Australia - Data Protection Overview
1. THE LAW
1.1. Key Acts, Regulations, Directives, Bills
The key legislation in Australia affecting private-sector organisations (and Federal Government agencies) Australia-wide is the Privacy Act No. 119 1988 (as amended) ('the Privacy Act') and its Australian Privacy Principles ('APPs'). In addition to the Privacy Act/APPs, there is a Privacy Regulation 2013, legally binding Privacy (Credit Reporting) Code and rules and guidelines, for example, in relation to privacy in the conduct of medical research and Tax File Numbers ('TFNs') which have the force of law, and apply in specific areas/to specific types of information.
Also, on an Australia-wide basis, there are additional sector/information-specific laws such as those relating to TFNs and personal electronic health records that also apply in addition to the Privacy Act/APPs.
In addition, a number of Australian States also have their own privacy laws that regulate State Government agencies and private enterprise contractors to the State Governments and, in some cases, health records. Even where private sector organisations, as contractors to State Government agencies, are governed by State privacy law this will be in addition to their obligations under the Privacy Act/APPs.
Key non-binding Guidelines and Guides issued by the OAIC and the Privacy Commission include:
- Australian Privacy Principles guidelines;
- Privacy management framework;
- Guide to securing personal information;
- Data breach preparation and response;
- Notifiable Data Breaches scheme;
- Mobile privacy: a better practice guide for mobile app developers;
- Guide to undertaking privacy impact assessments;
- Guide to developing a data breach response plan;
- De-Identification and the Privacy Act;
- Guide to Data Analytics and the Australian Privacy Principles; and
- The De-Identification Decision Making Framework.
1.3. Case Law
Noteworthy recent decisions, determinations, and undertakings obtained by the Privacy Commissioner include:
- Ben Grubb and Telstra Corporation Limited  AICmr 35 (and the AAT appeal and Federal Court appeal decisions);
- L B and Comcare (Privacy)  AICmr 28;
- Financial Rights Legal Centre Inc & Others and Veda Advantage Information Services and Solutions Ltd  AICmr 88;
- 'IV' and 'IW'  AICmr 41;
- 'IR' and NRMA Insurance, Insurance Australia Limited  AICmr 37;
- 'HW' and Freelancer International Pty Ltd  AICmr 86;
- Avid Life Media Inc. (Ashley Madison) enforceable undertaking;
- Singtel Optus Pty Ltd enforceable undertaking;
- Department of Immigration and Border Protection: Own motion investigation report;
- Publication of MBS/PBS data (Department of Health): Own motion investigation; and
- Jeremy Lee v. Superior Wood Pty Ltd  FWCB 2946
2. SCOPE OF APPLICATION
2.1. Who do the laws/regs apply to?
In addition to all Federal Government agencies, the Privacy Act/APPs apply to all private sector organisations other than:
- those with less than AUD 3 million (approx. €1.8 million) turnover (unless they use or disclose personal information for a benefit or collect and use health information);
- registered political parties; and
- State or Territory Authorities or Instrumentalities, although the NDB provisions apply to all eligible data breaches involving TFNs (including in respect of the above).
The Privacy Act/APPs apply to all those APP entities carrying on business in Australia which, even for offshore entities, will include actively collecting personal information in Australia or from Australian residents, including by promoting an offshore entity/website to Australian residents.
2.2. What types of processing are covered/exempted?
All processing (i.e. collection, use, and disclosure) of personal information by APP entities is covered by the Privacy Act/APPs. However, the processing of de-identified or anonymous data (if it cannot be reasonably re-identified) is not covered by the Privacy Act/APPs.
In addition (and even if not an APP entity), all persons and entities (including usually excluded entities – e.g. State Government agencies) dealing with TFNs are covered by:
- the TFN Rules; and
- the NDB provisions as regards any data breaches involving TFNs/TFN information.
Processing exempted from the Privacy Act/APPs includes purely personal/domestic processing of personal information (i.e. individuals in a non-business capacity), employee records (as to which please see Section 13), political acts and practices (e.g. related to Members of Parliament), small businesses engaged under a Commonwealth contract and by media organisations, if done in the course of journalism.
