The Privacy Act 1988 (Privacy Act) regulates the way that Australian, ACT and Norfolk Island Government agencies and some private sector organisations (APP entities) collect, use, disclose, secure, provide access to and correct personal information. Several other laws also regulate the handling of particular information about an individual, for example, criminal records. The Office of the Australian Information Commissioner’s (OAIC) can take regulatory and enforcement action to encourage and ensure compliance with privacy obligations. The OAIC’s Privacy regulatory action policy explains the OAIC’s approach to using these privacy regulatory action powers.
One of the OAIC key roles is to investigate complaints made by individuals, about alleged interferences with privacy. More information on complaints can be found in the Privacy complaints section of this site.
Public interest determinations
The Privacy Act 1988 (Privacy Act) allows the Information Commissioner to make Public interest determinations (PID).
More information about PIDs, how the Information Commissioner makes these determinations and a list of PIDs is available on the Public interest determinations register page.
The Privacy Act allows the Information Commissioner to approve and register enforceable privacy codes that have been developed by entities on their own initiative, or developed by the Information Commissioner directly.
For further information, see the Privacy Codes Register.
Privacy Opt-in Register
The Privacy Act allows small business operators, who would otherwise not be covered by the Privacy Act, to choose to be treated as an organisation for the purposes of the Privacy Act and therefore subject to the Australian Privacy Principles.
For more information about how to opt-in, the opt-in form and how to opt-out see the Privacy opt-in register.
List of Recognised EDR schemes
The Privacy Act allows the Information Commissioner to recognise, by written notice, external dispute resolution (EDR) schemes to handle particular privacy-related complaints (s 35A of the Privacy Act).
For more information about EDR schemes that have applied and those that have been recognised see the Recognised EDR schemes page.
Privacy guidelines and rules
The OAIC issues guidelines to assist entities to comply with the Privacy Act. These guidelines contain detailed information about particular aspects of the Privacy Act and related legislation. Some guidelines are binding legislative instruments, such as the Guidelines issued under s 95A of the Privacy Act, which entities must comply with. Others are advisory such as the APP guidelines.
The Information Commissioner also has powers under the Privacy Act to make binding rules such as the Privacy (Persons Reported as Missing) Rule 2014.
Regulatory powers for working with entities
The Information Commissioner has a range of regulatory powers for working with entities to encourage compliance and best practice privacy practices
The Information Commissioner has powers under the Privacy Act to conduct an assessment of whether an entity is maintaining and handling personal information in accordance with relevant provisions (such as the Australian Privacy Principles). Assessment is a key method for determining the extent of compliance with the Privacy Act. The assessment function promotes good privacy practice amongst entities that are subject to the Privacy Act.
For further information, see the Privacy assessments page.
The Information Commissioner can direct an agency to give the Commissioner a privacy impact assessment (PIA) about a proposed activity or function. The Commissioner may issue a PIA direction where the proposed activity involves the handling of personal information, and the Commissioner considers that the activity or function might have a significant impact on the privacy of individuals.
In addition to the power to register codes that have been developed by entities on their own initiative, the Information Commissioner can request entities to develop an APP code and apply for the code to be registered, where the Commissioner is satisfied that it is in the public interest for the code to be developed. Where a request is not complied with, or the Commissioner decides not to register the relevant code, the Commissioner may develop the code and register it.
Once registered, a code is enforceable in relation to the entities or class of entities specified in the code. For further information about the development of codes, see the Privacy codes register page.
Investigation and enforcement powers
Privacy complaint investigations
The Information Commissioner has the power to investigate an entity that is covered by the Privacy Act following a complaint. Generally, the Information Commissioner must attempt to conciliate a complaint.
The OAIC produces case notes, which are summaries of privacy complaint investigations. They are selected on the basis that they involve the interpretation of the Privacy Act or associated legislation in new circumstances, illustrate systemic issues, or illustrate the application of the law to a particular industry or subject area. For further information, see the Privacy case notes page.
Privacy complaint investigations that result in a formal determination under section 52 of the Privacy Act are published as Privacy determinations.
Commissioner initiated investigations (CIIs)
The Information Commissioner has the power to investigate an entity that is covered by the Privacy Act on his own initiative, that is, without someone making a complaint. For example, if the media reports an alleged breach of privacy, the OAIC may take action and investigate before a complaint is made. Results of these investigations are generally published as Commissioner initiated investigation reports or if a formal determination is made under s 52 of the Privacy Act as Privacy determinations.
Privacy enforceable undertakings
The Information Commissioner may accept an enforceable undertaking from an entity. An enforceable undertaking is a promise by an entity that it will take specified action or refrain from taking specified action in order to comply with the Privacy Act, or to ensure it does not do an act or engage in a practice that interferes with an individual’s privacy. If an entity does not comply with the terms of an undertaking it has given, the Commissioner may apply to the courts to enforce the undertaking.
The Information Commissioner can make a determination on a privacy complaint where conciliation has not resolved the matter. The Information Commissioner can also make a determination after conducting a Commissioner initiated investigation. Determinations can provide useful guidance about the application of the Privacy Act.
For further information, see the Privacy determinations page.
Privacy injunctions and civil penalty orders
The Information Commissioner may apply to the courts for an injunction to restrain a person from engaging in conduct that would constitute a breach of the Act.
The Information Commissioner may also apply to the courts for an order that an entity pay the Commonwealth a civil penalty. The Information Commissioner can make this application where an entity has breached a ‘civil penalty provision’. For example, s 13G of the Privacy Act (serious or repeated interferences with privacy) is a civil penalty provision and an entity that contravenes this section may be liable to pay a civil penalty. Other civil penalty provisions are contained in Part IIIA (Credit reporting) of the Act.