All images are of AAR staff and partners
Allens Arthur Robinson
Privacy homeOverviewNPPs & codesComplyingLegislation & linksIndustriesNews
Home »  Legislation & links »  
Print Version
Or use advanced search
Introduction
State legislation
 Feedback
 Contacts
 Glossary


State legislation

New South Wales

State legislation

The operative privacy law in New South Wales is the Privacy and Personal Information Protection Act 1998 (NSW). This Act provides for a set of privacy standards (Information Protection Principles) for the New South Wales public sector which regulate the way public sector agencies handle personal information and also created the Office of NSW Privacy Commissioner. The Privacy Commissioner has powers to investigate complaints about both public sector organisations as well as other organisations and individuals about those privacy issues the Commissioner thinks appropriate. Complainants concerning the public sector can further appeal to the Administrative Appeals Tribunal.

The Health Records and Information Privacy Act 2002 commenced on 1 September 2004. This Act provides a right of access to health information held by both public and private sector organisations in NSW, and sets up a framework for resolving complaints about the handling of health information. The Act applies to:

(a) health service providers; and

(b) organisations that collect, hold or use health information.

Workplace Surveillance Act 2005 seeks to prohibit covert surveillance of an employee without appropriate notice. Three key aspects of surveillance are covered:

  • camera surveillance;
  • computer surveillance (surveillance of an employee's use of a work computer); and
  • tracking surveillance (surveillance of the location or movements of an employee).

The Act will also enable Magistrates to authorise covert surveillance operations to determine whether or not an employee is engaged in illegal activity.

The Listening Devices Act 1984 regulates use of listening devices and the admissibility of evidence collected as a result. Where video surveillance captures sound as well as images, this Act may be relevant to that surveillance. The Terrorism Legislation Amendment (Warrants) Act 2005 (date for commencement not yet specified) will amend the Listening Devices Act 1984 by extending the maximum period during which listening devices may be used for certain Commonwealth terrorism offences to 90 days.

Interaction with Privacy Act 1988 (Cth)

The Federal Privacy Act has a saving provision which allows the unaffected operation of State and Territory Laws which regulate the collection, holding, use, correction, disclosure or transfer of personal information (subject, of course, to s109 of the Commonwealth Constitution which provides that to the extent that a State law is inconsistent with a Federal law, the State law is void).

To toptop of page

Queensland

State legislation and regulations

There is no legislation that specifically addresses privacy in Queensland. Government departments are bound by Information Standards 42 and 42A. There is legislation that has an indirect effect on personal privacy, for example, the Invasion of Privacy Act 1971 (Qld) and associated regulations protect privacy rights by requiring the licensing and control of credit reporting agents and regulating the use of listening devices.

Also, chapter 33A of the Criminal Code deals with the stalking of individuals.

Information Standards

Information Standards in Queensland are issued under the authority of ss 22(2) and 56(1) of the Financial Management Standard 1997 and apply to all accountable officers and statutory bodies (including government departments) as defined under the Financial Administration and Audit Act 1977. The requirement for agencies to comply with Information Standards and Guidelines is administratively based. This means that:

  • where conflicting requirements exist, any legislative requirements will supersede compliance with the Information Standard;
  • any outsourcing arrangement, contracts and licenses will be expected to comply with the relevant Information Standard. Note that where any outsourcing arrangements, contracts or licenses which existed before the implementation of the private sector provisions of the Privacy Act contemplated a future privacy regime (for example, where privacy clauses were written into a contract or license in anticipation of a future privacy regime) it may be possible that terms have been or can be negotiated.
Information Standard 42

Information Privacy
Information Privacy Guidelines

The IS 42 and its guidelines apply to most statutory Government Owned Corporations (GOC) and their subsidiaries. It requires personal information to be managed in accordance with the Information Privacy Principles adapted from the Commonwealth Government public sector IPPs contained in the Privacy Act 1988 (Cth). There are a number of bodies exempt from IS 42 (e.g. Royal Commissions and commissions of inquiry) and certain personal information is exempt (e.g. witness protection information). IS 42 specifically does not apply to the Queensland Department of Health.

Information Standard 42A

Information Privacy for the Queensland Department of Health
Information Privacy Guidelines

IS 42A applies only to the Queensland Department of Health and requires personal information to be managed in accordance with the National Privacy Principles adapted from the Commonwealth NPPs contained in the Privacy Act 1988 (Cth) (rather than the Information Privacy Principles (IPPs)).

