Federal Privacy Act 1988

Information of a personal nature can in some instances allow identification of an individual. It includes information such as a person's name, address, financial information, marital status or billing details(1) . Some personal information is sensitive such as:

• health information about an individual
• racial or ethnic origin
• political opinions
• membership of a political association
• religious beliefs or affiliations
• philosophical beliefs
• membership of a professional or trade association
• membership of a trade union
• sexual preferences or practices
• criminal record

As this information is highly sensisitive, the Federal Privacy Act provides higher protections in the private sector under the National Privacy Principles.

The Federal privacy Act 1988 is Australia's national law for the protection of personal information when handled by Federal and ACT Government Agencies and many private sector organisations. (Not all small businesses have to comply with the Act. Refer to information below), including providing rights for individuals to access and correct personal information about themselves.

The Privacy Commissioner can, and has, issued guidelines under the Privacy Act, and that the Privacy Commissioner administers the Act. The guidelines have been issued in relation to:

• the handling of personal information that is handled by Federal and ACT government agencies
• the collection, storage, use and security of personal tax file numbers used by individuals and organisations
• the handling of information about individuals credit details
• the handling of personal health information by health service providers in the private sector
• the handling of personal information held by some private sector organisations.

The Office of the Federal Privacy Commissioner is responsible for adsministering the Privacy Act 1988. The office provides information and advice, including matters of policy and complaints handling in relation to organisations and agencies that have obligations to protect privacy under the Privacy Act.

Those covered by the Privacy Act include:

• federal and ACT government departments and Ministers;
• credit providers and credit reporting agencies;
• any organisation or individual handling personal tax file numbers;
• any organisation or individual handling old minor criminal conviction information; and
• many private sector organisations.(2)

Generally, the Information Privacy Principles give people the right to:

• know why your personal information is being collected, any law authorising the collection and who it will be given to
• have access to your records
• have inaccurate information about you amended
• be sure that otherwise, information about you can only be used for particular reasons, such as threats to life or health
• be sure that otherwise, information about you can only be disclosed for particular reasons, such as threats to life or health.

The Privacy Act 1988 provides protection of personal information such as information about a person's disability. Privacy principles set the basic rules for handling peoples information, but their intent is also, and importantly, to encourage agencies and organisations to be open with people about how they handle their information and to develop trust relationships with them about this.

Back to top

Federal And ACT Government Services

The Privacy Act 1988 recognises the importance that individuals place on the way their personal information is treated by Federal and ACT government services and therefore sets the standards with which agencies must comply when handling such information.

Within the Act, 11 Information Privacy Principles have been developed to govern things such as the collection, storage, use and disclosure of personal information by Federal and ACT government agencies. The Principles also provide individuals with certain rights to access their personal information and correct any errors.

The 11 Information Privacy Principles (IPPs) cover things including;

• collection of information (IPP1)
• seeking information from individuals (IPP2)
• collecting information generally (IPP3)
• security and storage (IPP4), access to information (IPP5)
• keeping accurate, complete and up-to-date information (IPP8-10), and Disclosure (IPP11).

To access the Information Privacy Principles for Federal and ACT government agencies, refer to the following websites;

• Information Privacy Principles:
• Plain English version of Information Privacy Principles:
  

There are Privacy Contact Officers (PCOs) employed within Federal and ACT Government Agencies. If you have an enquiry about the personal information-handling practices of the agency, contact the PCO at the agency.

Back to top

Private Sector Organisations

The Privacy Act 1988 originally covered personal information handled by Commonwealth and ACT agencies. The Act was amended in December 2001 to include private sector organisations (with a turnover above $3 minllion) and health service providers. In December 2002 some **small businesses (with a turnover under $3 million), including non-profit organisations or unincorporated associations, became covered by the Act.

Within the Act, 10 National Privacy Principles have been developed with which organisations must comply. The Principles provide the information-handling standards for things such as collecting, using and disclosing personal information as well as keeping information secure, paying attention to data quality and accuracy, being open about the collection and information handling practices, providing access to personal information, providing anonymity where possible and providing protection when transferring personal information overseas.

