The Commonwealth Privacy Scheme

Contributed by Dr Bruce Baer Arnold, University of Canberra and current to February 2022.

At a glance

Readers of the preceding paragraphs in this chapter can draw three conclusions about the Commonwealth privacy regime, i.e. the body of national law regarding privacy.

The first conclusion is that the regime is complicated and dynamic. It will continue to change, arguably in ways that privilege bureaucratic convenience and claims of efficiency in public administration or enhanced national security at the expense of privacy of people who live in the Australian Capital Territory.

A second conclusion is that the Privacy Act 1988 (Cth) is the salient information privacy enactment but not the only enactment. It is, unfortunately, a statute that emphasises conciliation under the auspices of an under-resourced national regulator rather than providing people with strong enforceable privacy rights. That conciliation is discussed in Asserting Privacy Rights. The Act has been weakened over time. As of February 2022 its the subject of a review alongside fast-tracked enactments that appear to pre-empt what might be recommended by that review

The third conclusion is the regime is multi-faceted. Some law provides rights/protections. Some law, particularly regarding law enforcement, specifically removes rights by authorising official action that would otherwise be impermissible. That is unsurprising because privacy is a matter of balances rather than absolutes but it means there are ongoing legitimate disagreements, often under-valued by politicians and officials, regarding what is proportionate in policy-making and administration.

The following paragraphs in this part of the chapter accordingly offer an overview of the main information privacy enactment and then point to selected other statutes that are likely to be of concern to people in the ACT. The ACT Privacy Regime discusses some specific issues, both to answer common questions about privacy in the Territory and to illustrate the diversity of Commonwealth law affecting privacy.

Privacy Act 1988

For many people the Privacy Act 1988 (Cth) is the primary or even the sole privacy enactment. The Act is sometimes misunderstood as representing a first recognition of privacy in Australian law, ignoring the reality that respect for the personal sphere although often inadequate and idiosyncratic is evident in law prior to Federation.

The Act is solely concerned with information privacy, in essence information about a person. It does not enshrine a comprehensive right to privacy. Many activities that people in the ACT might consider to be unduly invasive of their privacy are not covered by the enactment. It was initially restricted to Commonwealth agencies, complementing the national Freedom of Information Act and Archives Act (both dealing with the records of national public administration). For many years it accordingly covered how those agencies handle the personal information of people who deal with the government. It had substantial exceptions. Most of those exceptions (for example relation to national security agencies) remain in place.

The Act has been amended several times and now includes coverage of many businesses – discussed below – rather than just Commonwealth agencies. The Act does not cover state government agencies and does not cover Australian Capital Territory government agencies. (The ACT regime is discussed in the following part of this chapter). A major development in 2017 was establishment of a data breach reporting regime under the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), one step forward for privacy protection after the two steps backwards of mandatory metadata retention under the controversial Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth) that is being extended as of 2022.

The process of amendment has resulted in an Act that is somewhat difficult to read. Users will often need to move backwards and forwards across several sections (and the Schedules) in order to make sense of what is/is not permitted, what is excluded and what remedies are available. The Act also needs to be read in conjunction with guidance statements from the Office of the Australian Information Commissioner (OAIC) that often embody a lowest-common denominator approach that favours public/private sector entities rather than individuals and thus has not caught up with the GDPR.

The Act is administered by a national Privacy Commissioner – initially a discrete agency but now part of the Sydney-based national OAIC, which on occasion has faced strong criticism for lack of expertise, ongoing under-resourcing (and consequent unresponsiveness to complaints by members of the public) and a permissiveness to misbehaviour in the public/private sectors. Two points of comparison for more activist, and arguably more effective regulatory bodies, are the Australian Competition & Consumer Commission (ACCC) and the Australian Communications & Media Authority (ACMA).

The Act centres on Australian Privacy Principles (APPs) – broad statements whose interpretation is guided by detailed but in places confusing Guidelines issued by the OAIC. The Guidelines have been criticised as representing a lowest common denominator approach to practice in government agencies and the private sector. The OAIC’s interpretation is evident in several hundred notes on its website regarding complaints. Those notes are typically very terse but provide some indication of how the OAIC understands the Act and accordingly its likely response to a complaint by someone in the ACT.

The Act also provides for industry codes, in practice developed by business and endorsed by the OAIC, to provide certainty for enterprises within a specific sector such as retail or consumer credit. Those codes potentially interact with other law, for example consumer protection under the Australian Consumer Law and insurance contracts law, and coexist with separate regimes regarding the Consumer Data Right and very broad scope for sharing of bulk personal information under the proposed Data Availability & Transparency regime oversighted by a National Data Commissioner. The latter body is independent of the OAIC and people in the Territory might wonder about the proliferation of Commonwealth agencies with overlapping or conflicting agendas.

As yet there is little case law regarding the APPs and the Act as a whole.

