Privacy legislation - coverage and exemptions

Privacy legislation is part of a global trend to protect personal information and to regulate in the area of fair information practices.

The Australian Privacy Principles (APPs) are contained in Schedule 1 of the Privacy Act 1988 (Cth). They set out minimum standards for how personal information must be collected, used, disclosed and stored.

Does the Privacy Act apply to you? Refer to the sections Entities covered by the Privacy Act and Entities not covered by the Privacy Act below.

Entities covered by the Privacy Act

The private sector provisions in the Privacy Act (including the APPs) apply to any of the following 'organisations', subject to certain exceptions:

  • an individual
  • a body corporate (including companies)
  • a partnership
  • any other unincorporated association
  • a trust.

Entities not covered by the Privacy Act

A small business with an annual turnover of $3 million or less is a small business operator and not covered by the Privacy Act, unless it:

  • is related to a business (that is, its holding company or any subsidiary company) that has an annual turnover of greater than $3 million
  • provides a health service and holds health information other than in an employee record
  • discloses personal information about another individual to anyone else for benefit, service or advantage (unless it does so with the consent of the individual concerned or is required or authorised to do so under legislation)
  • provides a benefit, service or advantage to collect personal information about another individual from anyone else (unless it does so with the consent of the individual concerned or is required or authorised to do so under legislation)
  • is a contracted service provider for a Commonwealth contract (even if it is not a party to the contract)
  • falls within certain types of businesses specifically prescribed by the Act, including one that operates a residential tenancy database, or that is a credit reporting business
  • is prescribed by regulation
  • opts into the legislation.

Although the Privacy Act does not apply to many small business operators, an exempt small business operator may want to take advantage of the benefits that can flow from complying with the legislation. The benefits could include increased consumer confidence and trust in its operations. The Privacy Act provides a mechanism to allow an organisation that is an exempt small business operator to opt in to the Privacy Act. A small business operator that is covered by the Privacy Act, because it has opted in, remains covered until it specifically opts out.

Other entities not covered by the Privacy Act include registered political parties and certain government agencies and authorities.

What is personal information?

Under the Act, 'personal information' is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not.

The range of information and opinions coming within the definition is very broad. It covers a person's name, date of birth, email address, signature, home address and telephone number, as well as information relating to a person's physical description, place of work, certain business information, employment, occupation, investments and property holdings, relationships to other persons, recreational interests, and political, philosophical or religious beliefs.

Sensitive information

Within the definition of 'personal information', a subset called 'sensitive information' attracts additional protection. Sensitive information means information or an opinion about an individual's:

  • racial or ethnic origin
  • political opinions
  • membership of a political association
  • religious beliefs or affiliations
  • philosophical beliefs
  • membership of a professional or trade association
  • membership of a trade union
  • sexual orientation or practices
  • criminal record
  • health information, defined as information or an opinion about: the health or disability (at any time) of an individual; an individual’s expressed wishes about the future provision of health services to him or her; a health service provided, or to be provided, to an individual; other personal information collected to provide, or in providing, a health service; other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances
  • genetic information
  • biometric information that is to be used for automated biometric verification or identification, and biometric templates.

Activities not covered by the Privacy Act

Certain dealings in personal information are exempt from the Act; for example, the sharing of personal information between 'related bodies corporate'.

Furthermore, in some circumstances, the handling of employee records in relation to current and former employment relationships by a private sector employer is exempt from the APPs.

Private sector employers are encouraged to consider the privacy of their employee records even if their activities in relation to them are covered by this exemption.

To be exempt, an activity relating to an employee record must be directly related to the employment relationship. This means that an activity of an employer that is outside the scope of the employment relationship is not exempt. For example, an employer could not sell a list of the names of employees to another organisation for marketing purposes.

Current or former employment relationship

The activity of an employer must be directly related to a current or former employment relationship, not a future employment relationship. This means that personal information collected from prospective employees who are subsequently not employed by an organisation, such as unsuccessful job applicants, will not be covered by the employee records exemption.

However, once an employment relationship is formed with an individual, the records the employer holds relating to that individual's pre-employment checks become exempt.

Employee record

An 'employee record' means a record of personal information relating to the employment of the employee. It includes health information about an employee and personal information relating to:

  • the engagement, training, disciplining, resignation or termination of employment of an employee
  • the terms and conditions of employment of an employee
  • the employee's performance or conduct, hours of employment, salary or wages, personal and emergency contact details
  • the employee's membership of a professional or trade association or trade union membership
  • the employee's recreation, long service, sick, maternity, paternity or other leave
  • the employee's taxation, banking or superannuation affairs.

Employers should not assume that all the information they hold that relates to an individual employee would be an employee record. For example, emails that an employee has received from third parties outside the organisation may not necessarily be an employee record. Depending on the circumstances, the exemption may also not cover the content of many other employee emails.

Contractors of employers

This exemption does not cover contractors and subcontractors when they handle the personal information of the employees of another organisation, notwithstanding those contractual arrangements. In many circumstances, the employee records exemption may not apply to organisations that provide recruitment, human-resource management services, medical, training or superannuation services under contract to an employer.

An organisation that collects employee records about a person from the organisation employing that person will have to comply with the notice requirements of APP 5. This exemption does not cover a workers' compensation insurer that is not the employer of an individual.

Activities related to a state or territory contract

The Privacy Act exempts the activities of contracted service providers for a state or territory contract when those activities are directly or indirectly related to meeting obligations under the contract.

