The Privacy Act 1988 (Cth) and the Australian Privacy Principles
Introduction
The Privacy Act 1988 (Cth) is Australia’s principal privacy and data protection statute. Enacted in 1988 and significantly amended in 2000 (to extend the Act to the private sector) and in 2012 (to introduce the Australian Privacy Principles), the Act regulates the collection, use, disclosure, storage, and disposal of personal information by Australian government agencies and private sector organisations. The Act is overseen by the Office of the Australian Information Commissioner (OAIC), headed by the Australian Information Commissioner.
The Privacy Act operates within a framework of international privacy principles (modelled on the OECD Privacy Guidelines and the APEC Privacy Framework) and reflects the fair information practice principles that underpin modern data protection law. The Act has been the subject of significant reform in response to the challenges of the digital economy, including major amendments in 2022 (increasing penalties) and ongoing reform following the Privacy Act Review (2022).
Scope and Application
The Privacy Act applies to “APP entities” — Australian government agencies (including departments, agencies, and authorities of the Commonwealth) and private sector organisations that have an annual turnover of more than $3 million. Smaller businesses (with an annual turnover of $3 million or less) are generally exempt, unless they: trade in personal information; provide health services; are related to a larger entity; or are covered by a specific code registered under the Act.
The Act applies extraterritorially: it applies to acts done or practices engaged in outside Australia by an APP entity that has an Australian link (carrying on business in Australia and collecting personal information in Australia). The Act also applies to acts of Australian government agencies outside Australia.
The Act defines personal information broadly as “information or an opinion about an identified individual, or an individual who is reasonably identifiable” (s 6(1)). The definition is technology-neutral and includes both factual information and opinion, recorded or not. The High Court has held that information is “about” an individual if it relates to them in a meaningful sense: Lee v Superior Wood (2019) 268 CLR 60. The concept of “reasonable identifiability” requires the entity to consider the means reasonably available to identify the individual.
The Australian Privacy Principles (Schedule 1)
The Australian Privacy Principles (APPs) are the core of the Privacy Act. The 13 APPs, set out in Schedule 1 of the Act, govern the handling of personal information from collection through to disposal.
APP 1 — Open and transparent management of personal information: APP entities must manage personal information in an open and transparent way, by having a clearly expressed and up-to-date privacy policy (APP 1.4–1.6) describing how the entity manages personal information, the kind of information collected, the purposes for which it is collected, and how an individual may access and correct their information.
APP 2 — Anonymity and pseudonymity: individuals must have the option of dealing with an APP entity without identifying themselves, or using a pseudonym, where it is lawful and practicable to do so.
APP 3 — Collection of solicited personal information: an APP entity must only collect personal information that is reasonably necessary for, or directly related to, one or more of the entity’s functions or activities. The information must be collected by lawful and fair means, and the individual must be notified of the collection.
APP 4 — Unsolicited personal information: if an APP entity receives unsolicited personal information, it must determine whether it could have collected the information under APP 3 if it had solicited it. If not, the entity must destroy or de-identify the information as soon as practicable.
APP 5 — Notification of the collection of personal information: at the time of collecting personal information (or as soon as practicable thereafter), the entity must notify the individual of specified matters: the entity’s identity and contact details; the purposes of collection; the types of third parties to whom the entity may disclose the information; the existence of any law requiring or authorising collection; the consequences of not providing the information; the individual’s right to access and correct their information; and whether the information will be disclosed to overseas recipients.
APP 6 — Use or disclosure of personal information: an APP entity may use or disclose personal information for the primary purpose for which it was collected. Use or disclosure for a secondary purpose is permitted only where: the individual has consented; the secondary purpose is related to the primary purpose (and the individual would reasonably expect the use or disclosure); the use or disclosure is required or authorised by or under an Australian law; or a permitted general situation applies (e.g., serious threat to life, health, or safety, or the prevention of unlawful activity).
APP 7 — Direct marketing: an entity that holds personal information may use the information for direct marketing only where: the individual has consented; or the information was collected from the individual and the individual would reasonably expect the entity to use it for direct marketing, and the entity provides a simple means to opt out. The entity must not use sensitive information (e.g., health information, political opinions, religious beliefs) for direct marketing without consent.
APP 8 — Cross-border disclosure of personal information: before disclosing personal information to an overseas recipient, an APP entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs. The entity is accountable for any breach by the overseas recipient, unless the entity has informed the individual that the recipient is not required to comply with the APPs and the individual has consented to the disclosure.
APP 9 — Adoption or disclosure of government related identifiers: an APP entity must not adopt a government related identifier (e.g., a Tax File Number, Medicare number, driver licence number) as its own identifier of an individual, nor disclose the identifier to a third party, unless permitted by law.
APP 10 — Quality of personal information: an APP entity must take reasonable steps to ensure that the personal information it collects, uses, or discloses is accurate, up to date, complete, and relevant.
APP 11 — Security of personal information: an APP entity must take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. The entity must also destroy or de-identify personal information where it is no longer needed for any permitted purpose.
