Caslon Analytics: Aust Privacy profile

the 2000 Privacy Act

This page considers the 2000 Commonwealth privacy legislation, the main national privacy legislation dealing with the private sector.

It covers -

Introduction

The Privacy Amendment (Private Sector) Act 2000 (PDF) regulates the way many private sector organisations can collect, use, keep secure and disclose personal information.

Under the new legislation consumers will have a right to know why a private sector organisation is collecting their personal information, what information it holds about them, how it will use the information and who else will have access to that data.

Apart from specific exceptions, consumers can ask to see their information and for the information to be corrected if it is wrong. Consumers can also make a complaint if they think their information is not being handled properly.

A consumer could also apply to the Federal Court or the Federal Magistrates Court for an order to stop an organisation from engaging in conduct that breaches the National Privacy Principles (NPPs).

The Act does not establish a tort of privacy.

precursors

As noted earlier in this profile, prior to the December 2000 amendments the national Privacy Act applied to the wider community (including the private sector and state/local government agencies) only in relation to specific categories of information: tax file number information and consumer credit information.

In 1989, the Commissioner was given functions in relation to spent convictions information. In 1990 two major additions were made in the areas of credit reporting and data matching, the first major extension to private sector activity. In 1991 amendments to the National Health Act embraced guidelines for the operation of the eligibility checking system between pharmacists and the Health Insurance Commission. The Telecommunications Act 1997 added oversight of self-regulation by telecommunications carriers and service providers.

The Privacy Act provides safeguards for individuals in relation to consumer credit reporting (discussed in more detail here), in particular the handling of credit reports by credit reporting agencies and credit providers. 

It is meant to ensure that use of the data is restricted to assessing applications for credit and other legitimate activities relating to personal finance. It does not directly affect commercial credit information.

The Commissioner issues a legally binding Code of Conduct (PDF) for credit reporting, along with determinations that deal with such matters as identification of credit providers and the particulars permitted to be included in a credit information file.

coverage

The Act covers private sector 'organisations': an individual, body corporate, partnership, an unincorporated association or a trust.

That definition embraces:

  • businesses (including nonprofit organisations such as sports clubs, charitable organisations and unions) with an annual turnover of more than $3 million
  • all health service providers, regardless of turnover
  • federal government contractors
  • health service providers that hold health information (even if their turnover is less than $3 million)
  • organisations that carry on a business that collects or discloses personal information for a benefit, service or advantage (even if their turnover is less than $3 million)
  • small businesses with a turnover of $3 million or less that choose to opt in
  • incorporated State Government business enterprises
  • any organisation that regulations say is covered

The new provisions do not currently apply to:

  • most State or Territory government entities (for example Ministers, departments, some statutory authorities, courts and local government councils) - they are generally covered by separate legislation identified on the following page of this profile
  • political parties and acts of political representatives in relation to electoral matters, discussed below and here
  • employee records of an individual if the act or practice directly relates to a current or former employment relationship between the employer and the individual
  • some small businesses
  • media organisations in the practice of journalism

implementation

Most organisations, including all health services holding health information, had 12 months to get ready for the new scheme. The new provisions began to apply on 21 December 2001.

Small businesses (except health services) covered by the new provisions had an additional twelve months and the new provisions apply from December 2002.

The National Privacy Principles set the base line standards for privacy protection. Organisations may have and enforce their own codes, discussed here. These codes must be approved by the Privacy Commissioner as having obligations at least equivalent to the National Privacy Principles and meet other requirements. The code must have an independent code adjudicator to handle complaints. If the code does not provide for a complaints handling mechanism the Privacy Commissioner is the code adjudicator.

Organisations that do not have their own code must comply with the National Privacy Principles set out in the Privacy Amendment Act. The Privacy Commissioner handles complaints in these circumstances.

Only some of the NPPs will apply to information organisations already hold when the new provisions start to apply.

The NPPs relating to data security, data quality when information is used and disclosed, identifiers and transborder flow will apply regardless of when the information was collected.

The principle relating to access and correction will apply to all information collected after the new provisions apply, and any already existing information that is used. Those principles relating to collection, use and disclosure, data quality when it is collected, and sensitive information will not apply to information collected before the new provisions start to apply.

what information is covered?

The Act covers personal information. It has special protection for personal information that is sensitive information.

Personal information is information or an opinion that can identify a person.

Sensitive information is information about an individual's racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, criminal record, or health information.

The Privacy Act only applies to information that is recorded in some form. That recording need not involve paper: it can include data in an electronic record.

version of November 2005
© Caslon Analytics