The principal legislation protecting privacy in Australia is the federal Privacy Act 1988 (the Privacy Act). The Privacy Act establishes 13 Australian privacy principles (APPs), which regulate the handling of personal information by many private sector organisations and by federal government agencies.
The body responsible for enforcing the Privacy Act is the Office of the Australian Information Commissioner (OAIC). In practice, the Information Commissioner (the Commissioner) is responsible for the majority of the privacy-related functions of the OAIC, including the investigation of complaints made by individuals.
Substantive amendments to the Privacy Act came into effect on 12 March 2014. In particular, from that date, substantial monetary penalties (currently, up to A$420,000 for individuals or A$2.1 million for corporations) can now be imposed for 'serious' or 'repeated' interferences with the privacy of individuals.
Although this chapter is principally concerned with the Privacy Act, each Australian state and territory has also passed legislation that protects information held about individuals by state and territory government organisations.
Privacy also receives some protection through developments to the common law, particularly developments in the law relating to confidential information.2 However, to date the Australian courts have not recognised a specific cause of action to protect privacy, although there has been judicial suggestion that such a development may be open.3
There is no general charter of human rights in Australia,4 and as such there is no general recognition under Australian law of privacy being a fundamental right.
II THE YEAR IN REVIEW
According to the OAIC's Annual Report 2016–175 (the most recent report as at 18 July 2018), the OAIC received 2,492 privacy complaints and responded to 16,793 privacy enquiries in the year ending 30 June 2017. The Commissioner also initiated 29 investigations, worked on 14 assessments and received 114 voluntary data breach notifications from organisations.
Although there have been several significant enforcement actions (see Section VII for more information), no monetary penalties have yet been imposed on organisations under the new sanction provisions.
III REGULATORY FRAMEWORK
i Privacy and data protection legislation and standards
The Privacy Act protects personal information – that is, information or an opinion about an identified individual or an individual who is reasonably identifiable. Special protection is afforded to 'sensitive information' (see further discussion below).
The Privacy Act contains exemptions for certain organisations from the requirement to comply with the APPs. Operators of small businesses (businesses with an annual turnover for the previous financial year of A$3 million or less) are not generally subject to the Privacy Act.6 There are also exemptions for domestic use,7 media organisations8 and political representatives.9 There is no general exemption for not-for-profit organisations.
There is a broad exemption10 from the application of the Privacy Act for acts or practices that are directly related to a current or former employment relationship and that involve an employee record held by the employer. In practice, this means that many activities of organisations with respect to their own employees are exempted from the Privacy Act.
There is a limited exemption from the application of the Privacy Act for the sharing of personal information (other than sensitive information) between companies in the same corporate group.11 The rules regarding the disclosure of personal information outside Australia apply even where the information is shared between group companies.
Protection of sensitive information
Sensitive information is defined in Australia as being:
- information or an opinion about an individual's:
- racial or ethnic origin;
- political opinions;
- membership of a political association;
- religious beliefs or affiliations;
- philosophical beliefs;
- membership of a professional or trade association;
- membership of a trade union;
- sexual orientation or practices; or
- criminal record;
- health information about an individual;
- genetic information about an individual that is not otherwise health information;
- biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
- biometric templates.
Generally, an organisation must not collect sensitive information about an individual unless the individual has consented to the collection and the personal information is reasonably necessary for one or more of the organisation's functions or activities. An organisation may collect sensitive information about an individual without consent in certain limited circumstances; for example, where collection is required by Australian law.
APP Guidelines (Guidelines)
The OAIC has published Guidelines to assist organisations in complying with the APPs. Although the Guidelines are not legally binding, they provide guidance as to how the APPs will be interpreted and applied by the Commissioner when exercising his or her functions and powers under the Privacy Act.
ii General obligations for data handlers
There is no distinction in the Privacy Act between entities that control and those that process personal information. Any handling of personal information, whether holding, processing or otherwise, is potentially subject to the APPs. The 13 APPs are summarised below.
APP 1 – open and transparent management of personal information
Organisations must take reasonable steps to implement practices, procedures and systems that ensure compliance with the APPs. See the discussion on the required content of privacy policies in Section V.
APP 2 – anonymity and pseudonymity
Individuals must have the option of not identifying themselves unless this is impracticable.