The National Privacy Principles (NPPs) cover the;

• collection of information (NPP 1)
• use and disclosure (NPP 2)
• data quality (NPP 3), data security (NPP 4)
• openness (NPP 5), access and correction (NPP 6)
• identifiers (NPP 7)
• anonymity (NPP 8)
• transborder data flows (NPP 9) and
• sensitive information (NPP 10) .

To access the National Privacy Principles for private sector organisations, refer to the following websites;

• National Privacy Principles:
• Plain English version of National Privacy Principles:

  Scenario:
  Mary was interviewed for a position of employment but was not successful. Mary has a disability. Mary would like to access the information that was collected about her for the interview, such as her referee reports, as she was not happy with the unsuccessful outcome.

Mary should be able to access the information that was collected about her such as referee reports. The Privacy Act gives Mary a general right to access and correct personal information about her that has been collected by the organisation. This however is not an unqualified right.

There are a limited number of situations where the organisation may deny Mary access to her personal information held by the organisation. Where such an exception applies to a request for access, the organisation would need to give Mary an explanation regarding why access was not given. Sometimes an exception may apply to the whole record, but where not, access to parts of the record ought to be accessible. Exemptions include when there is a threat to the person's health and safety or the health and safety of someone else or where another law prevents access.

Scenario:
Bruce would like to access his personal records that are contained with the TAFE Disability Officer. Bruce would like to know what was recorded on his file in relation to the services he was entitled to.

Bruce has a general right to access the personal information that the TAFE holds. Bruce may choose to look over his records and make notes, take a copy of the records, or have them explained. Bruce would need to discuss the best way to access the records with the TAFE.
.
The TAFE can however refuse to give Bruce access for other reasons, for example, a threat to his health and safety or the health and safety of someone else or where another law prevents access. Even then, the TAFE must consider giving Bruce limited access to the information such as giving access to the information or a summary of the information whilst blocking or excluding the information covered by the exemption.

The overwhelming majority of universities in Australia are not covered by Commonwelath law as most institutions are set up under state or territory statute. It is therefore important to access individual state privacy laws to determine specific processes required to access personal information.

Back to top

State Privacy Legislation

The Office of the Federal Privacy Commissioner does not regulate state or territory agencies, except for the ACT. New South Wales, Northern Territory and Victoria have specific privacy laws whilst other states have implemented Principles, Schemes or Instructions, except for Western Australia (Recently the Western Australian Attorney General announced plans for the state government to legislate for privacy). For some general information about state Privacy, refer to the 'Office of the Federal Privacy Commissioner State Privacy Laws' website:
http://www.privacy.gov.au/privacy_rights/laws/

Contact Details: The Office of the Federal Privacy Commissioner

Federal Privacy Commissioner
Address: Level 8, Piccadilly Tower, 133 Castlereagh Street Sydney NSW 2000.
Postal: GPO Box 5218
Sydney NSW 2001
Telephone: 1300 363 992 (for the cost of a local call anywhere in Australia)
TTY: 1800 620 241
Fax: 02 9284 9666
Email: privacy@privacy.gov.au

** A small business is covered by the Privacy Act if it is one is one with an annual turnover of $3 million or less but it also:

• trades in personal information eg buying/selling mailing lists
• is related to a larger business or
• is a contractor that provides service under a Commonwealth contract to a Commonwelath agency.
  

Footnotes

(1) Office of the Federal Privacy Commission (2002) Information Sheet 1 - Overview of the Private Sector Provisions http://www.privacy.gov.au/publications/IS1_01.doc
(2) Office of the Federal Privacy Commission website: http://www.privacy.gov.au/about/index.html
(3) Office of the Federal Privacy Commissioner (2001) Guidelines to the National Privacy Principles 'Access and Correction' http://www.privacy.gov.au/publications/nppgl_01.html#npp6

Back to top