3. DATA PROTECTION AUTHORITY | REGULATORY AUTHORITY
3.1. Main regulator for data protection
The Privacy Commissioner is the relevant regulator under the Privacy Act/APPs. The Privacy Commissioner sits within, and is overseen by, the Australian Information Commissioner (who is currently the same person as the Privacy Commissioner) and the Office of the Australian Information Commissioner ('OAIC').
3.2. Main powers, duties and responsibilities
The Privacy Commissioner is charged with enforcing the Privacy Act/APPs, including receiving and resolving complaints, undertaking own motion investigations and, as a result of any relevant determination, seeking an enforceable undertaking, publishing the determination/decision and issuing guidance in respect of the interpretation and enforcement of the Privacy Act/APPs.
The Privacy Commissioner can also seek the imposition of a fine for a serious invasion of privacy (i.e. breach of the APPs) or repeated invasions of privacy (i.e. repeated breaches of the APPs). Please see section 9 below.
4. KEY DEFINITIONS | BASIC CONCEPTS
In Australia data protection is generally known as 'privacy' and, for the purposes of this Guidance Note, unless otherwise specifically noted, we limit our comments to the privacy law under the Privacy Act and APPs. The Privacy Act/APPs regulate the collection, use, holding, and disclosure of the personal information of living individuals by APP entities.
Personal Data: Referred to as 'personal information' is defined to mean information or an opinion about an identified individual or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not. The information or opinion itself does not have to identify the individual or the individual does not need be reasonably identifiable from that information or opinion only, but includes where an individual is reasonably identifiable by other means or from other information reasonably obtainable.
Sensitive Data: A sub-set of personal information is sensitive information, which is defined to mean information or an opinion about an individual's racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, criminal record and health information, genetic information, and/or biometric information used for automated biometric verification or biometric identification. An APP entity is a Federal Government agency or a private sector 'organisation' to which the Privacy Act/APPs apply (see section 2 above). An organisation includes an individual, body corporate, partnership, any other incorporated association or trust that is not otherwise exempted from the Privacy Act/APPs.
Data Controller | Data Processor: Unlike European law, there are no concepts of data 'controller' and data 'processor' under Australian privacy law. Each APP entity that obtains/receives personal information (even as what may be considered a 'data processor' under EU law) will effectively be considered a data controller under Australian law and has its own separate and primary privacy obligations under the Privacy Act/APPs.
Other: For general personal information notification (i.e. not consent) of certain required mandatory matters (including the purpose(s) for which it is being collected) must be provided at or prior to the first collection of personal information about an individual. Collection, use, and disclosure of sensitive information requires prior express consent of the individual to whom it relates.
5. NOTIFICATION | REGISTRATION
5.1. Requirements and brief description
6. DATA CONTROLLER RIGHTS AND RESPONSIBILITIES
As noted above, there is no distinction under Australian law between a data controller and a data processor. Thus, all responsibilities and obligations under the Privacy Act/APPs listed here relate, and apply equally, to those that would be considered data controllers or data processors under EU law.
The key obligations of all APP entities (whether data controllers or data processors) under the Privacy Act/APPs include:
- to take reasonable steps to implement practices, procedures and systems that will ensure compliance with the APPs (APP 1.2);
- only collect personal information that is reasonably necessary for one or more of the APP entity's functions or activities (APP 3.2), by lawful and fair means (APP 3.3) and directly from the individual, unless it is unreasonable or impracticable to do so (APP 3.6);
- at or before the time or, if that is not practicable, as soon as practicable after, an APP entity collects personal information about an individual, take such steps as are reasonable in the circumstances to notify the individual of the matters in APP 5.2 or otherwise ensure that the individual is aware of such matters (APP 5.1);
- only use the personal information collected for the notified purpose(s) for collection, unless a secondary purpose is permitted by the APPs or consented to by the individual (APP 6.1);
- to take reasonable steps to ensure that the personal information that the APP entity collects, uses or discloses is accurate, up-to-date, and complete (APP 10);
- to take reasonable steps in the circumstances to protect the personal information held by the APP entity from misuse, interference and loss and from unauthorised access, modification or disclosure (APP 11.1); and
- to notify all eligible data breaches as soon as practicable to the OAIC and all affected individuals (see section 11).
