Privacy

Contributed by CarolineHeskeOIC and current to February 2025

Privacy laws only apply to some organisations

Privacy laws regulate the way personal information should be collected, handled, or communicated. As an individual, you have a right to complain if a regulated organisation breaches your privacy.

NT Government bodies are bound to follow privacy laws set out in the Information Act 2002 (NT) (NTIA). Government bodies mean public sector organisations (NTIA s 5), and include Departments, Councils, as well as some other bodies created by legislation. If a private business is performing a service for the NT Government, then they are also bound to follow the NTIA privacy laws when they are handling personal information in providing that service. The private business is not otherwise bound to follow the NTIA.

Commonwealth Government bodies are bound to follow the Privacy Act 1988 (Cth) (Cth PA).

Many private businesses are also bound to follow the Cth PA, including:
  • any business with an annual turnover of $3 million or more;
  • health service providers and businesses that trade in personal information regardless of their turnover;
  • credit providers.

Private individuals and small businesses that are not regulated by the Cth PA are not subject to particular privacy laws. If an individual breaches your privacy:

Conduct that breaches Privacy Principles

The privacy rules that organisations are required to adhere to are:

Collecting unnecessary personal information

An organisation or agency should not collect your personal information unless they really need it in order to carry out their functions (NTIA IPP 1; Cth PA APPs 3 and 4). An organisation should give you the option to enter into any transactions anonymously where practicable (NTIA IPP 8; PA NPP 8), and should only collect 'sensitive information' in certain limited circumstances (NTIA IPP 10; Cth PA APP 2). Sensitive information includes information about your racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, criminal record, or health (NTIA s 4; Cth PA s 6). The Commonwealth definition of sensitive information also specifically includes biometric data. Sensitive information should usually only be collected if you consent, if collection is required by law or for legal proceedings.

Sneaky or intrusive collection of personal information

Wherever possible, an organisation should only collect personal information about you directly from you with your knowledge (NTIA IPP 1; Cth PA APP 3). It should do so lawfully and fairly (NTIA IPP 1; Cth PA APP 3). At the time of collecting the information the organisation should make sure that you are aware why your information is being collected, the purpose for which it will be used, the consequences of not providing the information, who that information is likely to be disclosed to, and the fact that you have a right to access that information (NTIA IPP 1; Cth PA APP 3). At any time, you should be able to contact an organisation and find out the kind of personal information they hold, as well as how to go about accessing personal information that was collected from you (NTIA IPP 5; Cth PA APP 1).

Using your personal information for an unauthorised purpose

Organisations are supposed to only use and disclose your personal information for the purpose for which they collected it, which is known as the 'primary purpose' (NTIA IPP 2; Cth PA APP 6). Information can be used or disclosed for a secondary purpose with your consent.

Information can also be used or disclosed for a secondary purpose if it is related to the primary purpose, and is the kind of purpose for which you would reasonably expect the organisation to use your information. If the information is sensitive information, the secondary purpose must be very closely or 'directly' related to the primary purpose.

Information can also be used or disclosed for a secondary purpose if it is required or authorised by law, to prevent serious harm, to investigate wrongdoing and to assist law enforcement agencies. APP 7 limits the use of personal information for direct marketing to when a list of pre-conditions is met.

Failing to take proper care of your information

An organisation must take reasonable steps to protect your personal information from misuse, loss, unauthorised access, modification or disclosure (NTIA IPP 4; Cth PA APP 11). What constitutes 'reasonable steps' varies on a case-by-case basis, and can depend on the size and available resources of the organisation, and the sensitivity of the information. For any large or sensitive use of personal information or any significant procurement or upgrade or modification of a government computer system, a suitably thorough privacy impact assessment should be conducted. Appropriate user controls, password protocols, auditing, physical locked areas, data-life-cycle assessments, collection notices, records management practices, procedures, and training are all common safeguards that can and are expected to be implemented where reasonable to satisfy the privacy principles. Controls should be suitable to limit access and use of personal information to just the staff in the organisation who 'need to know', again to the extent this is reasonable given the organisation's resources and the cost of taking those measures.

Keeping information that is past its 'use-by date'

NT Government and private sector organisations are required to destroy information about you which is no longer needed (NTIA IPP 4; PA APP 11). Government organisations usually have 'disposal schedules', which are guidelines for the disposal of old and obsolete information. An organisation can keep information if they de-identify it, which means removing your name and any other details that would reveal that the information is about you.

Collecting and keeping inaccurate information

The organisation must take reasonable steps to ensure your information is accurate, complete and up to date (NTIA IPP 3; Cth PA APP 10). Reasonable steps means what is reasonable in all the circumstances. You can ask an organisation to correct information they hold about you. If they refuse, they should provide you with reasons for that refusal (NTIA IPP 6; Cth PA APP 13).

