This information sheet aims to help organisations work out if the private sector provisions in the Privacy Act 1988 (Cth) (the Privacy Act) apply to them.
It lists the types of entities that the Privacy Act will apply to and those that will be exempt from its coverage. This information sheet also describes the acts and practices of organisations that are exempt from coverage of the Privacy Act.
Entities covered by the Privacy Act
The private sector provisions in the Privacy Act apply to 'organisations'. Section 6C of the Privacy Act sets out the types of entities that may be an organisation. These are:
- an individual;
- a body corporate;
- a partnership;
- any other unincorporated association; and
- a trust.
(These terms are explained in more detail in the last section of this information sheet.)
Section 6C(1) of the Privacy Act further qualifies the term 'organisation' by stating that some of these entities are not organisations (and so are not covered by the private sector provisions). The following entities are not deemed to be organisations for the purpose of the Privacy Act.
- The entity carries on a small business and meets the test to be a small business operator (refer below).
- The entity is a registered political party.
- The entity is a Commonwealth Government 'agency'.
- The entity is a State or Territory authority or a prescribed instrumentality of a State or Territory.
Entities not covered by the Privacy Act
Small business operators
A small business with an annual turnover of $3 million or less is a small business operator and so not covered by the Privacy Act unless it:
- is related to a business (that is, its holding company or any subsidiary company) that has an annual turnover of greater than $3 million;
- provides a health service and holds health information other than in an employee record;
- discloses personal information about another individual to anyone else for benefit, service or advantage (unless it does so with the consent of the individual concerned or is required or authorised to do so under legislation);
- provides a benefit, service or advantage to collect personal information about another individual from anyone else (unless it does so with the consent of the individual concerned or is required or authorised to do so under legislation);
- is a contracted service provider for a Commonwealth contract (even if it is not a party to the contract);
- is a reporting entity for the purpose of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act), in respect of the activities it carries out to comply with its AML/CTF obligations (for further information see s. 6E(1A) of the Privacy Act);
- is prescribed by regulation;* or
- opts in to the legislation.
[*Note: The regulations have prescribed the operations of residential tenancy databases operators.]
Good practice tip - small business operators can opt in to the Privacy Act
Although the Privacy Act does not apply to small business operators, a small business operator may want to take advantage of the benefits that can flow from complying with the legislation. The benefits could include increased consumer confidence and trust in its operations. The Privacy Act provides a mechanism to allow an organisation that is a small business operator to opt in to the Privacy Act. A small business operator that is covered by the Privacy Act because it has opted in remains covered until it specifically opts out. A list of those businesses that have opted in can be viewed here.
Registered political parties
Registered political parties are excluded from the definition of organisation and so are not subject to the private sector provisions. The Privacy Act defines a registered political party as one that is registered under Part XI of the Commonwealth Electoral Act 1918. The acts and practices of political representatives are also not subject to the Privacy Act, as described below.
Commonwealth government agencies
Commonwealth government agencies are already covered by the Privacy Act and so are not covered by the private sector provisions.
These agencies include:
- federal government departments; and
- bodies and tribunals set up for a public purpose by federal government laws.
Some types of organisations, even if set up by federal government law, are not agencies. These include:
- incorporated companies;
- incorporated societies; and
- incorporated associations.
State or Territory authorities and prescribed instrumentalities
The Privacy Act does not cover most State and Territory government bodies, such as government departments, agencies, authorities and local government.
However, State or Territory bodies that are incorporated companies, societies or associations are deemed to be organisations for the purposes of the Privacy Act and will be subject to the legislation. There is a provision in the legislation for these bodies to be prescribed out of the coverage of the Privacy Act but only on request from the State or Territory and only after the Minister has considered a number of issues outlined in the legislation.
Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act)
Small businesses that are reporting entities as defined by the AML/CTF Act will be treated as organisations for the purposes of compliance with the Privacy Act and the National Privacy Principles (NPPs), in respect of the activities they carry out to comply with their AML/CTF obligations.
It may be beneficial for reporting entities to consider whether to apply the NPP obligations to all their business activities.
The Office's Privacy and AML/CTF webpage has further information designed to help small businesses with their Privacy Act obligations.
Residential Tenancy Databases
Small businesses that operate a residential tenancy database have been brought into the Privacy Act by the Privacy (Private Sector) Amendment Regulations 2007 (No.3) in relation to the operation of those databases. The regulation defines a residential tenancy database as a database:
- that stores personal information in relation to an individual's occupation of residential premises as a tenant; and
- that can be accessed by a person other than the operator of the database or a person acting for the operator.
Acts and practices not covered by the Privacy Act
Certain acts and practices of organisations are also exempt from the coverage of the Privacy Act (section 7B).
Acts and practices of employers in relation to employee records
In some circumstances, the handling of employee records in relation to current and former employment relationships by an employer is exempt from the National Privacy Principles (NPPs) (section 7B(3)).
Background to the exemption
At the time the private sector amendments passed through Parliament in December 2000, the Attorney-General stated that:
'While employee records deserve privacy protection, it is the Government's view that such protection is more properly a matter for Workplace Relations legislation.... The Government will review existing Commonwealth, State and Territory laws to consider the extent of privacy protection for employee records and whether there is a need for further regulation.'
In the meantime, the Commissioner encourages employers to consider the privacy of their employee records even if their acts and practices in relation to them are covered by this exemption.
