The Privacy Act 1988
The Privacy Act 1988 (Privacy Act) was passed by the Australian Parliament at the end of 1988 and commenced in 1989. The Privacy Act gave effect to Australia's agreement to implement the Organisation for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, as well as to its obligations under Article 17 of the International Covenant on Civil and Political Rights.
Initially the Privacy Act had two objectives, to:
- protect personal information in the possession of Australian Government agencies — the Privacy Act included eleven Information Privacy Principles, which were based on OECD guidelines and set out standards in relation to Australian Government agencies collecting, storing, using and disclosing, providing access to, and correcting personal information
- implement safeguards for the collection and use of tax file numbers — the Privacy Act included the Interim Tax File Number Guidelines, which regulated the handling of tax file numbers.
The introduction of the Privacy Act also saw the appointment of the first Privacy Commissioner, within the Human Rights and Equal Opportunity Commission (the HREOC).
Expanding the coverage of the Privacy Act
1991 — Credit reporting: The Privacy Amendment Act 1990, which commenced on 24 September 1991, introduced a Part IIIA into the Privacy Act regulating the handling of consumer credit reports by credit reporting agencies and credit providers.
1994 — Australian Capital Territory: ACT Government agencies became bound by a version of the Privacy Act through the Australian Capital Territory Government Service (Consequential Provisions) Act 1994.
2000 — Office of the Privacy Commissioner: the Privacy Amendment (Office of the Privacy Commissioner) Act 2000 established the Office of the Privacy Commissioner and separated the Privacy Commissioner from the Human Rights and Equal Opportunity Commission on 1 July 2000.
2001 — Private sector: In December 2000, the Privacy Amendment (Private Sector) Act 2000 extended coverage of the Privacy Act to some private sector organisations. The amendments commenced on 21 December 2001. These amendments introduced 10 National Privacy Principles (NPPs) into the Privacy Act, which set out standards in relation to private sector organisations collecting, using and disclosing, keeping secure, providing access to, and correcting personal information.
2010 — The Office of the Australian Information Commissioner (OAIC): The Australian Information Commissioner Act 2010established the OAIC on 1 November 2010. The former Office of the Privacy Commissioner was integrated into the OAIC on 1 November 2010. The OAIC is headed by the Australian Information Commissioner, who is supported by two other statutory officers: the Freedom of Information Commissioner and the Privacy Commissioner. Further information about the OAIC is available on the What we do and the Australian Information Commissioner Act pages.
2011 — Norfolk Island: On 1 January 2011, the Privacy Act was extended to Norfolk Island Government agencies by the Territories Law Reform Act 2010.
2014 — Major privacy reforms: The Privacy Amendment (Enhancing Privacy Protection) Act 2012, which commenced on 12 March 2014, introduced many significant changes to the Privacy Act, including:
- the Australian Privacy Principles, which replaced the IPPs and the NPPs, to regulate the handling of personal information by Australian and Norfolk Island Government agencies and some private sector organisations
- a new Part IIIA of the Privacy Act, which allows for more comprehensive credit reporting
- a new requirement for a credit provider to be a member of an external dispute recognition scheme (EDR scheme) recognised under the Privacy Act, to be able to participate in the credit reporting system
- new laws on codes of practice about information privacy (APP codes) and a code of practice for credit reporting (the CR code), including enabling the Information Commissioner to develop and register binding codes that are in the public interest
- new enforcement powers for the Information Commissioner.
For further information about these changes, see Privacy Law Reform.
2014 – ACT privacy reforms: The Information Privacy Act 2014 (ACT), which commenced on 1 September 2014, introduced new privacy laws for ACT public sector agencies. The Information Privacy Act introduced the Territory Privacy Principles (TPPs), which set out standards for handling personal information. These TPPs are similar to the APPs. For more information about this change, see Australian Capital Territory Privacy.
Other additions to our privacy functions
Other additions to our privacy functions include the following:
1990 — Spent convictions: The Privacy Commissioner was given compliance and advisory functions in relation to spent convictions information when Part VIIC of the Crimes Act 1914 . These came into effect on 30 June 1990. Part VIIC deals with aspects of the collection, use and disclosure of old conviction information.
1990 — TFN Data matching: The Data-matching Program (Assistance and Tax) Act 1990, and guidelines made under that Act, gave the Privacy Commissioner oversight and compliance functions in relation to how the Australian Taxation Office (ATO) and certain other agencies use tax file numbers to compare personal information for the purpose of detecting incorrect payments
1991 - Medicare and Pharmaceutical benefits schemes: The Privacy Commissioner acquired additional functions under amendments to the National Health Act 1953, in relation to guidelines to safeguard personal information provided for the purposes of the Medicare and pharmaceutical benefits schemes.
1997 — Telecommunications: The Privacy Commissioner was given monitoring, advisory and compliance functions in relation to the privacy of personal information held by telecommunications carriers, carriage service providers and others following the introduction of the Telecommunications Act 1997 (Telecommunications Act) and amendments to the Telecommunications (Interception and Access) Act 1979 (TIA Act). More information can be found on the Telecommunications page.
2006 — Anti-Money Laundering and Counter-Terrorism: The introduction of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) established a requirement that the Australian Transaction Reports and Analysis Centre (AUSTRAC), the agency responsible for ensuring compliance with the AML/CTF Act, consult the Privacy Commissioner on matters that relate to the privacy of individuals. More information can be found on the Anti-money laundering page.
2010 — Healthcare identifiers: The Privacy Commissioner was given oversight and compliance functions following the introduction of the Healthcare Identifiers Act 2010 (HI Act), including the investigation of complaints about the mishandling of healthcare identifiers.
2012 — Personal Property Securities Register: The Australian Information Commissioner was given a new compliance function by the Personal Property Securities Act 2009 in relation to personal information contained in the Personal Property Securities Register, which commenced in 2012.
2012 — Electronic health records: A new function and, importantly, new powers were conferred on the Australian Information Commissioner by the Personally Controlled Electronic Health Records Act 2012. For more information see our E-health records page.