Background to the Privacy Act 1988
The Privacy Act 1988 (Privacy Act) was passed by the Australian Parliament at the end of 1988 and commenced in 1989. The Privacy Act gave effect to Australia's agreement to implement the Organisation for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, as well as to its obligations under Article 17 of the International Covenant on Civil and Political Rights.
The introduction of the Privacy Act saw the appointment of the first Privacy Commissioner and the establishment of the privacy regulator, the Office of the Privacy Commissioner (OPC).
Initially, the Privacy Act had two objectives:
- the protection of personal information in the possession of Australian Government departments and agencies
- safeguards for the collection and use of tax file numbers (this was connected with the up-grading of the tax file number system following the demise of the 'Australia Card' proposal).
ACT government agencies became bound by the Privacy Act through the passing of the Australian Capital Territory Government Service (Consequential Provisions) Act 1994. On 1 January 2011, the Privacy Act was extended to the Norfolk Island government by the Territories Law Reform Act 2010.
Eleven Information Privacy Principles (IPPs), which are based on the OECD guidelines, set out how Australian, ACT and Norfolk Island government agencies must collect, store, use and disclose, provide access to and correct personal information.
In December 2000, the Privacy Amendment (Private Sector) Act 2000 was passed by Parliament and extended coverage of the Privacy Act to many private sector organisations. The new scheme came into effect on 21 December 2001.
The Privacy Amendment (Private Sector) Act 2000 introduced 10 National Privacy Principles (NPPs) into the Privacy Act. The NPPs set out how private sector organisations must collect, use and disclose, keep secure, provide access to and correct personal information.
Other additions to the Commissioner's jurisdiction
On 1 November 2010, additional jurisdictions previously acquired by the Privacy Commissioner was transferred to the Australian Information Commissioner (see ‘the Office of the Australian Information Commissioner and Freedom of Information Reform’ section below).
The Privacy Amendment (Private Sector) Act 2000 was one of many additions to the Privacy Commissioner's jurisdiction since the Privacy Act commenced in 1989.
The additions to the Commissioner’s jurisdiction include the following:
- Tax file numbers: The Interim Tax File Number Guidelines, which regulated the handling of tax file numbers, were contained in the Privacy Act and came into effect 1 January 1989. They were replaced by the Tax File Number Guidelines 1990 which came into effect October 1990. The 1990 Guidelines were replaced by the Tax File Number Guidelines 1992 (which came into effect 21 December 1992), which were subsequently replaced by the Tax File Number Guidelines 2011 which came into effect December 2011.
- Spent convictions: The Privacy Commissioner was given compliance and advisory functions in relation to spent convictions information when Part VIIC of the Crimes Act 1914 came into effect on 30 June 1990. Part VIIC deals with aspects of the collection, use and disclosure of old conviction information.
- Data matching and credit reporting: Two major additions were made in the areas of government data-matching and credit reporting:
- the Data-matching Program (Assistance and Tax) Act 1990 and guidelines made under that Act gave the Privacy Commissioner oversight and compliance functions in relation to how the Australian Taxation Office (ATO) and assistance agencies use tax file numbers to compare personal information for the purpose of detecting incorrect payments
- the Privacy Amendment Act 1990, which commenced on 24 September 1991, introduced a new Part IIIA into the Privacy Act which regulates the handling of consumer credit reports by credit reporting agencies and credit providers.
- Medicare and Pharmaceutical benefits schemes: The Privacy Commissioner acquired additional functions under amendments to the National Health Act 1953 (passed in 1991), in relation to guidelines to safe guard personal information provided for the purposes of the Medicare and pharmaceutical benefits schemes.
- Telecommunications: The Privacy Commissioner was given monitoring, advisory and compliance functions in relation to the privacy of personal information held by telecommunications carriers, carriage service providers and others following the introduction of the Telecommunications Act 1997 (Telecommunications Act) and amendments to the Telecommunications (Interception and Access) Act 1979 (TIA Act). More information can be found on the Telecommunications page.
- Anti-Money Laundering and Counter-Terrorism: The introduction of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) established a requirement that the Australian Transaction Reports and Analysis Centre (AUSTRAC), the agency responsible for ensuring compliance with the AML/CTF Act, consult the Privacy Commissioner on matters that relate to the privacy of individuals. More information can be found on the Anti-money laundering page.
- Healthcare identifiers: The Privacy Commissioner was given oversight and compliance functions following the introduction of the Healthcare Identifiers Act 2010 (HI Act), including the investigation of complaints about the mishandling of healthcare identifiers.
- Personal Property Securities Register: In 2012, the Australian Information Commissioner was given a new compliance function by the Personal Property Securities Act 2009 in relation to personal information contained in the Personal Property Securities Register.