IS 42A applies the NPPs to the Queensland Department of Health, but otherwise reflects the content and mandatory requirements contained in Information Standard No 42. Certain personal information is exempt from the operation of the IS (e.g. whistleblowers) and certain principles have been deleted because the issues are dealt with elsewhere (eg NPP 6 as the right of access and correction is limited to the Freedom of Information Act 1992 (Office of the Information Commissioner Queensland) and/or the Department of Health's Administrative Access to Health Records Policy).

To toptop of page

Western Australia

State legislation and regulations

There is no legislation that specifically addresses privacy in Western Australia. There is legislation that has an indirect effect on personal privacy, for example, the Surveillance Devices Act 1998 (WA) protects privacy rights by restricting the use, installation and maintenance of listening devices to record 'private conversations'.

Bills

The Western Australian Attorney-General, Jim McGinty, released a discussion paper in May 2003 proposing the introduction of Western Australian privacy laws. The proposed Act would apply to the Western Australian public sector and private contractors working for government. It would also apply to the private sector in relation to health information only.

The key proposals include:

  • a set of principles governing the storage, collection, security, use, disclosure and correction of personal information;
  • creation of an office of Privacy and Information Commissioner for the purpose of administering the new Privacy Act and the FOI Act (in contrast to the New South Wales Bill, which proposes to remove this office);
  • creating an individual complaints mechanism; and
  • creating criminal offences for serious, flagrant or repeated violations of information privacy principles or privacy codes.

As yet, no Bill has been put to the Western Australian Parliament.

To toptop of page

South Australia

State legislation and regulations

There is no legislation that specifically addresses privacy in South Australia. There is legislation that has an indirect effect on personal privacy, for example, the Listening Devices Act 1972 (SA) protects privacy rights by restricting the use, installation and maintenance of listening devices to record 'private conversations'.

There is also the Casino Act 1997 and the Security and Investigation Agents Act 1995 which regulate the installation and operation of surveillance systems in South Australia.

Bills

There are no bills currently before Parliament.

To toptop of page

Victoria

State legislation

The collection and handling of personal information in the Victorian public sector (including government organisations, statutory bodies and local councils) is subject to the Information Privacy Act 2000 (Vic) which came into full effect on 1 September 2002. Organisations performing work for Victorian government may also be subject to the Act, depending on the particular contract.

The Act requires public sector organisations (with some limited exceptions) to comply with ten Information Privacy Principles (IPPs) or have an approved code of practice. Health information is not governed by the Act and is the subject of separate legislation, as noted below. Privacy Victoria is the Office of the Victorian Privacy Commissioner, an independent statutory office established pursuant to the Act, which has authority to administer and enforce the Act and to investigate and conciliate complaints. Disputes which cannot be resolved may be referred to the Victorian Civil and Administrative Appeals Tribunal (VCAT) which can offer a number of remedies, including requiring the organisation to make an apology, correct or delete personal information or pay compensation.

The protection of personal health information is dealt with specifically in the Health Records Act 2001 (Vic). This Act came into effect on 1 July 2002 and applies to both public and private sector organisations which are health service providers or collect, hold or use personal health information. There are few exemptions to this Act and these do not reflect the exemptions to the Commonwealth Privacy Act 1988.

For example, employers dealing with employee records in which health information is held will be required to comply with the Health Records Act, despite being exempt from compliance with the National Privacy Principles (NPPs) under the Commonwealth legislation. The Act sets out eleven Health Privacy Principles (HPPs) which impose obligations similar to the NPPs in relation to health information (which is a type of sensitive information to which more stringent obligations apply).

The Office of the Health Services Commissioner is responsible for administering and enforcing this Act. Unlike the Federal Privacy Commissioner, the Health Services Commissioner can investigate a complaint without the complainant individual having first attempted to resolve the complaint with the relevant organisation. In addition, the Health Services Commissioner has a right to conduct or commission audits of records of health information held by an organisation to check whether they are being handled in accordance with the HPPs.

Other Victorian legislation that impacts on privacy rights includes the Surveillance Devices Act 1999 (Vic) and the Surveillance Devices (Workplace Privacy) Act 2006.

Bills

There are no bills currently before the Victorian Parliament in relation to privacy issues.

Interaction with Privacy Act 1988 (Cth)

The Federal Privacy Act has a saving provision which allows the unaffected operation of State and Territory laws which regulate the collection, holding, use, correction, disclosure or transfer of personal information (subject, of course, to s109 of the Commonwealth Constitution which provides that to the extent that a State or Territory law is inconsistent with a Federal law, the State or Territory law is void). These Acts together regulate the handling of personal information by public and private bodies governed by the Federal Privacy Act, and by Victorian public sector bodies, and the handling of health information by all bodies covered by the Acts.