Whether information is 'complete' and 'up to date' will be judged according to the purpose or purposes for which the information is kept or is to be used or disclosed. For example, what is required of an organisation to act to ensure accuracy may be greater if the information comprises a record of serious criminal conduct than if it relates to your eye colour. And, it is likely to be greater if the organisation is about to make a decision to your detriment, than if the information is merely historical information that remains on a closed file.

Refusing to let you access your personal information

An organisation should provide you with access to your personal information (NTIA IPP 6; Cth PA APP 12). Exceptions to this rule include where providing access would: be unlawful, prejudice the health and safety of an individual or the public in general, prejudice an investigation into unlawful behaviour, or prejudice the organisation if it is currently negotiating with you.

Note that for the NT scheme, IPP 6 provides an alternative scheme for accessing information to FOI (see Freedom of Information). Like the FOI access scheme exemptions, there are a series of reasons why an organisation can refuse access to information. Many of the exceptions are similar to FOI exemptions but there are some differences. One of the exceptions arises if 'denying access is required or authorised by law'. This allows refusal of access to information based on any of the FOI access exemptions. In general terms, the requirements for, and procedures involved in, the FOI access scheme are more concrete, and spelled out in more detail, than the Privacy access scheme. Similar considerations apply in relation to access to information held by Federal agencies.

Giving you a number

Creating a number or code-name for you is known as giving you a 'unique identifier'. Examples include your tax file number or driver's licence. NT Government and private sector organisations are significantly limited in the creation, adoption and use of unique identifying numbers or codes (NTIA IPP 7; Cth PA APP 9).

Letting your information leave the NT

An NT Government organisation should not transfer your information outside the Territory without your consent unless they are required to by law, or unless they are satisfied that the foreign recipient is bound to comply with rules similar to the NTIA IPPs (NTIA IPP 9). Private sector organisations should not transfer your information outside Australia without your consent unless they are required to by law, or unless they are satisfied that the foreign recipient is bound to comply with rules similar to the APPs (Cth PA APP 8). Any system that involves cloud computing on servers outside the NT needs to comply with IPP 9.

Exceptions to privacy laws

Please note that there are some exceptions to the IPPs. These include certain functions of courts and tribunals (NTIA s 69), and law enforcement agencies (NTIA s 70).

There are some information sharing schemes operational in the NT which effectively override many privacy protections that might otherwise be expected to apply:
  • Part 5.1A of the Care and Protection of Children Act 2007 (NT) authorises an 'Information Sharing Framework' that allows information 'about a child', which means it 'relates to the safety or wellbeing of the child' (s 293B), to be shared between any 'information sharing authority' (ISA) (s 293C). The range of persons who are information sharing authorities is very broad and includes a wide range of government and law enforcement organisations, as well as any non-government organisation that receives funding to 'provide a service or perform a function for or in connection with children', and any foster carers. It does not permit sharing information with parents. The information may be shared without request if the ISA reasonably believes that the information may assist the recipient to do various things that relate to the safety or wellbeing of the child or children, including simply to arrange or provide a service (s 293D). If an ISA receives a request from another ISA, the information must be provided unless it meets the list of refusal reasons set out in s 293E(5). An ISA is not permitted to further use or disclose the information for any purpose not related to the safety and wellbeing of a child to whom the information relates or in a manner otherwise contrary to a law in force in the Territory (s 293G). Section 293J provides that the Part has effect despite the operation of any other law of the Territory that prohibits or restricts the disclosure of information. Further information about this scheme is available from the Northern Territory Government.
  • Part 5.1 of the Care and Protection of Children Act 2007 (NT) authorises digital information sharing between the Agency responsible for that Act, a Commonwealth agency, or an operator of child-related services for the purpose of matters related to the safety and wellbeing of children; the sharing must be likely to substantially contribute to the Agency's capacity to improve outcomes for child safety and wellbeing. These require data access agreements to be prepared in consultation with the NT Information Commissioner, subject to public consultation, then approved by the Minister and published. The NT Department of Children and Families has data access agreements in place with some departments under the '360 Degree View of the Child' system, which are published on their website. The data shared relates to children who are in the care of or at the attention of the Agency and their close connections.
  • Chapter 5A of the Domestic and Family Violence Act 2007 (NT) authorises information sharing between Information Sharing Entities in relation to family and domestic violence. The scheme is more consent-based than the scheme for sharing information about children, but still permits sharing information without consent if this relates to serious risks to a person from domestic violence.

Making a privacy complaint

You should first contact the organisation or agency who you believe has breached your privacy and ask to speak to the person responsible for privacy matters. Explain what you want or what you are unhappy with and see if the matter can be resolved at this level.

