Private Sector Organisations
The Privacy Act 1988 originally covered personal information handled by Commonwealth and ACT agencies. The Act was amended in December 2001 to include private sector organisations (with a turnover above $3 million) and health service providers. In December 2002 some small businesses (with a turnover under $3 million), including non-profit organisations or unincorporated associations, became covered by the Act.
Within the Act, 10 National Privacy Principles have been developed with which organisations must comply. The Principles provide the information-handling standards for things such as collecting, using and disclosing personal information as well as keeping information secure, paying attention to data quality and accuracy, being open about the collection and information handling practices, providing access to personal information, providing anonymity where possible and providing protection when transferring personal information overseas.
The National Privacy Principles (NPPs) cover the:
- collection of information (NPP 1)
- use and disclosure (NPP 2)
- data quality (NPP 3)
- data security (NPP 4)
- openness (NPP 5)
- access and correction (NPP 6)
- identifiers (NPP 7)
- anonymity (NPP 8)
- transborder data flows (NPP 9) and
- sensitive information (NPP 10).
To access the National Privacy Principles for private sector organisations, refer to the following websites:
- National Privacy Principles:
- Plain English version of National Privacy Principles:
Scenario: Mary was interviewed for a position of employment but was not successful. Mary has a disability. Mary would like to access the information that was collected about her for the interview, such as her referee reports, as she was not happy with the unsuccessful outcome.
Mary should be able to access the information that was collected about her, such as referee reports. The Privacy Act gives Mary a general right to access and correct personal information about her that has been collected by the organisation. This, however, is not an unqualified right.
There are a limited number of situations where the organisation may deny Mary access to her personal information held by the organisation. Where such an exception applies to a request for access, the organisation would need to give Mary an explanation of why access was not given. Sometimes an exception may apply to the whole record, but where it does not, parts of the record ought to be accessible. Exemptions include when there is a threat to the person's health and safety or the health and safety of someone else, or where another law prevents access.
Scenario: Bruce would like to access his personal records that are held by the TAFE Disability Officer. Bruce would like to know what was recorded on his file in relation to the services he was entitled to.
Bruce has a general right to access the personal information that the TAFE holds. Bruce may choose to look over his records and make notes, take a copy of the records, or have them explained. Bruce would need to discuss the best way to access the records with the TAFE. The TAFE can, however, refuse to give Bruce access for other reasons, for example, a threat to his health and safety or the health and safety of someone else, or where another law prevents access. Even then, the TAFE must consider giving Bruce limited access to the information, such as giving access to the information or a summary of the information whilst blocking or excluding the information covered by the exemption.
The overwhelming majority of universities in Australia are not covered by Commonwealth law as most institutions are set up under state or territory statute. It is therefore important to access individual state privacy laws to determine specific processes required to access personal information.