Privacy Law

Overview

Background

• The Privacy Act 1988 (Cth) is the main privacy legislation in Australia, setting out principle-based laws that apply to federal government agencies, organisations with an annual turnover of more than $3 million, and some specific organisations like health service providers. The Act is largely focused on the collection and management of personal information.
• In February 2018, the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) took effect, requiring government agencies and businesses covered by the Privacy Act 1988 (Cth) to notify any individuals affected by a data breach that is likely to result in serious harm.
• Most States and Territories in Australia have their own privacy or information management legislation that applies to state-based government agencies
• As set out in the Commonwealth Government's 2023-2030 Australian Cyber Security Strategy, in 2022-23, the Mandatory Cyber Incident Reporting ("MCIR") regime reported 188 significant cyber incidents. The Government committed to minimal regulatory burdens while supporting industry, aligning with the Privacy Act.

Legal Framework

Privacy Act 1988 (Cth)

Australian Privacy Principles

• The Privacy Act 1988 (Cth) applies to Australian government agencies, organisations with an annual turnover of more than $3 million plus private sector health service providers, credit reporting bodies, credit providers, entities that trade in personal information and tax file number (TFN) recipients.
• These entities must not breach the 13 Australian Privacy Principles (APPs) contained in Schedule 1 of the Privacy Act 1988 (Cth). The APPs regulate: the collection, use and disclosure of personal information; an entity's governance and accountability; the integrity and correction of personal information; and the rights of individuals to access their personal information.
• The APPs are principles-based law which gives entities flexibility to tailor their personal information handling practices to suit business needs. Some of the relevant APPs are (see Australian Privacy Principle guidelines', Attorney-General's Department (Web Page, 2024)):
  • APP 1 requires an entity to manage personal information in an open and transparent way, including by having an up-to-date privacy policy.
  • APP 6 requires an entity to only use or disclose personal information for the purpose for which it was collected, subject to limited exceptions.
  • APP 10 requires an entity to take reasonable steps to ensure the personal information it collects is accurate, up-to-date and complete.
  • APP 11 requires an entity to take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure.

Notifiable data breach scheme

• Under Part IIIC of the Privacy Act 1988 (Cth), organisations with an annual turnover exceeding $3 million (and private sector health service providers, credit reporting bodies, credit providers, entities that trade in personal information and tax file number (TFN) recipients) are subject to the notifiable data breach scheme. These organisations must promptly inform individuals whose personal information has been affected in a data breach that is likely to cause serious harm.
• A data breach occurs when personal information that an entity holds is subject to unauthorised access or disclosure, or is lost, and a reasonable person would determine this is likely to cause serious harm (or risk thereof) to affected entities.
• An affected organisation must undertake a reasonable and speedy assessment and report its results to the Office of the Australian Information Commissioner within 30 days, and distribute these details to the people at risk of serious harm.
• Part VIB Privacy Act 1988 (Cth) contains penalties for non-compliance and gives the Commissioner investigative powers.

Privacy laws of States and Territories

• The Privacy Act 1988 (Cth) does not regulate local, state or territory government agencies, including public hospitals. For privacy legislation regulating States and Territories see 'State and territory privacy legislation', Office of the Australian Information Commissioner (Web Page, 1 July 2024):
  • Australian Capital Territory - Information Privacy Act 2014 (ACT)
  • New South Wales - Privacy and Personal Information Protection Act 1998 (NSW)
  • Northern Territory - Information Act 2002 (NT)
  • Queensland - Information Privacy Act 2009 (Qld)
  • South Australia - No legislation specific to privacy law exists (but see 'Information Privacy Principles Instruction', Government of South Australia (Web Page, 14 June 2024))
  • Tasmania - Personal Information and Protection Act 2004 (Tas)
  • Victoria - Privacy and Data Protection Act 2014 (Vic)
  • Western Australia - No legislation specific to privacy law exists

Other privacy-related legislation

• Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth)
• Data-matching Program (Assistance and Tax) Act 1990 (Cth)
• Healthcare Identifiers Act 2010 (Cth)
• My Health Records Act 2012 (Cth)
• Personal Property Securities Act 2009 (Cth)
• Telecommunications Act 1997 (Cth)

Statutory Tort of Serious Invasions of Privacy

• Until 2024, the tort of privacy was not recognised at common law or statute, although the availability and principles of such a tort were contemplated by the High Court of Australia (see Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd [2001] HCA 63) and the Australian Law Reform Commission's Serious Invasions of Privacy in the Digital Era Final Report, (Report, June 2014)).
• The Privacy and Other Legislation Amendment Act 2024 (Cth) created a new statutory tort for serious invasions of privacy which will be actionable when:
  

1. objectively, a person in the plaintiff's position would have had a reasonable expectation of privacty in all of the circumstances;
2. if so, the invasion of privacy is serious (for example, the degree of offence; distress or harm to dignity; malicious motivation); and
3. the public interest in protecting the plaintiff's privacy outweighed a competing public interest in the invasion of their privacy (for example, freedom of expression, freedom of the media, or open justice), if that is a relevant issue.

• As of December 2024 the statutory tort had not received judicial treatment.

Regulatory and Policy Framework

Relevant Organisations

• Office of the Australian Information Commissioner:
  • 'Australian Privacy Principle guidelines', Office of the Australian Information Commissioner (Web Page, 2024)
  • 'Notifiable data breaches', Office of the Information Commissioner (Web Page, 2024)
  • 'Data breach preparation and response', Office of the Information Commissioner (Web Page, June 2024)
• Australian Attorney-General's Department (see 'Privacy', Attorney-General's Department (Web Page, 2024)).
• State and Territory privacy agencies:
  • Australian Capital Territory - Office of the Australian Information Commissioner on behalf of ACT
  • New South Wales - NSW Information and Privacy Commission
  • Northern Territory - Office of the Information Commissioner Northern Territory
  • Queensland - Queensland Office of the Information Commissioner
  • South Australia - South Australia privacy committee
  • Tasmania - Tasmania Ombudsman
  • Victoria - Office of the Victorian Information Commissioner
  • Western Australia - Office of the Information Commissioner (WA)

Inquiries & Consultations

• Senate Legal and Constitutional Affairs Legislation Committee, Parliament of Australia, Inquiry into Privacy Amendment (Re-identification Offence) Bill 2016 (Report, 2016).
• 'Review of the Privacy Act 1998', Attorney-General's Department (Web Page, 2024):
  • 'Review of the Privacy Act 1988 — Terms of Reference', Attorney-General's Department (Web Page, 30 October 2020)
  • 'Review of the Privacy Act 1988 — Issues paper', Attorney-General's Department (Web Page, 30 October 2020)

Industry Materials

• Chris Culnane and Kobi Leins, 'Misconceptions in Privacy Protection and Regulation' (2020) 36(2) Law in Context 1

Related Topics

• Consumer Rights
• Directors' Duties
• Healthcare
• Security of Critical Infrastructure
• Telecommunications