Northern Territory matters

If your concern is not resolved, you can complain to the Information Commissioner. Your complaint must be made within 12 months of becoming aware of the issue. There is no fee for making a complaint about a breach of privacy either to the organisation or to the Information Commissioner.

If you have a basis for concerns but are not yourself the person whose privacy has been breached, you can report your concerns to the Information Commissioner, who has powers to audit NT public sector organisations for compliance or to serve a compliance notice if the contravention is serious or repetitive.

Federal matters

If your concern relates to a Federal Government agency or a private sector organisation that is bound by the Cth PA, you can complain to the Office of the Australian Information Commissioner. You should send a copy of your letter or any other written contact you have had with the organisation and a copy of any response you received from them with your complaint. You should lodge this complaint within 12 months of becoming aware of the issue. Upon lodging the complaint you should think about how you want the matter resolved and make this clear to the Commissioner.

The Commissioner will then investigate your complaint and attempt to resolve the matter by communicating with the organisation and you. This is the process of conciliation. The Commissioner may also make a decision if the matter cannot be resolved informally.

Unlawful access of data offences

Unlawful access to or modification of data in a computer system is a serious criminal offence where there was an intention to cause loss or harm to someone or to gain a benefit or advantage for the person or a third party (see Part VIIA Division 1 of the Criminal Code (NT)).

Use of surveillance

The use of surveillance devices by persons in the NT is covered by the Surveillance Devices Act 2007 (NT) (SDANT).

Law enforcement officers such as police have strict rules to follow when using surveillance devices under SDANT, with some additional procedures for law enforcement officers set out in the Surveillance Devices Act 2004 (Cth) or under specific legislation.

For persons who are not law enforcement officers, use of surveillance devices is limited but not prohibited.
  • Covert use of a listening device by a person who is a party to the conversation is permitted under s 11, or if the device is used in an emergency to record a matter of serious public interest (s 43), but if the emergency use provision is relied upon the person must give a written report to a Supreme Court Judge within two business days after starting to use the device (s 45). Covert use of listening devices by law enforcement officers is only authorised with a warrant or other specific legal safeguards.
  • Installation and use of an optical surveillance device (eg. a security camera) is permitted in locations where it is only recording activity that is not private activity (see s 12). A private activity or conversation is one carried out in circumstances which indicate that the people involved desire it to be observed only by themselves. A private conversation can be private even if it is carried on in a public place. On the other hand, an activity or conversation where the parties ought reasonably to expect that they may be observed or overheard is not private (see s 4). For example, installing a camera to show persons coming to a front door would be permitted, but installing a camera in a toilet or to spy on a person behind closed doors would be prohibited. There is an exception to permit recording a matter of serious public interest in an emergency (s 44), but if the emergency use provision is relied upon the person must give a written report to a Supreme Court Judge within two business days after starting to use the device (s 45).
  • Use of a tracking device to determine a person's geographical location without the person's express or implied consent is an offence (s 13). A tracking device means an electronic device that may be used to determine the geographical location of a person or thing, and so could include unauthorised access to and use of geolocation functions on a person's phone or smart device.
  • Possessing a surveillance device that is intended for unlawful use is an offence (s 66).

Under SDANT, use, communication or publication of information collected by surveillance devices is limited except for particular situations. Using or communicating the information is permitted to prevent or reduce risk of serious violence to a person or substantial damage to property, for disclosure in a proceeding in open court, and for some other purposes (SDANT s 15).

However, under s 7 of the Telecommunications (Interception and Access) Act 1979 (Cth) it is an offence to intercept phone calls and internet transmissions. A surveillance device that operates by intercepting phone calls or internet transmissions will be unlawful even if it could otherwise operate lawfully under SDANT. Courts may also be reluctant to admit evidence of covert recordings, and may exercise a discretion to reject this kind of evidence unless they are satisfied that the recording is reliable and complete, and of significant probative value. In general, it is better to seek someone's consent before you record them, or at least draw the fact you are recording them to their attention. Being in possession of a surveillance device that is an 'interception device' (for example, for tapping a phone) is a Federal offence (Criminal Code (Cth) s 474.4).

Stalking and harassment

If someone is keeping you under surveillance and not necessarily using a surveillance device, other applicable offences may include unreasonably disrupting your privacy (Summary Offences Act 1923 (NT) s 47(f)), and unlawful stalking (Criminal Code (NT) s 189).

Unlawful capture or use of intimate images

Recording or capturing an intimate image without consent is an offence under the Criminal Code (NT) s 208AAB, and distribution of an intimate image without consent to the distribution is an offence under the Criminal Code (NT) s 208AB. Intimate images include images which depict or appear to depict a person in a manner or context that is sexual, depict the genital or anal region whether bare or covered by underwear, or depict the breasts of a female person or a transgender or intersex person who identifies as female (Criminal Code (NT) s 208AA).