APP 3 – collection of solicited personal information
Information may be collected only if it is reasonably necessary for the organisation's functions or activities and must be collected only by lawful and fair means. An organisation may only collect information directly from the individual, unless this is unreasonable or impracticable.
APP 4 – unsolicited personal information
Where an organisation receives unsolicited personal information, it must, within a reasonable period, determine whether it could have collected the information itself under the APPs. If not, the organisation must destroy or 'de-identify' that information.
APP 5 – notification of collecting personal information
At or before the time of collection (or as soon as practicable afterwards), an organisation collecting personal information must take such steps (if any) as are reasonable in the circumstances to make the individual aware of a number of prescribed matters; for example:
- the identity of the organisation;
- the purposes of the collection;
- the types of organisation to whom the personal information may be disclosed;
- whether the organisation is likely to disclose the information to overseas recipients (and, if so, to which countries); and
Where personal information is not collected directly from the individual, an organisation must take reasonable steps to make sure the individual is informed of the same matters in respect of its indirect collection.
APP 6 – uses or disclosures of personal information
Personal information must only be used or disclosed for the purpose for which it was collected (the primary purpose). Personal information may be used or disclosed for a secondary purpose where:
- the secondary purpose is related to the primary purpose and the individual would reasonably expect it to be disclosed or used this way;
- the individual has consented to that disclosure or use; or
- another exception applies (e.g., that the use or disclosure is required by Australian law).
In the case of sensitive information, the secondary use or disclosure under item (a) above must be directly related to the primary purpose.
APP 7 – direct marketing
Sensitive information can only ever be used for direct marketing with the individual's consent. Other personal information cannot be used or disclosed for direct marketing unless an exception applies. Where direct marketing is permitted, organisations must always provide a means for the individual to 'opt out' of direct marketing communications.
APP 7 does not apply to the extent that the Do Not Call Register Act 2006 (Cth) or the Spam Act 2003 (Cth) apply.
APP 8 – cross-border disclosure of personal information
APP 8 regulates the disclosure of information to a person who is outside Australia. See the discussion in Section IV for further details of the requirements of APP 8.
Under Section 16C of the Privacy Act, in certain circumstances, an organisation may be deemed to be liable for a breach of the APPs by an overseas recipient of personal information disclosed by that organisation.
APP 9 – adoption, use or disclosure of government-related identifiers
An organisation must not adopt an identifier that has been assigned to an individual by a government agency as its own identifier of the individual; or disclose or use an identifier assigned to an individual by a government agency, unless an exception applies (e.g., the adoption, disclosure or use is required or authorised by an Australian law).
An identifier includes things such as a driving licence and passport number.
APP 10 – quality of personal information
An organisation must take reasonable steps to ensure that the personal information it collects, uses and discloses is accurate, complete and up to date and also, in the case of use or disclosure, relevant.
APP 11 – security of personal information
Organisations must take reasonable steps to protect information they hold from misuse, interference, loss, unauthorised access, modification or disclosure; and destroy or de-identify information once it is no longer needed for any purpose for which the information may be used or disclosed under the APPs.
APP 11 does not mandate any specific security obligations or standards. The OAIC, however, has published a Guide to securing personal information,12 which provides non-binding guidance on the reasonable steps organisations are required to take to protect the personal information they hold.
There are no specific rules governing the handling of personal information by third parties. The obligation placed on organisations under APP 11 to take reasonable steps to protect personal information they hold has the effect of requiring organisations to take reasonable steps to ensure that any third party (including an overseas data processor) handling personal information on their behalf also takes reasonable steps to protect personal information. The above-mentioned Guide to information security also provides non-binding guidance in relation to the processing of information by third parties.
APP 12 – access to personal information
As a general rule, an organisation must, upon request, give an individual access to any personal information held about him or her. There are exceptions to this general rule, including where the provision of access to personal information could have an unreasonable impact on the privacy of other individuals, or where denying access is required or authorised by Australian law.
APP 13 – correction of personal information
An organisation must take reasonable steps to correct any personal information if the entity is satisfied the information is inaccurate or where the individual requests the entity to do so. According to the Guidelines, the reasonable steps to be taken may include 'making appropriate [. . .] deletions'. However, individuals do not have an express legal right to have inaccurate data deleted.
