THE MAIN data protection law in Australia in relation to privacy is the Privacy Act 1988 (Cth). It has been amended by the Privacy Amendment (Private Sector) Act 2000 (Private Sector Act), which came into operation in December 2001 and effectively extends the operation of the 1988 Act to the private sector.
The regime introduced by the Private Sector Act has far-reaching consequences for both the business community and consumers in Australia. The stated aim is to reduce obstacles to the development, take-up and use of electronic commerce and other new technologies resulting from concerns about the possible mishandling of personal information by the private sector, while at the same time avoiding excessive red tape and minimising the cost of compliance on business.
The 2000 Act creates a co-regulatory legislative framework through the development of self-regulatory codes of practice by organisations that must achieve certain minimum standards of privacy protection set out in 10 National Privacy Principles (NPPs) in the act. The NPPs are the core of the private sector regime and establish minimum standards in relation to the collection, holding, use, disclosure, management, access, correction and disposal of personal information about natural persons. The NPPs also include special measures with regard to certain types of personal information defined as sensitive. In the absence of a relevant self-regulatory code, the NPPs themselves will apply.
The requirements of the Private Sector Act have affected, directly or indirectly, all businesses in Australia. Organisations subject to regulation under the act have been required to implement changes to transactional documents, internal and external information handling and security procedures, information technology requirements, customer communications and training of staff in order to comply with the new regime. Maintaining compliant information-handling practices is a continuing challenge.
It is important to note that the Private Sector Act does not stand alone. Regulation of information-handling practices in Australia intended to protect individuals' privacy has existed in a number of forms prior to the Private Sector Act, although these existing regimes will not be considered in any detail in this article.
A number of state and territory governments have enacted legislation affecting their governments' dealings with individuals' personal information, for example the Privacy and Personal Information Act 1998 in New South Wales. Other existing forms of regulation of information-handling practices affecting the private sector include (1) common law obligations of confidentiality; (2) a number of statutory mechanisms affecting specific industry sectors; and (3) voluntary codes of conduct adopted by industry groups, for example the Insurance Council of Australia, the Australian Direct Marketing Association, and the Australian Bankers Association.
The 1988 Act required federal government agencies to act in accordance with 11 Information Privacy Principles (IPPs), which are broadly similar to the NPPs. The Privacy Act also applies to private sector organisations (1) in relation to the collection, storage, use and security of tax file number information; and (2) in relation to the information-handling practices of credit reporting agencies, credit providers and associated persons.
SCOPE OF PRIVATE SECTOR REGIME
The Private Sector Act introduced a new regime, termed "the private sector regime," which operates within the existing structure of the 1988 Privacy Act. References in this paper to sections are, unless otherwise stated, references to sections of the Privacy Act 1988, as amended by the Private Sector Act.
The 2000 Act extends regulation of the handling of all forms of personal information across the private sector, and it introduces new provisions and modifies a number of existing provisions, while leaving the preexisting obligations on private sector organisations regarding tax file number information and credit reporting practices in place. …