Businesses operating in Australia are required to comply with federal and state/territory privacy statutes and, in particular, the Privacy Act 1988 (Cth), which is administered by the Office of the Australian Information Commissioner.

The Privacy Act regulates the way that businesses can collect, use, retain, secure and disclose personal information and also regulates credit providers and credit reporting agencies. The Privacy Act establishes 10 National Privacy Principles (NPPs) which apply to most private sector organisations. The NPPs cover standards for the collection, use, disclosure, data quality and security, openness, access, correction, identification, anonymity, storage and data flow of personal information. The Commissioner may also authorise businesses in the private sector to create and uphold their own privacy codes. Once approved, those codes become binding on the business.

Organisations to which the Privacy Act applies must take reasonable steps to make individuals aware that they are collecting personal information about them and inform them of the purposes for which they are collecting the information. There are restrictions on how an organisation deals with personal information that it collects and when it can disclose or transfer personal information overseas.

Each state and territory in Australia has similar privacy legislation to the Privacy Act.

In addition, most states and territories have legislation which sets privacy standards for handling health information in both the public and private sectors in the particular state/territory. Further information can be found at www.privacy.gov.au.

Following a recent review of Australia's privacy laws, the Privacy Amendment (Enhancing Privacy Protection) Act 2012 has been passed by the Australian Parliament. When it comes into force in March 2014, it will:

  1. create a harmonised set of privacy principles, the Australian Privacy Principles (APPs). The APPs will replace the NPPs and the Information Privacy Principles (IPPs), which apply to the Commonwealth public sector;
  2. modernise credit reporting arrangements;
  3. improve health sector information flows, and give individuals new rights to control their health records, contributing to better health service delivery;
  4. prohibit the use of personal information for direct marketing purposes unless specific criteria are met first;
  5. require both public and private sector organisations to ensure that personal information will continue to be protected if sent overseas (with the organisations being liable for any breach of the APPs by the overseas recipients); and
  6. strengthen and expand the Privacy Commissioner's powers. In particular, the Privacy Commissioner will be able to, among other matters, obtain court enforceable undertakings from an organisation and apply to a court for a civil penalty order against an organisation (which for a private sector organisation may range from $10,000 to $1.1 million for serious and repeated breaches of privacy).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.