The Privacy Act 1988 (Privacy Act) protects your personal information. Personal information is information or an opinion that identifies you or could identify you. Some examples are your name, address, telephone number, date of birth, medical records, bank account details and opinions about you.
On 12 March 2014, changes to the Privacy Act commenced. These changes include a new set of Australian Privacy Principles (APPs), which set out how private sector organisations and Australian Government agencies (called entities), must handle your personal information. They also include changes to the way your credit information can be collected and used and new powers for the Office of the Australian Information Commissioner (OAIC) to resolve privacy complaints and investigations.
This fact sheet will give you an overview of the key changes, and how they might affect you.
Under the new laws, entities have greater responsibility to manage information in an open and transparent way.
Entities should also give you a ‘privacy notice’ when they collect your personal information.
The privacy notice should tell you who the entity is and how to contact them, why they are collecting your personal information, if there are consequences to not providing it, who they are likely to give it to, and whether they are likely to disclose it to an overseas organisation or agency.
Privacy tip: Read privacy policies and notices to find out what will happen to your personal information.
Under the new laws, you have the right to deal with an entity anonymously (without giving your name) or pseudonymously (using an assumed name), unless it is not appropriate for the type of interaction you are having.
You have this right when talking to all entities that are covered by the Privacy Act, but it may not always be possible. For example, if you wish to open a bank account or receive a government benefit, you will usually have to provide proof of your identity.
There are new rules about how entities can use or share your personal information to direct market you their goods or services. They are only allowed to do this in certain circumstances.
If they do they must give you a simple way to ask them to stop. They must stop if you ask them to (remember to keep a record). And if you ask them, they must also tell you where they got your personal information from.
Entities are not allowed to use sensitive information for direct marketing, unless you have previously agreed to this. Sensitive information includes information about your health, who you vote for, your ethnicity or your sexual orientation.
Privacy tip: Don’t want to receive direct marketing? Opt out and ask where the organisation got your personal information.
Disclosing personal information overseas
If an entity discloses your personal information to an overseas organisation or agency they need to make sure that it will be handled in accordance with Australian privacy law.
If your personal information is mis-handled by the overseas organisation or agency, the entity that disclosed your information may be legally responsible for this.
These obligations don’t apply in some circumstances, such as where you specifically agree to your information being disclosed to an overseas organisation or agency.
Accurate and up-to-date records
People now have greater rights to access and correct records containing their personal information.
If an entity holds personal information about you and you ask to access it, they must give it to you except in some limited circumstances.
They must respond to your request for access within a reasonable period (generally less than 30 days). They should also give you access in the manner you have requested. If they refuse to give you access they must give you a written notice that includes reasons.
An entity is not allowed to charge you for asking for access. Australian Government agencies are also not allowed to charge for giving you access, but private sector organisations may impose a reasonable charge.
If an entity holds personal information about you that is incorrect, you can ask them to correct it.
You can ask them to correct your personal information if it is: inaccurate, not up-to-date, incomplete, irrelevant or misleading.
Entities must respond to your request for correction within a reasonable period (generally less than 30 days). If they refuse to make the correction they must give you a written notice that includes reasons.
If your personal information is held by an Australian Government agency you may be able to get access to it or ask that it be corrected under the Freedom of Information Act 1982. However, many requests for access and correction can be dealt with informally and quickly — a phone call or email may be all that is required.
Privacy tip: Check that the information held about you is correct, and if not ask for it to be corrected.
Information provided in this fact sheet is of a general nature and is not a substitute for legal advice.
For further information
telephone: 1300 363 992
write: GPO Box 5218, Sydney NSW 2001
Or visit our website at www.oaic.gov.au