Data Privacy

Privacy is regulated primarily by Commonwealth legislation. The Privacy Act 1988 (Cth) applies to the management of personal information (including collection, use, disclosure, security and disposal) by most Commonwealth public sector entities, including Commonwealth ministers, as well as private sector entities (including not-for-profits) with annual turnover of more than A$3 million or meeting other specified criteria (eg, health services providers or credit reporting bodies). The Privacy Act contains:

• 13 Australian Privacy Principles (APPs);
• a mandatory notifiable data breach scheme;
• a regime for credit reporting; and
• recently introduced requirements applying to the COVIDSafe app, the Australian government’s COVID-19 contact tracing app.

The My Health Records Act 2012 (Cth) created a privacy regime for the Australian government’s digital health records scheme, My Health Record. There is an additional privacy regime applicable to data that is shared under the relatively new Consumer Data Right contained in Part IVD of the Competition and Consumer Act 2010 (Cth) (CCA). The Telecommunications Act 1997 (Cth) includes additional protections for certain personal information related to telecommunications services. Other legislation applies in limited cases, such as the Data-matching Program (Assistance and Tax) Act 1990 (Cth), which applies to certain government agency data matching.

All states and territories (other than Western Australia and South Australia) have privacy legislation that applies to the handling of personal information by the relevant state or territory public sector and, in certain cases, to private sector health service providers.

Part IIIA of the Privacy Act and the Privacy (Credit Reporting) Code 2014 (CR Code) impose additional obligations for the protection of credit information relating to individuals collected and used by credit reporting bodies and credit providers that apply in addition to the other Privacy Act obligations.

My Health Record is an online record of an individual’s health information created under the Australian government’s digital health records scheme. A breach of the privacy requirements of the My Health Records Act will also breach the Privacy Act.

Part IVD of the CCA provides protections for consumer data right (CDR) data and applies in addition to the Privacy Act. CDR currently applies in banking and will apply to other sectors over time.

Prudential standards issued by the Australian Prudential Regulatory Authority (APRA) impose information security and outsourcing requirements on APRA-regulated entities in the banking and insurance sectors.

Part 13 of the Telecommunications Act requires carriers and carriage service providers (CSPs) to protect the confidentiality of particular types of personal information. The information that must be protected is information that relates to the content of communications, carriage services provided and the affairs or personal particulars of persons. The Telecommunications Act and the Telecommunications (Interception and Access) Act 1979 (Cth) require carriers and CSPs (and others) to provide access to, or assistance in accessing, certain communications information, in particular cases for law enforcement and national security purposes.

Biometric information is ‘sensitive information’ and so subject to additional obligations under the Privacy Act (see question 3.1).

A well-known example of such an arrangement is the Agreement between the European Union and Australia on the Processing and Transfer of Passenger Name Record (PNR) Data by Air Carriers to the Australian Customs and Border Protection Service. This agreement authorises the transfer of PNR data to the Australian Department of Home Affairs from airlines that process PNR data in the European Union. The agreement also allows the department to provide that PNR data to other Australian and foreign government agencies, as long as safeguards in the agreement are complied with.

Australia is:

• a signatory to the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules, which is a government-backed data privacy certification scheme that companies may join to demonstrate compliance with internationally recognised data privacy protections;
• a participant in the Global Privacy Assembly’s Global Cross Border Enforcement Cooperation Arrangement (GCBECA), with other participants including Canada, Germany and the United Kingdom. This provides a framework for privacy regulators to work together on cross-border enforcement of privacy laws; and
• a participant in the APEC Cross-Border Privacy Enforcement Arrangement which, like the GCBECA, provides a framework for the cross-border enforcement of privacy laws.

In 2020 the Office of the Australian Information Commissioner (OAIC) also entered into memorandums of understanding with Singapore’s Personal Data Protection Commission and with the UK Information Commissioner's Office. While each memorandum is non-binding, both provide commitments from the privacy regulators to work together in relation to data governance and cross-border movements of personal information.

The Information Commissioner, appointed under the Australian Information Commissioner Act 2010 (Cth) (AIC Act), is responsible for the enforcement of the Privacy Act, the My Health Record Act and the CDR privacy regime under the CCA. The commissioner also has regulatory responsibilities under the Crimes Act 1914 (Cth), the Data-matching Act, the National Health Act 1953 (Cth) and the Telecommunications Act. The commissioner is supported by the OAIC, which is also established under the AIC Act.

Under the Privacy Act, the commissioner (supported by the OAIC):

• must, subject to limited exemptions, investigate Privacy Act-related complaints received from individuals; and
• may investigate possible breaches of the Privacy Act on her own volition, under a Commissioner initiated investigation.

If the commissioner determines that a breach has occurred following an investigation, she may make certain declarations, including:

• requiring the entity in breach to take steps to ensure that the breach is not repeated or continued; and
• requiring the payment of compensation to affected individuals.

The commissioner may also:

• accept court enforceable undertakings requiring compliance with the Privacy Act;
• seek injunctions to prevent ongoing or potential breaches of the Privacy Act; and
• seek civil penalties for serious or repeated interferences with the privacy of individuals and specified breaches of the credit reporting provisions of the Privacy Act.

Enforcement proceedings must be taken in Australia’s Federal Court or Federal Circuit Court.

The commissioner has similar powers under the My Health Records Act and Part IVD of the CCA.

The OAIC has published the Australian Privacy Principles Guidelines (‘OAIC Guidelines’) under Section 28 of the Privacy Act. The OAIC Guidelines are not legally binding, but set out best practice for compliance with the Privacy Act and the APPs. The OAIC Guidelines are widely used by regulated entities.

Under Part IIIB of the Privacy Act, the Information Commissioner may register enforceable privacy codes developed by entities (either on their own initiative or when requested by the commissioner) or by the commissioner. Codes apply in addition to the requirements of the Privacy Act and a breach of a code will also be a breach of the Privacy Act. Currently, the most significant code is the CR Code, which applies to credit providers and credit reporting bodies.

