Privacy rights

All Australians have certain legal rights to privacy.

However, a person’s right to privacy is not absolute, and in some circumstances it is balanced against the interests of others and the benefits to society as a whole. An example of this is where a criminal offence is being or may be committed.

Privacy is protected in a number of different ways. In Queensland, an individual’s privacy is protected under:

      • The Federal Privacy Act 1988 (Cth) in relation to personal information held by a Commonwealth government agency and most private sector companies and organisations;
      • Information Standards 42 and 42A in relation to personal information held by Queensland government agencies;
      • The Health Services Act 1991 (Qld) in relation to medical records held by Queensland Health;
      • The Telecommunications Act 1997 (Cth) in relation to information held by telecommunications companies;
      • The Invasion of Privacy Act 1971 (Qld) and Telecommunications (Interception) Act 1979 (Cth) in relation to monitoring (listening in to), or recording of telephone conversations.

The Privacy Act 1988 (Cth)

The Privacy Act establishes a national scheme for the collection, holding, use, disclosure and transfer of personal information by certain organisations.

Who has to comply with the Privacy Act?

The Privacy Act regulates personal information held by:

      • Commonwealth and ACT government agencies – under the 11 Information Privacy Principles (IPPs)
      • Most private sector businesses – under the National Privacy Principles (NPPs). Private sector businesses that are bound by the NPPs include:
        • most private businesses (see the small business exemption below)
        • private health providers
        • tenancy database providers
      • Credit reporting agencies and credit providers – under the Credit Reporting Code of Conduct.

Some organisations do not have to comply with the Privacy Act (or certain aspects of it), including:

      • Most small businesses that have an annual turnover of $3 million or less
      • Registered political parties
      • Media organisations in the course of journalism
      • Employers in relation to personal information held about current and past employees in the context of the employment relationship.

What personal information is protected by the Privacy Act?

Personal information is ‘information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.’

Personal information can include details such as your name, contact details and birth date, and also images of you (such as CCTV footage) if you can be identified by the image.

Sensitive personal information is subject to stricter protections under the Privacy Act. Sensitive personal information includes any information or opinion regarding an individual’s:

      • racial or ethnic origin
      • political opinion
      • membership of a political association
      • religious beliefs or affiliations
      • philosophical beliefs
      • membership of a professional or trade association
      • membership of a trade union
      • sexual preferences or practices
      • criminal record
      • health information about an individual
      • genetic information about an individual that is not otherwise health information.

Tax file numbers have special protections under the Tax File Number Guidelines. Tax file numbers are issued by the Australian Taxation Office (ATO) to identify your tax records. For more information, please visit the ATO Website.

How is your personal information protected by the Privacy Act?

National Privacy Principles (NPPs)

Most private sector organisations must comply with the 10 NPPs. The NPPs are set out at the end of this fact sheet.

Under the NPPs, an organisation must take reasonable steps to make individuals aware that it is collecting personal information about them, the purposes for which it is collecting the information, and who it might pass the information on to. There are restrictions on what an organisation can do with the personal information it collects and when it can disclose personal information or transfer it overseas.

In summary, an organisation can only use or disclose your personal information if it is within the reasonable expectations of what you would expect the organisation would do with your personal information. Sensitive personal information must generally only be collected, used and disclosed if you have specifically consented to it, or it is required under law.

Except for some special circumstances, individuals have a right to get access to personal information an organisation holds about them and to have the information corrected or annotated if the information is incorrect, out-of-date or incomplete.

Information Privacy Principles (IPPs)

Federal government agencies must comply with the 11 IPPs.

A summary of the 11 IPPs is as follows:

Collection of personal information (IPPs 1-3)
An agency can only collect personal information directly related to its activities and only by fair means. The collection of this information should not unreasonably intrude upon the privacy of the individual concerned.

In most cases, when collecting personal information, an agency must advise an individual:

  • why the information is being collected; and
  • to whom the information is normally disclosed.

An agency must take reasonable steps to ensure that the personal information it collects is relevant, up-to-date and complete. The collection of information must not unreasonably intrude upon the individual’s personal affairs.

