Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations.


I. Legal framework

Constitutional privacy framework

While privacy issues are now featured prominently in the daily news in Australia, the legal safeguards for personal information remain limited. Neither the Australian Federal Constitution nor the Constitutions of the six States and two Territories contain any express provisions relating to privacy.

However, in 2004 the Australian Capital Territory (ACT) became the first jurisdiction to incorporate a bill of rights. Section 12 of the Human Rights Act 2004 (ACT) creates a right of "privacy and reputation."1 The Human Rights Act incorporates international human rights standards into local ACT law by requiring all ACT laws to be interpreted consistently with human rights "as far as possible." The ACT Human Rights and Discrimination Commissioner has functions including reviewing the effect of ACT laws on human rights and reporting to the Attorney General. The Commissioner’s reports must later be tabled in the Legislative Assembly. However, the Commissioner does not have power to handle complaints.

The State of Victoria adopted a similar approach in 2006, with the public sector bound beginning January 2008 to observe a variety of civil and political rights, including the right to privacy, when they create laws, set policies and provide services. All new laws will require a Statement of Compatibility to tell Parliament whether they meet human rights standards. In exceptional circumstances Parliament may strike down a law that does not uphold human rights.2

The Australian Constitution limits the legislative power of the Australian (federal) government, with areas not expressly authorized being reserved for the States.3 The constitutionality of federal laws imposing privacy rules on the private sector has been questioned, but not so far challenged. Most commentators believe that the federal government could base any private sector privacy law on a "cocktail" of constitutional powers including those giving authority over telecommunications, corporations and foreign affairs (e.g., treaties).

Data protection framework

Privacy law in Australia comprises several federal statutes covering particular sectors and activities, some State or Territory laws with limited effect, and the residual common law protections.

In Australia there has until recently been no recognition of a general tort of protection of privacy. Very occasionally the common law has been used in support of privacy rights through actions for breach of confidence, defamation, trespass or nuisance. The New South Wales Law Reform Commission was asked in 2006 to examine the desirability of developing a statutory tort of privacy.4 It is expected to report in 2008.

An affirmation of this common law right was issued in a 2007 Victorian County Court case, in which the ABC media organization was ordered to pay a rape victim AUD 234,190 (149,000 EUR) in damages after she was named on air.5 The damages were awarded for breach of privacy and breach of confidence caused by the unjustified publication, and related to post-traumatic stress, loss of earnings and medical expenses, as well as for hurt and distress, embarrassment, humiliation and shame. The ABC has announced it will appeal the ruling on the basis that no such tort of privacy exists in Australian law.6

The principal federal statute is the Privacy Act of 1988,7 which has four main areas of application and which gives partial effect to Australia's commitment to the Organization for Economic Cooperation and Development (OECD) Guidelines and to the International Covenant on Civil and Political Rights (ICCPR), Article 17. It creates a set of 11 Information Privacy Principles (IPPs), based on those in the OECD Guidelines, that apply to the activities of most federal government agencies. A separate set of rules about the handling of consumer credit information, added to the law in 1989, applies to all private and public sector organizations. The third area of coverage is the use of the government-issued Tax File Number (TFN), where the entire community is subject to Guidelines issued by the Privacy Commissioner, which take effect as subordinate legislation. The fourth area of coverage, which only commenced in December 2001, is the wider private sector, where organizations are regulated by the National Privacy Principles (NPPs). However, private companies can apply to the Privacy Commissioner for approval of a self-developed Code of Practice containing principles that are an "overall equivalent" to the NPPs. In addition, the Act provides for several broad exemptions for employee records; media organizations; political parties; and small businesses.

According to the Federal Government the small business exemption will exempt about 94 percent of all Australian businesses but only 30 percent of total business sales, an exception that includes many Internet companies.8 The breadth of the exemption for political parties was demonstrated in March 2005 when the Privacy Commissioner had to decline a request to investigate complaints regarding telemarketing activities during the campaign period for the October 2004 federal election, including the use of spam,9 and allegations that the Liberal Party had accessed silent telephone numbers to make political canvassing calls.10 The exemption also excludes from view the increasing use of databases by political parties to track voter preferences and create customized marketing material for voters.11

There are also weaknesses in the enforcement regime including, for example, allowing privacy complaints to be handled initially by an industry-appointed code authority, although a right of appeal to the Privacy Commissioner was inserted by Opposition parties. The Act does, however, include an innovative principle of anonymity. Even so, the mere existence of the anonymity principle has not prevented the development of electronic road tolling systems that identify every vehicle, and the impact of this principle on the development of electronic health records, for example, remains to be seen.

