WorldLII [Home] [Databases] [WorldLII] [Search] [Feedback]

EPIC --- Privacy and Human Rights Report

You are here:  WorldLII >> Databases >> EPIC --- Privacy and Human Rights Report >> 2006 >>

[Database Search] [Name Search] [Recent Documents] [Noteup] [Help]

EPIC --- Privacy and Human Rights Report 2006

Title Page Previous Next Contents | Country Reports >Australia


Constitutional Privacy Framework

While privacy issues are now featured prominently in the daily news in Australia, the legal safeguards for personal information remain limited. Neither the Australian Federal Constitution nor the Constitutions of the six States and two Territories contain any express provisions relating to privacy.

However, in 2004 the Australian Capital Territory (ACT) became the first jurisdiction to incorporate a bill of rights. Section 12 of the Human Rights Act 2004 (ACT) creates a right of "privacy and reputation."[1081] The Human Rights Act incorporates international human rights standards into local ACT law by requiring all ACT laws to be interpreted consistently with human rights "as far as possible." The ACT Human Rights and Discrimination Commissioner has functions including reviewing the effect of ACT laws on human rights, reporting to the Attorney General. The Commissioner’s reports must later be tabled in the Legislative Assembly. However, the Commissioner does not have power to handle complaints.

The State of Victoria adopted a similar approach in 2006, with the public sector bound beginning January 2008 to observe a variety of civil and political rights, including the right to privacy, when they create laws, set policies and provide services. All new laws will require a Statement of Compatibility to tell Parliament whether they meet human rights standards. In exceptional circumstances Parliament may strike down a law that does not uphold human rights.[1082]

The Australian Constitution limits the legislative power of the Australian (federal) government, with areas not expressly authorized being reserved for the States.[1083] The constitutionality of federal laws imposing privacy rules on the private sector has been questioned, but not so far challenged. Most commentators believe that the federal government could base any private sector privacy law on a "cocktail" of constitutional powers including those giving authority over telecommunications, corporations and foreign affairs (e.g., treaties).

Data Protection Framework

Privacy Law in Australia comprises several federal statutes covering particular sectors and activities, some State or Territory laws with limited effect, and the residual common law protections.

In Australia there has until recently been no recognition of a general tort of protection of privacy. Very occasionally the common law been used in support of privacy rights through actions for breach of confidence, defamation, trespass or nuisance. The New South Wales Law Reform Commission was asked in 2006 to examine the desirability of developing a statutory tort of privacy.[1084] It is expected to report in 2008.

An affirmation of this common law right was issued in a 2007 Victorian County Court case, in which the ABC media organization was ordered to pay a rape victim AUD 234,190 (149,000 EUR) in damages after she was named on air.[1085] The damages were awarded for breach of privacy and breach of confidence caused by the unjustified publication, and related to post-traumatic stress, loss of earnings and medical expenses, as well as for hurt and distress, embarrassment, humiliation and shame. The ABC has announced it will appeal the ruling on the basis that no such tort of privacy exists in Australian law.[1086]

The principal federal statute is the Privacy Act of 1988,[1087] which has four main areas of application and which gives partial effect to Australia's commitment to the Organization for Economic Cooperation and Development (OECD) Guidelines and to the International Covenant on Civil and Political Rights (ICCPR), Article 17. It creates a set of 11 Information Privacy Principles (IPPs), based on those in the OECD Guidelines that apply to the activities of most federal government agencies. A separate set of rules about the handling of consumer credit information, added to the law in 1989, applies to all private and public sector organizations. The third area of coverage is the use of the government issued Tax File Number (TFN), where the entire community is subject to Guidelines issued by the Privacy Commissioner, which take effect as subordinate legislation. The fourth area of coverage, which only commenced in December 2001, is widespread private sector organizations regulated by the National Privacy Principles (NPPs). However, private companies can apply to the Privacy Commissioner for approval of a self-developed Code of Practice containing principles that are an "overall equivalent" to the NPPs. In addition, the Act provides for several broad exemptions for employee records; media organizations; political parties; and small businesses.

According to the Federal Government the small business exemption will exempt about 94 percent of all Australian businesses but only 30 percent of total business sales, an exception that includes many Internet companies.[1088] The breadth of the exemption for political parties was demonstrated in March 2005 when the Privacy Commissioner had to decline a request to investigate complaints regarding telemarketing activities during the campaign period for the October 2004 federal election, including the use of spam,[1089] and allegations that the Liberal Party had accessed silent telephone numbers to make political canvassing calls.[1090] The exemption also excludes from view the increasing use of databases by political parties to track voter preferences and create customized marketing material for voters.[1091]

There are also weaknesses in the enforcement regime including, for example, allowing privacy complaints to be handled initially by an industry-appointed code authority, although a right of appeal to the Privacy Commissioner was inserted by Opposition parties. The Act does, however, include an innovative principle of anonymity. However, the mere existence of the anonymity principle has not prevented the development of electronic road tolling systems that identify every vehicle, and the impact of this principle on the development of electronic health records, for example, remains to be seen.

