Data protection in Australia: overview
A Q&A guide to data protection in Australia.
This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.
This article is part of the global guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-guide.
In Australia, the federal Privacy Act 1988 (Cth) (Privacy Act) regulates the collection, use and disclosure of personal data (referred to in the Act as "personal information").
Significant amendments to the Privacy Act came into effect in March 2014, including the introduction of the Australian Privacy Principles. These are a legally binding set of principles that are pivotal to privacy protection under the Privacy Act.
Various privacy laws also exist at state level. Generally, these regulate:
The handling of personal data by the public sector.
The handling of health-related personal data by both the public and private sectors.
Various other issues, such as surveillance and use of criminal record information.
However, this article will focus only on the federal Privacy Act.
The Privacy Act contains specific provisions for credit reporting bodies and credit providers, which place obligations on such entities in relation to the handling of consumer credit information. Specific rules also apply to the handling of tax file number information (these rules are set out in the Privacy (Tax File Number) Rule 2015, issued under the Privacy Act).
Other federal laws relevant to the handling of personal data include:
Taxation Administration Act 1953 (Cth). This prohibits the disclosure of certain taxpayer information and places strict obligations on taxation officers with respect to such information.
Telecommunications (Interception and Access) Act 1979 (Cth). This prohibits the interception of, and other access to, telecommunications except where authorised in special circumstances.
Telecommunications Act 1997 (Cth). This prohibits the unauthorised disclosure of personal data relating to customers of telecommunications or internet service providers.
Do Not Call Register Act 2006 (Cth). This prohibits telemarketing calls to telephone numbers listed on the national Do Not Call Register.
Spam Act 2003 (Cth) (Spam Act). This prohibits the sending of unsolicited commercial electronic messages (see Question 19).
Scope of legislation
The Privacy Act applies to "APP entities". These include:
Private sector organisations. These can include individuals, corporate bodies, partnerships and other unincorporated associations and trusts.
Federal government agencies. The following agencies are bound by the Privacy Act (among others):
Australian Securities and Investments Commission (that is, the regulator for corporate and financial services);
Australian Competition and Consumer Commission (that is, the regulator for competition and fair trading).
Importantly, the Privacy Act applies differently to "organisations" and "agencies".
This article will focus mainly on the obligations of organisations (although in many cases, the obligations of agencies will be the same or similar).
The Privacy Act regulates the handling of personal information. "Personal information" is information or an opinion about an identified individual, or an individual who is reasonably identifiable (for example, an individual's name and address, resume or photograph), regardless of whether the information is true or whether the individual is named.
Where information is sufficiently specific to enable identification of the data subject, it will constitute personal information. De-identified data is not regulated by the Privacy Act, but only while the individual is no longer reasonably identifiable from it; data that can readily be re-linked to an individual (for example, by combining it with other information the entity holds) remains personal information.
The Privacy Act applies to acts or practices engaged in within Australia.
The Privacy Act also extends to acts or practices engaged in outside Australia by any entity with an Australian link. An entity has an "Australian link" if it was formed or incorporated in Australia. An entity that was formed or incorporated outside of Australia can also have an Australian link if both:
The entity carries on business in Australia.
The personal data was collected or held by the entity in Australia.
According to the Australian Privacy Principle Guidelines (that is, a non-binding set of guidelines issued by the Information Commissioner (Commissioner)), a foreign company that collects the personal data of Australians will have an Australian link if it has some activity in Australia that forms part of its business (for example, the company has a website which offers goods or services to countries including Australia).
In addition, in certain circumstances an entity can be held liable where it discloses personal data overseas and the overseas recipient breaches the Australian Privacy Principles in relation to that data (see Question 20).
The following entities are exempt from the operation of the Privacy Act:
Registered political parties.
State or territory authorities.
Individuals acting in a non-business capacity.
Employer organisations acting in respect of employee records.
Small business operators.
Small business operator exemption
In general, the small business operator exemption applies to businesses with an annual turnover of A$3 million or less for the previous financial year.
However, the small business operator exemption will not apply where the entity, for example:
Provides a health service and holds health information.