The Privacy Act of 1988 has been widely criticized as failing to meet international standards of privacy protection. The 2004 amendments to the Privacy Act included extending correction rights to non-Australians, extending the scope of the transborder data flow control (Principle 9) to data about non-Australians, and ensuring that the Privacy Commissioner could approve Codes of Practice that voluntarily covered otherwise exempt acts and practices.12 The third and latest attempt at a comprehensive review of the Privacy Act by the Australian Law Reform Commission (ALRC) is not due to report its findings until 2008.13

There are two other federal privacy-related laws for which the federal Privacy Commissioner is also the supervisory and complaint handling agency. The first one is Part VIIC of the Crimes Act,14 enacted in 1989, which provides some protection to individuals who have had criminal convictions in relation to so-called "spent" convictions (i.e., convictions for relatively minor offenses which they are allowed to "deny" or have discounted after a set period of time). The second one is the Data-Matching Program (Assistance and Tax) Act 199015 that provides detailed procedural controls over the operation of a major program of information matching between federal tax and benefit agencies.

Privacy regulator

The Office of the Federal Privacy Commissioner enforces the Privacy Act.16 The Office has a wide range of functions, including handling complaints, auditing compliance, promoting community awareness, and advising the government and others on privacy matters. The Commissioner has so far approved three Codes of Practice under the private sector regime: for the General Insurance Industry, which has its own adjudicator for complaints, the Licensed Clubs in the state of Queensland, which defaults to the Privacy Commissioner for complaints, and the "Market and Social Research and Privacy Code" for the Association of Market Research Organisations.17 The Code provides some standards that are higher than the NPPs, including giving the data subject the right to choose whether to destroy or de-identify their information after use.18

As of 2006, the Office had 40 full-time staff and seven part-time staff divided into four sections: Compliance, Policy, Corporate and Public Affairs, and the Executive.19 The number of complaints received in the period from July 2005 to June 2006 totaled 1,183, slightly less than the previous year. 62% of the complaints concerned application of the NPPs to the private sector; 14% concerned credit reporting; and 13% concerned the information privacy principles.20 The largest categories of complaints concerned the financial industry (202); followed by the Australian Government (159); the debt/credit industry (131); health service providers (123); telecommunications and Internet service providers (83); landlords and real estate agents (59); insurance organizations (41); and retail (31).21 In 2005-06 the Commissioner’s office also received 19,150 telephone enquiries.22

Section 52 of the Privacy Act provides that the Commissioner may make formal determinations in relation to complaints investigated. The determination by the Commissioner may dismiss the complaint, or may find the complaint substantiated and declare that the respondent should cease to breach the Act, take any reasonable steps to redress damage suffered by the complainant, or pay compensation to the complainant. Importantly, Section 52 determinations are not legally binding on the respondent. The Commissioner, the complainant, or the adjudicator for an approved privacy code can commence proceedings in the Federal Court or Federal Magistrates Court for an order to enforce a determination.

In a rash of self-reporting of privacy breaches in mid-2006, Federal Government agencies Centrelink (the social security benefits agency), the Child Support Agency and the Australian Taxation Office each admitted they had found multiple cases of staff inappropriately accessing, amending, using and disclosing customer records. Centrelink found 600 staff over a two-year period had committed 790 breaches; of these, 19 were sacked and almost 100 resigned. The Child Support Agency discovered 405 breaches, including 69 cases where sensitive information including addresses was given to former spouses. At the Taxation Office, 16 of 27 offending staff were sacked or resigned.23

The Victorian State Police have also been subject to a series of embarrassing privacy breaches. In 2005 the Office of Police Integrity called for the Police’s LEAP database to be scrapped because of a series of security breaches. The Office of Police Integrity itself later mistakenly posted LEAP files on more than 400 people to a single complainant, and an IBM technician authorised to audit the LEAP system accidentally emailed files on up to 1,000 people to a whistleblower. Another case saw details of a person's criminal record wrongly attributed to another person after a routine records check for an employer.24