The Privacy Act of 1988 has been widely criticized as failing to meet international standards of privacy protection. The 2004 amendments to the Privacy Act included extending correction rights to non-Australians, extending the scope of the transborder data flow control (Principle 9) to data about non-Australians, and ensuring that the Privacy Commissioner could approve Codes of Practice that voluntarily covered otherwise exempt acts and practices.[1092] The third and latest attempt at a comprehensive review of the Privacy Act by the Australian Law Reform Commission (ALRC) is not due to report its findings until 2008.[1093]

There are two other federal privacy-related laws for which the federal Privacy Commissioner is also the supervisory and complaint handling agency. The first one is Part VIIC of the Crimes Act,[1094] enacted in 1989, which provides some protection to individuals who have had criminal convictions in relation to so-called "spent" convictions (i.e., convictions for relatively minor offenses which they are allowed to "deny" or have discounted after a set period of time). The second one is the Data-Matching Program (Assistance and Tax) Act 1990[1095] that provides detailed procedural controls over the operation of a major program of information matching between federal tax and benefit agencies.

Data Protection Authority

The Office of the Federal Privacy Commissioner enforces the Privacy Act.[1096] The Office has wide range of functions, including handling complaints, auditing compliance, promoting community awareness, and advising the government and others on privacy matters. The Commissioner has so far approved three Codes of Practice under the private sector regime: for the General Insurance Industry, which has its own adjudicator for complaints, the Licensed Clubs in the state of Queensland, which defaults to the Privacy Commissioner for complaints, and the "Market and Social Research and Privacy Code" for the Association of Market Research Organisations.[1097] The Code provides some standards that are higher than the NPPs, including giving the data subject the right to choose whether to destroy or de-identify their information after use.[1098]

As of 2006, the Office had 40 full-time staff and seven part-time staff divided into four sections: Compliance, Policy, Corporate and Public Affairs, and the Executive.[1099] The number of complaints received in the period from July 2005 to June 2006 totaled 1,183, slightly less than the previous year. 62% of the complaints concerned application of the NPPs to the private sector; 14% concerned credit reporting; and 13% concerned the information privacy principles.[1100] The largest categories of complaints concerned the financial industry (202); followed by the Australian Government (159); the debt/credit industry (131); health service providers (123); telecommunications and Internet service providers (83); landlords and real estate agents (59); insurance organizations (41); and retail (31).[1101] In 2005-06 the Commissioner’s office also received 19,150 telephone enquiries. [1102]

Section 52 of the Privacy Act provides that the Commissioner may make formal determinations in relation to complaints investigated. The determination by the Commissioner may dismiss the complaint, or may find the complaint substantiated and declare that the respondent should cease to breach the Act, take any reasonable steps to redress damage suffered by the complainant, or pay compensation to the complainant. Importantly, Section 52 determinations are not legally binding on the respondent. The Commissioner, the complainant, or the adjudicator for an approved privacy code can commence proceedings in the Federal Court or Federal Magistrates Court for an order to enforce a determination.

In a rash of self-reporting of privacy breaches in mid-2006, Federal Government agencies Centrelink (the social security benefits agency), the Child Support Agency and the Australian Taxation Office each admitted they had found multiple cases of staff inappropriately accessing, amending, using and disclosing customer records. Centrelink found 600 staff over a two-year period had committed 790 breaches; of these, 19 were sacked and almost 100 resigned. The Child Support Agency discovered 405 breaches, including 69 cases where sensitive information including addresses was given to former spouses. At the Taxation Office, 16 of 27 offending staff were sacked or resigned.[1103]

The Victorian State Police have also been subject to a series of embarrassing privacy breaches. In 2005 the Office of Police Integrity called for the Police’s LEAP database to be scrapped because of a series of security breaches. The Office of Police Integrity itself later mistakenly posted LEAP files on more than 400 people to a single complainant, and an IBM technician authorised to audit the LEAP system accidentally emailed files on up to 1,000 people to a whistleblower. Another case saw details of a person's criminal record wrongly attributed to another person after a routine records check for an employer.[1104]


A complex mix of privacy standards applies to the telecommunications sector. The Telecommunications Act 1997[1105] contains a detailed list of exceptions from a basic presumption of confidentiality of customer records.[1106] These exceptions are similar to those in the Use and Disclosure Principles of the federal Privacy Act. An Industry Forum prepares detailed codes and guidelines, some of which are binding.[1107] A Code of Practice on the Protection of Customer Personal Information that was binding on all telecommunications carriers and service providers was de-registered once the private sector amendments to the federal Privacy Act took effect. The enforcement position remains confusing, with the Australian Communications and Media Authority (ACMA); the Telecommunications Industry Ombudsman and the Privacy Commissioner all having overlapping jurisdictions. There is also a binding Code of Practice on Calling Number Display (CND),[1108] which requires carriers to offer free per call and per line blocking (but only on an opt-out basis) and attempts to impose guidelines on telephone users' use of CND information. Other Codes deal incidentally with privacy issues such as directories, numbering and emergency calls.

