the 2000 Privacy Act
This page considers the 2000 Commonwealth privacy
legislation, the main national privacy legislation dealing
with the private sector.
The Privacy Amendment (Private Sector) Act 2000
regulates the way many private sector organisations can
collect, use, keep secure and disclose personal information.
Under the new legislation, consumers will have a right to know
why a private sector organisation is collecting their
personal information, what information it holds about
them, how it will use the information and who else will
have access to that data.
Apart from specific exceptions, consumers can ask to see
their information and for the information to be corrected
if it is wrong. Consumers can also make a complaint if
they think their information is not being handled properly.
A consumer could also apply to the Federal Court or the
Federal Magistrates Court for an order to stop an organisation
from engaging in conduct that breaches the NPPs.
The Act does not establish a tort of
As noted earlier in this profile, prior to the December
2000 amendments the national Privacy Act applied to the
wider community (including the private sector and state/local
government agencies) only in relation to specific categories
of information: tax file number information and consumer
In 1989, the Commissioner was given functions in relation
to spent convictions information. In 1990 two major additions
were made in the areas of credit reporting and data matching
- the first major extension to private sector activity.
In 1991 amendments to the National Health Act embraced
guidelines for the operation of the eligibility checking
system between pharmacists and the Health Insurance Commission.
The Telecommunications Act 1997 added oversight
of self-regulation by telecommunications carriers and
The Privacy Act provides safeguards for individuals in
relation to consumer credit reporting (discussed in more
detail here), in particular
the handling of credit reports by credit reporting agencies
and credit providers.
It is meant to ensure that use of the data is restricted
to assessing applications for credit and other legitimate
activities relating to personal finance. It does not directly
affect commercial credit information.
The Commissioner issues a legally binding Code of Conduct
for credit reporting, along with determinations that deal
with such matters as identification of credit providers
and the particulars permitted to be included in a credit
The Act covers private sector 'organisations': an individual,
body corporate, partnership, an unincorporated association
or a trust.
That definition embraces:
- (including nonprofit organisations such as sports clubs,
  charitable organisations and unions) with an annual
  turnover of more than $3 million
- health service providers, regardless of turnover
- service providers that hold health information (even
  if their turnover is less than $3 million)
- that carry on a business that collects or discloses
  personal information for a benefit, service or advantage
  (even if their turnover is less than $3 million)
- businesses with a turnover of $3 million or less that
  choose to opt in
- State Government business enterprises
- organisation that regulations say are covered
The new provisions do not currently apply to:
- State or Territory government entities (for example
  Ministers, departments, some statutory authorities,
  courts and local government councils) - they are generally
  covered by separate legislation identified on the following
  page of this profile
- parties and acts of political representatives in relation
  to electoral matters, discussed below and here
- records of an individual if the act or practice directly
  relates to a current or former employment relationship
  between the employer and the individual
- organisations in the practice of journalism
Most organisations, including all health services holding
health information, had 12 months to get ready for the
new scheme. The new provisions began to apply 21 December
Small businesses (except health services) covered by the
new provisions had an additional twelve months and the
new provisions apply from December 2002.
The National Privacy Principles set the baseline standards
for privacy protection. Organisations may have and enforce
their own codes, discussed here.
These codes must be approved by the Privacy Commissioner
as having obligations at least equivalent to the National
Privacy Principles and meet other requirements. The code
must have an independent code adjudicator to handle complaints.
If the code does not provide for a complaints handling
mechanism the Privacy Commissioner is the code adjudicator.
Organisations that do not have their own code must comply with the National
Privacy Principles set out in the Privacy Amendment Act.
The Privacy Commissioner handles complaints in these circumstances.
Some of the NPPs will apply to information organisations
already hold when the new provisions start to apply.
The NPPs relating to data security, data quality when
information is used and disclosed, identifiers and transborder
flow will apply regardless of when the information was
The principle relating to access and correction will apply
to all information collected after the new provisions
apply, and any already existing information that is used. Those
principles relating to collection, use and disclosure,
data quality when it is collected, and sensitive information
will not apply to information collected before the new
provisions start to apply.
what information is covered?
The Act covers personal information. It has special protection
for personal information that is sensitive information.
Personal information is information or an opinion that
can identify a person.
Sensitive information is information about an individual's racial
or ethnic origin, political opinions, membership of a
political association, religious beliefs or affiliations,
philosophical beliefs, membership of a professional or
trade association, membership of a trade union, sexual
preferences or practices, criminal record, or health information.
The Privacy Act only applies to information that is recorded
in some form. That recording need not involve paper: it
can include data in an electronic record.