If an organisation refuses to correct personal information, it must give reasons to the person who has requested the correction and tell them about the mechanisms available to complain about the refusal.
iii Technological innovation and privacy law
The Privacy Act is drafted in a technologically neutral manner and its provisions can be applied to developments in new technologies. As an example, the direct marketing principle, APP 7, has been taken by the Commissioner13 to apply to online behavioural advertising (OBA). In consequence, the requirements of APP 7 (e.g., to allow people to opt out of marketing communications) could apply to advertisements appearing through use of OBA.
Since sensitive information under the Privacy Act includes biometric information that is used for the purpose of automated biometric identification, it is likely that the use of automated facial and speech recognition technologies will require compliance with the obligations of the APPs relating to sensitive information. Those obligations include the requirement to obtain consent before the relevant biometric information is collected.
iv Specific regulatory areas
There are a number of state and federal acts that protect privacy in particular circumstances, such as when communicating over a telecommunications network, accessing a computer system, or when engaging in activities in a private setting or that protect specific types of information, such as credit information, tax file numbers, healthcare identifiers, eHealth records or health records.
IV INTERNATIONAL DATA TRANSFER AND DATA LOCALISATION
APP 8 provides that, prior to disclosing personal information to a recipient who is located outside Australia, an organisation must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the personal information. This requirement does not apply if:
- the organisation reasonably believes that the overseas recipient is bound by a law similar to the APPs that the individual can enforce;
- the individual consents to the disclosure of the personal information in the particular manner prescribed by APP 8; or
- another exception applies (e.g., that the disclosure of the personal information is required by Australian law).
The consent required by APP 8 has to be an informed consent, and in many cases its requirements are likely to be difficult to satisfy in practice. Further, in many cases the overseas recipient will not be subject to a similar overseas law that is enforceable by the individual. Accordingly, in most cases, the organisation must take 'reasonable steps' to ensure that the overseas recipient does not breach the APPs prior to disclosing that information to the overseas recipient. The Guidelines indicate that taking reasonable steps usually involves the organisation obtaining a contractual commitment from the overseas recipient that it will handle the personal information in accordance with the APPs.
V COMPANY POLICIES AND PRACTICES
- the kinds of personal information that the organisation collects and holds;
- how the organisation collects and holds personal information;
- the purposes for which the organisation collects, holds, uses and discloses personal information;
- how an individual may access personal information about the individual that is held by the organisation and seek correction of the information;
- how an individual may complain about a breach of the APPs, or a registered APP code (if any) that binds the organisation and how the organisation will deal with such a complaint;
- whether the organisation is likely to disclose personal information to overseas recipients;
- if the organisation is likely to disclose personal information to overseas recipients, the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy.
This is an overarching obligation applying to organisations in Australia and is generally understood as requiring organisations in Australia to implement the principles of 'privacy by design'. Helpful guidance as to what the Commissioner expects organisations to do to comply with this general obligation was published by the Commissioner in May 2015.14
VI DISCOVERY AND DISCLOSURE
Under APP 6, in general personal information can only be used and disclosed for the purpose for which the information was collected or for a related secondary purpose that would be reasonably expected by the individual. The disclosure of information in response to national or foreign government requests, or in response to domestic or foreign discovery court orders or internal investigations, would not normally satisfy this requirement. However, there are a number of exceptions that may, depending on the circumstances, be available to allow disclosure in response to such requests or orders. These are summarised below.
In the case of Australian legal proceedings, APP 6.2(b) allows disclosure if the disclosure is 'required or authorised by or under an Australian law or a court/tribunal order'. This will allow disclosures that are required or authorised under Australian rules of court.
In addition, Section 16A(i)(4) of the Privacy Act allows disclosure where it is 'reasonably necessary for the establishment, exercise or defence of a legal or equitable claim'. Disclosures of information in the course of legal proceedings where the disclosures are necessary to either assert or defend a claim will accordingly be permitted. Section 16A(i)(5) allows disclosure where it is reasonably necessary for the purposes of a 'confidential alternative dispute resolution process'. This will permit disclosures in the course of confidential mediations and the like. However, these exceptions do not apply to the disclosure of information to someone outside Australia and so would not be available for claims being pursued in foreign courts.