Discloses personal data to others for a benefit.
Provides a benefit to collect personal data.
Is a credit reporting body.
Employee record exemption
Employer organisations acting in respect of employee records are generally exempt from the operation of the Privacy Act. For the exemption to apply, all of the following elements must be present:
The employer is acting in its capacity as a current or former employer of a data subject.
The act or practice is directly related to a current or former employment relationship between the employer and the data subject.
The act or practice is directly related to an employee record (being any record generated in the course of a data subject's employment) held by the employer.
Entities commonly seek to comply with the notification requirement (see Australian Privacy Principle 5, below) by providing privacy collection statements to data subjects when personal data is collected (see Question 12).
There is no requirement to notify the Office of the Australian Information Commissioner (OAIC) (that is, the regulator for the handling of personal data) when collecting and/or processing personal data.
Main data protection rules and principles
Main obligations and processing requirements
The key obligations on entities that handle personal data are set out in the Australian Privacy Principles (APPs). These are 13 legally binding principles that govern the collection, use and disclosure of personal information.
The Privacy Act does not distinguish between entities that "control" personal data and entities that "process" personal data. Therefore any handling of personal data is subject to the Privacy Act.
The APPs are summarised below:
APP 1: Open and transparent management of personal information. Entities must take reasonable steps to implement practices, procedures and systems that ensure compliance with the APPs (APP 1.2), and must have a clearly expressed and up-to-date privacy policy describing how they manage personal data.
APP 2: Anonymity and pseudonymity. Data subjects must have the option of not identifying themselves, or of using a pseudonym, when dealing with entities (except where impracticable).
APP 3: Collection of solicited personal information. This outlines when the collection of personal data is permitted, including when consent is required (for more information, see Question 9).
APP 4: Dealing with unsolicited personal information. If an entity receives unsolicited personal data, it must determine whether or not it could have collected the data itself under the APPs. If not, the entity must destroy or de-identify the data.
APP 5: Notification of the collection of personal information. Entities must take reasonable steps to notify data subjects of certain matters at the time personal data is collected, or as soon as is practicable afterwards. Such matters include:
the entity's contact details; and
the purpose for which the entity collected the data.
APP 6: Use or disclosure of personal information. Subject to certain exceptions, if an entity holds personal data collected for a particular purpose, it must not use or disclose that information for another purpose without the data subject's consent (for more information, see Question 9).
APP 7: Direct marketing. Entities must not use or disclose personal data for direct marketing unless an exception applies. Where direct marketing is permitted, entities must always provide a means for the data subject to opt out of direct marketing communications.
APP 8: Cross-border disclosure of personal information. Subject to certain exceptions, before an entity discloses personal data to a third party located outside of Australia, the entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs. In certain circumstances, the entity can be deemed liable for any breach of the APPs committed by the overseas recipient.
APP 9: Adoption, use or disclosure of government related identifiers. Entities are restricted in the way they can adopt, use and disclose government-related identifiers (such as tax file numbers and Medicare numbers).
APP 10: Quality of personal information. Entities must take reasonable steps to ensure that the personal data they collect, use or disclose is accurate, up-to-date and complete.
APP 11: Security of personal information. Entities must take reasonable steps to protect the personal data they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. Entities must also destroy or de-identify personal data if they no longer need it for any purpose for which it could be used or disclosed under the APPs.
APP 12: Access to personal information. Subject to certain exceptions, entities must provide data subjects with access to their personal data.
APP 13: Correction of personal information. Entities must take reasonable steps to correct personal data to ensure it is accurate, up-to-date, complete, relevant and not misleading.
Consent requirements when collecting personal data
Although there is no overarching requirement to obtain the data subject's consent before collecting personal data, entities can only collect personal data:
By lawful and fair means.
Directly from the data subject (where practicable).
If reasonably necessary for the entity's functions.
However, consent is required if the personal data is "sensitive information" (see Question 11). In certain limited circumstances, an entity may be able to collect sensitive information without consent (for example, where the collection is required by law).
