Businesses operating in Australia are required to comply with
federal and state/territory privacy statutes and, in particular,
the Privacy Act 1988 (Cth) which is administered by the
Office of the Australian Information Commissioner.
The Privacy Act regulates the way that businesses can
collect, use, retain, secure and disclose personal information and
also regulates credit providers and credit reporting agencies. The
Privacy Act establishes 10 National Privacy Principles
(NPPs) which apply to most private sector
organisations. The NPPs cover standards for the collection, use,
disclosure, data quality and security, openness, access,
correction, identification, anonymity, storage and data flow of
personal information. The Commissioner may also authorise
businesses in the private sector to create and uphold their own
privacy codes. Once approved, those codes become binding on the
Organisations to which the Privacy Act applies must
take reasonable steps to make individuals aware that they are
collecting personal information about them and inform them of the
purposes for which they are collecting the information. There are
restrictions on how an organisation deals with personal information
that it collects and when it can disclose or transfer personal
Each state and territory in Australia has similar privacy
legislation to the Privacy Act.
In addition, most states and territories have legislation which
sets privacy standards for handling health information in both the
public and private sectors in the particular state/territory.
Further information can be found at www.privacy.gov.au.
Following a recent review of Australia's privacy laws, the
Privacy Amendment (Enhancing Privacy Protection) Act 2012
has been passed by the Australian Parliament. When it comes into
force in March 2014, it will:
create a harmonised set of privacy principles, the Australian
Privacy Principles (APPs). The APPs will replace
the NPPs and the Information Privacy Principles
(IPPs), which apply to the Commonwealth public
modernise credit reporting arrangements;
improve health sector information flows, and give individuals
new rights to control their health records, contributing to better
health service delivery;
prohibit the use of personal information for direct marketing
purposes unless specific criteria are met first;
require both public and private sector organisations to ensure
that personal information will continue to be protected if sent
overseas (with the organisations being liable for any breach of the
APPs by the overseas recipients); and
strengthen and expand the Privacy Commissioner's powers. In
particular, the Privacy Commissioner will be able to, among other
matters, obtain court enforceable undertakings from an organisation
and apply to a court for a civil penalty order against an
organisation (which for a private sector organisation may range
from $10,000 to $1.1 million for serious and repeated breaches of
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.