To disclose information in response to the order of a foreign government or court the disclosure will have to comply with both APP 6 and APP 8 (the cross-border disclosure principle). There has been no binding Australian legal decision on the consequences of a person receiving in Australia an order from a foreign court requiring the disclosure of personal information outside Australia. To satisfy both APP 6 and APP 8, the party seeking disclosure of the information outside Australia is likely to have to apply under a relevant international treaty (such as the Hague Convention), to which Australia is a party and which has been implemented in Australian local law. If these conditions can be satisfied, then the disclosure of the information outside Australia will be 'required or authorised by or under an Australian law' and so will be permitted under both APP 6.2(b) and APP 8.2(c).
Another option that might be available in some circumstances would be to redact all personal information from the relevant document before the document is disclosed outside Australia. Whether a document that has been redacted in this way will still comply with the orders of the foreign court will depend on the circumstances.
With respect to disclosures outside Australia, Section 13D(1) provides that acts done outside Australia do not interfere with privacy if the act is required by an applicable law of a foreign country. This exception may be of use where relevant personal information is already located outside Australia and, pursuant to the legal process in the place where it is located, it has to be disclosed to someone in that place. The exception will not be available with respect to information that is located in Australia.
VII PUBLIC AND PRIVATE ENFORCEMENT
i Enforcement agencies
If an individual makes a privacy complaint, the Commissioner has the power to attempt, by conciliation, to effect a settlement of the matter or to make a determination that includes declarations that:
- the individual is entitled to a specified amount as compensation for loss or damage suffered (including for injury to feelings or for humiliation);
- the organisation has engaged in conduct constituting an interference with the privacy of an individual and that it must not repeat or continue the conduct; and
- the organisation perform any reasonable act or course of conduct to redress any loss or damage suffered by the individual.
A determination of the Commissioner regarding an organisation is not binding or conclusive. However, the individual or the Commissioner has the right to commence proceedings in court for an order to enforce the determination.
The Commissioner also has the power to audit organisations (these audits are referred to in the Privacy Act as 'assessments'), accept enforceable undertakings, develop and register binding privacy codes and seek injunctive relief in respect of contraventions of the Privacy Act.
Finally, the Commissioner may apply to the Federal Court or Federal Circuit Court for a penalty (currently, up to A$420,000 for individuals or A$2.1 million for corporations) to be imposed for 'serious' or 'repeated' interferences with privacy. These penalties constitute regulatory fines and cannot be used to compensate individuals for breaches of the Privacy Act. As noted above, the Commissioner has not yet sought to levy the penalty on any organisation.
ii Recent enforcement cases
The Commissioner has recently taken action in a number of significant cases that are of potentially broad interest. These are summarised below.
Enforceable undertaking from Avid Life Media (ALM) following website attack
One of the enforcement powers available to the Commissioner is to accept an enforceable undertaking from an organisation it is investigating for breaches of privacy. Such an undertaking is likely to be offered by the organisation in the course of resolving an investigation by the Commissioner into its activities. The undertakings are enforceable by the Commissioner in the Federal Court.
ALM operates a number of adult dating websites, including 'Ashley Madison'. It is based in Canada, but its websites have users around the world, including Australia.
In July 2015, a cyber attacker announced the ALM website had been hacked and threatened to expose the personal information of Ashley Madison users unless ALM shut down its controversial website. ALM did not agree to the demand and, as a consequence, information that the hacker claimed was stolen from ALM (including profile information, account information and billing information from approximately 36 million user accounts) was published. This prompted the Commissioner and the Office of the Commissioner of Canada to launch a joint investigation into ALM's privacy practices.
The OAIC was satisfied that ALM was an organisation with an Australian link as it carried on business and collected personal information in Australia (despite not having a physical presence in Australia). The investigation identified a number of contraventions of the APPs, including with regard to ALM's practice of indefinite data retention and ALM not having an appropriate information security framework in place.
The Commissioner accepted an enforceable undertaking from ALM to address the concerns identified.
Provision of an enforceable undertaking by Optus
On 27 March 2015, the Commissioner accepted an enforceable undertaking from Optus (a major Australian telecommunications company) arising out of its investigation into three privacy incidents involving Optus.