Australian Privacy Principles (APPs)

Until a few years ago the Act differentiated between National Privacy Principles and Information Privacy Principles, i.e. separate principles covering the national government and private sector. Those NPP and IPP have been consolidated in thirteen Australian Privacy Principles, which are articulated in Schedule 1 of the Privacy Act 1988 (Cth). As of February 2022 it is unclear whether they will be expanded or consolidated as part of the review noted above.

The APPs are structured in five parts, which need to be read together rather than in isolation. Part One articulates principles that require APP entities (public and private) to consider the privacy of ‘personal information’, including management of that information in an open and transparent way. Part Two articulates principles dealing with the collection of that information, including unsolicited personal information. Part Three articulates principles about how APP entities deal with personal information and government related identifiers, such as the ubiquitous Tax File Number. Part Four provides principles about the integrity (for example security and quality) of personal information. Part Five articulates complementary principles regarding requests for access to and correction of personal information.

As noted above, the APPs feature substantial exceptions, e.g. for law enforcement, defence or location of missing persons (‘permitted general situations’) or public/private health (‘permitted health situations’). Importantly, the APPs expressly refer to ‘reasonable belief’ and ‘reasonable action’, which as interpreted by the OAIC foster a lowest common denominator approach in contrast to practice in Europe under the GDPR.

In summary, APP 1 provides for ‘open and transparent management of personal information’. That means the entity must take reasonable steps in the circumstances to implement ‘practices, procedures and systems’ to ensure compliance with the APPs and any registered APP code. In particular the entity must have a clear and accessible privacy policy statement regarding its management of personal information, including the kinds of personal information collected and held, the purposes for which the information is held and disclosed, how the individual may access that information, complaint processes, whether the entity is likely to disclose personal information to overseas entities (and their location).

APP 2 relates to ‘anonymity and pseudonymity’ and is multifaceted. It specifies that an individual must have the option of not identifying themselves (or of using a pseudonym) when dealing with an APP entity except where there is a requirement under law for identification (e.g. opening a bank account or a mobile phone account) or where it is impracticable for the entity to deal with anonymous or pseudonymous people. For some readers of this chapter it is a reminder that businesses and government agencies may lawfully require you to provide ID, something highlighted below.

APP 3 deals with ‘collection of solicited personal information’. The Principle covers both non-sensitive solicited personal information (collection prohibited ‘unless the information is reasonably necessary for, or directly related to, one or more of the entity's functions or activities’) and sensitive information (collection prohibited unless the individual consents to the collection and the information is reasonably necessary for one or more of the entity's functions or activities).

The requirement for consent is lawfully disregarded in a range of circumstances, e.g. collection is required by law or by a court order, or there is a ‘permitted health situation’, or a government agency ‘reasonably believes’ that collection is ‘reasonably necessary for, or directly related to’ one of its functions or activities. The entity must ‘collect personal information only by lawful and fair means’. APP is thus the Principle highlighted by many complainants.

APP 4 relates to ‘dealing with unsolicited personal information’. If an APP entity receives unsolicited personal information it must, within a reasonable period, determine whether it could have collected the information under APP 3. If it could not have relied on APP 3 and the information is not in a ‘Commonwealth record’ it must as soon as practicable (if it is lawful and reasonable to do so) de-identify or destroy the information.

APP 5 deals with ‘notification of the collection of personal information’. The expectation is that individuals who are properly notified may choose not to provide information and will have scope for action if information has been misused. The Principle provides that during, before or as soon as practicable after personal information is collected the entity must take reasonable steps to notify the individual about its identity and contact details, the purpose of collection, any other entity to which the information is usually disclosure overseas is likely.

APP 6 deals with ‘use or disclosure of personal information’, again a focus of complaints. An APP entity holding personal information collected for a particular purpose must not use or disclose that information for another purpose (‘the secondary purpose’) unless there was consent for the use /disclosure or the individual would reasonably expect the APP entity to use or disclose the information for the secondary purpose related to the primary purpose, there is requirement under law, a ‘permitted general situation’ or ‘permitted health situation’, or the entity ‘reasonably believes’ that use/disclosure is ‘reasonably necessary’ for enforcement related activities.

APP 7 deals specifically with ‘direct marketing’. The APP provides that an entity holding personal information must not use/disclose that information for the purpose of direct marketing. There are however significant exceptions. The entity may use/disclose non-sensitive personal information if it collected that information from the individual and the person would reasonably expect that use/disclosure and has a simple means to easily opt out of direct marketing communications.

Sensitive personal information may be used/disclosed for the purpose of direct marketing with the person’s consent. Commonwealth agencies and their proxies have broader freedoms. Note that the APP sits alongside the Do Not Call Register Act 2006 (Cth) and the Spam Act 2003 (Cth).

APP 8 deals with ‘cross-border disclosure of personal information’. The Act makes special provision regarding movement and processing offshore of personal information, given that Australian law does not extend to other jurisdictions. APP 8 provides that an entity must take reasonable steps to ensure that an overseas recipient does not breach the APPs other than APP 1.

Exceptions include provision for express consent by individuals, disclosure being required by law or under an international agreement regarding information sharing (for example national security), or reasonable belief by the entity that disclosure is ‘reasonably necessary’ for enforcement related activities.