Storage and Security (IPPs 4-5)
Agencies in possession of personal information must ensure that there are reasonable safeguards to prevent unauthorised access, use, modification or disclosure of the information.

Access and Alteration (IPPs 6-7)
Individuals are entitled to access records containing their personal information and to request the record keeper to alter those records if they are inaccurate.

Accuracy (IPP 8)
Agencies must take reasonable steps to ensure that any personal information proposed to be used is accurate, up-to-date and complete.

Use and Disclosure (IPPs 9-11)
In general, an agency must use personal information only for the purpose for which it was collected and disclose personal information only if the individual concerned is aware of, or has consented to, that disclosure.

However, an agency may use or disclose personal information if it is authorised by law or if it is necessary for certain types of law enforcement.

The Queensland Government has also administratively adopted the IPPs (with certain minor amendments) for all Queensland government departments and agencies by way of Information Standard 42 and Information Standard 42A.

How do you make a complaint if you think your rights under the Privacy Act have been breached?

If you feel your personal information has been handled inappropriately by an organisation or federal agency, you can make a complaint.

You must first make a complaint to the organisation or agency itself, to give it a chance to resolve it. You should give the organisation or agency a reasonable time to respond (usually 30 days is reasonable).

If the issue is not resolved by the organisation, you can contact the Office of the Privacy Commissioner. The Privacy Commissioner cannot become involved in a complaint if you have not first made a complaint to the organisation concerned, unless the Commissioner is of the view that this would be inappropriate.

If you want to make a complaint to the Privacy Commissioner, your complaint letter should include:

      • The name of the agency or organisation involved
      • A brief description of your privacy problem
      • Any action the agency or organisation has taken to fix the problem
      • A description of any response you have had from the agency or organisation
      • Copies of any relevant documents

Complaint forms are available online from the Office of the Privacy Commissioner’s website.

Complaints may be sent to the Office by:

Post, addressed to:
Director, Compliance
Office of the Privacy Commissioner
GPO Box 5218
Fax: (02) 9284 9666

If you feel your personal information has been handled inappropriately by a Queensland government department or agency, you should first contact the department or agency. If you are not satisfied with their response, you can seek an internal review. More information on making privacy complaints to Queensland government departments and agencies can be found on the website.

What can the Privacy Commissioner do about a breach of the Privacy Act?

The Privacy Commissioner will then attempt to resolve the complaint, usually by negotiation. If this is successful, your complaint could result in an apology from the organisation, the organisation changing its practice, or (in some cases) payments of compensation if the breach of your privacy has caused you to suffer monetary loss.

The Commissioner also has the power under the Privacy Act to make formal determinations in relation to complaints. After investigating a complaint, the Commissioner may decide to dismiss the complaint, or may find that the complaint is substantiated.

If the complaint is substantiated, the Privacy Commissioner can make a determination, which may include declarations that the respondent:

      • has breached the Act;
      • should stop breaching the Act, for example, by changing their procedures;
      • should take reasonable steps to redress any damage suffered by the complainant; or
      • should pay compensation to the complainant.

Determinations by the Privacy Commissioner are not legally binding; however, any determination made by the Privacy Commissioner can be enforced in the Federal Court (or the Federal Magistrates Court), provided the Court also finds a breach following a further hearing.

Some examples of cases where the Privacy Commissioner has resolved privacy complaints are below:

F v Credit Provider [2003] PrivCmrA 4
Facts: The balance of the complainant’s general credit account was improperly disclosed to her former partner by a retail store at which she had a credit account.
Findings: Breach of s18N(1).
Amount: Apology and compensation of $750 offered by the credit provider, which was accepted.

K v Financial Institution [2003] PrivCmrA 9
Facts: The financial institution incorrectly linked the complainant’s account with another family member. As a result, the financial institution sent a statement for the complainant’s account to the family member. When the family member became aware of the complainant’s financial position, they requested that the complainant provide a guarantee in relation to some financial dealings, which the complainant agreed to in order to avoid strain on the relationship.
Findings: Breach of NPP 3 and 2.1.
Amount: Complainant claimed and received $1,000.