Complaints were made in 2003 to both the ACA (as the ACMA was then known) and the Privacy Commissioner about the use by ISPs of "blocked" CND information (including on silent lines).[1109] The ACA investigation found unlawful conduct, but declined to take action. Findings by the Privacy Commissioner, and by the Ombudsman in relation to the ACA’s failure to act, are awaited. The ACMA has also investigated the use of telephone directory data and in May 2005 issued a draft Standard, with a further revised draft issued in April 2006.[1110]

The Telecommunications (Interception) Act of 1979[1111] regulates the interception of telecommunications. A warrant is required under the Act and it also provides for detailed monitoring and reporting. However, the Interception Act safeguards need to be read alongside Part 15 of the Telecommunications Act 1997 that places obligations on telecommunications providers to provide an interception capability and positively assist law enforcement agencies in relation to interception. There have been several changes to the interception regime in recent years, including broadening the range of offenses for which warrants can be obtained; allowing more law enforcement agencies to apply for warrants and more of them to execute warrants themselves; and transferring the warrant issuing authority from federal court judges to designated members of the Administrative Appeals Tribunal (who are on term appointments rather than tenured and are arguably less independent). Significant loopholes exist within the legislation, and uncertainty in relation to allowable "participant monitoring."[1112]

Telecommunications interception activity continues at a high level. In 2005-06, the number of warrants issued for telecommunications intercepts was 2,934, of which only 5 were withdrawn or refused.[1113] Statistics are not yet available on the numbers of warrants issued to access emails and text messages, under new stored communications warrant powers passed by Parliament in March 2006.[1114] The new powers extend to all the communications of ‘innocent’ people, known as B-parties, who have communicated with someone suspected of a crime. The Government does not need to tell B-parties that their communications have been monitored.[1115]

Additional federal legislation has further weakened surveillance protections. The Surveillance Devices Act 2004 increased the number of offenses for which surveillance may be initiated by law enforcement and anti-corruption agencies (both Federal Government and State/Territory agencies), and broadened the justifications beyond criminal matters to also include child recovery.[1116] The types of surveillance available are data surveillance, listening devices, optical surveillance and tracking devices. Warrants may be issued by a judge, a member of the Administrative Appeals Panel, or even, in exceptional circumstances, by a senior public servant.

The first annual report on the operations of the Surveillance Devices Act, produced by the Attorney-General’s Department, noted that in the six and a half months of operation to July 2005, 235 warrants were issued to the Australian Federal Police, and a further 22 to the Australian Crime Commission. No applications for warrants were refused.[1117] A further 33 tracking device authorisations were made within those two agencies, without seeking a warrant; again, no requests were refused. The warrants and authorisations led to 73 arrests and 71 prosecutions, but only 5 convictions during the reporting year.

The Crimes Act[1118] also contains a range of other privacy related measures, such as offenses relating to unauthorized access to computers, unauthorized interception of mail and telecommunications and the unauthorized disclosure of Commonwealth government information.[1119]

In September 2003, an online censorship bill was passed, allowing the Australian Broadcasting Authority and the Office of Film and Classic Literature to withhold information regarding what online information is being restricted.[1120] The amendments to the Freedom of Information (FOI) Act prevent public scrutiny (and potential criticism) of the operation of the Federal Internet censorship regime that became operative on January 1, 2000. The Act restricts the details regarding the net blocking system that restricts access to material that is "objectionable" or "unsuitable for minors."[1121] Under Australia's FOI law, the agencies may withhold information regarding their practices and the details of their agency operations. Earlier in 2003, Electronic Frontier Australia (EFA) and other civil liberties groups had opposed the Internet content regime put in place under the Broadcasting Services Act, and had tracked the operation of the laws through FOI applications.[1122]

Unsolicited Commercial E-mails ("Spam")

Spam legislation (Spam Act 2003) became effective April 2004, outlawing unsolicited marketing messages on electronic mediums including email, SMS (short message service), MMS (multimedia messaging service), and instant messaging; requiring opt-out facilities and an accurate sender address.[1123] Penalties range up to AUD 1.1 million (~USD 832,000) for businesses that repeatedly violate the law. Emailers must have prior consent of the recipient, although consent can be inferred from prior conduct and relationships.[1124] The Australian Communications and Media Authority will enforce the law, which has begun establishing enforcement capabilities, although early goals target compliance rather than prosecution.[1125] Civil liberties organizations have criticized the Spam Act because the search and seizure provisions allow some government employees and police to seize an individual's computer without a search warrant.[1126]

The first infringement notice issued under the Spam Act resulted in a car sales company paying a AUD 6,600 (~USD 5,000) fine for unwanted SMS text messages that were sent to the mobile telephones of people who had listed their numbers in classified advertisements to sell their cars.[1127] In the first two years of operation of the Spam Act, ACMA issued formal warning letters to 10 companies, entered into enforceable undertakings with five companies, issued 13 infringement notices, and launched its first major prosecution.[1128] ACMA claims that since the introduction of the Spam Act, spam received in Australia has fallen by 50%.[1129]

In October 2006 ACMA won a landmark prosecution against Clarity1 Pty Ltd, which was alleged to have sent out at least 231 million commercial emails in the first twelve months after the Spam Act commenced, with most of these messages unsolicited and in breach of the Act. The company was ordered to pay AUD $4.5 million, and the company’s director was ordered to pay a further AUD $1 million.[1130]

