The Office of the Australian Information Commissioner has powers under the Privacy Act 1988 and other legislation to make or approve legally binding rules and guidelines. These are legislative instruments and are generally required under the Legislative Instruments Act 2003 to be registered and published on the Federal Register of Legislative Instruments and tabled in the Parliament.

To assist agencies and organisations, the OAIC also issues non-binding guidelines.

Credit-related research

The Privacy (Credit Related Research) Rule 2014 is a legislative instrument made under section 20M of the Privacy Act 1988.

The use or disclosure of de-identified information by credit reporting bodies when conducting credit related research is permitted when that research complies with this Rule and section 20M.

The Rule applies from 6 May 2014.

View the Privacy (Credit Related Research) Rule 2014 and its explanatory statement on the Federal Register of Legislation.

Data matching

The Guidelines for the Conduct of the Data-Matching Program provide for monitoring of technical standards for data-matching programs by the Privacy Commissioner and establish safeguards for individuals affected by the outcomes of data-matching.

View the Guidelines for the Conduct of the Data-Matching Program on the Federal Register of Legislation.

Genetic information

Use and disclosure of genetic information to a patient's genetic relatives under s 95AA of the Privacy Act: Guidelines for health practitioners in the private sector (2014) has been issued by the National Health and Medical Research Council with the approval of the Privacy Commissioner.

The guidelines are available on the Federal Register of Legislation. The section 95AA guidelines are also available on the National Health and Medical Research Council website Guidelines Approved under Section 95AA of the Privacy Act 1988 (Cth).

Human research ethics committees

The Guidelines approved under Section 95A of the Privacy Act 1988 (2014) (Section 95A guidelines) provide a framework for human research ethics committees to assess proposals to handle health information (without the consent of the subject).

This handling is for the purposes of research, the compilation or analysis of statistics, or health service management. The Section 95A guidelines also require that ethics committees weigh the public interest in those activities against the public interest in the protection of privacy.

The Section 95A guidelines are issued by the National Health and Medical Research Council and approved by the Privacy Commissioner under s 95A of the Privacy Act.

The Guidelines are available on the Federal Register of Legislation. The section 95A guidelines are also available on the National Health and Medical Research Council website Guidelines Approved under Section 95A of the Privacy Act 1988.

Medical research

The Guidelines under Section 95 of the Privacy Act 1988, 2014 have been issued by the National Health and Medical Research Council with the approval of the Privacy Commissioner. They outline requirements for the protection of privacy in the conduct of medical research.

Note that these guidelines were updated in November 2014 to address minor formatting and content errors in the previous version dated 12 March 2014.

The Guidelines are available on the Federal Register of Legislation. The section 95 guidelines are also available on the National Health and Medical Research Council website Guidelines Approved under Section 95 of the Privacy Act 1988.

Medicare Benefits and Pharmaceutical Benefits Programs

The National Health (Privacy) Rules 2021 regulate the way that Australian Government agencies link and store claims information obtained under the Medicare Benefits Program and the Pharmaceutical Benefits Program.

Among other things, section 135AA(5) of the National Health Act 1953 requires that these rules prohibit agencies from storing claims information obtained under the Medicare Benefits Program and the Pharmaceutical Benefits Program on the same database.

The National Health (Privacy) Rules are available on the Federal Register of Legislation.

Missing persons

The Privacy (Persons Reported as Missing) Rule 2014 is a legislative instrument made under s 16A(2) of the Privacy Act 1988 and applies for the purposes of permitted general situation 3 in the s 16A(1) table. The Rule applies from 12 March 2014.

The OAIC has also produced a Guide to the Privacy (Persons Reported as Missing) Rule 2014.

My Health Records

The My Health Records Act 2012 (My Health Records Act) establishes the My Health Record system. The My Health Record system contains online summaries of individual’s health information which can be viewed by their registered treating healthcare providers, including doctors, nurses and pharmacists across Australia.

The Australian Information Commissioner (the Information Commissioner) has various enforcement and investigative powers in respect of the My Health Record system, under both the My Health Records Act and the Privacy Act 1988.

Section 111 of the My Health Records Act provides for the Information Commissioner to make enforcement guidelines outlining how he or she will approach enforcement issues under the My Health Records Act and the Privacy Act. The Information Commissioner must then have regard to these guidelines in exercising his or her investigative and enforcement powers in relation to the My Health Record system. The purpose of these guidelines is to promote transparency in the Information Commissioner’s processes, given the Information Commissioner’s important role in relation to the My Health Record system.

The My Health Records (Information Commissioner Enforcement Powers) Guidelines 2016 and an explanatory statement can be found on the Federal Register of Legislation.

Tax file numbers

The Privacy (Tax File Number) Rule 2015 is a legislative instrument made under section 17 of the Privacy Act 1988.

This rule regulates the collection, storage, use, disclosure, security and disposal of individuals’ Tax File Number information. A breach of the TFN Rule is an interference with privacy under the Privacy Act. Individuals who consider that their TFN information has been mishandled may make a complaint to the Privacy Commissioner.

View the Privacy (Tax File Number) Rule 2015 and its explanatory statement on Federal Register of Legislation.