C v Commonwealth Agency [2003] PrivCmrA 1
Facts: The complainant was employed by a Cth agency and applied for a position with another Cth agency. The referee provided was the complainant’s supervisor, who upon contact improperly disclosed personal details about the complainant not relevant to the position. The complainant failed to get the position.
Findings: Breach of NPP 11.1.
Amount: Agency apologised and paid $7,000.

I v Major wholesaler [2003] PrivCmrA 7
Facts: The complainant’s ex-partner’s current girlfriend used her position at a company to access the complainant’s credit report and check her financial position. The complainant had not made an application for credit with the company.
Findings: Breach of ss18K and 18S.
Amount: Company counselled the employee, apologised to the complainant and agreed to pay $7,500 for interference with privacy.

J v Superannuation Provider [2005] PrivCmrA 7
Facts: The complainant’s records with the superannuation provider were left in a public thoroughfare. The information included reports about covert surveillance undertaken by the superannuation provider as part of the claim assessment. The documents also contained incorrect information about him, described him in a manner that was offensive, and were disclosed to his neighbours.
Findings: Breach of NPP 4.1 and 6.5.
Amount: Conciliation reached, including an apology and payment of $3,500 for loss or damage including legal expenses, hurt and embarrassment.

L v Commonwealth Agency [2003] PrivCmrA 10
Facts: The complainant’s ex-wife submitted an application to the agency which impacted on the complainant. The application included an incorrect mailing address for the complainant. The complainant only found out about the application 1 year later because the agency had been sending the information to the incorrect mailing address.
Findings: Breach of IPP 8 and 4.
Amount: $250 compensation.

Medical Records

Medical records held by private organisations (such as your General Practitioner’s surgery) are regulated by the NPPs in the Privacy Act.

Medical records held by Queensland Health are protected under the Health Services Act 1991 (Qld). You can access your own medical records by putting your request in writing and sending it to the office of the Medical Superintendent of the public hospital you have attended, or the manager of the community health service you have attended. You must also supply documentary evidence of identity with your request (for example, a certified copy of a driver’s licence or birth certificate).

Personal information held by telecommunications providers

In addition to the NPPs, the telecommunications industry (including phone and internet providers) has specific privacy protections. Under the Telecommunications Act 1997 (Cth), and industry codes developed under this Act, both the substance of communications and other personal information are protected, including:

      • a subscriber’s name;
      • addresses;
      • telephone number/s;
      • billing information; and
      • call charge records, i.e. details of the time, date, parties to and duration of each communication.

Details of how to make a complaint about the way a telecommunication company has handled your personal information can be found at the Telecommunications Ombudsman’s website.

Secret recording of conversations

As a general rule, conversations cannot be recorded without the permission of the people party to the conversation.

If a call is to be recorded or monitored (for example if you telephone a customer call centre), an organisation must tell you at the beginning of the conversation so that you have the chance either to end the call, or to ask to be transferred to another line where monitoring or recording does not take place if this is available.

It is an offence under the Invasion of Privacy Act 1971 (Qld) to use a listening device to record a private conversation unless you are a party to the conversation or unless you have a warrant. It is also an offence to publish a recording of a private conversation, or information obtained from the recording (even if you were a party to the conversation), unless it is for certain defined purposes such as legal proceedings.

Under the Telecommunications (Interception) Act 1979 (Cth), telecommunications cannot be intercepted, except where a warrant has been obtained in the interests of security or in connection with enquiries related to narcotics offences, etc. However, communications that are no longer passing over a telecommunications system (such as emails stored on a computer system) are not protected under this Act.

National Privacy Principles

NPP 1 – Collection
An organisation must only collect personal information that’s necessary for one or more of its legitimate functions or activities (primary purpose). At the time of collection (or as soon as practicable afterwards) it must take reasonable steps to ensure that the individual is told:

  • the identity of the organisation and how to contact it;
  • that they can access the information;
  • why the information is collected;
  • the disclosure practices of the organisation; and
  • any law that requires the particular information to be collected and the consequences (if any) for the individual if the information isn’t provided.