The Australian Privacy Principles

A summary of the 13 APPs is set out below.

The Office of the Australian Information Commissioner has issued guidelines on the APPs. The guidelines are advisory and are not legally binding. A copy of the guidelines is available at www.privacy.gov.au.

APP 1 – Open and transparent management of personal information

Personal information must be managed in an open and transparent way. This includes a business:

  • having a clearly expressed and up to date APP privacy policy about how it manages personal information
  • taking reasonable steps to implement practices, procedures and systems that will ensure it complies with the APPs and any binding registered APP code, and is able to deal with related inquiries and complaints
  • taking reasonable steps to make its APP privacy policy available free of charge and in an appropriate form (usually on its website)
  • upon request, taking reasonable steps to provide a person or body with a copy of its APP privacy policy in the particular form requested.

APP 2 – Anonymity and pseudonymity

A business must give individuals who deal with the business the option of not identifying themselves, or of using a pseudonym, subject to certain exceptions.

APP 3 – Collection of solicited personal information

A business may only collect personal information that is solicited (i.e. information it has explicitly requested another person to provide, or has taken active steps to collect):

  • where it is reasonably necessary for the business’s functions or activities
  • by lawful and fair means
  • from the individual concerned, unless this is unreasonable or impracticable.

The principle applies higher standards to the collection of sensitive information.

APP 4 – Dealing with unsolicited personal information

Unsolicited personal information that could not have been collected by a business under APP 3 (see above) must be destroyed or de-identified as soon as practicable, if it is lawful and reasonable to do so. Otherwise, the business may retain the personal information but must deal with it in accordance with APPs 5 to 13 (refer below).

Different rules apply to information contained in ‘Commonwealth records’ (broadly, certain Commonwealth government records). These different rules generally apply to government agencies.

APP 5 – Notification of the collection of personal information

A business that collects personal information about an individual must take reasonable steps either to notify the individual of certain matters, or to ensure the individual is aware of those matters, including:

  • the business’s identity and contact details
  • the fact and circumstances of collection
  • whether the collection is required or authorised by law
  • the purposes of collection
  • the consequences if personal information is not collected
  • the business’s usual disclosures of personal information of the kind collected by the business
  • information about the business’s APP privacy policy
  • whether the business is likely to disclose personal information to overseas recipients, and if practicable, the countries where they are located.

APP 6 – Use or disclosure of personal information

A business may only use or disclose personal information for a purpose for which it was collected (known as the ‘primary purpose’), or for a secondary purpose if an exception applies. The exceptions include where:

  • the individual has consented to a secondary use or disclosure
  • the individual would reasonably expect the business to use or disclose their personal information for the secondary purpose, and that purpose is related to the primary purpose of collection or, in the case of sensitive information, directly related to the primary purpose
  • the secondary use or disclosure is required or authorised by or under an Australian law or a court/tribunal order
  • a permitted general situation or permitted health situation exists in relation to the secondary use or disclosure
  • the business reasonably believes that the secondary use or disclosure is reasonably necessary for one or more law enforcement related activities.

APP 7 – Direct marketing

A business must not use or disclose personal information it holds for the purpose of direct marketing, unless an exception applies. The most common exceptions require a business to provide a simple means by which an individual can request not to receive direct marketing communications (also known as ‘opting out’).

Different rules apply to sensitive information.

APP 8 – Cross-border disclosure of personal information

Before a business discloses personal information to a recipient in a foreign country, the business must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information. The business is accountable for any acts or practices of the overseas recipient in relation to the information that would breach the APPs.

There are exceptions to the above:

  • where the business reasonably believes that the disclosed personal information will be protected by a law or scheme in a substantially similar way to the APPs, and the individual to whom it relates will be able to enforce those protections
  • the relevant individual expressly consents to the disclosure after the business has expressly informed the individual that if he or she consents, APP 8 will not apply.

APP 9 – Adoption, use or disclosure of government related identifiers

Generally, a business must not adopt, use, or disclose an identifier that has been assigned by a Commonwealth, state or territory government agency.

APP 10 – Quality of personal information

A business must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. It must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure.

APP 11 – Security of personal information

A business must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. It also has obligations to destroy or de-identify personal information in certain circumstances.

APP 12 - Access to personal information

A business has certain obligations when an individual requests to be given access to personal information held about them by the business, including a requirement to provide access unless a specific exception applies.

APP 13 - Correction of personal information

A business must take reasonable steps to correct personal information to ensure that, having regard to the purpose for which it is held, it is accurate, up to date, complete, relevant and not misleading.

Enforcement

An individual can make a complaint to the Australian Information Commissioner. A breach of the Act may result in a determination by the Australian Information Commissioner requiring the organisation to refrain from an action, to undertake an action or (in certain cases) to pay monetary compensation. The Federal Court and the Federal Circuit Court (now the Federal Circuit and Family Court of Australia) also have power to impose civil penalties for certain breaches of the Act, and to award compensation.

The Australian Information Commissioner’s decision can be appealed in the Federal Court of Australia or the Federal Circuit Court.

Disclaimer

This content is provided by the Australian Institute of Architects for reference purposes and as general guidance. It does not take into account specific circumstances and should not be relied on in that way. It is not legal, financial, insurance, or other advice and you should seek independent verification or advice before relying on this content in circumstances where loss or damage may result. The Institute endeavours to publish content that is accurate at the time it is published, but does not accept responsibility for content that may or has become inaccurate over time. Using this website and content is subject to the Acumen User Licence.
