a wide range of exemptions, partial exemptions and exceptions that limit the application of the Act. They are scattered throughout the Act in the definitions of terms, in the Commonwealth IPPs and NPPs and in specific exemption/exception provisions.29
2.18 The distinction between exemptions, partial exemptions and exceptions is explained in the following paragraphs.
2.19 Exemptions apply to a specified entity or organisation. Small businesses, namely those with an annual turnover of $3 million or less, registered political parties, State and Territory authorities and prescribed State and Territory instrumentalities are excluded from the definition of an “organisation”30 and thus exempt from the operation of the Privacy Act.31 By virtue of s 7 of the Privacy Act, the acts and practices of agencies listed under the Freedom of Information Act 1982 (Cth), a federal court, a Minister, the Integrity Commissioner, the Australian Crime Commission (“ACC”) and a Royal Commission are wholly exempted from the operation of the Privacy Act.32 The ALRC has proposed that both these exemptions be removed.33
2.20 Partial exemptions are those that apply to a specified entity or a class of entity, but only partially, removing the requirement to comply with some, but not all, of the privacy principles or only apply in relation to particular activities. Thus, even where a certain entity falls within the definition of an “agency” or an “organisation”, their acts and practices may still be exempt from the Privacy Act if those acts or practices are excluded from the definition of acts or practices to which the Act applies. For instance, the federal courts fall within the definition of an “agency” but only their administrative matters are covered by the Commonwealth IPPs. Activities of the courts that relate to non-administrative matters are exempt from the Privacy Act because they fall outside the definition of an “act or practice”.34
2.21 In the public sector, there are more than 20 agencies that are partially or completely exempt from the Act.35 In the private sector, apart from the specifically exempt entities, namely, the small business operators, registered political parties, State and Territory authorities and prescribed State and Territory instrumentalities, there are eight categories of organisations that are exempt from the operation of the Act.36
2.22 Exceptions occur where a requirement in the privacy principles does not apply to an entity in specified circumstances or in respect of certain conduct. For instance, an organisation is usually prohibited from using or disclosing information for a secondary purpose. However, an exception to this prohibition lies where an individual has consented to such use or disclosure.37
2.23 Some have argued that the many exemptions and exceptions make the Privacy Act ineffectual. The merits of this argument have been canvassed by the ALRC,38 whose view is that “exemptions should be limited to the extent possible and justified on sound policy grounds”.39 The ALRC has made a number of proposals in accordance with this policy position. The ALRC has also recommended streamlining the exemptions and exceptions by grouping them according to categories of applicable entities or types of acts or practices in a separate part of the Act, and setting out exemptions and partial exemptions to specific named entities in a Schedule to the Act.40
Breaches
2.24 An interference with privacy constitutes a breach of the Privacy Act. Part III states that an act or practice by an agency that breaches an IPP,41 and an act or practice by an organisation that breaches an NPP,42 are both interferences with privacy. There are various other breaches that are considered interferences with privacy, such as breaches of tax file number guidelines,43 data matching44 and credit reporting infringements.45
Enforcement
2.25 The Privacy Act provides that individuals may complain about any acts or practices by an agency or organisation that may be an interference with privacy but there is no right to direct civil action by individuals against agencies or organisations that breach the Privacy Act. The Privacy Commissioner is empowered to investigate, conciliate and make determinations, either dismissing the complaint or finding the complaint substantiated. The only compensation available to complainants is through the Privacy Commissioner’s power to make a declaration that a complainant is entitled to a specified amount by way of compensation for any loss or damage suffered by reason of the act or practice the subject of the complaint.46 However, such determinations are not binding between the parties. If it becomes necessary to enforce the determination, action must be taken in the Federal Court or the Federal Magistrates Court.47 Since the Privacy Act commenced, the Privacy Commissioner has made only two determinations awarding compensation for loss or damage.48
2.26 The Privacy Act also gives the Privacy Commissioner a discretion to refer complaints to other bodies, such as the Human Rights and Equal Opportunity Commission, the Ombudsman, the Postal Industry Ombudsman or the Public Service Commissioner.49 Where organisations are guided by an approved privacy code, the code can set out procedures for dealing with complaints that do not involve the Privacy Commissioner.
OTHER FEDERAL PRIVACY LEGISLATION
2.27 There are a number of other federal statutes relating to dealings with personal information. For example, the handling of tax file numbers is regulated by various statutes, such as the Income Tax Assessment Act 1936 (Cth), the Taxation Administration Act 1953 (Cth) and the Data-matching Program (Assistance and Tax) Act 1990 (Cth).50
2.28 Other significant federal statutes relating to privacy include the following:
- The Freedom of Information Act 1982 (Cth) grants every person a right to access documents held by government agencies or Ministers, including information about the person who is seeking access. The Act provides for exemptions, such as documents relating to the national security, defence or international relations, cabinet documents, internal working documents of government agencies and Ministers, documents subject to legal professional privilege, documents affecting personal privacy, and so forth.51 The Act also gives an individual the right to have personal information relating to him or her amended by the relevant government body.52 Similar access and amendments rights are provided by the Privacy Act and parallel State information privacy statutes. This is the main area of overlap between freedom of information and information privacy statutes.53
- The Telecommunications (Interception and Access) Act 1979 (Cth) safeguards the privacy of individuals when using the telecommunications system, telephones in particular. The Act makes it an offence to intercept communications passing over the telecommunications system, at the same time balancing Australia’s law enforcement and national security interests. It specifies the circumstances in which it is permissible for law enforcement agencies and the Australian Security Intelligence Organisation to intercept communications under the authority of a warrant, subject to reporting and accountability mechanisms.