The OAIC’s Privacy Regulatory Action Policy sets out the OAIC’s approach to using privacy regulatory powers. The OAIC’s regulatory approach is to facilitate voluntary compliance with privacy obligations and to work with entities to ensure best privacy practice and prevent privacy breaches. The goal of the OAIC in taking regulatory action is to promote and ensure the protection of personal information. The OAIC will take into account a number of other factors in determining whether to take action, including:

• to deter conduct in breach of the Privacy Act across a particular sector;
• to address systemic issues – that is, where there are underlying problems with particular practices, procedures or systems relating to privacy compliance; and
• instilling public confidence in the OAIC’s role as a privacy regulator.

The Privacy Act applies to ‘APP entities’, which may be either agencies or organisations.

Agencies are Commonwealth public sector entities, including government ministers and government departments and other bodies. Certain national security and law enforcement agencies are exempt, including the Australian Security Intelligence Organisation and the Australian Signals Directorate, and some of these agencies are exempt in relation to particular types of acts or practices.

An ‘organisation’ is defined as an individual, a body corporate, a partnership, an unincorporated association or a trust – in other words, any form of private sector legal entity. This is subject to exemptions for:

• ‘small business operators’ (ie, operating businesses with an annual turnover, including of related entities, of A$3 million or less);
• registered political parties;
• state or territory authorities; and
• prescribed instrumentalities.

These exemptions are not absolute. The small business exemption will not apply in certain circumstances, including if the relevant business:

• is a health service provider;
• trades in personal information;
• is a contracted service provider for the Commonwealth; or
• is a credit reporting body.

Although the Privacy Act does not generally apply to state and territory authorities, it applies to specified New South Wales energy authorities and South Australia’s Department for Health and Wellbeing and HomeStart Finance, which are considered to be organisations.

Other privacy-related legislation applies to a more limited set of entities – for example, the My Health Records Act applies to specific healthcare providers and the Telecommunications Act privacy provisions apply only to carriers and carriage service providers (CSPs).

Certain Commonwealth public sector entities are exempt in whole or part from the Privacy Act, as identified in question 2.1. Also, state and territory government agencies are generally exempt. Private sector businesses (including not-for-profits) are subject to the Privacy Act unless the small business exemption discussed in question 2.1.

The Privacy Act does not apply in other cases, including to:

• acts or practices of a private sector employer where related to the employment relationship (or former relationship) and an ‘employee record’. An employee record is a record of an employee’s (or former employee’s) personal information relating to the employment relationship. This does not apply to agencies or where the employee record is used for non-employment related purposes;
• acts or practices of individuals that are not related to the business (if any) carried on by the individual. In other words, an individual is not subject to the Privacy Act in relation to the collection, use and so on of personal information only for purposes related to his or her personal, family or household affairs; and
• acts or practices of media organisations relating to journalism, provided that the organisation is publicly committed to published privacy standards.

Registered political parties are exempt from the Privacy Act; as are ‘political representatives’ (ie, members of Parliament and local government councillors) and their contractors and volunteers when undertaking specific political activities, including in relation to elections. However, ministers retain obligations under the Privacy Act in relation to personal information.

The Privacy Act, and codes registered thereunder, have extraterritorial operation (section 5B), as follows:

• acts or practices of agencies, wherever performed; and
• acts or practices of organisations, where an Australian link exists. An ‘Australian link’ exists where an organisation is:
• • an Australian citizen or permanent resident;
  • a partnership or trust established in Australia;
  • a body corporate incorporated in Australia; or
  • an unincorporated entity with central management and control in Australia.
• If this requirement is not satisfied, then an act or practice of an organisation done or engaged in outside Australia will have an Australian link if both:
• • the organisation “carries on business” in Australia; and
  • the relevant personal information was collected or held by the organisation in Australia, either before or at the time of the act or practice.

Australian Information Commissioner v Facebook Inc (No 2) [2020] FCA 1307 considered the requirements for an Australian link in the context of the Information Commissioner’s case against Facebook Ireland and Facebook Inc arising from the Cambridge Analytica scandal. Although only a decision on an interlocutory application, where the commissioner needed only to establish a prima facie case, the Federal Court judge hearing the case found that Facebook Inc, even though it did not provide the Facebook app to Australian users, carried on business in Australia through services provided to Facebook Ireland in Australia and collected and held personal information in Australia, as it installed and operated cookies on Facebook and provided caching servers in Australia.

(a),(b),(c) There is no concept of “data processing” under the Privacy Act. The Privacy Act regulates the collection, holding, use, disclosure and destruction or de-identification of personal information. Each – APP entity that undertakes any of these activities is regulated in the same way. As a consequence, there is no concept of “data processor” or “data controller” under the Privacy Act.

(d) There is no concept of “data subject” under the Privacy Act. The Privacy Act applies to personal information of living natural persons.

(e) There is no definition of “personal data” in the Privacy Act. Instead “personal information” is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not the information is true or recorded in a material form.

(f) There is no definition of “sensitive personal data” in the Privacy Act. Instead “sensitive information” is a subset of personal information and includes:

1. information or an opinion about a person’s race, political stance, religion, trade union and other professional memberships, sexual preferences and criminal record provided this is also personal information;
2. health and genetic information about a person; and
3. biometric information used for verification or identification and biometric templates of a person.

(g) In the Privacy Act “consent” is defined to mean express or implied consent. The Office of the Australian Information Commissioner (OAIC) Guidelines require that an individual is adequately informed before giving consent, that consent is voluntary, current and specific and that the individual has the capacity to understand and communicate his or her consent. Consent is required only in limited cases under the Privacy Act, such as for the collection and use of sensitive information.

The application of the Privacy Act is triggered when an APP entity first ‘collects’ personal information, irrespective of how personal information is collected (or the purpose of the collection). ‘Collect’ means collect for inclusion in a record (whether a paper or electronic record) or a generally available publication (eg, a magazine or newspaper).

To be ‘de-identified’, information must be modified so that it no longer identifies a person or is reasonably likely to identify them. Additional protections may be required to prevent re-identification.

‘Disclosure’ is not defined in the Privacy Act. The OAIC interprets this in the OAIC Guidelines to mean providing access or visibility to an external person where the subsequent handling of the personal information is outside the discloser’s control.

