Law and the regulatory authority

Legislative framework

Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments on privacy or data protection?

The Privacy Act 1988 (Cth) (Privacy Act), which was enacted to give effect to Australia’s agreement to implement the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980), governs how personal information is handled in Australia by the Commonwealth Government and private sector entities with an annual turnover of at least A$3 million (APP entities). Some small businesses (with a global aggregate group turnover of A$3 million or less) are also covered by the Privacy Act, including private health services providers that hold health information, businesses that sell or purchase personal information, credit-reporting bodies and contracted service providers for a Commonwealth contract.

‘Personal information’ is the conceptual equivalent of PII in other jurisdictions, and is defined as information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether the information or opinion is recorded in a material form or not. It is still unclear whether metadata, cookies and IP addresses fall within the definition of personal information. However, while it will ultimately depend on the circumstances, the better view is that they are likely to be personal information and best practice in Australia is to align with international practice (which is of course informed by the online behavioural tracking rules in the GDPR). The Privacy Act contains 13 Australian Privacy Principles (APPs), which set out the minimum standards for dealing with personal information and are the foundation of Australian privacy law. They cover the life cycle of the collection, use, storage, disclosure and destruction of personal information. The Privacy Act also includes credit-reporting obligations that govern the way in which personal credit information about individuals must be handled by credit-reporting bodies, credit providers and other third parties.

Further, each Australian state and territory has legislation broadly equivalent to the Privacy Act that regulates the handling of personal information by public sector agencies at the state and territory level. Additionally, the Spam Act 2003 (Cth) (Spam Act) regulates electronic marketing, and the Do Not Call Register Act 2006 (Cth) (Do Not Call Register Act) regulates unsolicited commercial calls to listed phone numbers.

Data protection authority

Which authority is responsible for overseeing the data protection law? Describe the investigative powers of the authority.

The Office of the Australian Information Commissioner (Information Commissioner) is responsible for overseeing compliance with the Privacy Act.

The Information Commissioner has a legislative mandate to conduct education programmes, and can also conduct investigations in relation to a suspected or actual breach of the Privacy Act (whether in response to a complaint, or as an ‘own motion’ investigation that is made of its own volition), including by requiring a person to give information or documents, or to attend a compulsory conference and entering premises to inspect documents.

Additionally, the Australian Communications and Media Authority (ACMA) regulates telecommunications, spam and telemarketing, including industry-specific privacy-related rules discussed below. The ACMA is in charge of enforcing the Spam Act and the Do Not Call Register Act and may conduct investigations in order to exercise its enforcement powers.

Regulators under the various state-based laws for the public sector have similar powers, but these are generally not relevant for private sector entities in Australia.

Cooperation with other data protection authorities

Are there legal obligations on the data protection authority to cooperate with other data protection authorities, or is there a mechanism to resolve different approaches?

The Information Commissioner is not subject to any strict legal obligations to cooperate with other data protection authorities in other countries. However, the Information Commissioner participates in several forums and arrangements to promote best privacy practice internationally, address emerging privacy issues and cooperate on cross-border privacy regulation. These include:

  • the Asia Pacific Privacy Authorities Forum;
  • the Cross-border Privacy Enforcement Arrangement; and
  • the Global Cross Border Enforcement Cooperation Arrangement.


Breaches of data protection

Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?

Breaches of the Privacy Act can lead to administrative determinations of breach (which may or may not be accompanied by a compensation order), the acceptance of court-enforceable undertakings and, for serious or repeated interferences with privacy, a statutory penalty of up to A$2.1 million for corporations.

Criminal sanctions may also be imposed where an individual or corporation fails to comply with a request or direction given by the Information Commissioner in relation to any investigation run by the Information Commissioner, or any determination regarding a breach of data protection law.

Additionally, there is a mandatory data breach notification regime under the Privacy Act that applies to all government agencies and businesses that are subject to the Privacy Act. Under this regime, if a relevant agency or business suspects there has been a data breach that is likely to result in serious harm to any of the affected individuals (an ‘eligible data breach’), subject to some limited exceptions, it must:

  • carry out a ‘reasonable and expeditious’ assessment (and take all reasonable steps to complete it within 30 days of becoming aware) as to whether there has been an eligible data breach; and
  • if an eligible data breach has occurred, notify the Information Commissioner and affected individuals as soon as practicable.



Exempt sectors and institutions

Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?

The Privacy Act and the Australian Privacy Principles (APPs) apply to all APP entities, which broadly speaking include all Commonwealth Government entities and private sector entities with an annual turnover of A$3 million or more. However, some specific types of businesses or areas of activities are specifically excluded from the application of the Privacy Act, such as public hospitals and healthcare facilities, most public universities and public schools, some media organisations acting in the course of journalism, registered political parties and most small businesses (with an annual turnover of less than A$3 million).

Additionally, employee records relating to current and former employment relationships are expressly excluded from the application of the Privacy Act and the APPs.

It is worth noting that in specific circumstances some small businesses may still be captured by the Privacy Act, including where they are a private-sector health provider, a service provider for the Commonwealth Government, a related entity to a business that is covered by the Privacy Act, or if they handle credit-reporting information or sell or purchase personal information.

Communications, marketing and surveillance laws

Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals? If not, list other relevant laws in this regard.