In May 2007 a Do Not Call register was launched, with 50,000 registrants in the first few hours alone. Unlike similar schemes in the UK and USA, telemarketing firms in Australia will, from June 2007, need to provide their databases to the register, and the register operators will ‘wash’ the databases for them – for a fee.[1131] Companies contacting people who have listed themselves on the register face fines of up to AUD $1.1 million. However, exempt groups, which include charities, political parties, social researchers and educational institutions, are said to account for 80% of the 800 million telemarketing calls made each year.[1132]

Health privacy

The National E-Health Transition Authority (NeHTA) was created in July 2005 to develop national health information management and information and communication technology standards and specifications. NeHTA is jointly funded by the States, Territories and Australian Governments, and its governance ensures equal participation by all jurisdictions.[1133]

NeHTA is working on a number of initiatives, many of which are the necessary first steps towards a national electronic health records system – things like ensuring different IT systems are interoperable, that there is a system for identifying patients and clinicians accurately and uniquely, and that everyone uses the same ‘language’ when describing medical conditions and medicines. One of NeHTA’s projects is to develop a national model of E-Health Consent for the States and Territories to follow when implementing their systems. That model has not yet been finalised. A key question will be whether the model will follow an “opt in” or an “opt out” model of consent.

Meanwhile the New South Wales State Government has been working on its own electronic health records project, Healthelink.[1134] Despite the NSW health privacy law requiring express consent before a patient is placed on a system to link electronic health records across organizations, it was revealed in June 2005 that pilots planned for late 2005 were being developed instead on the basis of a compulsory record, with only an "opt out" choice as to the sharing of the record with other health service providers.[1135] The Government exempted itself from the “express consent” requirement by way of regulation, and began the pilots in 2006. Participation by General Practitioners has been low because of their privacy concerns about the system’s design.[1136]

An emerging health privacy issue is the use of software in General Practitioners’ offices, which automatically extract patient data, for sale to pharmaceuticals companies. The Federal Privacy Commissioner dismissed a complaint because the patient data was being de-identified.[1137] However, the political reaction to the Commissioner’s decision was strong enough that she made a clarifying media statement.[1138] The federal Minister for Health, the Opposition’s Shadow Minister, and minor parties, all criticized the practice based on the risk of de-identification.[1139]

A major report on genetic privacy was issued in March 2003 by the Australian Law Reform Commission and the Australian Health Ethics Committee of the National Health and Medical Research Council. "Essentially Yours" makes 144 recommendations about the ethical, legal and social implications of genetic privacy.[1140] The report recommends that privacy laws be harmonized and tailored to address the particular challenges of human genetic information, including extending protection to genetic samples, and acknowledging the familial dimension of genetic information. Employers should not be permitted to collect or use genetic information – except in those rare circumstances where this is necessary to protect the health and safety of workers or third parties, and the action complies with stringent standards set by a new Human Genetics Commission of Australia (HGCA). The insurance industry should be required to adopt a range of improved consumer protection policies and practices with respect to its use of genetic information (including family history) for underwriting purposes. A new criminal offense should be created to prohibit someone submitting another person's sample for genetic testing knowing that this is done without consent or other lawful authority. DNA parentage testing should be conducted only with the consent of each person sampled (or both parents in the case of young children), or pursuant to a court order.

The Australian Government is preparing a response to the "Essentially Yours" report, although a number of recommendations have already been acted on.[1141]

Financial privacy

A new legislative framework for widespread financial surveillance and secret reporting has recently been put in place.  The proposed Anti-Money Laundering and Counter-Terrorism Financing Act 2006 imposes a number of obligations on businesses when they provide certain services, including customer due diligence (identification, verification of identity and ongoing monitoring of transactions), reporting (suspicious matters, threshold transactions and international funds transfer instructions), and record keeping. The Act is due to commence in December 2007.

The first series of reforms covers the financial sector (including banks, credit unions and building societies), as well as gaming services (casinos, clubs and wagering service providers) and bullion dealers. The second series of reforms will cover real estate agents, dealers in precious metals and dealers in precious stones and a range of non-financial transaction provided by accountants, lawyers and trust and company service providers.[1142]

Law Enforcement & Security

In 2001 the Prime Minister announced the establishment of a national digital database of DNA and fingerprint samples in order to facilitate law enforcement.[1143] CrimTrac, a Commonwealth agency, coordinates the national DNA database system. The system when fully operational will enable the comparison of DNA profiles across all Australia's jurisdictions for law enforcement purposes. Commonwealth, State and Territory legislation underpin the system. A Report of a Review of Part 1D of the Crimes Act 1914 (the relevant federal law) was tabled in Parliament on 15 May 2003. The Review found that the national system is not yet operational and only one jurisdiction (New South Wales) has loaded profiles onto the relevant CrimTrac database known as the National Criminal Investigation DNA Database (NCIDD).

