The Office of the Australian Information Commissioner (OAIC) mainly deals with issues that are covered by the Privacy Act 1988 (Privacy Act). The Privacy Act regulates the handling of personal information by Australian Government agencies (and the Norfolk Island Administration), and some private sector organisations. Other Australian states and territories, along with many other countries, have equivalent legislation.
For information on privacy regulation in the states and territories, please refer to the appropriate links below. You may contact the OAIC Enquiries line if you have further questions about what aspects of privacy are dealt with by the OAIC.
State and territory privacy
Australian Capital Territory
The Information Privacy Act 2014 (ACT) (which commenced on 1 September 2014) regulates the handling of personal information by ACT public sector agencies.
The Office of the Australian Information Commissioner is exercising some of the functions of the ACT Information Privacy Commissioner. These responsibilities include handling privacy complaints against, and receiving data breach notifications from, ACT public sector agencies, and conducting assessments of ACT public sector agencies’ compliance with the Information Privacy Act. For more detailed information see Australian Capital Territory Privacy.
New South Wales
The NSW Information and Privacy Commission undertakes the privacy functions conferred by the Privacy and Personal Information Protection Act 1998 (NSW) and Health Records and Information Privacy Act 2002 (NSW).
South Australia
South Australia has issued an administrative instruction requiring its government agencies to generally comply with a set of Information Privacy Principles and has established a South Australian privacy committee to handle privacy complaints.
Tasmania
The Tasmanian Ombudsman may receive and investigate complaints in relation to the Personal Information and Protection Act 2004 (Tas). This legislation covers the Tasmanian public sector including the University of Tasmania.
Victoria
The Victorian Commissioner for Privacy and Data Protection is an independent statutory officer established by the Privacy and Data Protection Act 2014 (Vic) (which commenced on 17 September 2014). This legislation covers the handling of all personal information, other than health information, as well as covering protective data security, in the public sector in Victoria.
Western Australia
The state public sector in Western Australia does not currently have a legislative privacy regime. Various confidentiality provisions cover government agencies and some of the privacy principles are provided for in the Freedom of Information Act 1992 (WA) overseen by the Office of the Information Commissioner (WA).
State and territory health privacy
The Privacy Act 1988 (Privacy Act) applies to all health service providers in the private sector throughout Australia. A ‘health service provider’ is a person or entity who provides a health service and holds health information, even if providing a health service is not their primary activity. Health service providers are covered by the Privacy Act for all activities involving the handling of personal information, not just activities that relate to providing a health service.
The Privacy Act does not apply to state and territory public sector health service providers, such as public hospitals.
New South Wales (NSW), Victoria and the Australian Capital Territory (ACT) have specific health privacy legislation that covers all health service providers (public and private sector) in those jurisdictions. This means that private sector health service providers operating in NSW, Victoria and the ACT must comply with both Commonwealth and state or territory privacy legislation when handling health information.
Queensland, the Northern Territory and Tasmania have privacy legislation that applies only to their public sector, including public sector health service providers. Western Australia and South Australia do not have specific privacy legislation although South Australia has administrative directions and codes that apply to the public sector, including public sector health service providers. South Australia also has health care legislation that contains some privacy related provisions.
For information on privacy regulation of health service providers in the states and territories, please refer to the appropriate links below. You may contact the OAIC Enquiries line if you have further questions about what aspects of privacy are dealt with by the OAIC.
The OAIC is also the independent privacy regulator for the eHealth record system and Healthcare Identifier service and has functions and responsibilities under both the My Health Records Act 2012 and the Healthcare Identifiers Act 2010. More information is available on the eHealth records page.
Australian Capital Territory
The Health Records (Privacy and Access) Act 1997 (ACT) regulates the handling of health information by both public and private sector health service providers in the ACT. The ACT Health Services Commissioner is one of three Commissioners within the ACT Human Rights Commission and handles health record privacy complaints.
New South Wales
The Health Records and Information Privacy Act 2002 (NSW) (HRIP Act) outlines how NSW health service providers and public sector agencies must manage the health information of individuals in NSW. The HRIP Act applies to organisations (public sector agencies or a private sector person) that are health service providers or that collect, hold or use health information. The NSW Information and Privacy Commission administers the HRIP Act and accepts complaints about the handling of health information.
Victoria
The Health Records Act 2001 (Vic) provides for the protection of health information held by the Victorian public and private sectors. The Act is administered by the Office of the Health Services Commissioner, an independent statutory body which conciliates complaints between consumers and health care providers.
Northern Territory
The Information Act 2003 (NT) applies to NT public sector bodies, including to their handling of health information. The Office of the Information Commissioner for the Northern Territory is the independent statutory body responsible for overseeing the privacy provisions of the Act and accepts complaints from consumers relating to the privacy of health information. The Health and Community Services Complaints Commission is also able to accept and resolve complaints about health, disability and aged services in the Northern Territory.
Queensland
The Information Privacy Act 2009 (Qld) regulates the handling of personal information, including health information, by the Queensland public sector. Queensland Health’s website has a comprehensive list of privacy and confidentiality contact officers for public hospitals throughout the state. The Queensland Office of the Information Commissioner receives and conciliates complaints related to the privacy of health information. Queensland’s Health Ombudsman can also receive and investigate complaints about health services and health service providers, including registered and unregistered health practitioners.
Tasmania
The Personal Information and Protection Act 2004 (Tas) covers the Tasmanian public sector including public hospitals. The Office of the Ombudsman and Health Complaints Commissioner of Tasmania can receive and investigate complaints under the Act.
South Australia
The state public sector in South Australia does not currently have a legislative privacy regime. However, South Australian government agencies are required to comply with a set of Information Privacy Principles – PC012 Information Privacy Principles Instruction. The Privacy Committee of South Australia oversees the implementation of these Information Privacy Principles by the South Australian public sector.
In addition, the South Australian Department of Health and Department of Families and Communities have developed a Code of Fair Information Practice which outlines what the Departments and their service providers should do, and what clients can expect, in protecting personal information. The Code also has its own set of privacy principles which have specific requirements for the handling of health information.
The handling of personal information by public sector employees is also addressed in the Health Care Act 2008 (SA). A public health sector employee can be fined up to $10,000 if any personal information relating to a client is divulged inappropriately.
The Health and Community Services Complaints Commissioner also receives complaints about government, private and non-government health and community services.
Western Australia
The state public sector in Western Australia does not currently have a legislative privacy regime. Various confidentiality provisions cover government agencies and some of the privacy principles are provided for in the Freedom of Information Act 1992 (WA) overseen by the Office of the Information Commissioner (WA). The Health and Disability Services Complaints Office (HaDSCO) is an independent statutory authority that also handles complaints relating to health and disability services in Western Australia.
International privacy law
The OAIC participates in several international forums and arrangements to:
- promote best privacy practice internationally
- address emerging privacy issues in our region
- cooperate on cross-border privacy regulation and enforcement matters.
Further information about the OAIC’s international activities can be found in the Networks section of this site.