To ‘hold’ means to possess or control a record (either physical or electronic) that contains personal information. ‘Control’ refers to the right or power to deal with the record.

‘Purpose’ limits the use and disclosure by an APP entity of personal information. An APP entity must disclose its ‘primary purpose’ – typically in its privacy policy or otherwise – at the time of collection. APP entities may also use and disclose personal information for ‘secondary purposes’. For example, if, notwithstanding that an individual was not informed of a purpose, he or she would reasonably expect the information to be used or disclosed for a particular purpose that is related (or for sensitive information, directly related) to the primary purpose, this will be a permitted secondary purpose.

There is no requirement for any entity to register under the Privacy Act.

Not applicable.

Not applicable.

An agency (regulated Commonwealth public entity) may collect personal information that is not sensitive information if the information is reasonably necessary for, or directly related to, its functions or activities (Australian Privacy Principle (APP) 3.1). Personal information that is not sensitive information may be collected by private sector APP entities only if it is reasonably necessary for the entity’s functions or activities (APP 3.2).

In the case of all APP entities, consent must be obtained from the relevant individual to collect sensitive information (APP 3.3) other than in limited cases, such as where required by law.

To be ‘directly related to’ an agency’s functions or activities, there must be a clear and direct connection with the relevant function or activity. The Office of the Australian Information Commissioner (OAIC) Guidelines state that the term ‘reasonably necessary’ must be determined objectively, so that if reasonable alternatives are available such as the use of de-identified information, that test will not be satisfied. Further, in the view of the OAIC, it is not sufficient if the collection is simply helpful in some way or convenient.

Personal information may generally be used and disclosed only for the purposes for which it was collected, which will typically be set out in the APP entity’s privacy policy or disclosed at the time of collection (referred to as the ‘primary purpose’). The OAIC Guidelines note that context will help in identifying the primary purpose of collection of personal information. Use and disclosure for secondary purposes are permitted in limited circumstances (see question 3.2).

Each APP entity that collects, holds, uses, discloses or destroys/de-identifies personal information, under any type of arrangement, is subject to the Privacy Act.

The purposes for which personal information may be collected, used and disclosed are specified in question 5.1. Other key principles that apply to collection, holding, use, disclosure and destruction/de-identification include the following:

• Personal information may be collected only by lawful and fair means (APP 3.5) and collected directly from the relevant individual, unless a limited exemption applies (for private sector APP entities, only if it is unreasonable or impracticable to collect the personal information directly) (APP 3.6).
• APP entities must take reasonable steps to notify individuals of the collection of personal information and related matters (APP 5).
• If offshore disclosure of personal information occurs, the APP entity is responsible for breaches of the APPs by the recipient unless certain exemptions apply (see question 6.2).
• APP entities must take reasonable steps to ensure that personal information which is collected, used and disclosed is accurate, complete and up to date (APP 10). When an APP entity uses or discloses personal information, it must take reasonable steps to ensure that this is relevant (APP 10.2).
• APP entities must take reasonable steps to protect personal information, including from misuse and unauthorised disclosure (APP 11.1).
• Where an APP entity no longer needs personal information, unless it is required to retain it by law or in other limited cases, it must take reasonable steps to destroy or de-identify it (APP 11.2).

Each APP entity must maintain a privacy policy that sets out, among other things, the types of personal information it collects and holds and the purposes for which it collects, holds, uses and discloses that information (APPs 1.3 and 1.4). The privacy policy must be made available free of charge and in an appropriate form, which is typically satisfied by making the policy available on the APP entity’s website (APP 1.5).

In addition, either before or at the time personal information is collected or as soon as practicable thereafter, an APP entity must take reasonable steps to notify the relevant individual of (or to otherwise ensure that he or she is aware of) the details of the collecting APP entity and, among other things, the purposes for the collection and the persons to which the information would usually be disclosed, including whether cross-border disclosure is likely (APP 5).

The OAIC Guidelines state that the ‘reasonable steps’ required to notify or ensure awareness will depend on, among other circumstances:

• the sensitivity of the personal information;
• adverse consequences from collection;
• special needs of the relevant individual; and
• practicability (including time and cost).

The circumstances in which it may not be necessary to take any steps include where:

• the individual is otherwise aware of the collection, why the personal information is being collected and the other relevant matters; or
• if the information is collected from a third party, the APP entity will continue to hold, but may not actively use or disclose, that personal information.

Disclosure is interpreted by the Office of the Australian Information Commissioner (OAIC) to mean any positive act of disclosure, as well as accidental or unauthorised disclosure, such as when an email containing personal information is sent to the incorrect recipient. The key requirement is that further use be outside the control of the discloser.

Personal information may be used or disclosed only for the purposes for which it was collected or for permitted secondary purposes (APP 6). The OAIC Guidelines provide that, in describing to individuals the purposes for which personal information is collected, and therefore the primary purposes for which it may be used or disclosed, APP entities must not frame these purposes too broadly, such as ‘for carrying on [APP entity’s] business’. Whether a description is too broad will depend on all relevant circumstances. The OAIC has also stated that APP entities need not include in such descriptions ordinary internal business purposes, such as billing. Therefore, if an APP entity proposed to disclose personal information to a third party that provided its ordinary course business services, this would not need to be disclosed.

Other than where disclosure is made to offshore recipients, which is discussed in question 6.2, an APP entity is not liable for the acts or practices of a person to which that APP entity discloses any personal information, even though that APP entity may have liability in relation to the disclosure itself, if it is not for a permitted primary or secondary purpose.

If an APP entity discloses personal information to a person outside Australia which is not bound by the Australian Privacy Principles (APPs), it must take reasonable steps to ensure that the offshore recipient does not breach, and will be liable for that offshore recipient’s breaches of, the APPs (other than APP 1) in relation to that information, unless an exemption applies (APP 8.1).

The most relevant exemptions are as follows:

• The APP entity reasonably believes that the offshore recipient is subject to laws or a binding scheme similar to the APPs and the relevant individual(s) are entitled seek recourse under such law or scheme (APP 8.2(a)); or
• The relevant individual(s) expressly agree that the APP entity need not take steps to ensure compliance with the APPs by the offshore recipient (APP 8.2(b)).