While there has been relatively little experience of the operation of Part 1D, the Review has recommended improved accountability arrangements both within and across Australia's jurisdictions. The Review sees effective accountability mechanisms as crucial to maintaining public confidence in the use of DNA analysis for law enforcement purposes. The Review recommends that the external scrutiny mechanisms be based upon existing cooperation between Australian Ombudsmen with involvement of Privacy Commissioners and other monitoring bodies. Under legislation proposed by the Victoria Law Reform Committee, suspected thieves would be required – if compelled by police via a court order – to submit DNA samples.[1144] Currently only suspects of more serious crimes, such as rape and murder, can be required to submit DNA.[1145]

Legislative amendments in 2002 and 2003 have given the Australian Security Intelligence Organization (ASIO) significant and highly controversial new powers, including the ability to detain and question individuals suspected of having information relevant to terrorism. Despite extracting many concessions and additional safeguards from the government, the Opposition allowed the final changes through in June 2003 without ruling out the possibility of indefinite detention without charges under repeated warrants. The amendments allow ASIO to detain and question a journalist who may have information regarding suspected terrorists gained through her interviews and contacts; refusing to cooperate could result in a five-year imprisonment.[1146] While the amendments included a sunset clause, which lapsed in July 2006, the laws have been renewed. The budget for ASIO has doubled since September 11, 2001, after receiving an AUS 131 million boost in 2004.[1147]

Identity Management and Biometrics

In November 2003, Australia introduced the "M-Series" tamper resistant passports.[1148] In order to meet the requirements of the United States Visa Waiver Program, the Australian government fast-tracked legislation amending the Australian Passports Act in order to provide facial biometric features in passports.[1149] A Passports Legislation Consultation Group was established, including members from privacy and human rights groups as well as travel, financial and biometrics industries.[1150]

The federal Department of Foreign Affairs and Trade began issuing biometric e-passports, incorporating an unencrypted RFID chip in October 2005, to meet the demands of the US.[1151] Privacy advocates warned of the dangers of "skimming" and "eavesdropping."[1152] The Department finally acknowledged these concerns and changes were made to the e-passport’s design.[1153]

The Australian Government, in conjunction with the States and Territories, developed a National Identity Security Strategy in 2005. The projects under way under the auspices of this strategy include the development of a common range of proof of identity documents which government agencies will be able to use to identify clients who register with them for services, the identification of appropriate security standards on those key proof of identity documents, the identification of key data matching elements to improve the integrity of identity information held on existing government databases; and authentication of individuals accessing services.

A further project being developed under the National Identity Security Strategy is the Document Verification Service (DVS). The DVS has been described as an online service to check the validity of proof of identity documents against the issuing agency. The DVS project is therefore about flushing out fake foundation documents, such as a fake driver's license or birth certificate, which is then used to apply for a passport or for social security benefits.[1154]

The Australian Government announced in the 2006–07 Budget that the DVS will be rolled out with funding of $28.3 million, building on a prototype service trialed during 2006. The DVS is intended to be a secure, electronic, online system accessible by all key Australian Government, State and Territory agencies, and potentially by the private sector. Agencies authorized to use the DVS will be able to check in real time whether a document presented to them as a proof-of-identity by an individual applying for high value benefits and services was issued by the relevant agency, and that the details on the document are true and accurate. [1155]

Very little information about the DVS is available publicly, and no independent Privacy Impact Assessment has been done. Any internal privacy impact assessment, or evaluation of the pilot (if either has even been done), has not been published.[1156] Amendments to electoral laws commencing in April 2007 will require new forms of ‘proof of identity’ for people wishing to enroll to vote, re-enroll, or change their address or other details.[1157]

In April 2005, the NSW Government introduced a new law, to allow the motor vehicle and driver-licensing agency, the Roads and Traffic Authority, to start issuing photographic identity cards to non-drivers. The Photo Card Act 2005 allows the Authority to hold personal information about non-drivers on the same database as for all drivers in the State, and to issue cards using the same unique numbering system.[1158] The Australian Privacy Foundation campaigned against the proposal, seeing it as introducing a State-based universal identity card by stealth.[1159]

The Access Card

The Australian Government announced in April 2006 that it would introduce a new ‘Access Card’ in 2008. The Access Card is intended to replace a number of existing cards, including the universal Medicare health benefits card, and various social security benefit cards issued by Centrelink and the Department of Veterans’ Affairs. The card would be compulsory from 2010 for anyone who wished to access any of his or her health or social security entitlements.[1160]

The Government proposes to use smart card technology to hold large amounts of data on a chip inside the card. In addition, some information would be clearly visible on the face and back of the card, including the cardholder’s name, photograph, signature and card number.

The Access Card would be supported by a new centralised, national population database, the Access Card Register. The database would hold details of children as well as adults, but only adults would be issued with a card (with some exceptions). The database would include biometric photographs, with the intended purpose being facial recognition for a variety of benefits administration, immigration and general law enforcement purposes. Registration for the card is intended to begin in 2008, and will require adults to attend a government office, prove their identity, and be photographed.

A wide variety of groups has criticized the proposal as a de facto national ID card.[1161] In March 2007 the authorizing legislation was withdrawn from the Senate by the Government, following unanimous criticism from a multi-party Senate Committee.[1162] The Government has announced its intention to re-introduce legislation in June 2007.