Consent requirements when using or disclosing personal data
There is no need to obtain the data subject's consent to the use or disclosure of personal data if both:
The personal data was collected for a particular purpose (primary purpose).
The use or disclosure is for that primary purpose.
The primary purpose is the specific function or activity for which the entity collects the personal data (for example, to provide a service to the data subject); what that purpose is depends on the circumstances.
Consent is required for any use or disclosure for another purpose (secondary purpose). However, this is subject to certain exceptions. For example, the rule will not apply where both:
The data subject would reasonably expect the information to be used or disclosed for the secondary purpose.
The secondary purpose is related to the primary purpose (or in the case of sensitive information, is directly related to the primary purpose).
An entity must generally obtain a data subject's consent to both:
Collect personal data that is sensitive information.
Use or disclose personal data for a secondary purpose (unless an exception applies).
Apart from the exceptions noted above, there is no way to avoid the requirement to obtain consent in these circumstances.
In the Commissioner's view, consent may reasonably be inferred in the circumstances from the conduct of the data subject and the entity (Australian Privacy Principle Guidelines).
The Australian Privacy Principles place more stringent obligations on entities when they handle sensitive information. For example, an entity must generally obtain a data subject's consent to collect personal data that is sensitive information. "Sensitive information" includes:
Information relating to race or ethnic origin.
Information on any membership of political, professional or trade organisations.
Information on sexual orientation.
Information on religious and political beliefs.
Information on criminal record.
Health information, genetic information and biometric information.
Rights of individuals
Entities must take reasonable steps to provide data subjects with certain information at the point of collection (or as soon as is practicable after). This includes providing:
The entity's contact details.
How the data was collected (if unclear to the data subject).
The purposes for which the entity collected the data.
The types of entities to which the entity usually discloses personal data of the kind collected.
Whether the entity is likely to disclose the personal data to overseas recipients (and, if so, to which countries).
Right to access personal data
Subject to certain exceptions, if an entity holds personal data about a data subject it must provide the data subject with access to the data on request. Entities must respond to requests for access within a reasonable period after the request is made.
Right to seek correction of personal data
Data subjects have a right to have their personal data corrected. Entities must therefore take reasonable steps to correct personal data when either:
The data subject requests the data to be corrected.
The entity is satisfied that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.
If the entity refuses to correct the personal data, it must provide the data subject with written notice setting out:
The reasons for its refusal.
The mechanisms available to the data subject to complain about the refusal.
Right to complain to the Commissioner
Data subjects can complain to the Commissioner about the handling of their personal data by entities bound by the Privacy Act. The enforcement powers of the Commissioner and the sanctions and remedies for non-compliance with the Privacy Act are discussed in Questions 25 and 26.
Data subjects do not have the right to request the deletion of their personal data. However, entities must:
Take reasonable steps to correct personal data when the data subject requests data to be corrected (see Question 13, Right to seek correction of personal data).
Destroy or de-identify the personal data if they no longer need it for any purpose for which it may be used or disclosed under the Australian Privacy Principles.
Entities must take reasonable steps to protect the personal data they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. Entities must also destroy or de-identify personal data if they no longer need it for any purpose for which it may be used or disclosed under the Australian Privacy Principles.
The OAIC's Guide to securing personal information provides guidance on these obligations. The Australian Privacy Principle Guidelines suggest that what is "reasonable" will depend on the circumstances, taking into account, for example:
The nature of the entity.
The sensitivity of the personal data.
The possible adverse consequences for data subjects in the case of breach.
The practical implications of implementing certain security measures.
There is no express obligation to notify personal data security breaches to the OAIC or to the affected data subjects. However, non-binding guidance issued by the OAIC states that entities should notify the affected data subjects of a breach if there is a real risk of serious harm resulting from the breach.
The Federal Government has indicated it is committed to enacting a mandatory data breach notification scheme. The exposure draft of the proposed legislation was released in late 2015, and (at the time of writing) is now open for public comment, with submissions closing on 4 March 2016. The exposure draft indicates that companies will be required to:
Notify the OAIC and affected data subjects of serious data breaches.