In a practical sense, this means that APP entities have lesser obligations where the offshore recipient is subject to the laws or binding rules of a jurisdiction that provide safeguards at least equivalent to the Privacy Act.

The reasonable steps required to ensure that an offshore recipient does not breach the APPs are typically to impose contractual obligations on that entity and to actively monitor and enforce compliance with those obligations.

In mid-2020 the Privacy Act was amended to include provisions regulating the collection, use and disclosure of information collected via the Australian government’s COVIDSafe app. That information is deemed to be personal information and any disclosure of that information outside Australia is an offence.

Although an APP entity will not be directly liable for breaches of the Privacy Act by a third party to which it discloses information where that third party is located in Australia (and the disclosure is for a permitted purpose), best practice dictates that the transferring APP entity should undertake due diligence to ensure that the third party will handle the personal information in accordance with the Privacy Act, and may also require that the APP entity imposes contractual obligations on such third parties to handle the personal information appropriately (and takes reasonable steps to monitor compliance with those obligations).

APP entities should consider the manner in which disclosures occur. Where, for example, personal information is transferred via the Internet, it would be appropriate to ensure that, at a minimum, the personal information is encrypted before that disclosure occurs, to prevent unauthorised interception during transfer.

There is a key legislative development that should also be considered in this context, which is the new CDR, as contained in Part IVD of the Competition and Consumer Act. This regime empowers an individual to direct a business in a sector subject to the regime to transfer his or her information to an authorised third party to enable the relevant individual to obtain alternative goods or services. CDR currently applies only in the banking sector, but will be implemented in other sectors as well. CDR has strict requirements for transferring CDR data (which is personal information when related to individuals), which may set benchmarks for other personal information disclosures.

Consent is generally not required under the Privacy Act for the collection, use and disclosure of an individual’s personal information, other than sensitive information.

This does not mean that individuals do not have rights under the Privacy Act in relation to the collection, use and disclosure of their information. The following in particular should be noted:

• Personal information is generally required to be collected directly from the individual (APP 3.1). Therefore, an individual has a choice as to whether to provide that information.
• Collection must be by lawful and fair means (APP 3.5). For example, an APP entity cannot seek to collect personal information by deception or from an individual who is impaired, such as where the person is in shock.
• Individuals may require access to, and correction of, their personal information held by an APP entity (APP 12); though – unlike in jurisdictions such as the European Union – the Privacy Act does not include a right to be forgotten.
• Individuals may complain if their personal information is used or disclosed for a purpose other than for which it was collected or for a permitted secondary purpose (Part V of the Privacy Act).

There are limited cases where personal information may be collected, used and disclosed outside of the general rules otherwise applicable under the Privacy Act. These apply when a “permitted general situation”, such as taking action regarding unlawful activities or mitigating a serious threat to life, or a “permitted health situation”, such as related to certain research purposes, exists.

An individual may not take direct action against an APP entity in the event that entity breaches the Privacy Act in relation to her personal information. Instead, the individual must first complain to the APP entity. Only if his or her complaint is not resolved satisfactorily by the APP entity may an individual complain to the Information Commissioner (noting representative complaints may be made by an individual on her own behalf and on behalf of other similarly impacted individuals). The commissioner is obliged to investigate all complaints other than as expressly provided in the Privacy Act, such as where the complaint is frivolous or vexatious.

Individuals have very limited rights to take action to protect their privacy outside of the complaint mechanism in the Privacy Act. There is no general law right to privacy in Australia. There is limited judicial authority that protects privacy, though in 2019 an innovative privacy class action was settled in New South Wales. In that case, the complainants alleged that the unauthorised disclosure of their personal information amounted to, among other things, a breach of contract and misleading and deceptive conduct.

The government has committed to reform Australia’s privacy law over 2020/21, which could see a direct right of action for individuals to seek compensation under the Privacy Act for interference with their privacy introduced into the Privacy Act, as well as – more controversially – the introduction of a statutory tort for serious invasions of privacy which would entitle individuals to take action outside the Privacy Act.

As mentioned in question 7.2, individuals cannot take direct action under the Privacy Act.

Where the Information Commissioner undertakes an investigation of a complaint (including a representative complaint) or undertakes an investigation of acts or practices that may be a breach of the Privacy Act on the commissioner’s own initiative (referred to as a commissioner initiated investigation) and determines that a breach has occurred, the commissioner may make a determination that includes particular types of remedies.

These remedies include not only declarations that specific steps must be taken by the breaching APP entity to ensure the breach is not repeated or continued, but also that compensation is payable to impacted individuals. The Office of the Australian Information Commissioner Guidelines state that any compensation awards should be “restrained but not minimal”. The commissioner will award compensation for hurt feelings, humiliation and expenses incurred by the complainant in connection with making the complaint. Aggravated damages may be awarded where the conduct of the respondent warrants this, for example, if it acts maliciously. To date, such awards have not been large.

In addition, when investigating a complaint, the commissioner may seek to conciliate it, which may result in direct remedies being provided to impacted individuals.

The commissioner also has the right to accept court enforceable undertakings and take proceedings in Australia’s Federal Court or Federal Circuit Court to seek injunctions and civil penalties in relation to specific breaches of the Privacy Act. These remedies are not directly available to individuals.

APP 1.2(a) requires APP entities to take reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles (APPs) (and any applicable APP codes). It is not a mandatory requirement of APP 1.2(a) to appoint a privacy officer, but the Office of the Australian Information Commissioner (OAIC) Guidelines suggest this is an appropriate governance mechanism.

Commonwealth government agencies, other than government ministers, must comply with the Privacy (Australian Government Agencies – Governance) APP Code 2017 (Cth). The code sets out steps regulated agencies must take to comply with APP 1.2. The code requires agencies to have at least one privacy officer. The code also requires that agencies have a privacy champion: a senior official of the agency who promotes a privacy culture in the relevant agency and provides leadership on strategic privacy issues.

Even though private sector APP entities are not bound by the code, many would have a privacy officer as part of their practices and procedures to comply with the Privacy Act.

