Who has rights under the Privacy Act?
The Privacy Act 1988 (Privacy Act) regulates the way individuals’ personal information is handled.
As an individual, the Privacy Act gives you greater control over the way that your personal information is handled. The Privacy Act allows you to:
- know why your personal information is being collected, how it will be used and who it will be disclosed to
- have the option of not identifying yourself, or of using a pseudonym in certain circumstances
- ask for access to your personal information (including your health information)
- stop receiving unwanted direct marketing
- ask for your personal information that is incorrect to be corrected
- make a complaint about an entity covered by the Privacy Act, if you consider that they have mishandled your personal information.
Who has responsibilities under the Privacy Act?
Australian and Norfolk Island Government agencies and all businesses and not-for-profit organisations with an annual turnover greater than $3 million have responsibilities under the Privacy Act subject to some exceptions.
As well some small business operators (organisations with a turnover of $3 million or less) are covered by the Privacy Act including:
- private sector health service providers, including child care centres, private schools and private tertiary educational institutions
- businesses that sell or purchase personal information
- credit reporting bodies
- contracted service providers for a Commonwealth contract
- employee associations registered or recognised under the Fair Work (Registered Organisations) Act 2009
- businesses that have opted-in to the Privacy Act
- businesses prescribed by the Regulations.
In addition, particular acts and practices of some other small business operators are covered by the Privacy Act including:
- activities of reporting entities or authorised agents relating to the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 and its Regulations and Rules
- acts and practices to do with the operation of a residential tenancy database
- activities related to the conduct of a protection action ballot.
The Privacy Act also covers specified persons handling your:
- credit reporting information — including credit reporting bodies, credit providers (which includes energy and water utilities and telecommunication providers) and certain other third parties
- tax file numbers under the Tax File Number Guidelines
- personal information contained on the Personal Property Securities Register
- old conviction information under the Commonwealth Spent Convictions Scheme
- ehealth record information under the Personally Controlled Electronic Health Records Act 2012 and Individual Healthcare Identifiers under the Healthcare Identifiers Act 2010
Privacy Act and ACT Government Agencies
A different version of the Privacy Act applies to ACT Government agencies. The Privacy Act, as in force on 1 July 1994 (and as modified by the Australian Capital Territory Government Service (Consequential Provisions) Act 1994), applies to those agencies.
Who doesn't have responsibilities under the Privacy Act?
The Privacy Act does not cover:
- State or Northern Territory Government agencies, including state and territory public hospitals and health care facilities (which are covered under State and territory legislation) except:
- ACT Government agencies handling health information or health records
- individuals acting in their own capacity, including your neighbours
- universities, other than private and ACT universities and the Australian National University
- public schools (except ACT public schools)
- in some circumstances, the handling of employee records by an organisation in relation to current and former employment relationships
- small business operators, unless an exception applies (see above)
- media organisations acting in the course of journalism if the organisation is publicly committed to observing published privacy standards
- registered political parties and political representatives.