Open Government

The federal Freedom of Information Act of 1982[1163] provides for access to government records, requiring agencies to respond within 30 days to requests.[1164] The FOI Act is the mechanism through which the access right in the Privacy Act is implemented for public sector agencies. The Commonwealth Ombudsman promotes the FOI Act and handles complaints about procedural failures. Merits review (appeal) of adverse FOI decisions is provided by the Administrative Appeals Tribunal, with the possibility of further appeals on points of law to the Federal Court. Budget cuts have severely restricted the capacity of the Attorney General Department and Ombudsman to support the Act and there is now little central direction, guidance or monitoring. In 2002-2003, there were 41,481 requests, an 11 percent increase over the previous year; of those finalized, 71 percent were granted in full, 23 percent granted in part, and 6 percent refused.[1165] Nearly 92 percent of the requests were for personal information, mostly to the Department of Veterans' Affairs, the Department of Immigration and Multicultural and Indigenous Affairs (DIMIA), and Centrelink (a government agency delivering a range of Commonwealth services).[1166] In 2001, the Senate held an inquiry into whether to adopt changes recommended by a 1995 report critical of the FOI law, but no substantive changes have since been made to the law.[1167]

State and Territory Laws

The Australian States and Territories have varying privacy laws. New South Wales (NSW), the most populous State, passed the Privacy and Personal Information Protection Act 1998 (PPIP Act) which applies (since July 2000) to most state government agencies and all local councils, although there are numerous and generous exemptions, and agencies can apply for temporary directions, regulations or Codes of Practice that can weaken the principles.

The PPIP Act is based on a set of OECD-style Information Protection Principles and requires all government departments and agencies to develop a Privacy Management Plan demonstrating their compliance plans. It also allows for the development of Codes of Practice that weaken the Information Protection Principles, and several such Codes have already been made.[1168]

The NSW Attorney General’s Department in 2004 conducted a statutory five-year review of the PPIP Act, but its results have not been released.[1169] The NSW Privacy Commissioner commented on the legislation in a comprehensive submission in June 2004.[1170] The New South Wales Law Reform Commission has since been asked to review the Act, and is due to report in 2008.[1171]

In 2002, a new health-specific law, Health Records and Information Privacy Act 2002 (HRIP Act), took health information out of the scope of the PPIP Act. Instead, health information is regulated by 15 Health Privacy Principles, which apply to the private sector as well as State and local government agencies.[1172] The HRIP Act commenced on September 1, 2004.

NSW enacted a Workplace Video Surveillance Act[1173] in 1998 (partly in response to a Privacy Committee report). This was replaced in 2005 with the broader Workplace Surveillance Act 2005, which covers camera surveillance, email and internet monitoring and location tracking in the workplace. The Australian Privacy Foundation has criticized the Act as weak in its level of actual privacy protection, and difficult in terms of implementation for employers.[1174]

In an interim report issued publicly in early 2002,[1175] the NSW Law Reform Commission reviewed the laws governing surveillance more generally, including the operation of the existing Listening Devices Act 1984.[1176] The Law Reform Commission completed its review and reported to the Attorney General in May 2005, but after two years the Attorney General has still not yet approved the report for publication.[1177]

In July 2002, the Office of Information Technology (OIT), an agency of the state government of NSW, issued guidelines pursuant to the Privacy and Personal Information Protection Act of 1998. The guideline states that as a matter of good practice, each agency should have a designated privacy contact officer. It adds that the obligations of the chief information officer in each agency include ensuring there is a privacy management plan. The responsibilities of other staff, including librarians, web managers, human resources managers and records managers, are also described.[1178]

The State of Victoria has enacted the Information Privacy Act 2000, which applies privacy principles (an almost exact copy of the NPPs in the federal Act) to most state government agencies and local councils. There are relatively few exemptions and while there is provision for Codes of Practice, they cannot weaken the principles. The Act created an office of Privacy Commissioner,[1179] very active so far, with a monitoring, enforcement and education role, and to conciliate complaints.

The Victorian Civil and Administrative Tribunal can determine unresolved complaints. Victoria has also passed the Health Records Act 2001 to complement the information privacy legislation by requiring Victorian health service providers to handle health information responsibly. The Health Records Act also gives patients a right of access to their records held by private practitioners. The Victorian Law Reform Commission[1180] received a reference in April 2001 to review the coverage of privacy law in Victoria. It published its final report on workplace privacy in October 2005, and is now turning its attention to surveillance in public places.[1181]

The government of the Australian Capital Territory (ACT), which used to be a local authority under Commonwealth (federal) law, and was consequently covered by the federal Privacy Act, achieved self-government as a separate Territory in 1989. The Privacy Act was amended to continue coverage, intended as an interim measure, but this remains the position, with the Federal Privacy Commissioner in effect serving also as the ACT's Commissioner, responsible to its own government. However, in 1997 the ACT government passed its own Health Records (Access and Privacy) Act,[1182] which applies to personal health information held by anyone in the public or private sector. Its provisions are similar to those of the IPPs in the Privacy Act, and supersedes them for ACT government agencies in this area of data handling.

