In the digital age, privacy, data protection, good governance, as well as data rights and ownership, and freedom of information are more important than ever.
In Australia, the Commonwealth Privacy Act 1988 (Privacy Act) gives individuals rights in relation to their personal information and imposes corresponding responsibilities on businesses with a turnover of, or related to an entity with a turnover of, A$3 million or more (subject to some exceptions). There are also State and Territory based information (including health and surveillance) privacy laws. In addition, Freedom of Information laws enable businesses and individuals to seek access to government information, promoting transparency and accountability. Where businesses hold information on behalf of a government agency that is the subject of a Freedom of Information (FOI) request (eg if the business provides services to a government agency), they may also be required to produce this information in response to the FOI request.
The Privacy Act is the primary means of privacy protection in Australia. It applies to the handling of personal information and also has specific requirements for handling credit and tax file number information. Compliance with the Privacy Act is regulated by the Australian Information Commissioner (Commissioner) and their office (the OAIC).
Australian privacy laws are principles based. The Privacy Act contains 13 Australian Privacy Principles (APPs) that set out how both private sector organisations and public sector agencies must collect, use, disclose and store personal information.
The APPs also give individuals certain information privacy rights: the right to access the personal information an entity holds about them, a right to correct that information and a right to make a complaint and have it dealt with.
There are restrictions on using personal information for direct marketing purposes and other laws will apply if direct electronic marketing (eg emails, texts) or telemarketing is being conducted. While personal information may be disclosed overseas, certain steps must first be taken and entities generally remain accountable for the handling of the information by the overseas recipient. Employers' handling of personal information about their current or former employees is exempt from the Privacy Act.
The Privacy Act gives the Commissioner functions and powers, including the power to receive and investigate privacy complaints, make determinations (including payment of compensation), conduct own motion investigations, seek enforceable undertakings from an entity and apply to court for civil penalties of up to A$2.1 million for serious or repeated interferences with privacy.
The Privacy Act also includes a notifiable data breach scheme, which requires regulated entities to notify eligible data breaches (ie where a person is likely to suffer serious harm from a privacy data breach) to the Commissioner and affected individuals. Entities must also assess suspected eligible data breaches.
Consumer data right
The Commonwealth Government is currently introducing new laws that will create a Consumer Data Right for consumers (individuals and businesses) in Australia. The purpose of the right is to:
- give consumers greater control over access to, and direct sharing of, their consumer data; and
- increase competition in a sector by making it easier for consumers to compare product offerings.
The Consumer Data Right will apply in the banking sector first and is proposed to be implemented subsequently on a sector-by-sector basis.
Freedom of information
The Commonwealth Freedom of Information Act and State and Territory FOI legislation grant every person the right to access information in the possession of government departments and their agencies. The legislation requires government agencies to publish information about their operations and powers affecting members of the public as well as manuals and other documents used in making decisions and recommendations affecting the public.
Government departments and agencies must provide access to documents in their possession on receipt of an FOI request unless the document is exempt from release under the legislation.
There are a range of exemptions. These include documents subject to legal professional privilege and documents disclosing trade secrets or commercially valuable information, the unreasonable disclosure of personal information, or information that would or could reasonably be expected to adversely affect an organisation in respect of its lawful business or commercial affairs.