The Privacy Act 1988 sets out people’s rights in relation to the collection, use and sharing of their personal information. Most Australian and Norfolk Island Government agencies and some private sector agencies are bound to privacy protections under the Australian Privacy Principles contained in schedule 1 of the Privacy Act.
The Australian Privacy Principles cover:
- how personal information is collected;
- storage and security of personal information;
- accuracy and completeness of personal information;
- use of personal information and its disclosure to third parties or overseas; and
- the general right of individuals to access and correct their own records.
State and territory government agencies, except Western Australia (WA) and South Australia (SA), are bound by their state privacy legislation. Confidentiality provisions and privacy principles provided in the WA Freedom of Information Act 1992 apply to WA government agencies. SA has issued an administrative instruction requiring government agencies to comply with IPPs and has also established a privacy committee. SA also has a Code of Fair Information Practice based on the NPPs which applies to the SA Department of Health.
Privacy Impact Assessments
Data custodians and/or integrating authorities should consider whether a Privacy Impact Assessment is needed before a project proceeds. Generally the decision of whether or not to conduct a Privacy Impact Assessment should be guided by the advice of the Office of the Australian Information Commissioner.
More information about Privacy Impact Assessments can be found on the Privacy Impact Assessment page.
Guidelines for handling personal information security breaches
In the event of a breach of data confidentiality involving data relating to individuals or organisations, it is recommended that the Office of the Australian Information Commissioner’s Data breach notification: a guide to handling personal information security breaches is followed. This voluntary guide outlines several key steps in responding to a breach or suspected breach of personal information security as well as, in some circumstances, the preparation and implementation of data breach policies and response plans. In general, if there is a real risk of serious harm as a result of a data breach, the affected individuals, organisations and the Office of the Australian Information Commissioner (OAIC) should be notified.
More information and advice on handling information security breaches can be found in the Data breaches section.
For more information on legal and policy considerations see:
- Authorisation to release identifiable data
- Protections prohibiting disclosure of identifiable data
- Privacy Act 1988