Privacy and Confidentiality Acts
Federal Privacy Act 1988
Information of a personal nature can in some instances allow identification of an individual. It includes information such as a person's name, address, financial information, marital status or billing details(1). Some personal information is sensitive, such as:
- health information about an individual
- racial or ethnic origin
- political opinions
- membership of a political association
- religious beliefs or affiliations
- philosophical beliefs
- membership of a professional or trade association
- membership of a trade union
- sexual preferences or practices
- criminal record
As this information is highly sensitive, the Federal Privacy Act provides higher protections in the private sector under the Australian Privacy Principles.
The Federal Privacy Act 1988 is Australia's national law for the protection of personal information when handled by Federal and ACT Government agencies and many private sector organisations, including providing rights for individuals to access and correct personal information about themselves. (Not all small businesses have to comply with the Act; refer to the information below.)
The Privacy Commissioner administers the Act and can issue, and has issued, guidelines under it. The guidelines have been issued in relation to:
- the handling of personal information that is handled by Federal and ACT government agencies
- the collection, storage, use and security of personal tax file numbers used by individuals and organisations
- the handling of information about individuals' credit details
- the handling of personal health information by health service providers in the private sector
- the handling of personal information held by some private sector organisations.
The Office of the Federal Privacy Commissioner is responsible for administering the Privacy Act 1988. The office provides information and advice, including matters of policy and complaints handling in relation to organisations and agencies that have obligations to protect privacy under the Privacy Act.
Those covered by the Privacy Act include:
- federal and ACT government departments and Ministers;
- credit providers and credit reporting agencies;
- any organisation or individual handling personal tax file numbers;
- any organisation or individual handling old minor criminal conviction information; and
- many private sector organisations.(2)
Generally, the Information Privacy Principles give people the right to:
- know why your personal information is being collected, any law authorising the collection and who it will be given to
- have access to your records
- have inaccurate information about you amended
- be sure that otherwise, information about you can only be used for particular reasons, such as threats to life or health
- be sure that otherwise, information about you can only be disclosed for particular reasons, such as threats to life or health.
The Privacy Act 1988 provides protection of personal information such as information about a person's disability. Privacy principles set the basic rules for handling people's information, but their intent is also, and importantly, to encourage agencies and organisations to be open with people about how they handle their information and to develop trust relationships with them about this.
Federal and ACT Government Services
The Privacy Act 1988 recognises the importance that individuals place on the way their personal information is treated by Federal and ACT government services and therefore sets the standards with which agencies must comply when handling such information.
Within the Act, Australian Privacy Principles have been developed to govern things such as the collection, storage, use and disclosure of personal information by Federal and ACT government agencies. The Principles also provide individuals with certain rights to access their personal information and correct any errors.
The Australian Privacy Principles (APPs) cover things including:
- collection of information (APP 1)
- seeking information from individuals (APP 2)
- collecting information generally (APP 3)
- security and storage (APP 11)
- access to information (APP 12)
- keeping accurate, complete and up-to-date information (APP 10)
- disclosure (APP 6).
To access the Information Privacy Principles for Federal and ACT government agencies, refer to the OAIC website - Australian Privacy Principles
Private Sector Organisations
The Privacy Act 1988 originally covered personal information handled by Commonwealth and ACT agencies. The Act was amended in December 2001 to include private sector organisations (with a turnover above $3 million) and health service providers. In December 2002 some small businesses (with a turnover under $3 million), including non-profit organisations or unincorporated associations, became covered by the Act.
Within the Act, Australian Privacy Principles have been developed with which organisations must comply. The Principles provide the information-handling standards for things such as collecting, using and disclosing personal information as well as keeping information secure, paying attention to data quality and accuracy, being open about the collection and information handling practices, providing access to personal information, providing anonymity where possible and providing protection when transferring personal information overseas.
The Australian Privacy Principles cover items such as collection of solicited personal information, use and disclosure of personal information, anonymity and pseudonymity and security of personal information.
To access the Australian Privacy Principles for private sector organisations, refer to the OAIC website - Australian Privacy Principles
Scenario: Mary was interviewed for a position of employment but was not successful. Mary has a disability. Mary would like to access the information that was collected about her for the interview, such as her referee reports, as she was not happy with the unsuccessful outcome.
Mary should be able to access the information that was collected about her such as referee reports. The Privacy Act gives Mary a general right to access and correct personal information about her that has been collected by the organisation. This however is not an unqualified right.
There are a limited number of situations where the organisation may deny Mary access to her personal information held by the organisation. Where such an exception applies to a request for access, the organisation would need to give Mary an explanation regarding why access was not given. Sometimes an exception may apply to the whole record, but where it does not, the remaining parts of the record ought to be accessible. Exemptions include when there is a threat to the person's health and safety or the health and safety of someone else or where another law prevents access.
Scenario: Bruce would like to access his personal records that are held by the TAFE Disability Officer. Bruce would like to know what was recorded on his file in relation to the services he was entitled to.
Bruce has a general right to access the personal information that the TAFE holds. Bruce may choose to look over his records and make notes, take a copy of the records, or have them explained. Bruce would need to discuss the best way to access the records with the TAFE. The TAFE can however refuse to give Bruce access for other reasons, for example, a threat to his health and safety or the health and safety of someone else or where another law prevents access. Even then, the TAFE must consider giving Bruce limited access to the information such as giving access to the information or a summary of the information whilst blocking or excluding the information covered by the exemption.
The overwhelming majority of universities in Australia are not covered by Commonwealth law as most institutions are set up under state or territory statute. It is therefore important to access individual state privacy laws to determine specific processes required to access personal information.