Commonwealth Privacy Act 1988
A Personal Summary
Roger Clarke
Version of 5 February 1989
© Roger Clarke, 1989
Companion Pages are:
- an unofficial short form of the Information Privacy Principles
- an interpretation and annotations (abstract only)
- an assessment against the OECD Guidelines
History
This 60-page statute was passed and assented to in December 1988. It
followed a long history of deliberations, including a study by the Law Reform
Commission from 1976-83; a 1984 commitment by the Government to comply with
the OECD's Data Protection Guidelines of 1980; the Privacy Bill 1986 which was
closely intertwined with the Australia Card Bill and lapsed with it in 1987;
and negotiations between the Government and Opposition, which resulted in
significant changes to the Privacy Bill 1988 late in its time before the
legislature.
Synopsis
The Bill regulates use by federal government agencies of personal data. As
a central part of the regulatory framework, it establishes a set of Information
Privacy Principles which agencies may not breach.
The Bill regulates private sector organisations and state government agencies,
but only to the extent that they are recipients of tax file number
information.
The Bill creates a 'watchdog' by adding a Privacy Commissioner to the Human
Rights and Equal Opportunity Commission.
Structure of the Act
- the Act commences with 9 pp. of definitions, including:
  - the organisations that are subject to regulation:
    - agencies - s.6(1);
    - acts and practices of agencies - ss.7,8;
    - collectors - s.9;
    - record-keepers - s.10;
    - file number recipients - s.11;
    - acts and practices of file number recipients - s.7;
    - tax file number information - s.6(1);
  - the matters that are subject to regulation:
    - interferences with privacy - s.13;
    - individual - s.6(1) qualified by 6(4);
    - personal information - s.6(1);
    - record - s.6(1);
    - solicit - s.6(1);
    - use - s.6(1).
Appendix B shows the key definitions.
- 11 Information Privacy Principles are defined - s.14; an
unofficial short form is attached at Appendix A.
- The Collection Principles (1-3) and the Use and Disclosure Principles (10
and 11) apply only in relation to information collected after the commencement
of the Act; the remainder apply irrespective of when the personal information
was collected - s.15(1-2).
- An agency shall not do an act, or engage in a practice, that breaches an
Information Privacy Principle - s.16.
- interim guidelines concerning tax file number information
and its collection, storage, use and security are promulgated - s.17(4) and
Schedule 2.
- The Commissioner shall issue such guidelines, subject to normal
disallowance arrangements - s.17(1-3).
- A file number recipient shall not do an act, or engage in a practice, that
breaches a guideline issued under s.17 - s.18.
- a Privacy Commissioner is established by Part IV -
ss.19-35.
- the Privacy Commissioner's powers of investigation are
defined by Part V - ss.36-70.
- the Privacy Commissioner's powers to make public interest
determinations approving acts or practices whose benefits outweigh any
possible breach of the Information Privacy Principles are defined by Part VI -
ss.71-80.
- a Privacy Advisory Committee is established by Part VII -
ss.81-88.
- obligations of confidence are established by Part VIII -
ss.89-95.
- miscellaneous matters in Part IX include:
  - power of the NHMRC to issue guidelines for the protection of privacy in
    medical research, subject to the Privacy Commissioner's approval - s.95
  - non-disclosure of private information by officers of HREOC - s.96
  - annual report by HREOC on the operation of the Act - s.97
  - Federal Court may grant injunctions on application by the Commissioner -
    s.98
  - delegation by the Privacy Commissioner of his powers to staff - s.99
  - regulations may be prescribed
- amendments of other Acts are contained in Part X (s.101
and Schedule 1), viz.:
  - Freedom of Information Act 1982 (2 pp.)
  - Human Rights and Equal Opportunity Commission Act 1986 (2 pp.)
  - Ombudsman Act 1976 (1 pp.)
Appendix A: The Information Privacy Principles
(Unofficial Short Form)
The Information Privacy Principles are central to the regulatory mechanism.
They occupy 5 pages and 1500 words, and are expressed in careful legalese. The
following is a rendition designed to convey their essential content, not
their detailed meaning, nor the manifold exceptions and qualifications.
1. Collection
A collector shall only collect personal information for inclusion
in a record or generally available publication where it is necessary for a
lawful purpose. A collector shall not collect personal information by
unlawful or unfair means.
2. Solicitation from the Individual Concerned
Where personal information is solicited from the individual concerned, the
collector shall ensure that person is aware of the purpose for which
it is being collected, of any legal obligation to comply with the request, and
of disclosure practices relating to it.
3. Solicitation of Personal Information Generally
When personal information is solicited, the collector shall ensure
that it is relevant to the purpose of collection, up to date and complete, and
that the collection is not unduly intrusive.
4. Storage and Security
A record-keeper shall ensure that records are secure against loss,
unauthorised access, use, modification or disclosure, and against other misuse.
