Privacy Law

Overview

• Privacy law in Australia is a complicated area of law involving different levels of government and a mix of regulations (legislation, common law and law-based principles). Australian government agencies and most large organisations are subject to a set of national privacy principles. More specific laws also apply to certain industries or issues, like healthcare or consumer law.

Background

• The Privacy Act 1988 (Cth) is the main privacy legislation in Australia, setting out principle-based laws that apply to federal government agencies, organisations with an annual turnover of more than $3 million, and some specific organisations like health service providers. The Act is largely focused on the collection and management of personal information.
• In February 2018, the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) took effect, requiring government agencies and businesses covered by the Privacy Act 1988 (Cth) to notify any individuals affected by a data breach that is likely to result in serious harm.
• Most States and Territories in Australia have their own privacy or information management legislation that applies to state-based government agencies
• As set out in the Commonwealth Government's 2023-2030 Australian Cyber Security Strategy, in 2022-23, the Mandatory Cyber Incident Reporting ("MCIR") regime reported 188 significant cyber incidents. The Government committed to minimal regulatory burdens while supporting industry, aligning with the Privacy Act.

Legal Framework

Privacy Act 1988 (Cth)

Australian Privacy Principles

• The Privacy Act 1988 (Cth) applies to Australian government agencies, organisations with an annual turnover of more than $3 million plus private sector health service providers, credit reporting bodies, credit providers, entities that trade in personal information and tax file number (TFN) recipients).
• These entities must not breach the 13 Australian Privacy Principles (APPs) contained in Schedule 1 of the Privacy Act 1988 (Cth). The APPs regulate: the collection, use and disclosure of personal information; an entity's governance and accountability; the integrity and correction of personal information; and the rights of individuals to access their personal information.
• The APPs are principles-based law which gives entities flexibility to tailor their personal information handling practices to suit business needs. Some of the relevant APPs are:
  • APP 1 requires an entity to manage personal information in an open and transparent way, including by having an up-to-date privacy policy.
  • APP 6 requires an entity to only use or disclose personal information for the purpose for which it was collected, subject to limited exceptions.
  • APP 10 requires an entity to take reasonable steps to ensure the personal information it collects is accurate, up-to-date and complete.
  • APP 11 requires an entity to take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure.
• See Australian Privacy Principle guidelines

Notifiable data breach scheme

• Under Part IIIC of the Privacy Act 1988 (Cth), organisations with an annual turnover exceeding $3 million (plus private sector health service providers, credit reporting bodies, credit providers, entities that trade in personal information and tax file number (TFN) recipients) are subject to the notifiable data breach scheme. These organisations must promptly inform individuals whose personal information has been affected in a data breach that is likely to cause serious harm.
• A data breach occurs when personal information that an entity holds is subject to unauthorised access or disclosure, or is lost, and a reasonable person would determine this is likely to cause serious harm (or risk thereof) to affected entities.
• An affected organisation must undertake a reasonable and speedy assessment and report its results to the Office of the Australian Information Commissioner within 30 days, and distribute these details to the people at risk of serious harm.
• Part VIB Privacy Act 1988 (Cth) contains penalties for non-compliance and gives the Commissioner investigative powers.

Privacy laws of States and Territories

• The Privacy Act 1988 (Cth) does not regulate local, state or territory government agencies (including public hospitals). For privacy legislation regulating States and Territories see:
  • Australian Capital Territory - Information Privacy Act 2014 (ACT)
  • New South Wales - Privacy and Personal Information Protection Act 1998 (NSW)
    
  • Northern Territory - Information Act 2002 (NT)
  • Queensland - Information Privacy Act 2009 (Qld)
  • South Australia - No legislation specific to privacy law exists, but Information Privacy Principles exist
  • Tasmania - Personal Information and Protection Act 2004 (Tas)
  • Victoria - Privacy and Data Protection Act 2014 (Vic)
  • Western Australia - No legislation specific to privacy law exists
• See Privacy in your state, Office of the Australian Information Commissioner

Other privacy-related legislation

• Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth)
• Data-matching Program (Assistance and Tax) Act 1990 (Cth)
• Healthcare Identifiers Act 2010 (Cth)
• My Health Records Act 2012 (Cth)
• Personal Property Securities Act 2009 (Cth)
• Telecommunications Act 1997 (Cth)

Tort of privacy

• In Australia, the tort of privacy is not recognised at common law or under statute, although the availability and principles of the potential tort have been considered by the High Court and Australian Law Reform Commission.
• See Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd [2001] HCA 63
• See Serious Invasions of Privacy in the Digital Era - Final Report, Australian Law Reform Commission (June 2014)
• See Digital Platforms Inquiry - Final Report, Australian Competition and Consumer Commission (June 2019)
• See Groundhog Day for Privacy Tort, Gilbert + Tobin (6 September 2019)
• See Megan Richardson et al, 'Would a Statutory Privacy Tort in Australia Harm Valuable Free Speech?' (15 February 2021, SSRN)

Regulatory & Policy Framework

Relevant Organisations

• Australian Office of the Information Commissioner
  • Australian Privacy Principle guidelines
  • Notifiable Data Breaches scheme
  • Data Breach Preparation and Response: A Guide to Managing Data Breaches in accordance with the Privacy Act 1988 (Cth) (July 2019)
• Australian Attorney-General's Department
  • Privacy
• State and Territory privacy agencies
  • Australian Capital Territory - Office of the Australian Information Commissioner on behalf of ACT
  • New South Wales - NSW Information and Privacy Commission
  • Northern Territory - Office of the Information Commissioner Northern Territory
  • Queensland - Queensland Office of the Information Commissioner
  • South Australia - South Australia privacy committee
  • Tasmania - Tasmania Ombudsman
  • Victoria - Office of the Victorian Information Commissioner
  • Western Australia - Office of the Information Commissioner (WA)

Inquiries & Consultations

• Serious Data Breach Notification Consultation (2015-16)
  • Discussion Paper
  • Submissions
• Privacy Amendment (Re-identification Offence) Bill 2016 (Cth) - Bills Digest
  • Report of Senate Legal and Constitutional Affairs Legislation Committee Inquiry into Privacy Amendment (Re-identification Offence) Bill 2016
• Review of the Privacy Act 1988 (2019-20)
  • Terms of Reference
  • Issues Paper

Industry Materials

• Chris Culnane and Kobi Leins, 'Misconceptions in Privacy Protection and Regulation' (2020) 36(2) Law in Context 1
• Strategies to Mitigate Cyber Security Incidents - Mitigation Details, Australian Cyber Security Centre (February 2017)

Related Topics

• Consumer Rights
• Directors' Duties
• Healthcare
• Security of Critical Infrastructure
• Telecommunications