NPP 2 – Use and Disclosure
Generally, an organisation should only use or disclose personal information for the purpose for which it was collected. But an organisation can use or disclose personal information about an individual for another purpose if:

  • the individual has consented; or
  • the secondary purpose is related to the primary purpose and might reasonably be expected. If the personal information is sensitive information (see NPP 10), the secondary purpose must be directly related to the primary purpose.

If the secondary purpose is direct marketing, and the information is not sensitive information, use is permitted for direct marketing if:

  • it is impracticable to seek the individual’s consent before the particular use;
  • there is no charge for implementing an individual’s request not to be the target of direct marketing;
  • the individual has not made such a request; and
  • the individual is told (at each contact) that he or she may express a wish not to receive any further direct marketing communications.

The organisation must list its address, telephone number and contact addresses in each direct marketing communication. An organisation may also use or disclose personal information for some secondary purposes related to the public interest, such as law enforcement, public safety, research purposes or emergency situations.

NPP 3 – Data Quality
An organisation must take reasonable steps to ensure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.

NPP 4 – Data Security
An organisation must take reasonable steps to protect the personal information it holds from misuse, loss and unauthorised access, modification and disclosure. It must destroy personal information – or make it impossible to identify the person it relates to – if it is no longer needed for any purpose (in accordance with NPP 2).

NPP 5 – Openness
Organisations must prepare clearly expressed policies on the management of personal information, which must be available on request. This may be a general statement saying that the organisation abides by the NPPs or an approved privacy code and mentioning any applicable exemptions. It should also briefly state the type of personal information held, the broad purposes for which it is used, and how an individual can access personal information or lodge a complaint.

If requested by an individual, an organisation must take reasonable steps to let the individual know more details about the sort of personal information it holds, the purpose for which the information is held and how the information is collected, used, stored and disclosed.

NPP 6 – Access & Correction
As a general rule, an organisation must, upon request, give the individual access to any personal information held about them. An organisation doesn’t have to give access in some circumstances, for example if:

  • it would be unlawful to provide the information;
  • it would pose a serious and imminent threat to the life or health of any individual;
  • it would have an unreasonable impact upon the privacy of other individuals; or
  • the request is frivolous or vexatious.

If providing access would reveal evaluative information about a commercially sensitive decision-making process (for example, a credit scoring process used by a credit provider), then the organisation may give an explanation rather than direct access to the information. An organisation may charge for providing access to personal information, but charges must not be excessive and must not apply to lodging a request for access. An organisation must also take reasonable steps to correct any personal information if the individual can establish that it is not accurate, up to date or complete. Where access is denied, or there is a refusal to correct personal information, the organisation must tell the person who requested it why.

NPP 7 – Identifiers
An identifier is a number used by a government agency to identify an individual, for example a Medicare number, tax file number or pension number. An organisation must not adopt an identifier like this as its own identifier and, generally speaking, should not use or disclose an identifier assigned by a government agency.

NPP 8 – Anonymity
Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions.

NPP 9 – Trans-border data flows
Organisations in Australia must take steps to protect an individual’s privacy if personal information is sent overseas. Information may only be transferred if:

  • the organisation reasonably believes a law, binding scheme or contract applies at the destination which effectively delivers privacy standards substantially similar to the NPPs;
  • the individual consents to the transfer;
  • the transfer is for the benefit of the individual and it’s impracticable to obtain consent, but it’s likely consent would have been given;
  • the transfer is required by a contract between the individual and the organisation, or a contract between the organisation and a third party in the interests of the individual; or
  • the organisation has taken reasonable steps to ensure the information won’t be held, used or disclosed by its recipient inconsistently with the NPPs.

NPP 10 – Sensitive Information
Generally, an organisation is not allowed to collect sensitive information from an individual unless:

  • the individual has consented;
  • collection is required or authorised by law;
  • the information is required to establish or defend a legal or equitable claim; or
  • the individual is incapable of consenting and the information is needed because of a serious and imminent threat to the life or health of the individual.

Non-profit organisations, including charities, may collect sensitive information if:

  • it relates solely to the members or the organisation, or people who have regular contact with it for the purpose of its activities; and
  • the organisation undertakes to the individual that it will not disclose the information without consent.