On this page
Who has rights under the Privacy Act?
The Privacy Act 1988 (Privacy Act) regulates the way individuals’ personal information is handled.
As an individual, the Privacy Act gives you greater control over the way that your personal information is handled. The Privacy Act allows you to:
- know why your personal information is being collected, how it will be used and who it will be disclosed to
- have the option of not identifying yourself, or of using a pseudonym in certain circumstances
- ask for access to your personal information (including your health information)
- stop receiving unwanted direct marketing
- ask for your personal information that is incorrect to be corrected
- make a complaint about an entity covered by the Privacy Act, if you consider that they have mishandled your personal information.
Who has responsibilities under the Privacy Act?
Australian Government agencies (and the Norfolk Island administration)and all businesses and not-for-profit organisations with an annual turnover more than $3 million have responsibilities under the Privacy Act, subject to some exceptions.
Some small business operators (organisations with a turnover of $3 million or less) are covered by the Privacy Act including:
- private sector health service providers. Organisations providing a health service include:
- traditional health service providers, such as private hospitals, day surgeries, medical practitioners, pharmacists and allied health professional
- complementary therapists, such as naturopaths and chiropractor
- gyms and weight loss clinic
- child care centres, private schools and private tertiary educational institutions.
- businesses that sell or purchase personal information
- credit reporting bodies
- contracted service providers for a Commonwealth contract
- employee associations registered or recognised under the Fair Work (Registered Organisations) Act 2009
- businesses that have opted-in to the Privacy Act
- businesses that are related to a business that is covered by the Privacy Act
- businesses prescribed by the Privacy Regulation 2013.
In addition, particular acts and practices of some other small business operators are covered by the Privacy Act including:
- activities of reporting entities or authorised agents relating to the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 and its Regulations and Rules
- acts and practices to do with the operation of a residential tenancy database
- activities related to the conduct of a protection action ballot.
The Privacy Act also covers specified persons handling your:
- consumer credit reporting information, including credit reporting bodies, credit providers (which includes energy and water utilities and telecommunication providers) and certain other third parties
- tax file numbers under the Tax File Number Guidelines
- personal information contained on the Personal Property Securities Register
- old conviction information under the Commonwealth Spent Convictions Scheme
- ehealth record information under the Personally Controlled Electronic Health Records Act 2012 and Individual Healthcare Identifiers under the Healthcare Identifiers Act 2010
Who doesn't have responsibilities under the Privacy Act?
The Privacy Act does not cover:
- State or territory government agencies, including state and territory public hospitals and health care facilities (which are covered under state and territory legislation) except:
- individuals acting in their own capacity, including your neighbours
- universities, other than private universities and the Australian National University
- public schools
- in some circumstances, the handling of employee records by an organisation in relation to current and former employment relationships
- small business operators, unless an exception applies (see above)
- media organisations acting in the course of journalism if the organisation is publicly committed to observing published privacy standards
- registered political parties and political representatives.
Privacy laws applying to ACT public sector agencies
From 1 September 2014, the Information Privacy Act 2014 (ACT) applies to ACT public sector agencies.
The Information Privacy Act includes a set of Territory Privacy Principles (TPPs) that cover the collection, use, disclosure, storage, access to, and correction of, personal information. The TPPs are similar to the Australian Privacy Principles.
The Australian Privacy Commissioner is exercising some of the ACT Information Privacy Commissioner’s functions. These responsibilities include investigating privacy complaints about ACT public sector agencies, and receiving data breach notifications from Act public sector agencies. For more information, see Australian Capital Territory Privacy.