
Privacy Act 1988 - Business Information Sheet [21 Dec 2001 - 11 March 2014]

[Please Note: This Information Sheet provides information on the Privacy Act's Information Privacy Principles (IPP) and National Privacy Principles (NPP) that continue to apply to breaches of the Act which occurred up to 11 March, 2014.

For information on the Australian Privacy Principles that came into operation on and apply from 11 March, 2014, please see the Stephens Lawyers & Consultants Private Sector Privacy Information Sheet - Privacy Act 1988 – From 11 March 2014.]

Privacy Laws - up to 11 March, 2014

The Australian privacy laws regulate the handling, storage, use and disclosure of personal information by Commonwealth, State and local government and its agencies and private organisations.

The Information Privacy Principles (“IPP”) contained in the Federal Privacy Act 1988 (Cth) specified the standards that the Federal Government and its agencies had to comply with when handling personal information during the period up to 12 March 2014. The National Privacy Principles (NPP) outlined in Schedule 3 of the Act applied to the handling of personal information by private sector organisations during the period 21 December 2001 to 11 March 2014. In addition, the privacy laws of each Australian State and Territory regulated the handling of personal information by State and Territory government agencies and local government. 

As of 12 March 2014, the NPP and the IPP were replaced by the Australian Privacy Principles (“APP”), which apply to the handling of personal information by the Federal government, its agencies and private organisations covered by the Privacy Act, referred to in the Act as “APP” entities. State and Territory privacy laws continue to apply to State and Territory government agencies and local government/councils.

For Information on the Australian Privacy Principles that came into effect on and apply from 12 March, 2014 please refer to the Stephens Lawyers and Consultants Private Sector Privacy Information Sheet - Privacy Act 1988 – From 11 March 2014 

Implications for your Business

For information on the Australian privacy laws which apply for breaches of the Act occurring from 12 March, 2014 please refer to the Stephens Lawyers and Consultants Privacy Act 1988 - Australian Privacy Principles Information Sheet - November, 2014.

The Privacy Law establishes national standards for the handling of personal information by private sector organisations and aims to ensure that personal information held by private sector organisations will be stored, used and disclosed in a fair and appropriate way.
The Privacy Law gives individuals the right to:

  • Know if their personal information is being collected by private sector organisations.
  • Know what personal information is held about them.
  • Know how the personal information is being used and who is given the personal information.
  • Correct the personal information if it is wrong.

Who does the Privacy Act 1988 apply to?

The Privacy Law applies to the acts and practices of 'organisations' in the private sector, including individuals, corporations, partnerships, trusts, and other unincorporated associations.
The Privacy Laws apply to:

  • Businesses with an annual turnover of $3 million or more.
  • Businesses with an annual turnover of less than $3 million which are related to organisations with an annual turnover of more than $3 million.
  • Health service providers or other organisations that hold health information.
  • Organisations that collect, disclose and provide personal information for a benefit, service or advantage.
  • Organisations that are contracted service providers to the Federal Government.
  • Charitable and other not-for-profit organisations.
  • Unions.

What type of information is covered by the Privacy Act 1988?

The Privacy Law applies to personal and/or sensitive information being collected by an organisation if the organisation collects it for inclusion in a 'record' or 'generally available publication'.

'Personal information' is information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained from the information or opinion.

'Sensitive information' is defined as:

  • information or an opinion about an individual's:
    • racial or ethnic origin; or
    • political opinions; or
    • membership of a political association; or
    • religious beliefs or affiliations; or
    • philosophical beliefs; or
    • membership of a professional or trade association; or
    • membership of a trade union; or
    • sexual preferences or practices; or
    • criminal record;
    that is also personal information; or
  • health information about an individual; or
  • genetic information about an individual that is not otherwise personal information

A 'generally available publication' is defined in the Privacy Act 1988 as a magazine, book, newspaper or other publication (however published) that is or will be generally available to members of the public. This definition covers documents published through both traditional means and electronic means.
Examples of personal and/or sensitive information which may be collected by organisations include:

  • Employee records (including health records).
  • Health records.
  • Customer and supplier lists.
  • Customer financial information/credit reports.
  • Customer complaints.
  • Client details including personal information relating to treatments, services and products purchased.
  • Electronic databases recording transactions with individuals.
  • Direct marketing databases.
  • Research and development data and test results.

Application to acts and practices overseas

Where an Australian organisation deals with personal and/or sensitive information about Australians, the Privacy Law will apply to information held both within Australia and overseas. Where Australian organisations send personal information about Australians to foreign organisations, they will also have to ensure that the foreign organisation complies with the Privacy Laws.

An organisation must comply with the National Privacy Principles as contained in the Privacy Act 1988 or develop its own 'Privacy Code' to regulate the handling of personal information.

The National Privacy Principles deal with:

  1. The collection of personal information and limitations on collection.
  2. The use and disclosure of personal information.
  3. The quality of data collected.
  4. The security of data collected.
  5. Openness and accessibility to policies on the management of personal information.
  6. Rights to access personal information and have inaccurate information corrected.
  7. Non-use of government record numbers to identify individuals.
  8. The rights of individuals to anonymity.
  9. The transfer of personal information from Australia to someone in a foreign country.
  10. Limitations on collection of sensitive information.

Effect of Non-Compliance

The Privacy Law gives the Privacy Commissioner the power to investigate complaints and issue determinations, which are enforceable by the Federal Court or the Federal Magistrates Court.

An organisation that develops its own Privacy Code must appoint an independent adjudicator to investigate complaints and issue determinations; the Privacy Commissioner may be appointed as the independent adjudicator under a Privacy Code. The independent adjudicator has the same powers as the Privacy Commissioner to make determinations.

The Privacy Commissioner or the independent adjudicator may make determinations that:

  • the respondent has engaged in conduct constituting an interference with the privacy of an individual and should not repeat or continue such conduct;
  • the respondent make an appropriate correction, deletion or addition to a record;
  • the complainant is entitled to payment of compensation including amounts for injury to feelings or humiliation suffered;
  • the respondent should perform any reasonable act or course of conduct to redress any loss or damage suffered.

© Stephens Lawyers & Consultants, March 2007

Contact: Katarina Klaric, Principal

Further information

Further information about privacy and the National Privacy Principles can be obtained from the Australian Federal Privacy Commissioner website at www.privacy.gov.au

Stephens Lawyers & Consultants
Level 3, 530 Lonsdale Street
Melbourne VIC 3000
Phone: (03) 8636 9100
Fax: (03) 8636 9199
Email: stephens@stephens.com.au
Website: www.stephens.com.au
All Correspondence to:
PO Box 13286
Melbourne Law Courts
Melbourne VIC 8010

To register for newsletter updates and to send your comments and feedback, please email stephens@stephens.com.au
Disclaimer: This newsletter is not intended to be a substitute for obtaining legal advice.

[1] As amended by the Privacy Amendment (Private Sector) Act 2000, which came into operation on 21 December 2001.