APP 9 deals with ‘adoption, use or disclosure of government related identifiers’. Under the APP a nongovernment entity must not adopt a government-related identifier of an individual (for example the Tax File Number or Medicare Number) for its own identification of the person unless that is required by law.

An entity must not use/disclose the identifier unless that is ‘reasonably necessary’ for verification of the person’s identity for the purposes of the entity’s activities or obligations to a Commonwealth agency or State/Territory authority, or required by law.

APP 10 deals with ‘quality of personal information’. APP entity must take reasonable steps circumstances to ensure that personal information it entity collects is ‘accurate, up-to-date and complete’. Further, in relation to use/disclosure reasonable steps must be taken to ensure the information is ‘accurate, up-to-date, complete and relevant’. The ‘relevant’ is significant.

APP 11, reinforced through the data breach reporting scheme introduced through the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), deals with the ‘security of personal information’. There is increasing recognition that much personal information in public/private sector entities is insecure.

Entities are thus required to take ‘reasonable steps’ to protect the information from misuse, interference, loss, unauthorised access, modification or disclosure. When information is no longer required for any purpose under the APPs or by law the entity must take reasonable steps to destroy or de-identify the information. Readers should note increasing concerns within the privacy and information technology communities regarding the ineffectiveness of both destruction and de-identification of health, financial and other sensitive data.

APP 12 deals with ‘access to personal information’. An entity must, on request, give an individual access to the personal information about that person which is held by the held by the entity. APP 12 is thus a foundation for keeping the national government accountable.

Exceptions provide that access might be provided under the Freedom of Information Act (Cth) or another statute rather than under the Privacy Act and – more contentiously – that there might be restrictions for a range of reasons. They include refusal of access on the basis that there is a reasonable belief access would pose a serious threat to the life, health or safety of any individual or to public health or public safety, would have an unreasonable impact on the privacy of other individuals, the request is frivolous or vexatious, the information relates to existing or anticipated legal proceedings between the entity and the individual outside the process of discovery, would prejudicially reveal the entity’s intentions in negotiations with the individual, would be unlawful, is required under an Australian law or would prejudice investigation/enforcement action.

An agency must provide access within 30 days after the request is made; a non government entity has ‘a reasonable period’ after the request is made. Access must be given in the manner requested by the individual, if it is reasonable and practicable to do so. Any charges for access must not be ‘excessive’. A decision to refuse access must be communicated in writing, with the reasons for the refusal and identification of the complaint mechanism (discussed in Asserting Privacy Rights).

APP 13 deals with ‘correction of personal information’. As discussed later in this chapter, Australia does not have a comprehensive ‘right to be forgotten’ (strictly speaking that ‘right’ in the European Union is a limited right of obscurity rather than something empowering individuals to suppress embarrassing information from print/online media).

Where an APP entity holds personal information and is either satisfied that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading or the person requests correction the entity must take reasonable steps to ensure the information is accurate, up-to-date, complete, relevant and not misleading. The person may request the entity to notify third parties of that correction. If an entity refuses correction it must give the person a written notice that, for example, identifies the reason for refusal and identifies complaint mechanisms.

The person may seek to require a statement that is associated with the information – in essence a note or flag – indicating that the person considers the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.

Other Commonwealth legislation

The delivery/funding of services (in particular health, education, disability, unemployment and aged-person support), obligations (eg taxation and elections), justice, defence and law enforcement mean that the patchwork of privacy law at the national government level features a wide range of enactments and associated administrative tribunal/court decisions regarding privacy.

Much of that law is specific to information privacy outside the Privacy Act 1988, e.g. the national population census, health identifiers and use of the taxation file number – a ubiquitous personal identifier – in everyday transactions such as claiming Commonwealth health entitlements or entering into employment contracts. People are required to provide proofs of identity, which may be recorded, when seeking a mobile phone account, a passport or the security card that is a prerequisite for work in the private sector at maritime and aviation facilities. People are also required to provide personal information that may be published in relation to positions under the Corporations Act.

The Commonwealth has power regarding telecommunications (including criminalisation of privacy invasions that involve the internet) and aviation (including restrictions on the use of drones). Some of that law is articulated through regulations under particular statutes and often features substantial exemptions from the restrictions assumed by many members of the community.

Space precludes a detailed itemisation in this chapter of those statutes and their implementation. Readers should seek advice from a specialist or from the websites of national government agencies in particular sectors such as telecommunications. Those sites sometimes provide both guidance and reports on decision-making, for example by ACMA, regarding privacy breaches.

It is important to note that law enforcement and national security agencies in Australia have substantial authorisations under law to collect, process and share personal information or otherwise erode communication, bodily and other privacy. Examples include scope for body searches of people entering Australia and covert surveillance of suspected terrorists. Some of those agencies are specifically exempt from the Privacy Act 1988. Readers should thus be conscious of the cautions provided in Making Sense of Privacy Law in the ACT regarding claims of comprehensive enforceable privacy rights.