Caslon Analytics: Australian Privacy Regimes profile

The Privacy Act and the private sector


The Privacy Amendment (Private Sector) Act 2000 (PDF) regulates the way many private sector organisations can collect, use, keep secure and disclose personal information.

Under the new legislation consumers will have a right to know why a private sector organisation is collecting their personal  information, what information it holds about them, how it will use the information and who else will have access to that data.

Apart from specific exceptions, consumers can ask to see their information and for the information to be corrected if it is wrong. Consumers can also make a complaint if they think their information is not being handled properly. A consumer could also apply to the Federal Court or the Federal Magistrates Court for an order to stop an organisation from engaging in conduct that breaches the National Privacy Principles (NPPs).

Who's covered by the legislation?

The Act covers private sector 'organisations': an individual, body corporate, partnership, an unincorporated association or a trust.

That definition embraces:

  • businesses (including nonprofit organisations such as sports clubs, charitable organisations and unions) with a turnover of more than $3 million.
  • federal government contractors
  • health service providers that hold health information (even if their turnover is less than $3 million).
  • organisations that carry on a business that collects or discloses personal information for a benefit, service or advantage (even if their turnover is less than $3 million).
  • small businesses with a turnover of less than $3 million that choose to opt in
  • incorporated State Government business enterprises
  • any organisation that regulations say is covered

The new provisions will not apply to:

  • most State or Territory government entities (for example Ministers, departments, courts and local government councils) - they are generally covered by separate legislation identified on the following page of this profile
  • political parties and acts of political representatives in relation to electoral matters
  • most small businesses with an annual turnover of less than $3 million
  • employee records of an individual if the act or practice directly relates to a current or former employment relationship between the employer and the individual
  • media organisations in the practice of journalism

Implementation

Most organisations, including all health services holding health information, will have 12 months to get ready for the new scheme. The new provisions began to apply on 21 December 2001. Small businesses (except health services) covered by the new provisions have an additional twelve months and the new provisions will apply in December 2002.

The National Privacy Principles set the base line standards for privacy protection. Organisations may have and enforce their own codes. These codes must be approved by the Privacy Commissioner as having obligations at least equivalent to the National Privacy Principles and meet other requirements. The code must have an independent code adjudicator to handle complaints. If the code does not provide for a complaints handling mechanism the Privacy Commissioner is the code adjudicator.

Organisations that do not have their own code must comply with the National Privacy Principles set out in the Privacy Amendment Act. The Privacy Commissioner handles complaints in these circumstances.

Only some of the NPPs will apply to information organisations already hold when the new provisions start to apply.

The NPPs relating to data security, data quality when information is used and disclosed, identifiers and transborder flow will apply regardless of when the information was collected. The principle relating to access and correction will apply to all information collected after the new provisions apply, and any already existing information that is used.  Those principles relating to collection, use and disclosure, data quality when it is collected, and sensitive information will not apply to information collected before the new provisions start to apply.

What information is covered?

The Act covers personal information. It has special protection for personal information that is sensitive information. The Privacy Act only applies to information that is recorded in some form, which can include an electronic record.

Personal information is information or an opinion that can identify a person.

Sensitive information is information about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, criminal record, or health information.