The self-governing Northern Territory has enacted a combined privacy and FOI law – the Information Act 2002,[1183] which took effect in July 2003. The Office of the Information Commissioner was established in 2004.[1184]

Queensland had a purely advisory Privacy Committee from 1984 to 1991[1185] and has a limited privacy statute[1186] covering the use of listening devices, credit reporting (operating alongside the 1989 amendments to the federal Privacy Act) and physical intrusions into private property. In April 1998, after a yearlong review, a Parliamentary Committee recommended comprehensive privacy legislation for the public sector.[1187] The government indicated that it intended to legislate but no timetable has been set, and in 2001 the government adopted privacy principles on a hopefully interim non-statutory basis.[1188]

In Tasmania, the Personal Information Protection Act 2004 came into effect in September 2005.[1189] The Act covers state government and local councils in Tasmania. It does not establish a position of Privacy Commissioner, but gives complaint-handling responsibilities to the Tasmanian Ombudsman. The Minister can make public interest determinations allowing organizations to be exempt from any or all provisions of the Act. The Act covers health information and applies to deceased persons for 25 years after death.

The other states, South Australia and Western Australia, also operate administrative schemes based on variations of the standard sets of privacy principles.[1190] In May 2003, the Western Australian government released a discussion paper[1191] proposing a public sector privacy law.

All of the States and Territories also have FOI laws that include rights for individuals to access and correct personal information about themselves.[1192]

[1081] Section 12 states: Everyone has the right - (a) not to have his or her privacy, family, home or correspondence interfered with unlawfully or arbitrarily; and (b) not to have his or her reputation unlawfully attacked. See <>.

[1082] The Victorian Charter of Human Rights and Responsibilities is administered by the Victorian Equal Opportunity & Human Rights Commission <>.

[1083] The Commonwealth of Australia Constitution Act <>.

[1084] See <>.

[1085] Jane Doe v ABC [2007] VCC 281.

[1086] See <,21985,21575695-662,00.html>.

[1087] Privacy Act 1988 (Cwth) <>.

[1088] See Patrick Gunning, Central Features of Australia's Private Sector Privacy Law, Privacy Law and Reporter, Vol. 7, No. 10 1 (2001). Back issues available at <>; Global Privacy Law Update, The Computer Lawyer Vol. 20 No. 6 (Privacy), June 2003, at 1.
[1089] Mike Seccombe, “PM pays his son to dish up spam,” Sydney Morning Herald, August 27, 2004.
[1090] See <>.
[1091] Max Suich, “2004: Big Brother is watching you,” The Age, September 24, 2004; and Peter van Onselen and Wayne Errington, “Cheap way to pitch the budget,” Sydney Morning Herald, May 23, 2005, at 11.

[1092] Letter from Timothy Pilgrim, Acting Federal Privacy Commissioner for Australia, to Patrick Mueller, Law Clerk, Electronic Privacy Information Center, June 18, 2004 (on file with EPIC).
[1093] See <>.

[1094] <>.
[1095] <>.

[1096] See <>.
[1097] See <>.
[1098] Press Release, Office of the Federal Privacy Commissioner, Privacy Commissioner Approves Market Research Code (August 3, 2003) <>.

[1099] Letter from Timothy Pilgrim, Acting Federal Privacy Commissioner for Australia, to Patrick Mueller, Law Clerk, Electronic Privacy Information Center, June 18, 2004 (on file with EPIC).
[1100] Id.
[1101] Id.
[1102] Id.

[1103] “Centrelink staff sacked for privacy breaches”, ABC News Online, 23 August 2006,; "Eyeing Big Brother", The Canberra Times, 26 August 2006; “Tax office sacks ‘spies’”, The Australian, 29 August 2006, p.1; “Federal blitz on snoops boosted”, The Australian, 29 August 2006, p.33; and “No leaks but 27 stickybeaks inside ATO”, Australian Financial Review, 30 August 2006, p.4.

[1104] Victoria, Office of Police Integrity, Investigation into Victoria Police’s Management of the Law Enforcement Assistance Program (LEAP), March 2005, available at <>; and Vanessa Burrow, “Police sorry for LEAP bungle”, The Age, 16 May 2006.

[1105] <>.
[1106] Id. Part 13.
[1107] See <>.
[1108] Code C 522. See <>.

[1109] <>.
[1110] Telecommunications (Use of Integrated Public Number Database) Industry Standard 2005 at <>.

[1111] Telecommunications (Interception) Act 1979 <>.
[1112] Section 6 (2) of the Act is very unclear. An industry working party is currently reviewing Guidelines on 'participant monitoring'. See ACIF Guideline G516 <>.

[1113] Telecommunications (Interception and Access) Act 1979 Annual Report for Year Ending 30 June 2006 <$file/Final+TIA+Act+Annual+Report+-+2005-2006-1.pdf>.
[1114] Julian Bajkowski, “Criminals get the mobile phone bug”, Australian Financial Review, 11 May 2007, p.68.
[1115] George Williams & David Hume, “Watch what you say”, Sydney Morning Herald, 3 April 2006.

[1116] See <>. See also <>.

[1117] Australian Attorney-General’s Department, “Surveillance Devices Act 2004: Report for the year ending 30 June 2005”.

[1118] Crimes Act 1914 (as amended) available at: <>.Act, 1989 <>.
[1119] See <>.