In the first of these incidents, Optus became aware in April 2014 that, because of a coding error, the names, addresses and phone numbers of 122,000 Optus customers were listed in the White Pages directory without those customers' consent. In the second incident, Optus had issued modems to its customers in such a way that the management ports for the modems were issued with user default names and passwords in place. The consequence was that Optus customers who did not change the default user names and passwords were then vulnerable to a person making and charging calls as though they were the Optus customer. However, there was no evidence that the vulnerability had in fact been exploited. The final incident involved a security flaw that left some Optus customers vulnerable for eight months to 'spoofing attacks', under which an unauthorised party could access a customer's voicemail account.
Following an eight-month investigation, the Commissioner concluded that an enforceable undertaking was the most appropriate regulatory enforcement action in the circumstances. This conclusion was due, in most part, to Optus' cooperation with the Commissioner and steps it had taken to respond to the Commissioner's concerns. Under the terms of the undertaking, Optus was required to appoint an independent third party to conduct reviews of the additional security measures Optus adopted in response to the privacy incident and its vulnerability detection processes concerning the security of personal information.
Metadata collected by telecommunications companies constituted personal information to which the relevant individual could obtain access
In May 2015, the Commissioner found that metadata could be personal information under the Privacy Act where the organisation holding that data has the capacity and resources to link that information to an individual. The background to that finding was a request made by a journalist to access all metadata that Telstra (Australia's largest telecommunications company) stored about him in relation to his mobile service. Over the course of some months, Telstra ultimately released much of the requested metadata to the journalist, but continued to refuse access to IP address information, URL information and cell tower location information beyond that which Telstra retained for billing purposes.
The Commissioner found that the above three categories of information did constitute personal information under the Privacy Act and that Telstra had breached the Privacy Act by failing to release that information.
The decision was overturned by the Administrative Appeals Tribunal (AAT) in December 2015. The AAT reasoned that mobile network data would need to be information 'about an individual' for it to fall within the definition of personal information. It found that the relevant mobile network data was not information about an individual as such, but rather information about the way in which Telstra delivers its services. It could not, therefore, be characterised as personal information under the Privacy Act and did not need to be disclosed to customers upon request.
In coming to the conclusion that the mobile network data was not personal information, the AAT appears to have been influenced by evidence from Telstra that its mobile network data were kept separate and distinct from customer databases, rarely linked to these databases and not ordered or indexed by reference to particular customers.
On 14 January 2016, having considered the AAT's decision, the Commissioner filed a notice of appeal from a tribunal to the Federal Court of Australia. The Federal Court dismissed the Commissioner's appeal on 19 January 2017. In dismissing the appeal, the Court confirmed that if information is not 'about an individual', the information will not be personal information and, accordingly, the Privacy Act will not apply.
Enforceable undertaking from the Australian Red Cross following inadvertent disclosure by a third-party contractor
On 5 September 2016, a file containing personal information of approximately 550,000 individuals was inadvertently posted to a publicly accessible section of the Australian Red Cross (the Red Cross) website by a third-party contractor. This included 'personal details' and identifying information such as names, gender, addresses and sexual history.
The Red Cross was only made aware of this breach after an unknown individual notified the Red Cross through multiple intermediaries on 25 October 2016. Upon notification, the Red Cross took a number of immediate steps to contain the breach. This included notifying affected individuals, undertaking a risk assessment of the information compromised and conducting a forensic analysis on the exposed server.
The Commissioner found that the Red Cross did not breach the obligation relating to unauthorised disclosure of personal information, as it did not disclose personal information, this was done by a third-party employee. In addition, it was found that although the Red Cross did not physically hold the personal information, it retained ownership of the information because of the terms of its contract with the third-party contractor. Because of its ownership of the personal information, the Red Cross had an obligation to protect this personal information against unauthorised access or disclosure. The Commissioner concluded that the Red Cross had breached this obligation by failing to properly assess the adequacy of its third-party contractor's security practices and by failing to include control measures to mitigate the risks of contracting with a third party in its contractual arrangements.