The Privacy Act governs how personal information is collected, stored and used, regardless of the medium or material that contains or communicates that information. Generally speaking, the Privacy Act and the APPs will apply to any interception, marketing or surveillance activities that involve dealing with personal information.

In addition, the following laws are relevant in this regard:

  • the interception of communications is governed by the Telecommunications (Interception and Access) Act 1979 (Cth). Under this Act, a person must not intercept any communication passing through the telecommunications network without the knowledge of the persons issuing or receiving the communication;
  • the use of monitoring and surveillance devices is governed by various legislation at a federal level as well as at the state and territory level. Generally speaking, the surveillance legislation prohibits the tracking and audio or video recording of any person or activity without the consent of that person or of the person involved in the activity;
  • specific workplace surveillance laws exist in New South Wales, the Australian Capital Territory and, to some extent, in Victoria;
  • commercial electronic messages that are sent to an email address or a phone number accessed in Australia are regulated by the Spam Act; and
  • the practices of telemarketers and fax marketers must comply with the Do Not Call Register Act.


Other laws

Identify any further laws or regulations that provide specific data protection rules for related areas.

In August 2019 a legal framework for a data portability right known as the ‘Consumer Data Right’ (CDR) came into effect. It is intended that the CDR will apply on an economy-wide basis, but it has first been introduced in the banking sector (with other sectors to follow).

Under the banking sector CDR Rules, certain financial services providers will be required to share product reference data, consumer data relating to credit and debit cards, deposit accounts, transaction accounts and mortgage and personal loan data with the individuals to whom that data relates and with other accredited data recipients.

Importantly, the legislation includes 13 ‘privacy safeguards’, supplemented by the CDR Rules, which set out the privacy rights and obligations for users of the CDR scheme, including the requirement to obtain informed consent from individuals to collect, hold, use and disclose their CDR data.

Consumer credit reporting is regulated by the Privacy Regulation 2013 and the Privacy (Credit Reporting) Code 2014, in addition to Part IIIA of the Privacy Act.

There are also specific data protection rules for the health sector in Australia, including:

  • the My Health Records Act 2012 (Cth), My Health Records Rule 2016 (Cth) and My Health Records Regulation 2012 (Cth), which create the legislative framework for the Australian government’s My Health Record System;
  • the Healthcare Identifiers Act 2010 (Cth), which regulates the use and disclosure of healthcare identifiers; and
  • state and territory health privacy legislation in the Australian Capital Territory, New South Wales and Victoria, which covers health service providers (including private sector providers) in those jurisdictions:
    • the Health Records (Privacy and Access) Act 1997 (ACT);
    • the Health Records and Information Privacy Act 2002 (NSW); and
    • the Health Records Act 2001 (Vic).


The telecommunications sector is subject to specific data protection rules, including the Telecommunications Act 1997 (Cth), which imposes restrictions on the use and disclosure of telecommunications and communications-related data, and the Telecommunications (Interception and Access) Act 1979 (Cth), which, among other things, regulates the interception of, and access by enforcement agencies to, the content of communications transiting over telecommunications networks and stored communications (eg, SMS and emails) on carrier networks.

The following laws apply to monitoring and surveillance, in some cases specifically to workplace monitoring and surveillance:

  • the Telecommunications (Interception and Access) Act 1979 (Cth);
  • the Surveillance Devices Act 2004 (Cth);
  • the Workplace Privacy Act 2011 (ACT);
  • the Listening Devices Act 1992 (ACT);
  • the Workplace Surveillance Act 2005 (NSW);
  • the Surveillance Devices Act 2016 (SA);
  • the Listening Devices Act 1991 (Tas);
  • the Surveillance Devices Act 1999 (Vic);
  • the Surveillance Devices Act 1998 (WA); and
  • the Surveillance Devices Act 2007 (NT).


PII formats

What forms of PII are covered by the law?

The Privacy Act covers all personal information, whether it is true or not, and whether it is recorded in a material form or not.


Is the reach of the law limited to PII owners and processors of PII established or operating in the jurisdiction?

The reach of the law is not limited to companies based, or operating, in Australia.

The Privacy Act and the APPs will apply to any APP entity that is established in Australia, carries on business in Australia or collects personal information in Australia. This is quite broad and will capture, for example, any APP entity based outside of Australia that collects personal information about an individual located in Australia through a website hosted outside of Australia.

The Spam Act may also potentially apply in relation to any commercial electronic communication sent to an email address or a phone number accessed in Australia.

Covered uses of PII

Is all processing or use of PII covered? Is a distinction made between those who control or own PII and those who provide PII processing services to owners? Do owners’, controllers’ and processors’ duties differ?

Although the Privacy Act does not refer to ‘processing’ personal information, it governs the collection, holding, use, disclosure, access to and correction of personal information (which in effect are all treated as a form of processing).

Unlike in other jurisdictions, where there is a clear distinction between data controllers and data processors, the Australian regime does not distinguish between those who control or own personal information and those who process personal information. Instead, the Privacy Act applies to any APP entity that collects, uses or holds personal information (ie, any APP entity that has possession or control of any record or other material that contains personal information).

In practice, this means that parties who would usually consider themselves to be data processors have additional obligations under the Privacy Act beyond those they would normally expect to have.

Law stated date

Correct on

Give the date on which the information above is accurate.

14 May 2020.