Put processes in place to allow them to quickly determine when a data breach has occurred and whether they have a notification obligation in respect of the breach.
Processing by third parties
There are no specific rules governing the handling of personal data by third parties. The disclosing entity and the third party recipient each have their own obligations under the Privacy Act (to the extent each is bound by the Act). For example, each party must comply with the Australian Privacy Principles in relation to its own collection, use and disclosure of personal data.
In addition, an entity's obligation to take reasonable steps to secure personal data requires the entity to take reasonable steps to ensure that any third party handling personal data on their behalf also takes adequate steps to protect the data.
The Spam Act regulates the sending of unsolicited commercial electronic messages. Broadly, a "commercial electronic message" is an email, SMS, MMS or instant message that offers, advertises or promotes the supply of goods or services or a supplier of goods or services.
A commercial electronic message can only be sent where all of the following apply:
The data subject gives consent (either express or inferred).
The message clearly identifies the sender.
The message contains a functional unsubscribe facility.
In certain circumstances, consent can be inferred through an existing business relationship between the sender and the data subject.
The direct marketing principle (Australian Privacy Principle 7) does not apply to the extent that the Spam Act (or the Do Not Call Register Act 2006 (Cth)) applies to the communication; the remaining provisions of the Privacy Act continue to apply to the personal data involved.
International transfer of data
Transfer of data outside the jurisdiction
The general rule is that before an entity discloses (a term that is broader than "transfers") personal data to an overseas recipient, the entity must take reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles (Australian Privacy Principle 8).
However, this requirement does not apply if any of the following applies:
The entity obtains the consent of the relevant data subjects in the way stipulated by the Australian Privacy Principles (informed consent).
The overseas recipient is bound by a similar overseas law that the Australian data subject can enforce.
Another exception applies (for example, the disclosure of personal data is required by Australian law).
Obtaining informed consent is difficult, and in most cases the overseas recipient will not be subject to a similar overseas law that is enforceable by the relevant data subjects. Accordingly, in most cases entities must take "reasonable steps" to ensure the overseas recipient does not breach the Australian Privacy Principles prior to disclosing that information to the overseas recipient. Entities commonly seek to comply with this requirement by obtaining a contractual commitment from the overseas recipient that it will handle all personal data in accordance with Australian privacy law.
In certain circumstances an entity can be held liable when it discloses personal data overseas and the overseas recipient breaches the Australian Privacy Principles in relation to that data.
There is no legislative requirement to store personal data in Australia, but personal data can only be disclosed to overseas recipients if the requirements of Principle 8 are met (see Question 20).
Data transfer agreements
The concept of a data transfer agreement does not exist in Australian law. Instead, entities usually require a third-party recipient of personal data to enter into a binding agreement on the handling of the personal data (Data Handling Agreement). This is done to comply with:
The obligation to actively take reasonable steps to implement practices, procedures and systems that will ensure that the entity complies with the Australian Privacy Principles (APPs) (APP 1.2).
The obligation to ensure the security of personal data (APP 11).
The obligation to take reasonable steps to ensure that overseas recipients handle personal data in accordance with the APPs (APP 8).
There is no requirement for a Data Handling Agreement to take a particular form.
The concept of a data transfer agreement does not exist in Australian law. The execution of a Data Handling Agreement (see Question 22) is also not enough to legitimise the transfer or disclosure of personal data to a third party. An entity disclosing personal data to a third party must ensure that the disclosure complies with the requirements of Australian Privacy Principle (APP) 6 (for example, that the disclosure was made for the primary purpose of collection, unless an exemption applies) (see Question 9, Consent requirements when using or disclosing personal data).
In certain circumstances, however, the execution of an appropriate Data Handling Agreement may go some way to demonstrate that the entity has met its other obligations under the Privacy Act in relation to the disclosure. For example, the entity's obligations to:
Actively take reasonable steps to implement practices, procedures and systems that will ensure that the entity complies with the APPs (APP 1.2).
Ensure the security of personal data (APP 11).
Take reasonable steps to ensure that overseas recipients handle personal data in accordance with the APPs (APP 8).
