We live in a world shaped by technology and fuelled by information. In an age marked by technology devices such as smart phones, computers and the internet, we have seen a revolution in our ability to capture information about the world and to communicate with each other.
In Australia, our governments collect vast quantities of this personal data, such as information about your birth, marriage, divorce, property, vehicles and criminal history. Similarly, the private sector also amasses large databases of personal information for marketing or credit history purposes.
The rise of information collection naturally raises a significant challenge for the protection of our privacy. In Australia, information privacy is protected through a combination of Commonwealth and state laws.
Whilst there are no common law actions for breach of privacy in Australia, privacy interests are protected through legal principles such as trespass, nuisance, defamation and passing off. Notwithstanding, this article will purely focus on the privacy law pertaining to federal and state legislation.
What is ‘Personal Information’?
To establish what personal information is protected under Australia’s privacy legislation, we must first define what ‘Personal Information’ is. The Privacy Act 1998 (Cth) describes ‘Personal Information’ as:
“Any information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether the information or opinion is recorded in a material form or not.”
In particular, this includes information about your name, address, contact details, date of birth, gender, sexuality and race. ‘Sensitive Information’ is a special category of Personal Information and is subject to stricter conditions under the Privacy Act; these include your race, political associations, religious beliefs, trade and union associations, sexual preference and criminal record. ‘Health Information’ is also afforded a higher level of protection under the Privacy Act; this includes your physical and mental health, disability, health service information, donations and genetic data.
Other types of protected information include details of spent convictions, Tax File Number, electoral information, surveillance and credit history.
At the Federal level, the Privacy Act 1998 (Cth) (Privacy Act) regulates information gathering at the national public and private sector. It covers Personal Information, Sensitive Information and Health Information.
Contained within Schedule 1 of the Privacy Act are the Australian Privacy Principles (APPs), which impose legal obligations that apply to every Australian organisation and Federal government agency that meets the criteria. Organisations, as defined within the Privacy Act, include individuals, operations, partnerships and trusts. These set of rules set obligations on the collection, use, disclosure, storage and disposal of “personal information about individuals.
For the APPs to apply, agencies and organisations need to meet one or more of the following criteria:
- Has an annual turnover of $3 million or more;
- Provides a health service;
- Trades in Personal Information sharing;
- Is a service provider under a Commonwealth contract;
- Is a credit reporting body; or
- Has voluntarily opted into the privacy Act.
Therefore, the APPs will usually apply to any federal government agency and most organisations which include individuals and corporations, with an annual turnover of $3 million or more.
There are some exceptions to the above criteria, however. One exemption is to employers who handle information that is part of an employee’s record that is directly related to a person’s current or former employment relationship, including discipline, resignation, termination, terms of employment, contact details, wages and performance. Nevertheless, these records may still be subject to requirements under the Fair work Act 2009 (Cth) and other state legislation.
Aside from the Privacy Act, there is also other federal and state legislation prohibiting certain types of surveillance. The Telecommunications (Interceptions) Act 1974 (Cth) for example concerns the privacy of communications over telecommunication systems such as computers, video surveillance, geographical tracking and listening devices. Generally speaking, the use of surveillance and listening devices requires consent and notification of the parties.
Summary of the Australian Privacy Principles
1. Open and Transparent Management of Personal Information:
The entity must implement privacy practices, procedures and systems to ensure compliance with the other APPs and that enable them to deal with inquiries and complaints. It also requires them to develop and make readily available a policy about its management of personal information.
2. Anonymity and Pseudonymity:
The entity must give individuals the option of not identifying themselves, or of using a pseudonym unless a listed exception applies.
3. Collection of Solicited Personal Information:
The entity is permitted to collect personal information only where reasonably necessary for one or more of its valid functions or activities. It requires that personal information be collected directly from the individual to whom it relates,
4. Dealing with unsolicited personal information:
Requires that the entity only receives voluntary personal information to determine whether it would otherwise have had grounds on which to collect it. Where the entity does have grounds, it is to ensure compliance with the remaining APPs. Where it does not have grounds, it is to destroy the personal information.
5. Notification of the collection of personal information
The entity is to make the individual aware that at or before the time of collection of the personal information, usually through a collection statement, of whether the individual’s personal information is to be collected from any third parties, the purpose of collection, and the processes through which an individual can seek access or make a complaint about their personal information.
6. Use or disclosure of personal information
The entity is prohibited from using or disclosing any personal information obtained for a purpose other than the purpose for which it was collected unless the individual consents.
An exception to this is when disclosure is necessary to protect someone’s health or safety or is otherwise in the public interest.
7. Direct marketing
The entity is prohibited from disclosing personal information to be used for direct marketing purposes unless the individual reasonably expects it, or consents to it, and prescribed ‘opt-out’ processes are in place.
8. Cross-border disclosure of personal information
If an entity discloses personal information to an overseas entity, they are required to take reasonable steps to ensure the recipient does not breach the APPs, usually imposed through contractual obligations.
9. Adoption, use or disclosure of government related identifiers
The entity is prohibited from adopting, using or disclosing a government-related identifier unless it is required by law or necessary to verify an individual’s identity. Government-related identifiers are identifiers that have been assigned by a government agency including an individual’s licence number, Medicare number, passport number and tax file number.