To toptop of page

Tasmania

State legislation

The Personal Information Protection Act 2004 was passed last year and received assent on 17 December 2004. Consistent with the Commonwealth Government's privacy legislation, and similar to legislation in Victoria and New South Wales, the purpose of the Act is to 'regulate the collection, maintenance, use and disclosure of personal information relating to individuals'.

The regime created by the Act applies to 'personal information custodians' including state government agencies, statutory boards and government business enterprises, the University of Tasmania, as well as local councils and any other organisation or person who has entered into a 'personal information contract'; courts and tribunals are exempt. However, a personal information custodian may seek exemption from the proposed privacy obligations. The Minister for Justice and Industrial Relations would be responsible for determining (and revoking) any such exemptions.

The 'personal information protection principles' set out in Schedule 1 of the Act are based upon the NPPs contained in the Commonwealth legislation, although aspects of the Victorian Information Privacy Act 2000 and the New South Wales Information Privacy Protection Act 1998 have also been taken into account. While the regime is similar in prescribing exemptions for public information and law enforcement information, the obligations in relation to 'employee information' are somewhat different, allowing both job applicants and employees to benefit from the privacy obligations to be imposed on employers.

The proposed administrative approach relies upon individual personal information custodians being responsible for complying with the legislation and, rather than appointing a central body (such as a privacy commissioner) to manage complaints, the Ombudsman would either investigate and determine the complaint or refer the complaint to any person, body or authority the Ombudsman considers appropriate for investigation or any other action.

Pursuant to the Freedom of Information Act 1991, individuals also have the right to access information about their personal affairs which is held by a Tasmanian government agency (including local councils), unless the information is exempt from release.

Some references to respecting individuals' privacy is also included in the HIV/AIDS Preventative Measures Act 1993 and Births, Deaths and Marriages Registration Act 1999. The Listening Devices Act 1991 may also impact on privacy rights.

To toptop of page

Northern Territory

State legislation

The Information Act was passed in October 2002 and commenced on 1 July 2003. The Information Act applies to public sector organisations and provides for the responsible collection and handling of personal information, public access to and correction of personal information, and records and archives management in the public sector.

Health Sector Discussion Paper and Code of Conduct

A discussion paper called 'Protecting Privacy of Health Information in the Territory' was released in March 2002 by the Health Information Privacy Office of the Department of Health and Community Services. The discussion paper is designed to serve as a basis for consultation on the development of health-specific privacy protection in the Northern Territory.

To toptop of page

Australian Capital Territory

The ACT public sector complies with the Privacy Act 1988 and is administered by the Federal Privacy Commissioner on behalf of the ACT government.

The ACT has removed health records from the jurisdiction of the Federal Privacy Commissioner by passing the Health Records (Privacy and Access) Act 1997 (Health Records Act). Section 5 of the Act contains principles which are based on the privacy principles contained in the Federal legislation but modified to suit the requirements of health records. Section 10 the Act gives people access to their own health records (as defined by the Act) or any other record to the extent that it contains personal health information as defined in the Act. This right of access exists for all factual matters whenever they were entered on the record and for any expressions of opinion that were entered onto the record after the commencement date (1 February 1998). The Act imposes obligations on both the requestor (section 12) and the requestee (section 13). In particular it is important to respond to the request within fourteen days regardless of whether access will be given or refused on specified grounds such as exemptions. Under section 18 of the Act the ACT Community and Health Services Complaints Commissioner is empowered to receive health record privacy complaints, for example on grounds of refused access.

Under s10 of the Human Rights Act 2004 (right to privacy) all individuals (see section 6) have the right not to have their privacy, family, home or correspondence interfered with unlawfully or arbitrarily or to have their reputation unlawfully attacked. The legislation also imposes what is known as a duty of consistent interpretation in respect of other legislation. In Section 30(1) of the Act the court must, when 'working out the meaning of a Territory law' prefer the adoption of an interpretation 'consistent with human rights' 'as far as possible'. A similar provision in the UK (section 3 of the Human Rights Act 1998) which requires the court to read and give effect to legislation in a way which is compatible with certain European Convention rights 'so far as it is possible to do so' has had wide-reaching effects.

To toptop of page



Allens home | Privacy home | Top of page | Disclaimer | Privacy | Sitemap
Allens Arthur Robinson - a leading international law firm
© 2008 Allens Arthur Robinson, Australia | contactus@aar.com.au

 Allens Arthur Robinson - Clear Thinking