The concept of a data transfer agreement does not exist in Australian law. There is no requirement for the OAIC to approve the form of Data Handling Agreement (see Question 22).
Enforcement and sanctions
The Commissioner is the key player in the enforcement of the Privacy Act. The Commissioner has a range of powers to investigate breaches and promote compliance, including the power to:
Audit an entity's compliance.
Accept written undertakings (and commence proceedings to enforce them).
Register binding codes of practice.
Make determinations in relation to own-motion investigations.
In response to a complaint made by a data subject, the Commissioner can:
Attempt, by conciliation, to settle the complaint between the parties.
Make a determination in response to the complaint.
The Commissioner can also commence proceedings to:
Enforce undertakings and determinations.
Seek injunctive relief.
Apply for a civil penalty order. For serious or repeated breaches, the court can impose fines of up to:
A$360,000 for individuals; and
A$1.8 million for corporations.
The Commissioner must make a reasonable attempt to conciliate complaints made by data subjects if it is reasonably possible to do so.
The Australian Communications and Media Authority (that is, the regulator of the Spam Act) has separate enforcement powers.
The OAIC actively enforces the Privacy Act. In the 2014-15 financial year, the OAIC (source: OAIC 2014-15 annual report):
Finalised 1976 privacy complaints.
Commenced four Commissioner-initiated investigations.
Commenced 12 privacy assessments involving 85 entities.
Issued seven privacy determinations.
Non-compliance with the Privacy Act can result in the following sanctions:
Determinations. The Commissioner can make determinations that:
an act or practice constitutes an interference with privacy;
the entity must take specified steps to ensure that the act or practice is not repeated or continued;
the affected data subject is entitled to compensation or other redress (the Commissioner can award compensation for "loss or damage", which includes injury to the data subject's feelings or humiliation suffered by the data subject).
If a determination is made in response to an investigation conducted by the Commissioner on its own motion, the Commissioner can commence proceedings to enforce the determination. If a determination is made in response to a data subject's complaint, the Commissioner or the data subject can commence proceedings to enforce the determination. If proceedings to enforce a determination are commenced, the court will consider whether the offending entity has breached the Privacy Act by way of a fresh hearing of the case.
Injunctions. The Commissioner, the data subject or any other person has the right to commence proceedings to seek injunctive relief where an entity has engaged, or is proposing to engage, in any conduct that would constitute a breach of the Privacy Act.
Penalties. The Commissioner can apply to the court for a civil penalty order. For serious or repeated breaches of the Privacy Act, these can be:
A$360,000 for individuals; or
A$1.8 million for corporations.
These penalties are regulatory fines and cannot be used to compensate data subjects.
Separate sanctions apply for breaches of the Spam Act.
Office of the Australian Information Commissioner (OAIC)
Main areas of responsibility. The OAIC is an independent statutory agency which is responsible for conducting investigations, handling complaints and providing information to the public and industry to facilitate privacy compliance. In addition to its privacy functions, the OAIC is responsible for oversight of the government freedom of information legislation.
Australian Communications and Media Authority (ACMA)
Main areas of responsibility. The ACMA is an independent statutory authority which enforces the Spam Act. More broadly, it is responsible for regulating broadcasting, the internet, radio communications and telecommunications.
ComLaw
Description. The ComLaw website is administered by the Attorney-General's Office and provides current and previous versions of legislation, including the Privacy Act and the Spam Act.
Office of the Australian Information Commissioner (OAIC)
Description. The OAIC website provides information and resources on the Privacy Act, including the Australian Privacy Principle Guidelines issued by the Commissioner.
Australian Communications and Media Authority (ACMA)
Description. The ACMA website provides information and resources on the Spam Act.
Michael Morris, Partner
Professional qualifications. LLB (Hons) BBus; Solicitor, Queensland, Australia
Areas of practice. Communications; technology; intellectual property; data protection.
Emily Cravigan, Senior Associate
Professional qualifications. LLB (Hons) BA; Solicitor, Queensland, Australia
Areas of practice. Communications; technology; intellectual property; data protection.