The code is a registered APP code under the Privacy Act. Section 26A of the Privacy Act requires compliance with registered APP codes, meaning that the consequences for an agency of not appointing a privacy officer will be the same as for any other breach of the Privacy Act. For other APP entities, a failure to have a privacy officer is not of itself a breach, but is likely to be taken into consideration by the OAIC in assessing compliance with APP 1.2.

Neither the Privacy Act nor the Privacy (Australian Government Agencies – Governance) APP Code mandates specific qualifications or other criteria privacy officers must meet. However, the OAIC has issued a Privacy Officer Toolkit for agencies. This outlines the skills and knowledge the OAIC expects agency privacy officers to have, as follows:

• unsurprisingly, an in-depth knowledge of the Privacy Act (and the code) and an ability to operationalise those requirements;
• an understanding not only of the relevant agency’s strategic priorities and key projects involving the collection and use of personal information, but also of the agency’s systems and processes to handle personal information;
• strong communications and stakeholder management skills; and
• an understanding of privacy dispute resolution and complaint handling processes.

Although, as mentioned in question 8.1, the code is not binding on private sector APP entities, the Privacy Officer Toolkit is a useful resource for such APP entities in considering the qualifications that a privacy officer should have. In the case of a private sector APP entity, a privacy officer should have not only a good understanding of the requirements of the Privacy Act (and any applicable APP codes), but also the ability to operationalise those requirements. In addition, such a privacy officer will need the skills to work with both internal and external stakeholders, act as an advocate for good privacy practices and assist in relation to the resolution of privacy complaints. Often this means that an appointed privacy officer has legal qualifications or regulatory or governance related skills.

Section 10 of the Privacy (Australian Government Agencies – Governance) APP Code specifies the functions that a privacy officer of a regulated agency must perform. These are:

• acting as the agency’s primary contact for privacy advice;
• handling privacy enquiries, complaints and requests for access to, and correction of, personal information (whether internal or external);
• maintaining records of personal information holdings;
• assisting in the preparation of privacy impact assessments for high privacy risk projects and keeping a register of the agency’s privacy impact assessments; and
• assessing compliance with the agency’s plan for taking reasonable steps to implement practices, procedures and systems to comply with the APPs and manage enquiries and complaints (ie, its plan for compliance with APP 1.2) and documenting assessments.

The role of an agency privacy officer, as mandated by the code, is very compliance focused. These are minimum requirements only and it would be expected that an agency’s privacy officer(s) would have a broader role. For example, privacy officers (including privacy officers for private sector APP entities) would typically also be required to:

• develop and operationalise not only an APP entity’s privacy policy, but also its internal policies, procedures and systems to ensure compliance with all applicable privacy regulation (including by updating these for changes in the law);
• monitor compliance with policies, procedures and systems;
• undertake training of the APP entity’s employees and other staff;
• be a key member of the data breach response team; and
• report to senior management and/or the board on privacy issues.

An agency may outsource the role of privacy officer to another agency, but not to a private sector entity (see Section 10(2) of the Privacy (Australian Government Agencies – Governance) APP Code). For private sector APP entities, where privacy officers are not mandated, it is possible to outsource this role.

Before an APP entity (whether in the public or private sector) decided to outsource this role, it should consider whether this would satisfy its obligations under APP 1.2 to take reasonable steps to implement practices, procedures and systems to ensure compliance with the APPs (and applicable codes) and to manage privacy enquiries and complaints. The OAIC Guidelines set out the factors that an APP entity needs to consider in determining the reasonable steps it should take to comply with APP 1.2:

• An APP entity may consider factors such as its size, resources and business model. Where an entity has a small number or staff or limited internal resources, it may be appropriate to outsource at least some part of the role of a privacy officer (eg, relating to development of processes and policies, training and the like).
• The nature of the personal information held by an APP entity is also relevant. For example, where an APP entity handles large volumes of sensitive information, outsourcing may not be appropriate.
• Practicability is taken into account. An entity which handles very little personal information may determine outsourcing is the best option, taking into consideration time and cost.

The Privacy Act does not impose specific record-keeping and documentation requirements. However, the OAIC Guidelines and the Privacy (Australian Government Agencies – Governance) APP Code assist in determining the types of records and documents that should be kept to demonstrate compliance with the Privacy Act.

The OAIC Guidelines state compliance with APP 1.2 will typically require that an APP entity puts in place:

• risk identification and management processes, including for conducting privacy impact assessments for new projects that involve handling personal information;
• security systems to protect personal information and procedures for identifying and responding to privacy breaches;
• staff policies, including for training and for supervision of staff who handle personal information on a regular basis;
• processes and systems for proactive management of agents and contractors that handle the personal information of the APP entity; and
• governance mechanisms and a programme for the review and audit of the APP entity’s privacy policy and its internal privacy policies, procedures and systems.

These policies, procedures and systems should be appropriately documented and records kept of compliance.

Section 9 of the code requires that each regulated agency have a documented privacy management plan. The purpose of the plan is to assist in promoting a good privacy culture, and a privacy-by-design approach, in in the agency. The plan must set out specific and measurable privacy targets and how the agency will meet its obligations under APP 1.2. The privacy officer must assess the agency’s performance against that plan at least annually and document those assessments.

The OAIC’s regulatory priorities, as announced in May 2020, focus on online platforms and social media, particularly looking at privacy policies, default settings and issues of consent. Personal information security and data breaches are also areas targeted by the OAIC. These priorities highlight compliance issues for all APP entities, whether operating in an online or offline environment.

A privacy policy set out the types of personal information an APP entity collects, as well as how it holds, protects uses and discloses that information. As such, it is a cornerstone of an APP entity’s compliance framework. The Australian Competition and Consumer Commission’s (ACCC) Digital Platforms Inquiry, conducted over 2018 and 2019, concluded digital platforms privacy policies are often long, complex, vague and difficult to understand. Although the ACCC’s analysis was limited to digital platforms, given its findings, the government has accepted the ACCC’s recommendation that changes are made to the Privacy Act to strengthen notification and consent requirements. Each APP entity should therefore give careful consideration to whether its privacy policy is not only compliant with APP 1.4 (which states the minimum information a privacy policy must contain), but is also clear and straightforward for individuals to understand.