APP 12 — Access to personal information: an individual has a right to request access to personal information held by an APP entity. The entity must respond to the request within a reasonable period and must give access unless a specific exemption applies. The permitted grounds for refusing access are limited and include: an enforcement related activity conducted by an enforcement body; the protection of another individual’s privacy; and where the request is frivolous or vexatious.
APP 13 — Correction of personal information: an individual may request the correction of inaccurate, out-of-date, incomplete, irrelevant, or misleading personal information held by an APP entity. The entity must take reasonable steps to correct the information and must notify any third parties to whom the information has been disclosed.
The Notifiable Data Breaches Scheme (Part IIIC)
The Notifiable Data Breaches (NDB) scheme (Part IIIC of the Privacy Act, effective 22 February 2018) requires APP entities to notify the OAIC and affected individuals when an eligible data breach occurs. A data breach is “eligible” where: (a) there is unauthorised access to or disclosure of personal information, or loss of personal information in circumstances where unauthorised access or disclosure is likely; (b) the breach is likely to result in serious harm to any of the individuals to whom the information relates; and (c) the entity has not been able to take remedial action to prevent the likely risk of serious harm.
“Serious harm” includes physical, psychological, emotional, economic, and reputational harm. The entity must carry out a reasonable and expeditious assessment of whether the breach is likely to result in serious harm. If so, the entity must prepare a statement setting out the nature of the breach, the kind of information compromised, and the recommended steps for affected individuals. The statement must be provided to the OAIC and to each affected individual (or, where that is not practicable, published on the entity’s website).
The Office of the Australian Information Commissioner (OAIC)
The OAIC is the independent statutory authority responsible for oversight of the Privacy Act, the Freedom of Information Act 1982 (Cth), and the Government Information (Public Access) Act 2009 (NSW) (in relation to Commonwealth agencies). The OAIC is headed by the Australian Information Commissioner, who is assisted by the Privacy Commissioner and the Freedom of Information Commissioner.
The OAIC’s functions include: (a) the investigation of complaints about interference with privacy (including through conciliation and determination); (b) the assessment of APP entities’ compliance with the APPs and the NDB scheme; (c) the registration of APP codes; (d) the provision of guidance and resources to entities and individuals; (e) the undertaking of research and policy advice; and (f) the conduct of privacy assessments of government agencies and private sector organisations.
The OAIC has the power to make a determination (including a declaration that the entity must take specified action to remedy the interference with privacy) and may apply to the Federal Court for a civil penalty order in respect of a serious or repeated interference with privacy.
Privacy Act Review (2022)
In 2020, the Commonwealth Attorney-General commissioned a comprehensive review of the Privacy Act. The Privacy Act Review Report (the “Attorney-General’s Report”), released in December 2022, made 116 recommendations for reform, including: (a) the introduction of a statutory cause of action for serious invasion of privacy (a tort of privacy); (b) the strengthening of the consent framework (requiring “meaningful consent” rather than assumed consent); (c) the expansion of the definition of personal information to include technical and inferred data; (d) the imposition of direct obligations on “online platforms” (social media, data brokers, and large digital platforms); (e) the introduction of a right to erasure (a “right to be forgotten”); (f) the introduction of mandatory data protection impact assessments; and (g) the expansion of the extra-territorial application of the Act.
The Review’s recommendations have been the subject of ongoing consultation and are expected to be implemented through a series of legislative amendments over the period 2023–2026.
The 2023 Penalty Amendments
The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2023 significantly increased the maximum penalties for serious or repeated interferences with privacy. From 13 December 2023, the maximum civil penalty for a body corporate is the greater of: (a) $50 million; (b) three times the value of any benefit obtained directly or indirectly from the contravention; or (c) if the court cannot determine the value of the benefit, 30% of the body corporate’s adjusted turnover in the relevant period. The amendments also strengthened the OAIC’s investigation and enforcement powers, including the power to issue infringement notices.
Credit Reporting (Part IIIA)
Part IIIA of the Privacy Act regulates the handling of credit reporting information by credit reporting bodies (CRBs) — organisations that collect and maintain information about individuals’ credit histories. The comprehensive credit reporting regime (introduced in 2014 and made mandatory in stages) requires CRBs to collect and disclose positive credit information (including repayment history information, credit limits, and the date of opening and closing accounts). Individuals have the right to access their credit information and to correct errors. Complaints about credit reporting may be made to the OAIC or to the Australian Financial Complaints Authority (AFCA).
Tax File Number and Health Information
The Privacy Act contains specific provisions governing the handling of Tax File Numbers (TFNs) (Part VA) and health information (including the Health Privacy Principles, which apply to health service providers and supplement the APPs). Health information is defined as a subset of sensitive information (s 6FA) and is subject to additional protections under the Act, including the requirement that an APP entity obtain the individual’s consent to collect health information, subject to limited exceptions (including the provision of health services and the management of public health risks).