Acts and practices directly related to the employment relationship
To be exempt, an act or practice relating to the employee record must be directly related to the employment relationship. This means that acts or practices of an employer that are outside the scope of the employment relationship are not exempt. For example, an employer could not sell a list of employees to another organisation for marketing purposes.
Current or former employment relationship
The act or practice must also be directly related to a current or former employment relationship. This does not cover future employment relationships. This means that personal information collected from prospective employees who are subsequently not employed by an organisation, such as unsuccessful job applicants, will not be covered by the employee records exemption.
However, once an employment relationship is formed with an individual, the records the employer holds relating to that individual's pre-employment checks become exempt.
An employee record means a record of personal information relating to the employment of the employee (section 6(1)). It includes health information about an employee and personal information relating to:
- the engagement, training, disciplining, resignation or termination of employment of an employee;
- the terms and conditions of employment of an employee;
- the employee's performance or conduct, hours of employment, salary or wages, personal and emergency contact details;
- the employee's membership of a professional or trade association or trade union membership;
- the employee's recreation, long service, sick, maternity, paternity or other leave; and
- the employee's taxation, banking or superannuation affairs.
Employers may not be able to assume that all the information they hold that relates to an individual employee would be an employee record. For example, emails that an employee has received from third parties outside the organisation may not necessarily be an employee record. Depending on the circumstances, the exemption may also not cover the content of many other employee emails.
Contractors of employers
This exemption does not cover contractors and subcontractors when they handle the personal information of the employees of another organisation, notwithstanding those contractual arrangements. In many circumstances, the employee records exemption may not apply to organisations that provide recruitment, human resource management services, medical, training or superannuation services under contract to an employer.
An organisation that collects employee records about a person from the organisation employing that person will have to comply with the notice requirements of NPP 1. This exemption does not cover workers' compensation insurers that are not the employer of an individual.
Acts and practices of media organisations
The Privacy Act exempts acts and practices engaged in by media organisations in the course of journalism (section 7B(4)). A media organisation is an organisation whose activities consist of the collection, preparation and dissemination of news, current affairs, information or documentaries. The media organisation can claim the exemption if it is publicly committed to observing published, written standards that deal with privacy in the context of the activities of a media organisation.
Acts and practices of political representatives
The Privacy Act exempts the political activities of political representatives, meaning Members of Parliament or councillors of a local government authority, from complying with the NPPs (section 7C). Exempt political activities are acts or practices carried out in connection with an election under an electoral law, a referendum under Commonwealth, State or Territory law, or the participation of a political representative in other aspects of the political process.
The activities of contractors for political parties and representatives may also be exempt under the Privacy Act. The acts or practices of a contractor will be exempt if they are carried out for the purposes of meeting an obligation under a contract between the contractor and a registered political party or political representative and are connected to an election, referendum or participating in the political process by the registered political party or political representative.
Activities related to a State or Territory contract
The Privacy Act exempts the acts and practices of contracted service providers for a State or Territory contract when those acts or practices are directly or indirectly related to meeting obligations under the contract (section 7B(5)).
More information about entities that may be an organisation
This section gives more information about entities that section 6C of the Privacy Act says may be an 'organisation'. Note that these entities may not be an 'organisation' if the entity is a small business operator or a registered political party. Also, some of the acts or practices of the organisation could be exempt as outlined above.
Individuals
The Privacy Act does not cover the collection, use and disclosure of personal information by an individual unless it is done in the course of running a business. The Privacy Act does not apply to personal information that individuals collect, hold, use or disclose for the purposes of their personal, family or household affairs. The activities of individuals operating a business in their own names may be subject to the Privacy Act unless the business is a small business operator or one of the other exemptions applies.
Bodies corporate
A body corporate is any entity that has a legal personality under Australian law or the law of another country. For example, in Australia this would include entities registered as a company under the Corporations Law and incorporated associations, and can include not-for-profit entities.
Partnerships
Any act done or practice engaged in by one of the partners in a partnership is deemed to be an act or practice of the organisation. Obligations under the Privacy Act are imposed on each partner but may be discharged by any of the partners.
Unincorporated associations
An unincorporated association would include a cooperative. The Privacy Act also covers acts or practices engaged in by an individual when undertaken in the capacity of a member of the committee of management. Obligations under the Privacy Act are imposed on each member of the committee of management but may be discharged by any of the members of that committee.
Trusts
For the purposes of the Privacy Act, an act done or practice engaged in by a trustee is taken to have been done or engaged in by the trust. The Privacy Act imposes obligations on each trustee but they may be discharged by any of the trustees.
About Information Sheets
Information sheets are advisory only and are not legally binding. The NPPs in Schedule 3 of the Privacy Act do legally bind organisations.
Information sheets are based on the Office of the Privacy Commissioner's understanding of how the Privacy Act works. They provide explanations of some of the terms used in the NPPs and good practice or compliance tips. They are intended to help organisations apply the NPPs in ordinary circumstances. Organisations may need to seek separate legal advice on the application of the Privacy Act to their particular situation.
Nothing in an information sheet limits the Privacy Commissioner's freedom to investigate complaints under the Privacy Act or to apply the NPPs in the way that seems most appropriate to the facts of the case being dealt with.
Organisations may also wish to consult the Commissioner's guidelines and other information sheets.
Office of the Privacy Commissioner
ISBN 1-877079-33-2
Privacy Enquiries Line 1300 363 992
(Local call cost but calls from mobiles and pay phones may incur higher charges)