5. Public Access Rights
A record-keeper shall enable any individual to ascertain the
nature, main purposes and subject access procedures relating to any personal
information held, and shall maintain a record of such details.
6. Subject Access Rights
The individual concerned shall be entitled to have access to a record that
contains personal information, except to the extent that the
record-keeper is required or authorised to refuse.
7. Subject Alteration Rights
A record-keeper shall make reasonable alterations to ensure that
records of personal information are accurate, relevant, up to date, complete
and not misleading, and where unwilling to make an alteration, shall allow the
individual concerned to attach to a record a statement of the alteration sought.
8. Quality of Information Used
A record-keeper shall not use personal information without taking
reasonable steps to ensure that it is accurate, up to date and complete.
9. Relevance of Information Used
A record-keeper shall not use personal information unless it is
relevant.
10. Use Limitations
A record-keeper shall only use personal information for the purpose
for which it was obtained, and for such additional purposes as are consented to
by the individual, are authorised by law, are necessary in an emergency, and
are reasonably necessary for the enforcement of the criminal law or of a law
imposing a pecuniary penalty, or for the protection of the public revenue.
11. Disclosure Limitations
A record-keeper shall only disclose personal information if the
individual to whom it relates should have been aware that it was subject to
disclosure, or the disclosure has been consented to by the individual,
authorised by law, or is necessary in an emergency, or is reasonably necessary
for the enforcement of the criminal law or of a law imposing a pecuniary
penalty, or for the protection of the public revenue. In the last three cases
a note to that effect shall be included in the record. The recipient of the
information shall not use or disclose the information except for the purpose
for which it was given.
Appendix B: The Key Definitions (Unofficial Short Form)
The 9 pages of global definitions are expressed in careful legalese. The
following is a rendition designed to identify the key terms, and convey their
essential content, but not to capture their detailed meaning.
1. The organisations that are subject to regulation:
- an agency is a Minister, Department or body or officer
established or appointed under a Commonwealth enactment, or by the
Governor-General or a Minister, but excluding an incorporated body and
some others - s.6(1);
- an act or practice of an agency is regulated by the Act
(ss. 7-8) except:
- where the body is of the following classes:
- an agency exempt from the Freedom of Information (FOI) Act under Schedule
1, except for acts and practices of an administrative nature;
- an agency exempt from the FOI Act under Schedule 2, in respect of the
Information Privacy Principles and the Commissioner's general functions as
specified by s.27 (which leaves very little);
- an intelligence-related agency specified in Schedule 2 of the FOI Act;
- an agency exempt from the FOI Act under Schedule 2 Part II, in respect of
records which are exempt from the FOI Act;
- a Minister (except in a couple of circumstances - s.7(1)(d-e));
- a federal court or court of the A.C.T.; the National Crime Authority;
and a Royal Commission; and
- where the record has originated with or has been received
from an intelligence-related agency
- an intelligence-related agency (not a term used in the
Act) includes an intelligence agency (A.S.I.O., A.S.I.S. and
O.N.A. - s.1), and D.S.D., J.I.O. and the N.C.A. (s.7)
- a collector is an agency that collects personal
information - s.9(1).
- Where information is collected by a person in the course of employment by,
or in the service of, an agency (or an unincorporated body connected with an
agency), then the collector is the agency - s.9(2-3);
- a record-keeper is an agency that is in possession or
control of a record of personal information - s.10(1).
- Where information is in the possession or under the control of a person in
the course of employment by, or in the service of, an agency (or an
unincorporated body connected with an agency), then the collector is the agency
- s.10(2-3).
- Where personal information is held by an archival agency (the Australian
Archives and the Australian War Memorial), the record-keeper is the agency by
or on whose behalf the record was placed with the archival agency - s.10(4-5);
- where an agency has possession but not control of a record of
personal information, the regulatory scheme does not apply to it - s.12
- a file number recipient is a person who is in
possession or control of a record that contains tax file number
information - s.11.
- Where a record that contains tax file number information is in the
possession or under the control of a person in the course of employment by, or
in the service of, a person (or an unincorporated body connected with an
agency), then the collector is that person - s.11(2-3).
- tax file number information means information that
records the tax file number of a person in a manner connecting it with the
person's identity - s.6(1);
2. The matters that are subject to regulation:
- an act or practice is an interference with the privacy of an
individual if and only if the act or practice:
- is an act or practice of an agency and breaches an Information Privacy
Principle - s.13(a);
- is an act or practice of a file number recipient which breaches a
guideline under s.17 in relation to tax file number information that relates to
the individual - s.13(b);
- involves an unauthorised requirement or request for disclosure of the tax
file number of the individual - s.13(c)
- information in a publication - s.6(1).
Last Amended: 6 May 1996
These community service pages are a joint offering
of the Australian National University (which provides the infrastructure), and
Roger Clarke (who provides the content).