Data breaches may happen even where entities have strong and robust security systems to protect personal information. Given the OAIC’s focus on this area, it is important from a compliance perspective that data breach policies are fully documented and regularly tested so that, in the unfortunate case that a breach occurs, these policies may be efficiently implemented.

Under APP 11.1, each APP entity must take reasonable steps to protect the personal information that it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure.

The Office of the Australian Information Commissioner’s view is that the reasonable steps required will depend on the relevant circumstances. These circumstances include:

• the nature of the APP entity (eg, size, complexity);
• the amount and sensitivity of the information;
• the potential adverse consequences for impacted individuals if there is a breach;
• the practical implications of implementing security measures; and
• whether any proposed measure is privacy invasive.

Reasonable steps include not only putting in place ICT and access security arrangements but also implementing steps and strategies regarding:

• governance, culture and training;
• the conclusion of binding contractual arrangements with service providers that access personal information;
• processes for dealing with data breaches; and
• policies for dealing with personal information that is no longer required to be held (noting that APP11.2 imposes a separate obligation on APP entities to destroy or de-identify such personal information).

The Information Commissioner has taken regulatory action in numerous cases where APP entities have not complied with APP 11.1. For example, in 2019 she accepted an enforceable undertaking from Commonwealth Bank of Australia in relation to breaches of APP 11.1 which involved the loss of data tapes holding customer personal information and an absence of appropriate policies and procedures to restrict employees from accessing personal information of customers when this was not required to perform their roles.

Part IIIC of the Privacy Act contains the notifiable data breach regime, which applies to “eligible data breaches”.

A data breach is unauthorised access or disclosure of personal information or loss of personal information where unauthorised access or disclosure is likely to occur. However, a data breach must satisfy the following additional criteria before it is considered to be an eligible data breach:

• The data breach is likely to result in “serious harm” to the relevant individual(s); and
• The relevant APP entity has been unable to take steps to prevent that likely risk of serious harm.

Section 26WG of the Privacy Act sets out factors that need to be considered in determining whether serious harm is likely from a data breach, including:

• the sensitivity of the information;
• the persons who have obtained (or may obtain) the information; and
• the nature of the harm that may result.

Financial harm would be serious harm, but this is a broader concept and could include physical, emotional or psychological harm.

If there are reasonable grounds to believe that an eligible data breach has occurred, an APP entity must notify the Information Commissioner as soon as practicable (Section 26WK of the Privacy Act). The notification must include:

• the name and contact details of the entity (and of any other entities involved in the breach);
• a description of the breach;
• the type of information involved; and
• recommended steps for protection from the consequences of the breach.

The My Health Records Act has a separate data breach notification regime.

When the Information Commissioner is notified of an eligible data breach, as set out in question 9.2, individuals impacted by that eligible data breach must also be notified (Section 26WL of the Privacy Act) and provided with the same information the commissioner receives. Where more than one APP entity is involved in an eligible data breach, only one of those entities is required to notify the commissioner and the impacted individuals.

If it is practicable to notify each individual whose information has been disclosed or each individual at risk of serious harm, the APP entity must take reasonable steps to do this. If an entity usually communicates with an individual using a particular communication method, that method may be used, but this is not obligatory. Email, phone, text or similar may be appropriate, depending on the circumstances. If it is not practicable to directly notify individuals, the entity must publish the notification statement on the entity’s website (if it has one) and take reasonable steps to ensure that impacted individuals are aware of that statement.

Care should be taken in considering whether to make notifications in cases where this is not required under Part IIIC of the Privacy Act. The Information Commissioner has warned that unnecessary notifications may cause distress as well as potentially resulting in ‘notification fatigue’, creating a risk that individuals will ignore all notifications and not take protective action in cases where they truly are at serious risk from a data breach.

An APP entity requires appropriate policies and procedures not only to ensure that it notifies eligible data breaches, but also to detect and assess data breaches and to take action either to prevent or to limit the risk of harm arising from any data breach.

APP entities should bear in mind that although the majority of data breaches reported under Part IIIC of the Privacy Act since it commenced in early 2018 arose from malicious or criminal attacks, approximately one-third of reported incidents were caused by human error. Therefore, it is critical that data breach policies and procedures include appropriate training for an APP entity’s staff that will limit the risk of such errors. Also, not all breaches arise from cyber incidents and, depending on the nature and operations of an APP entity, physical security may be as, or more, important than security for ICT systems.

An APP entity must promptly assess any event which it has reasonable grounds to suspect is an eligible data breach (see Section 26WH of the Privacy Act). Prompt assessment is required not only to ensure that an APP entity complies with its notification requirements, but also to ensure that it may take steps to mitigate or eliminate the impacts of a data breach. Taking such action is important to protect the individuals who may be impacted from harm. In addition, where steps may be taken to prevent serious harm, the relevant data breach need not be notified under the Part IIIC regime.

The Privacy Act does not apply to any act or practice of an organisation regarding an individual’s employee record where this directly relates to an existing or former employment relationship with that individual (Section 7B(3) of the Privacy Act). An employee record is a record of personal information relating to employment and includes, for example, the employee’s health information and personal information regarding matters such as taxation and banking, membership of a trade union and terms and conditions of employment (Section 6(1) of the Privacy Act). This exemption does not apply to non-employees (eg, contractors or volunteers), and does not apply to employee records of Commonwealth public sector agencies.

Although only a decision of the Fair Work Commission Full Bench, which does not have jurisdiction regarding Privacy Act matters, Jeremy Lee v Superior Wood Pty Ltd [2019] FWCFB 2946 is authority for a narrow construction of this employee records exemption. That case concerned whether an employee had been unfairly dismissed for not agreeing to use a fingerprint scanner to sign in at work. The Full Bench found that the exemption does not apply to the actual collection of personal information from any employee, but only to acts or practices once information was within an employer’s custody or control.

The Information Commissioner has also made clear that there must be a close connection between the act or practice and the employment relationship for the exemption to apply (see QF v Spotless Group Limited (Privacy) [2019] AICmr 20).

