Privacy Law

Overview

  • Privacy law in Australia is a complicated area of law involving different levels of government and a mix of regulations (legislation, common law and law-based principles). Australian government agencies and most large organisations are subject to a set of national privacy principles. More specific laws also apply to certain industries or issues, like healthcare or consumer law.

Background

  • The Privacy Act 1988 (Cth) is the main privacy legislation in Australia, setting out principle-based laws that apply to federal government agencies, organisations with an annual turnover of more than $3 million, and some specific organisations like health service providers. The Act is largely focused on the collection and management of personal information.
  • In February 2018, the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) took effect, requiring government agencies and businesses covered by the Privacy Act 1988 (Cth) to notify any individuals affected by a data breach that is likely to result in serious harm.
  • Most States and Territories in Australia have their own privacy or information management legislation that applies to state-based government agencies
  • As set out in the Commonwealth Government's 2023-2030 Australian Cyber Security Strategy, in 2022-23, the Mandatory Cyber Incident Reporting ("MCIR") regime reported 188 significant cyber incidents. The Government committed to minimal regulatory burdens while supporting industry, aligning with the Privacy Act.

Privacy Act 1988 (Cth)

Australian Privacy Principles

  • The Privacy Act 1988 (Cth) applies to Australian government agencies, organisations with an annual turnover of more than $3 million plus private sector health service providers, credit reporting bodies, credit providers, entities that trade in personal information and tax file number (TFN) recipients).
  • These entities must not breach the 13 Australian Privacy Principles (APPs) contained in Schedule 1 of the Privacy Act 1988 (Cth). The APPs regulate: the collection, use and disclosure of personal information; an entity's governance and accountability; the integrity and correction of personal information; and the rights of individuals to access their personal information.
  • The APPs are principles-based law which gives entities flexibility to tailor their personal information handling practices to suit business needs. Some of the relevant APPs are:
    • APP 1 requires an entity to manage personal information in an open and transparent way, including by having an up-to-date privacy policy.
    • APP 6 requires an entity to only use or disclose personal information for the purpose for which it was collected, subject to limited exceptions.
    • APP 10 requires an entity to take reasonable steps to ensure the personal information it collects is accurate, up-to-date and complete.
    • APP 11 requires an entity to take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure.
  • See Australian Privacy Principle guidelines

Notifiable data breach scheme

  • Under Part IIIC of the Privacy Act 1988 (Cth), organisations with an annual turnover exceeding $3 million (plus private sector health service providers, credit reporting bodies, credit providers, entities that trade in personal information and tax file number (TFN) recipients) are subject to the notifiable data breach scheme. These organisations must promptly inform individuals whose personal information has been affected in a data breach that is likely to cause serious harm.
  • A data breach occurs when personal information that an entity holds is subject to unauthorised access or disclosure, or is lost, and a reasonable person would determine this is likely to cause serious harm (or risk thereof) to affected entities.
  • An affected organisation must undertake a reasonable and speedy assessment and report its results to the Office of the Australian Information Commissioner within 30 days, and distribute these details to the people at risk of serious harm.
  • Part VIB Privacy Act 1988 (Cth) contains penalties for non-compliance and gives the Commissioner investigative powers.

Privacy laws of States and Territories

Other privacy-related legislation

Tort of privacy

Regulatory & Policy Framework

Relevant Organisations

Inquiries & Consultations

Industry Materials

This site is powered by FoswikiCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding AustLII Communities? Send feedback
This website is using cookies. More info. That's Fine