As regards the information security obligations in APP 11.1, it is important to note that this is not a fixed or static obligation (i.e. it is not a 'one size fits all'). The bigger you are, the more personal information you collect, the more sensitive the information is, the more centralised the data holdings are etc., the greater the security obligations are (i.e. measures that need to be taken to satisfy the obligations). A helpful start to understanding one's information security obligations under APP 11.1 is the Privacy Commissioner's guide to securing personal information.
7. DATA PROCESSOR RIGHTS AND RESPONSIBILITIES
Please see section 6 above: data processors have the same primary rights and responsibilities as data controllers under the Privacy Act/APPs.
8. DATA CONTROLLER AND PROCESSOR AGREEMENTS
As noted above, there is no separation between controllers and processors in Australia and thus no mandated agreement requirements or rights. However, it is recommended that any third-party service provider arrangement should be documented (i.e. by agreement), especially where the processor is outside Australia, and should include purpose limitations, compliance with the Privacy Act/APPs (for offshore providers) and provisions relating to the notification of and responsibility for notifiable data breaches.
9. DATA SUBJECT RIGHTS
The key rights of the data subject/individual whose personal information is collected by an APP entity include:
- the right to not identify oneself when dealing with an APP entity (i.e. deal anonymously), unless impracticable or required by law (APP 2);
- the right to access the personal information held by the APP entity about that individual (APP 12.1);
- the right to seek correction of the personal information held by the APP entity about that individual (APP 13.1) and to have any correction notified to third parties to whom the personal information was provided by the APP entity (APP 11.2); and
- the right to request not to receive direct marketing and to not have the individual's personal information disclosed or used for direct marketing (APP 7.6).
10. DATA PROTECTION OFFICER
10.1. DPO – compulsory appointment (yes/no)
No. A data protection officer ('DPO') (or rather, in Australian terminology, a privacy officer) is not required by law in Australia but is recommended by the Privacy Commissioner.
In practice, we are seeing more and more privacy officer roles where a substantial part of the job description (or, for large APP entities, some chief privacy officers whose sole responsibility) is privacy compliance.
As a DPO is not compulsory under Australian privacy law, there are no stated/legislative requirements for the position. In practice, a privacy officer is usually from/in the risk or in-house legal functions, but it is recommended that they also have some IT and business knowledge/experience.
11. DATA BREACH NOTIFICATION
11.1. General obligation (yes/no)
Australia has mandatory notification of all eligible data breaches. Unless a specific limited exemption applies, all eligible data breaches must be notified to the OAIC and all relevant individuals as soon as practicable after the entity:
- becomes aware of the eligible data breach;
- becomes aware of reasonable grounds to believe an eligible data breach has occurred; or
- is directed to do so by the Privacy Commissioner.
An eligible data breach occurs if:
- there is an unauthorised access to, unauthorised disclosure or loss of personal information held by an APP entity (i.e. a data breach); and
- a reasonable person would believe that such data breach is likely to result in serious harm to any of the individuals to whom the information relates.
To assist with assessing what a reasonable person might think, a non-exhaustive list of relevant matters to be considered has been included in the Privacy Act.
Where there are no reasonable grounds to believe but there are reasonable grounds to suspect that there may have been an eligible data breach the entity must take all reasonable steps to undertake an assessment within 30 days (after the entity becomes aware of reasonable grounds to suspect such may have occurred) to determine whether an eligible data breach has occurred. Once such an assessment is completed the entity will have to notify the eligible data breach as soon as practicable, assuming it finds reasonable grounds for believing that an eligible data breach has occurred. However, this provision cannot be used to automatically get 30 days to determine what to do in the case of an eligible data breach.
APP entities may use the usual means by which they communicate with the relevant affected individuals, if practicable, to notify all affected individuals of the eligible data breach. If not practicable, the APP entity must consider other means by which to notify the eligible data breach but, simply because it is impracticable to notify each individual personally, this does not obviate the need for notification and other appropriate means must be devised to notify the affected persons. As a deterrent to doing nothing the provisions require, at a minimum, the required notice be prominently published on the entity's website or that it is otherwise widely publicised.