- The Australian Postal Corporation Act 1989 (Cth) safeguards the privacy of individuals when using the postal services system. The Act makes it an offence to open or examine articles while they are in the course of post and under the control of Australia Post.54
FOOTNOTES
1. New South Wales Law Reform Commission, Invasion of Privacy (Consultation Paper 1, 2007).
2. Privacy Act 1988 (Cth) s 6(1).
3. Australian Capital Territory Government Service (Consequential Provisions) Act 1994 (Cth).
4. Privacy Act 1988 (Cth) pt IIIA.
5. Privacy Act 1988 (Cth) s 6C(1).
6. See Australian Law Reform Commission, Review of Privacy (Discussion Paper 72, 2007).
7. This is discussed further in Chapter 3.
8. Privacy Act 1988 (Cth) s 6(1).
9. IPP 1.
10. IPP 2.
11. IPP 3.
12. IPP 4.
13. IPP 5.
14. IPP 6.
15. IPP 7.
16. IPP 8.
17. IPP 9.
18. IPP 10.
19. IPP 11.
20. Privacy Act 1988 (Cth) s 6C.
21. Privacy Amendment (Private Sector) Act 2000 (Cth).
22. These are: the Market and Social Research Privacy Code, the Queensland Club Industry Privacy Code and the Biometrics Institute Privacy Code. The General Insurance Information Privacy Code was approved but has since been revoked.
23. Unlike the IPPs, which are contained in the body of the Act (in s 14).
24. ALRC DP 72, Proposal 15-2, 567.
25. ALRC DP 72, Vol 2, pt D, Ch 15-28.
26. ALRC DP 72, 590-591.
27. ALRC DP 72, 595-597.
28. ALRC DP 72, Chapter 29.
29. For a detailed discussion of exemptions and exceptions see ALRC DP 72, Vol 2, pt E.
30. Privacy Act 1988 (Cth) s 6C(1), subject to s 6E and s 6EA in the case of small business operators.
31. Privacy Act 1988 (Cth) s 6D.
32. Privacy Act 1988 (Cth).
33. ALRC DP 72, Proposals 35-1, 37-1 and 34-5.
34. Privacy Act 1988 (Cth) s 7(1)(a)(ii).
35. Privacy Act 1988 (Cth) s 7.
36. These are: individuals acting in a non-business capacity (s 7B(1)); contracted service providers for a Commonwealth contract (s 7B(2)); current or former employers of an individual (s 7B(3)); media organisations (s 7B(4)); contracted service providers for a State contract (s 7B(5)); political representatives (s 7C); related bodies corporate (s 13B); partnerships (s 13C).
37. NPP 2.1(b).
38. ALRC DP 72, Ch 30.
39. ALRC DP 72, 892, [30.55].
40. ALRC DP 72, 896-897, Proposals 30-1 and 30-2.
41. Privacy Act 1988 (Cth) s 13.
42. Privacy Act 1988 (Cth) s 13A.
43. Privacy Act 1988 (Cth) s 13(b).
44. Privacy Act 1988 (Cth) s 13(ba).
45. Privacy Act 1988 (Cth) s 13(d).
46. Privacy Act 1988 (Cth) s 52(1)(b)(iii).
47. Privacy Act 1988 (Cth) s 55A.
48. See <http://www.privacy.gov.au/act/casenotes/index.html#comdet> at 1 December 2006. Both cases involved disclosure of personal information by government agencies. The Privacy Commissioner determined $2,643 in one case and $5,000 in the other as appropriate compensation.
49. Privacy Act 1988 (Cth) s 50.
50. There are provisions under other federal legislation that require or authorise certain acts involving the collection, use and disclosure of personal information. For example, the Census and Statistics Act 1905 (Cth) and the Commonwealth Electoral Act 1918 (Cth) require or authorise the collection of large amounts of personal information. Other Acts require or authorise the disclosure of personal information in a range of circumstances, such as the Australian Passports Act 2005 (Cth), Corporations Act 2001 (Cth), Telecommunications Act 1997 (Cth) and Migration Act 1958 (Cth).
51. See Freedom of Information Act 1982 (Cth) pt IV (exempt documents). For a recent decision illustrating one class of exempt documents (internal working documents of government agencies or Ministers), see McKinnon v Secretary, Department of Treasury [2006] HCA 45.
52. See Freedom of Information Act 1982 (Cth) pt V (amendment and annotation of personal records).
53. There are at least two areas of potential friction or conflict. The first is where a document subject to protection from disclosure under an information privacy statute is required to be disclosed under freedom of information legislation. The second is where a person who has rights of access and amendment under information privacy laws has similar rights which are subject to differently worded exceptions under freedom of information legislation: see M Paterson, Freedom of Information and Privacy in Australia (Butterworths, 2005), [1.46]-[1.51].
54. See Australian Postal Corporation Act 1989 (Cth) pt 7B (dealing with articles and their contents).