At a federal level, the Telecommunications (Interception and Access) Act 1979 (Cth) prohibits the interception of communications, including phone calls, emails and text messages, unless a specific exemption applies. ‘Interception’ of a communication refers to listening to or recording a communication passing over a telecommunications system as it is passing over that system without the knowledge of the person making the communication. Employee surveillance is not a permitted exemption, although recording of calls made by an employee in connection with her employment requires the knowledge of the employer, not the employee (as the employee is effectively the agent of the employer).

In New South Wales, the Workplace Surveillance Act 2005 regulates camera, computer and tracking surveillance of employees (but not listening device surveillance). ‘Employee’ has an expanded definition, including a person employed by a particular employer or any related corporations, and may also extend to volunteers and other persons engaged through a labour hire company. This act applies when an employee is at the workplace of the employer (or its related entities) or when the employee is actually performing work, even if not at such a workplace. In addition, the Surveillance Devices Act 2007 (NSW) regulates surveillance generally (ie, not limited to the surveillance of employees), including listening device surveillance.

Each other state and territory has legislation that regulates surveillance activities. However, only New South Wales, the Australian Capital Territory and (to a limited extent) Victoria have surveillance legislation that specifically regulates surveillance by employers of employees.

Although requirements differ between Australian jurisdictions, typically employee surveillance will require notice to be given to, or the consent of, employees. For example, under the New South Wales Workplace Surveillance Act, except in limited cases where covert surveillance is permitted, camera surveillance of employees in the workplace is prohibited unless 14 days (or a shorter agreed period) prior written notice is given to the employee. Where surveillance is already in place before an employee is engaged (or will commence earlier than 14 days after engagement), the employer must give notice to the employee before she starts work. In addition, closed-circuit television surveillance must not be carried out, unless the cameras used for the surveillance are clearly visible in the place where the surveillance is taking place and signage stating that surveillance may be undertaken is visible at all entrances to the relevant place.

Therefore, best practice dictates that employers have clear policies for when employee surveillance will be undertaken, which are easily accessible by employees; and that the surveillance be undertaken in an overt, rather than a covert, manner.

In addition:

• if the personal information of non-employees is also collected by an APP entity via employee surveillance, the Privacy Act will apply to that collection (and the subsequent processing of that information); and
• the employee records exemption in the Privacy Act does not apply to Commonwealth public sector entities, meaning that those APP entities must fully comply with the Privacy Act in relation to employee personal information, including that collected via surveillance.

No Australian data protection regulation specifically governs the use of either first-party or third-party cookies.

A first-party cookie is used by a website owner to track a user only on that website. It is a convenient way for the website to retain information on user preferences and the like. When user information is collected through use of a first-party cookie, if the website owner retains it with other information about a user known to it (eg, because accessing the website requires the creation of an account), then that information is likely to be personal information and the Privacy Act will apply to the collection and ongoing use, disclosure and so on of that information.

Third-party cookies are predominantly used for targeted online advertising and to track users across the Internet. Information collected by third-party cookies may not be personal information under the Privacy Act. ‘Personal information’ means information or an opinion about an identified individual or an individual who is reasonably identifiable. If information collected by a third-party cookie cannot be linked to an individual, but only to a cookie ID, that information may not be personal information and the Privacy Act requirements may not apply.

The Australian Competition and Consumer Commission recommended in its recent Digital Platforms Inquiry that the Privacy Act definition of ‘personal information’ be extended to include technical data such as IP addresses. Implementation of this proposed amendment, which the government has suggested will occur in 2020/21, may change the Privacy Act treatment of third-party cookies.

There are no general regulatory requirements in relation to cloud computing services that apply across all sectors of the Australian economy.

However, using a third-party cloud computing service provider for personal information storage brings with it additional considerations under the Privacy Act. An APP entity will first need to determine where the personal information held by the provider is located. If the physical location of the provider’s data storage facilities is outside Australia, then the APP entity will need to consider whether storing personal information using those facilities amounts to a ‘disclosure’ of that personal information to the service provider, or whether the information remains under the control of the APP entity. If the information is in fact disclosed offshore, APP 8 applies (see questions 6.2 and 6.3). APP 11 continues to apply (see question 9.1), which is likely to bring unique challenges for cloud storage.

There are also some sector specific rules and guidance, such as for banking and financial services. The Australian Prudential Regulatory Authority’s (APRA) “Outsourcing involving cloud services” paper outlines how compulsory prudential standards and non-binding APRA guidance apply to APRA-regulated entities (eg, banks, insurers and superannuation funds) that use cloud computing services. For example, the risks associated with using cloud computing services must be identified, assessed, managed and reported on under Prudential Standard CPS 231 Outsourcing. APRA must be notified of any cloud computing services material outsourcing arrangement to ensure that APRA may assess the solution and the impact that it has on the regulated entity’s risk profile.

Regulatory change relating to the collection and use of personal information for targeted digital advertising is likely to occur in the short to medium term, which businesses need to consider in their future plans.

The Australian Competition and Consumer Commission’s (ACCC) Digital Platforms Inquiry raised concerns regarding the collection and use of personal information by digital platforms, including Google, for targeted advertising. The ACCC’s recommendations for strengthening privacy protections were largely accepted by the Australian government. These, including strengthening notification and consent requirements, will be implemented over the next few years.

In addition, the government accepted the ACCC’s Digital Platforms Inquiry recommendation to establish another inquiry looking specifically at digital advertising related issues, the Adtech Inquiry. The ACCC’s Issues Paper, published as part of its consultation processes, indicates the ACCC is looking at whether the collection and other practices of certain advertising technology services providers, which enable the accumulation of significant amounts of personal information about Australians, result in anti-competitive outcomes in the adtech services markets. The interim report from the Adtech Inquiry is due to be released by the ACCC in December 2020, with the final report due in mid-2021.

The ACCC has also commenced two legal proceedings against Google, alleging that its practices in relation to the collection and use of personal information are misleading and deceptive. If the ACCC is successful in these proceedings, this is likely to require a new approach to the collection and use of location data for advertising purposes – not only by Google, but also by others.

Before a privacy complaint may be made to the Information Commissioner, a complainant must typically first raise the issue with the relevant APP entity (Section 36 of the Privacy Act). As a consequence, although statistics are not available to support this conclusion, it is likely many disputes are resolved directly between complainants and APP entities.