11.2. Sectoral obligations
Mandatory data breach notification also exists and applies in respect of electronic health records covered by the Personally Controlled Electronic Health Record/My Health Records Act 2012 legislation and system.
The ultimate sanction available to the OAIC/Privacy Commissioner is to apply to the court to have a fine of up to AUD 2.1 million (approx. €1.3 million) for entities and AUD 420,000 (approx. €260,000) for individuals imposed for a serious breach or repeated breaches of the APPs. Also, please see section 13 under New Developments.
The Privacy Commissioner also has the ability to impose enforceable undertakings, award compensation/reimbursement, and publish public determinations/decisions specifying full details of the alleged infringement (in the case of a complaint) and the results of the Privacy Commissioner's investigation.
13. ADDITIONAL RELEVANT TOPICS
13.1. Data Transfers and Outsourcing
As regards the obligations and requirements attached to the offshore disclosure (including transfer) of personal information, please see our separate Australia – Data Transfers Guidance Note.
Currently, employee records held by an employer are exempt from the Privacy Act/APPs when used or disclosed by the employer of those employees. However, to get the benefit of the exemption, care must be taken to ensure that the:
- personal information held is actually an employee record; and
- the person using, storing and/or disclosing that information is the employer of that employee.
An employee record is a record of personal information relating to the employment of the employee by their employer. However, for example, health information collected by the employer pursuant to a voluntary healthy living programme offered by the employer will not be an 'employee record' and thus will not be exempt from the Privacy Act/APPs. The employer is the legal entity that actually employs the employees. That is, not a related or group company or a third-party payroll processor (even though the employer has provided them the relevant information). Also, the exemption is not relevant to contractors, consultants or volunteers – only to the employees of that employer.
13.3. Data Retention
In addition to the security obligations noted above, the Privacy Act/APPs require (as a legal obligation) that APP entities delete or de-identify all personal information in their possession once all legal requirements to keep it in an identified form have passed, it is not required for threatened or current litigation, and it has been used for the notified purpose(s) for which it was collected. That is, personal information cannot be kept indefinitely, and all document/records/data retention policies must include appropriate provisions requiring deletion/de-identification of personal information.
14. OTHER SPECIFIC JURISDICTIONAL ISSUES
The de-identification/deletion obligation raises significant issues for those APP entities that wish to keep personal information beyond the time limits permitted by the Privacy Act/APPs for data analytics purposes, especially if collection for data analytics was not an original stated purpose for collection.
In addition to separate Do Not Call (telemarketing) and Spam (electronic marketing) laws, the Privacy Act/APPs restrict the use of personal information for direct marketing where the individual was not notified of such at, or prior to, the time of collection of their personal information, or such would not be reasonably expected by that individual. Also, a simple means must be provided for the individual to opt-out of direct marketing communications. Where the personal information in question is 'sensitive information' the consent of the individual is required for such use or disclosure.
The now re-elected Government, before the recent election, said it would revise the fines under the Privacy Act to be in line with other recent changes to administrative fines in other areas. Once passed by Parliament, which is expected by 31 December 2019, the maximum fine for a serious invasion or repeated invasions of privacy (i.e. breaches of the privacy law) will be up to AUD 10 million (approx. €6.2 million) or three times any benefit obtained from the invasion breach (whichever the greater) plus 10% of Australian annual revenue.
This proposed minimum five-fold increase in the available fine under the Privacy Act and the significantly increased budget given to the OAIC will lead to greater own-motion investigations (and levying of fines) by the OAIC.
Unsolicited Personal Information
Where an APP entity receives unsolicited personal information (e.g. on a recorded telephone call) it must, within a reasonable period, determine whether or not it could have solicited such information under the Privacy Act/APPs and either:
- if it could have solicited such information, it must deal with it in accordance with APPs 5-13 (inclusive), including notifying the individuals in question of the mandatory matters under APP 5.2; or
- if it could not have solicited such information, subject only to a specific legal requirement to keep it, destroy, or de-identify the information as soon as practicable.
Non-government APP entities (i.e. organisations) must not use as a means of identification, or otherwise use or disclose, any Government-related identifiers of an individual, unless required by law or court order.