10. Quality of personal information
The entity is required to take reasonable steps to ensure the personal information that is collected, disclosed, holds or otherwise used, is accurate and complete. Further, any personal information gathered can only be used or disclosed so far that it is relevant to the purpose of the disclosure.
11. Security of personal information
The entity is required to take reasonable steps to protect information from misuse, interference, destruction and loss and from unauthorised access, modification or disclosure.
12. Access to personal information
The entity is required to provide the individual, upon request, with access to their personal information unless an exception applies.
13. Correction of personal information
The entity is required to take reasonable steps to correct personal information it holds upon request from an individual or where the entity is satisfied, having regard to the purpose for which it holds the personal information, that the personal information is inaccurate, out-of-date, incomplete, irrelevant or misleading.
International application of the Privacy Act
If the entity is outside Australia, it will still need to comply with the Privacy Act if the organisation has an ‘Australian link’. The link is met if the organisation was formed in Australia, has central management or control in Australia or collects or holds personal information in Australia. This also includes Australia subsidiaries operating overseas.
NSW Privacy Law
In NSW the Privacy and Personal Information Protection Act 1998 (PIPPA) regulates the collection of private information collected by NSW Government agencies, including the NSW Police.
The PIPPA contains 12 Information Protection Principles (IPPs) which all state government agencies must follow. The IPPs include the following:
Agencies must ensure that all information obtained must be for a lawful purpose.
Agencies must ensure that they only collect personal information directly from the person concerned, unless authorised from someone else, or if the person is under the age of 16 and the information has been provided by a parent or guardian.
Agencies must inform the person they are collecting the information from as to why they are collecting it, what they will do with it and who else might see it. Further, they must tell the person how they can view and correct their personal information if the information is required by law or voluntary, and any consequences that may apply if they decide not to provide their information.
They must ensure that the personal information is relevant, accurate, complete, up-to-date and not excessive and that the collection does not unreasonably intrude into the personal affairs of the individual.
Agencies must store personal information securely, keep it no longer than necessary and dispose of it appropriately. It should also be protected from unauthorised access, use, modification or disclosure.
Agencies must explain to the person what personal information about them is being stored, why it is being used and any rights they have to access it.
Agencies must allow people to access their personal information without excessive delay or expense.
Agencies must allow people to update, correct or amend their personal information where necessary.
Agencies need to make sure that the personal information is relevant, accurate, up to date and complete before using it.
Agencies must ensure that they only use personal information for the purpose it was collected unless the person has given their consent, or the purpose of the use is directly related to the purpose for which it was collected, or to prevent or lessen a serious or imminent threat to any person’s health or safety.
Agencies can only disclose personal information with a person’s consent or if the person was told at the time that it would be disclosed if disclosure is directly related to the purpose for which the information was collected and there is no reason to believe the person would object, or the person has been made aware that information of that kind is usually disclosed, or if the disclosure is necessary to prevent a serious and imminent threat to any person’s health or safety.
Agencies cannot disclose sensitive personal information without a person’s consent, for example, information about ethnic or racial origin, political opinions, religious or philosophical beliefs, sexual activities or trade union membership. They can only disclose sensitive information without consent to deal with a serious and imminent threat to any person’s health or safety.
As mentioned, Health Records do not fall within the PIPPA and are regulated by the Health Records and Information Privacy Act 2002 (HRIP), which applies to any public or private organisation in NSW that collect, hold, use and disclose a person’s health information. The HRIP contains 15 Health Privacy Principles (HPPs) which public and private health organisations must follow. These can be found here:
Additionally, in NSW there is additional legislation that deals with observation and surveillance, for example, the Workplace Video Surveillance Act 2005 (NSW) regulates the use of covert video surveillance in the workplace.
Penalties for breach of the Privacy Act
In NSW, breaches of the PIPPA can be reported to the NSW Privacy Commissioner at the Office of the Australian Information Commissioner.
At the Federal Level, the Australian Information Commissioner, which is an independent agency within the Department of the Attorney General, can conduct investigations, review decisions, handle complains and provide guidance and advice regarding breaches of the Privacy Act.
If upon investigation, an entity that is found to have engaged in a serious, or repeated, interference with an individual’s privacy, the entity may face penalties of up to:
- $1.8 million for corporate bodies and/or
- $360,000 for non-corporate bodies (including government departments/agencies, sole-traders, partnerships, trusts, unincorporated associations).
An entity will interfere with an individual’s privacy if it:
- breaches an APP;
- breaches an APP code that is binding on the relevant entity (noting that the Australian Information Commission may impose an APP code on a particular organisation or industry);
- breaches the credit reporting provisions of the Privacy Act;
- breaches the CR Code;
- breaches a provision of a Commonwealth contract for which it is to provide services; and/or
- handles a tax file number contrary to the Tax File Rule (which has been issued by the Australian Information Commissioner pursuant to the Privacy Act).
Citilawyers is well placed to advise on privacy law compliance and any other issues arising from the handling of personal information.