[1120] <>.
[1121] Electronic Frontiers Australia, "Internet Censorship in Australia" (December 20, 2002), available at <>.
[1122] Simon Hayes, "Net Anti-FOI Bill Set to Fail," Australian IT, April 15, 2003 <,7204,6283083%5E15319%5E%5Enbv%5E15306,00.html>.

[1123] Spam Act 2003 (2003) (Cwth) <>.
[1124] Edward Manda, "Act Won't Slam the Door on Spam, but It Will Help," The Australian, April 20, 2004, at 35.
[1125] Australia Readies for New Spam Act as Official Releases Guide for Businesses, Privacy and Security Law Report, Vol. 3, No. 10 at 270 (2004); "Australia Spam Authorities Target Repeat Offenders," Precision Marketing, February 27, 2004, at 9.
[1126] Electronic Frontiers Australia, "Analysis of Spam Bills 2003" (November 1, 2003) available at <>.

[1127] Kirsty Needham, “SMS campaign backfires as car firm is fined for sending spam,” The Sydney Morning Herald, April 6, 2005, at <>.
[1128] “Nuisance timeline”, Computerworld, 7 June 2006, p.24.
[1129] Rachel Lebihan, “Spammers in the works, in law debate”, Australian Financial Review, 13 January 2006, p.55.

[1130] See <>.

[1131] Neil Shoebridge, “Marketers call ACMA on register fees”, Australian Financial Review, 2 April 2007, p.49.
[1132] Neil Shoebridge, “Register fails to answer call”, Australian Financial Review, 19 March 2007, p.49.

[1133] See <>.

[1134] <>.
[1135] Ruth Pollard, “Privacy alert: every patient on database”, Sydney Morning Herald, June 1, 2005, at 1.
[1136] <>

[1137] <>.
[1138] <>.
[1139] See <>; <>.

[1140] Essentially Yours: The Protection of Human Genetic Information in Australia, available at <>.

[1141] <>

[1142] <>.

[1143] "Australia Launches DNA Database to Fight Crime," Reuters, June 20, 2001.

[1144] Misha Ketchell, "Plan to Take DNA From Theft Suspects," The Age, March 4, 2004.
[1145] Id.

[1146] Simeon Beckett, "New Terrorism Law Raises Spectre of Agency Abuse," Sydney Morning Herald, June 26, 2003, at 13.
[1147] Mark Forbes, Michelle Grattan, "PM Gives $232m For The 'Fight of Our Lives,'" The Age, May 6, 2004 <>.

[1148] James Pearce, "New AU High Security Passport Omits Biometrics," ZDNet Australia, November 28, 2003 <>.
[1149] Karen Dearne, "Canberra Faces up to Security," AustralianIT, February 24, 2004 <,7204,8767093%5e15841%5e%5enbv%5e,00.html>.
[1150] "New Law to Step up Australian Passport Security, Increase Penalties," BBC Monitoring International Reports, February 17, 2004.

[1151] Jeanne-Vida Douglas, “ePassports on course for October launch,” The Australian Financial Review, June 14, 2005, at 39.
[1152] See <>.
[1153] Rachel Lebihan, "Two Steps forward, One back in e-Passport Saga," The Australian Financial Review, May 17, 2005, at 34.

[1154] See <>.

[1155] See <>.

[1156] See <>.
[1157] See <>.

[1158] <>.

[1159] <>.

[1160] See <>.

[1161] See <>.
[1162] See <>.

[1163] Freedom of Information Act 1982 <>, Freedom of Information (Fees and Charges) Regulations 1982 <>, Freedom of Information (Miscellaneous Provisions) regulations 1982 <>.
[1164] David Banisar, The Global Survey: Freedom of Information and Access to Government Records Around the World (May 2004) at 11-12 <>.
[1165] Australia Attorney-General's Department, Freedom of Information Act 1982 Annual Report 2002-2003, October 24, 2003, available at <>.
[1166] Id.
[1167] Banisar, supra.

[1168] See <>

[1169] <>.
[1170] <>.
[1171] See <>.

[1172] <>.

[1173] Workplace Video Surveillance Act 1998 <>.

[1174] <>.

[1175] Law Reform Commission, Report 98 (2001) - Surveillance: an interim report <>.
[1176] Listening Devices Act 1984 <>.
[1177] See <>.

[1178] "Data Protection: Australian State Issues New Guidelines To Help Government Manage Private Data," Privacy Law Watch, August 6, 2002. The OIT Guidelines are available at <>.

[1179] Homepage <>.

[1180] Homepage <>.
[1181] <>.

[1182] <>.

[1183] <>.
[1184] See <>.

[1185] Privacy Committee Act 1984 (Qld).
[1186] Invasion of Privacy Act 1971 (Qld).
[1187] Privacy in Queensland, Report No 9, Legal Constitutional and Administrative Review Committee, April 1998, available at <>.
[1188] <>.

[1189] See <>

[1190] <> (Tasmania); <> (South Australia); and <> (Western Australia).
[1191] <>.

[1192] For an overview of FOI laws in Australia and links to relevant government sites, see generally the University of Tasmania's FOI Review web page <>.

WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback