- The Privacy Act 1988 (Privacy Act) was passed by the Australian Parliament at the end of 1988 and commenced in 1989. The Act gave effect to Australia’s agreement to implement the Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, as well as to its obligations under Article 17 of the International Covenant on Civil and Political Rights.
- The Office of the Australian Information Commissioner (OAIC) is an independent statutory agency within the portfolio of the Attorney-General, Senator the Hon. George Brandis QC, and is responsible for privacy functions that are conferred by the Privacy Act and other laws.
- One of the functions of the OAIC is to promote an understanding and acceptance of the Australian Privacy Principles (APPs) and the objects of those principles. The APPs, which are contained in schedule 1 of the Privacy Act, outline how Government agencies, all private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses (collectively called ‘APP entities’) must handle, use and manage personal information.
- Under the Notifiable Data Breach Scheme, agencies and organisations regulated under the Privacy Act are required to notify affected individuals and the OAIC when a data breach is likely to result in serious harm to individuals whose personal information is involved in the breach.
The Privacy Act 1988 (Privacy Act) regulates the handling of personal information about individuals.
Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable.
The Privacy Act includes thirteen Australian Privacy Principles (APPs). The APPs set out standards, rights and obligations for the handling, holding, use, access and correction of personal information (including sensitive information).
Office of the Australian Information Commissioner (OAIC)
The Office of the Australian Information Commissioner (OAIC) is an independent Australian Government agency established to:
- promote access to government information, including your right to access documents under the Freedom of Information Act 1982 (FOI Act)
- ensure your personal information is handled in accordance with the Privacy Act 1988 and other laws
- advise the Australian Government on information policy.
The OAIC functions include conducting investigations, reviewing decisions made under the FOI Act, handling complaints, monitoring agency administration and providing advice to the public, government agencies and businesses.
The OAIC is headed by the Australian Information Commissioner Angelene Falk, who is supported by the Freedom of Information Commissioner (this position has been left vacant by the government since December 2014), the Privacy Commissioner (currently also Ms Falk) and staff.
Australian Privacy Principles (APPs)
The Australian Privacy Principles (APPs), which are contained in schedule 1 of the Privacy Act, outline how most Australian Government agencies, all private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses (collectively called ‘APP entities’) must handle, use and manage personal information.
While the APPs are not prescriptive, each entity covered by the Privacy Act needs to consider how the principles apply to its own situation. The principles cover:
- an individual having the option of transacting anonymously or using a pseudonym where practicable
- the collection of solicited personal information and receipt of unsolicited personal information including giving notice about collection
- how personal information can be used and disclosed (including overseas)
- maintaining the quality of personal information
- keeping personal information secure
- the right of individuals to access and correct their personal information.
There are also separate APPs that deal with the use and disclosure of personal information for the purpose of direct marketing (APP 7), cross-border disclosure of personal information (APP 8) and the adoption, use and disclosure of government related identifiers (APP 9).
- For a summary of the APPs, see the APP quick reference tool; for more detail, see the full text of the APPs.
- Additional information on complying with the APPs can be found in the APP guidelines.
- The OAIC also provides a training webinar on the APPs, aimed at people who are unfamiliar with the Privacy Act.
Notifiable Data Breach (NDB) Scheme
Coming into effect in February 2018, the Notifiable Data Breach (NDB) scheme applies to all agencies and organisations (including Intuit) that are regulated under the Privacy Act. All agencies and organisations with existing personal information security obligations under the Privacy Act are required to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm to individuals whose personal information is involved in the breach.
The scheme includes an obligation to notify individuals whose personal information is involved in a data breach that is ‘likely’ to result in ‘serious harm’. The notification must include recommendations about the steps individuals should take in response to the breach. The OAIC must also be notified of eligible data breaches.
‘Serious harm’ is not defined in the Privacy Act. In the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm. The word ‘likely’ means that the risk of serious harm to an individual is more probable than not (rather than merely possible).
Agencies and organisations are expected to be prepared to conduct a quick, objective assessment of a suspected data breach to determine whether it is likely to result in serious harm and therefore requires notification. The Privacy Act requires this assessment to be completed within 30 days of the entity becoming aware of reasonable grounds to suspect an eligible data breach, and notification must follow as soon as practicable once the entity forms that belief.
Notifications to the Commissioner should be lodged through the Notifiable Data Breach form.