
The Australian Privacy Act 1988

Data privacy and protection in Australia are regulated by several federal, state and territory laws.

The broadest in scope is the Australian Privacy Act 1988.


What is the Australian Privacy Act 1988?

The Privacy Act is a federal law that regulates the use of personal information.

It sets out 13 APPs (Australian Privacy Principles) that apply to Australian and Norfolk Island government agencies, and businesses and not-for-profit organisations with an annual turnover of more than AU$3 million – with some exceptions. These are collectively known as ‘APP entities’.

The Act also applies to some types of small business (with a turnover of AU$3 million or less), as well as applying extraterritorially in certain circumstances.

For full information about the APPs’ applicability, please consult the Act itself.

The APPs are listed below, and summarised here >>


Australian Privacy Act definitions

Personal information

The Act defines personal information as:

“information or an opinion about an identified individual, or an individual who is reasonably identifiable: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not”.

(Section 187LA of the Telecommunications (Interception and Access) Act 1979 extends the meaning of personal information to cover information kept under Part 5‑1A of that Act.)

Sensitive information

Sensitive information is defined as information or an opinion – that is also personal information – about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, or criminal record. ‘Sensitive information’ also covers individuals’ health, genetic or biometric information. 


Individuals’ rights under the Privacy Act

Individuals have a number of rights in relation to how their personal information is processed, including the right to:

  • Know why their personal information is collected, how it is used and to whom it is disclosed;
  • Not identify themselves or use a pseudonym in certain circumstances;
  • Access their personal information;
  • Stop receiving unwanted direct marketing;
  • Ask for incorrect personal information to be corrected; and
  • Complain about entities covered by the Act if they have mishandled their personal information.

Australian Privacy Principles

Schedule 1 of the Act lists 13 APPs, grouped into the five parts below, which give individuals greater rights about how APP entities (organisations in the Act’s scope) handle their personal information:

  • Part 1 – Consideration of personal information privacy
  • Part 2 – Collection of personal information
  • Part 3 – Dealing with personal information
  • Part 4 – Integrity of personal information
  • Part 5 – Access to, and correction of, personal information



Notifiable Data Breaches scheme

The Privacy Act was amended on 22 February 2017 to include the NDB (Notifiable Data Breaches) scheme, which applies to organisations with personal information security obligations under the Act.

Under the scheme, individuals must be informed of incidents in which unauthorised access to, or loss or disclosure of, their personal information is likely to result in serious harm to them that cannot be prevented with remedial action. These are referred to as ‘eligible data breaches’. There are some exceptions to the notification obligations.

The OAIC (Office of the Australian Information Commissioner) must also be informed.

The Commissioner has a number of enforcement powers under the Privacy Act to ensure that organisations meet their obligations under the NDB scheme, including:

  • Accepting an enforceable undertaking and bringing proceedings to enforce an enforceable undertaking;
  • Making a determination and bringing proceedings to enforce a determination;
  • Seeking an injunction to prevent ongoing activity or a recurrence; and
  • Applying to court for a civil penalty order for a breach of a civil penalty provision, which includes a serious or repeated interference with privacy.

The Commissioner is also required, in most circumstances, to investigate complaints made by individuals relating to interference with their privacy, including failing to notify them of an eligible data breach where required.


Managing data breaches

The OAIC’s 2018 guide to managing data breaches in accordance with the Privacy Act 1988 contains guidance on data breaches, preparing and implementing a breach response plan, and the requirements of the NDB scheme.

It cautions that it “does not provide detailed information about the systems or processes an entity may put in place to manage data breaches”. You can, however, find such information in international best practice, such as ISO 27001, the international standard for information security management.


Other relevant laws in Australia

Most states and territories also have their own data protection laws:

Other laws that relate to privacy include:


Help complying with the Privacy Act

The APPs aim to reduce the risk of a personal data breach by reducing or removing risks at each stage at which personal data is processed – including when it is collected, stored, used, disclosed, anonymised and destroyed.

ISO 27001 sets out the specification for a best-practice ISMS (information security management system), an organisation-wide approach that encompasses people, processes and technology. Organisations can be independently audited and certified against the Standard.

If you need more guidance or advice on implementing ISO 27001, please contact us.

