Australian and regional regulatory responses to the key challenges of consumer protection in electronic commerce (March 2008)
3.3. Privacy and data protection
3.3.1. Current privacy protection
Australia has the following general privacy legislation (or guidelines) in place:
| Jurisdiction | Legislation / Standard | Regulator |
| --- | --- | --- |
| Cth | Privacy Act 1988 (Cth) | Federal Privacy Commissioner |
| ACT | Privacy Act 1988 (Cth) | Federal Privacy Commissioner |
| NSW | Privacy and Personal Information Protection Act 1998 (NSW) | NSW Privacy Commissioner |
| NT | Information Act 2002 (NT) | NT Information Commissioner |
| Qld | Information Standard 42 | Queensland Ombudsman |
| SA | Cabinet Administrative Instruction 1/89 | Privacy Committee of South Australia |
| Tas | Personal Information Protection Act 2004 (Tas) | Department of Justice |
| Vic | Information Privacy Act 2000 (Vic) | Victorian Privacy Commissioner |
| WA | Not yet enacted[31] | – |
The State and Territory legislation in this list generally applies to the activities of State and Territory public sector agencies.
The key legislation for privacy in e-commerce is the current Commonwealth privacy legislation – the Privacy Act.[32] The Act sets out the Information Privacy Principles (IPPs), which regulate the collection, use and disclosure of personal information by Australian government agencies. The Act also includes a complaints, audit and enforcement regime.
The Commonwealth legislation applies to both the Australian Government public sector and significant parts of the private sector. However, two different standards of privacy protection exist in the Commonwealth legislation:
- Information Privacy Principles (IPPs): eleven IPPs that apply to Commonwealth and ACT government agencies.
- National Privacy Principles (NPPs): the Privacy Act was amended in 2001 to include ten NPPs that apply to parts of the private sector (those that earn more than $3 million annually and all health service providers).[33]
The NPPs cover:
- Principle 1 – Fair collection: collection of personal information is only allowed if it is necessary for a function or activity of the organisation. Organisations must explain their information practices to individuals at the time they collect their personal information.
- Principle 2 – Use and disclosure: personal information should generally not be used or disclosed for a purpose other than that for which it was collected without the consent of the individual concerned.
- Principle 3 – Data quality: organisations must take reasonable steps to ensure that personal information they collect, use or disclose is accurate, complete and up to date.
- Principle 4 – Data security: organisations must take reasonable steps to protect personal information they hold from unauthorised access, and must not hold data longer than needed.
- Principle 5 – Openness: organisations must clearly express and make available their policies about how they collect, hold, use and disclose personal information.
- Principle 6 – Access and correction: organisations must provide individuals with access to the information they hold about them on request, and must correct that information if it is not accurate, complete and up to date.
- Principle 7 – Identifiers: an organisation must not adopt as its own identifier of an individual an identifier that has been assigned to that individual by an agency or Commonwealth provider.
- Principle 8 – Anonymity: where lawful and practical, individuals must be given the option of remaining anonymous when entering into a transaction with an organisation.
- Principle 9 – Transborder data flows: an organisation in Australia may transfer personal information about an individual to someone in a foreign country only if it believes the recipient upholds similar principles of fair data handling, or the transfer is for the benefit of the individual.
- Principle 10 – Sensitive information: an organisation must not collect sensitive information about individuals unless the individual consents or the organisation is required to do so by law.
3.3.2. Potential Privacy Law Reform
Commonwealth privacy legislation is currently the subject of a review by the Australian Law Reform Commission (ALRC). The ALRC review builds on earlier work by a Senate Committee and by the Office of the Privacy Commissioner. Significant changes to the IPPs and NPPs are likely to result from this review.
- Office of the Privacy Commissioner (OPC) Review (2005)[34]: the OPC Review focused on the private sector provisions of the Privacy Act. A final report was published in May 2005 and included several important recommendations for achieving greater consistency in Australian privacy legislation. The Government has not responded to these recommendations.
- Australian Law Reform Commission (ALRC) Review (2006-2008)[35]: the ALRC has been given broad terms of reference to review all aspects of Australian privacy law, including the matters raised in the earlier OPC review. This review will also cover the public sector provisions of the Privacy Act.
The ALRC is now due to report at the end of May 2008, and the Government's response to the report may take several months after that to prepare. Implementation of any recommendations will take longer still.
[31] Information Privacy Bill 2007 (WA), <http://www.parliament.wa.gov.au/parliament/bills.nsf/B76E4F86BE5ACCADC82572AB002D2C7F/$File/Bill+193-1.pdf>.
[32] Privacy Act 1988 (Cth), <http://www.comlaw.gov.au/>.
[33] Privacy Amendment (Private Sector) Act 2000 (Cth), <http://www.comlaw.gov.au>.
[34] Office of the Privacy Commissioner, The Review of the Private Sector Provisions of the Privacy Act 1988, March 2005, <http://www.privacy.gov.au/act/review/review2005.htm>.
[35] Australian Law Reform Commission, Review of Privacy, <http://www.alrc.gov.au/inquiries/current/privacy/index.htm>.