The Red Cross accepted an enforceable undertaking on 28 July 2017 to engage an independent review of its third-party management policy and standard operating procedure. The third-party contractor also entered into an enforceable undertaking with the Commissioner's office to establish a data breach response plan and update its data protection policy.
iii Private litigation
In general, privacy legislation is only enforceable in Australia by the relevant authority. However, some limited private rights of action do exist, particularly a general right under the Privacy Act for anyone to seek an injunction to restrain conduct that would be a contravention of the Act.15
VIII CONSIDERATIONS FOR FOREIGN ORGANISATIONS
The Privacy Act has a broad extraterritorial application and applies to the overseas activities of Australian organisations and foreign organisations that have an 'Australian link'.16
An organisation is considered to have an 'Australian link' if there is an organisational link17 – for example, the organisation is a company incorporated in Australia; or if the organisation carries on business in Australia and collects or holds personal information in Australia.18 This has been interpreted very broadly as including an organisation that has a website that offers goods or services to countries including Australia.19
If an organisation's overseas activity is required by the law of a foreign country, then that activity is not taken to amount to an interference with the privacy of an individual.20
IX CYBERSECURITY AND DATA BREACHES
As stated above, APP 11 requires an organisation to take such steps as are reasonable in the circumstances to protect information from misuse, interference and loss; and from unauthorised access, modification or disclosure.
The obligation in APP 11 would extend to taking reasonable steps to protect information that an organisation holds against cyberattacks. See the discussion on APP 11 in Section III for more details of its requirements.
In addition to the general obligation under APP 11, particular industry sectors are subject by their regulators to take additional measures to protect information (including personal information) that they hold. Government agencies are also generally subject to government-specific security requirements, most notably the Protective Security Policy Framework.
The Privacy Amendment (Notifiable Data Breaches) Act 2017 came into effect on 22 February 2018 and amended the Privacy Act to impose an express obligation on entities to notify the OAIC, affected individuals and at-risk individuals in the event of an 'eligible data breach'.
An eligible data breach refers to any unauthorised access, disclosure or loss of information that a 'reasonable person' is 'likely' to conclude would result in serious harm to an individual. In the event an entity becomes aware that an eligible data breach may have occurred, it must provide a copy of a statement to the OAIC setting out the details of the breach as soon as is practicable. It must also subsequently notify any individuals affected by or at risk of being affected by the eligible data breach.
On 31 August 2017, the OAIC released its Corporate Plan 2017–2018.21 The Corporate Plan indicates that the OAIC will focus on the following activities in the coming year: compliance with the new Notifiable Data Breaches scheme; conducting targeted privacy audits (assessments) in areas of national security, national health and identity management to assess organisations' compliance with the Privacy Act; and the development of an Australian Public Services Privacy Governance Code.
1 Michael Morris is a partner at Allens.
2 See in particular Giller v. Procopets  VSCA 236.
3 See Australian Broadcasting Corporation v. Lenah Game Meats Pty Ltd (2001) 208 CLR 199.
4 Note, however, that Victoria has enacted the Charter of Human Rights and Responsibilities and the Australian Capital Territory has enacted the Human Rights Act 2004 (ACT). Both include the right for individuals not to have their privacy unlawfully or arbitrarily interfered with.
6 Section 6D.
7 Section 16 of the Privacy Act.
8 Section 7B(4) of the Privacy Act.
9 Section 7C(1) of the Privacy Act.
10 Section 7B(3) of the Privacy Act.
11 Section 13B of the Privacy Act.
12 'Guide to securing personal information: “Reasonable steps” to protect personal information:
January 2015', available at www.oaic.gov.au/agencies-and-organisations/guides/guide-to-securing-personal-information.
13 Section 7.11, Privacy Guidelines, 'Chapter 7: Australian Privacy Principle 7 – Direct marketing: Version 1.0, February 2014' available at www.oaic.gov.au/images/documents/privacy/applying-privacy-law/app-guidelines/chapter-7-app-guidelines-v1.pdf.
14 'Privacy management framework: enabling compliance and encouraging good practice', available at www.oaic.gov.au/resources/agencies-and-organisations/guides/privacy-management-framework.pdf.
15 Section 98 of the Privacy Act.
16 Section 5B(1A) of the Privacy Act.
17 Section 5B(2) of the Privacy Act.
18 Section 5B(3) of the Privacy Act.
19 Section B.14, Privacy Guidelines, available at www.oaic.gov.au/images/documents/privacy/applying-privacy-law/app-guidelines/APP-guidelines-combined-set-v1.pdf.
20 Section 13D(1) of the Privacy Act.