Organisations that come under the private sector privacy regime are bound by either an approved privacy code or the National Privacy Principles (the NPPs). Failure to follow a code or the NPPs constitutes an interference with the privacy of an individual, to which sanctions apply.
National Privacy Principles
The NPPs set out a minimum standard for the fair handling of personal information by private sector organisations. The 10 NPPs cover everything from the collection and use of information, to data quality and access rights.
We've provided a summary of the NPPs and how they may affect you.
Approved Privacy Codes
One of the aims of the private sector laws was to encourage private sector organisations to develop industry-wide codes of practice for handling personal information. If there's an approved code for your industry, you can choose to be bound by the code instead of the NPPs themselves. You can also seek to have your own privacy code approved by the Privacy Commissioner. In practice, very few codes have been developed and approved. An approved privacy code must incorporate all of the NPPs or impose equivalent – or more stringent – obligations. So, an approved code may carry a higher burden of obligation than do the NPPs.
Once an organisation has adopted an approved code, that code replaces the NPPs for that organisation.
The Privacy Commissioner keeps a publicly available register of approved codes. Currently, the following approved codes are on the register:
- Market and Social Research Privacy Code;
- Queensland Club Industry Privacy Code; and
- Biometrics Institute Privacy Code.
Who, what & when?
Who do the private sector provisions of the Privacy Act apply to?
The private sector provisions of the Privacy Act (the Act) apply to private sector organisations with a link to Australia, including:
- individuals who collect, use or disclose personal information in the course of a business. For example, a sole trader's business activities will be regulated (unless it's a small business), but information gathered outside business activities won't be;
- bodies corporate; and
- partnerships, unincorporated associations and trusts – any act or practice of a partner, committee member or trustee is attributed to the organisation.
Organisations outside Australia must comply with the provisions in some circumstances. Sending information out of Australia is also regulated.
There are also exemptions, and the private sector provisions usually don't cover:
- a small business operator;
- a registered political party;
- a Commonwealth Government agency;
- a media organisation, in the course of journalism;
- certain transfers of personal information between related bodies corporate;
- a State or Territory authority; or
- a prescribed instrumentality of a State or Territory.
What is protected?
The Act regulates the way in which private sector organisations collect, handle, disclose, use and store personal information. So what's personal information? Basically, any information – including an opinion – that can be used to identify a person. It could simply be their name, address, telephone number or date of birth. There are extra protections for sensitive information, such as information about an individual's race, sexual preference or health.
When did the private sector provisions of the Act come into effect?
The private sector provisions came into effect on 21 December 2001 for most organisations and 21 December 2002 for most of the small businesses that are subject to them.
What about information collected before that time?
Personal information collected before 21 December 2001 is generally affected by some, but not all, NPPs. But if information is later updated, all the NPPs will apply. So it's important to be able to tell whether information was collected before or after the cut-off date.