The Privacy Act allows the Information Commissioner to recognise external dispute resolution (EDR) schemes (Section 35A). Schemes that are recognised include the Australian Financial Complaints Authority, the Telecommunications Industry Ombudsman and various state-based energy and water ombudsmen. It is not obligatory for an individual to use an appropriate EDR scheme; however, the Information Commissioner may decide not to investigate a complaint if she determines that it would be more effectively or appropriately dealt with by an EDR scheme (Section 41(1)(dd) of the Privacy Act).

As individuals do not have direct rights to take action under the Privacy Act, in the event that a dispute is not resolved directly with the APP entity or through an EDR scheme, this will typically be resolved by an investigation under Part V of the Privacy Act. As part of an investigation under Part V, the commissioner may seek to resolve complaints by conciliation, which is a process that the Office of the Australian Information Commissioner (OAIC) often uses. In 2018-19 the commissioner received 3,306 complaints and resolved 2,920 complaints, many of these through conciliation and the use of the OAIC’s early resolution process.

The commissioner rarely takes enforcement action in court (see question 12.3).

The OAIC’s 2018-19 Annual Report revealed that, in that financial year, just over 70% of complaints received by the OAIC related to breaches of the Australian Privacy Principles (APPs) and the most common issues related to:

• use or disclosure of personal information (APP 6);
• security of personal information (APP 11); and
• access to personal information (APP 12).

Only approximately 10% of the complaints received in 2018-19 related to the credit reporting provisions of the Privacy Act, which the OAIC attributes to the effectiveness of EDR schemes in resolving credit reporting complaints.

The top three complained-about sectors in 2018-19 were:

• finance (including pension schemes);
• the Australian government; and
• health service providers.

The above list reflects the trends that the OAIC has observed in recent years.

The primary remedies for conciliated complaints in 2018-19 were amending records of, or providing access to, personal information, apologies and compensation (though compensation rarely exceeded A$10,000).

During 2018-19, few investigations moved beyond an agreed conciliated resolution. This is reflected in the fact that the Information Commissioner made only three privacy determinations in 2018-19. This increased to four during 2019-20. The 2019-20 determinations all provided for compensation to be paid to the complainant(s), with amounts ranging from A$1,500 to just over A$13,000. In 2018-19, the commissioner accepted three court enforceable undertakings in relation to breaches of the Privacy Act. No enforceable undertakings were accepted in 2019-20. Court proceedings were commenced only once over the two-year period, as discussed in question 12.3.

Over 2015 and 2016, the Information Commissioner conducted a joint investigation with the Privacy Commissioner of Canada relating to a data breach involving the Ashley Madison website, under the Asia-Pacific Economic Cooperation Cross-border Privacy Enforcement Arrangement.

In March 2020 the commissioner commenced Federal Court proceedings against Facebook for breaches of Section 13G of the Privacy Act relating to Cambridge Analytica. Section 13G creates a civil penalty contravention for serious or repeated interferences with privacy. The commissioner claims that Facebook breached certain APPs from 12 March 2014 to 1 May 2015, when personal information of Australian users was collected by the “This is Your Digital Life” app, impacting approximately 300,000 Australian Facebook users.

Each contravention, if proven, could attract a penalty of up to A$1.7 million. In theory, Facebook could be ordered to pay over A$500 billion in fines, though such a significant penalty is unlikely. Facebook is strongly contesting the proceedings, even forcing the commissioner to seek leave from the court to serve documents on the two offshore Facebook companies.

Recently, the commissioner announced a joint investigation with the UK Information Commissioner’s Office into the practices of Clearview AI, which may ultimately lead to court proceedings. Clearview AI is the controversial provider of a facial recognition app, which claims to have collected over 3 billion images from the Internet for use in the provision of the app. The commissioner is likely to be concerned that both the collection of the images and the operation of the app itself breach the Privacy Act.

Australians are increasingly aware of, and concerned about, personal information collection, use and disclosure practices. This is evidenced by the reaction of Australians to the Australian government’s COVID-19 tracing app. To gain public acceptance of that app, the government needed to legislate for significant privacy protections. There is also growing recognition of the value of personal information across the economy – not only in use for targeted advertising, but also in areas such as the Internet of Things sector and for artificial intelligence technologies.

Australia’s data protection regulatory framework is changing to reflect these prevailing trends, by providing greater levels of protections for personal information and also by enabling individuals to have greater control over permitted uses. The government has announced short-term amendments to the Privacy Act, as well as a more comprehensive medium-term review of the Privacy Act to reflect current data usage trends. At the same time, the government is working to allow greater use of this data, with appropriate protections. This is evidenced in, for example, the consumer data right (CDR) legislation. This legislation empowers individuals to obtain value from their personal information. Under the regime, a customer will be able to require businesses in sectors to which the regime applies to transfer their transaction and related data to trusted third parties to allow the customer to obtain goods and services that are more suited to his or her own needs. Further enhancement of the CDR is expected on completion of a government inquiry at the end of 2020.

Australians care about privacy, and businesses which demonstrate that they have good personal information practices and systems will benefit from an increased levels of customer trust.

In the current environment, businesses will need to have a particular focus on personal information security practices. The increasing prevalence of employees working remotely has meant that there is more scope for ICT-related data breaches than may previously have been the case. As a consequence, effective security practices, as well as data breaches policies that ensure that breaches may be detected quickly and mitigation action taken, are important for Privacy Act compliance.

Businesses should also remember that the Office of the Australian Information Commissioner is not the only regulator with responsibility for personal information protection. The Australian Competition and Consumer Commission has an economy-wide consumer protection remit, and has shown its willingness to take action under the Australian Consumer Law, including to enforce prohibitions against misleading and deceptive conduct, in the event that it considers the privacy practices of businesses fall short of consumer expectations. This means that businesses should ensure that their privacy policies, and other information they provide to customers regarding their data collection practices, are accurate, clear, concise and easy to interpret.

A likely sticking point will be the need to ensure that businesses keep up with regulatory change – not only in Australia, but also in other jurisdictions where they operate. Businesses need to be prepared to move quickly so that their policies, practices and systems remain compliant as foreshadowed changes are implemented.