Saturday, 24th of February, 2018

Privacy

Commonwealth - Privacy

Overview

The Commonwealth Privacy Act 1988 lays down strict privacy safeguards which Commonwealth (federal) and Australian Capital Territory (ACT) government agencies must observe when collecting, storing, using and disclosing personal information. The Act also gives individuals access and correction rights in relation to their own personal information. The Act also creates the Office of the Australian Information Commissioner.

The Act only applies to the wider community, including the private sector and state and local governments, in relation to specific categories of information: tax file number information, and consumer credit information. Other Commonwealth laws contain privacy provisions relating to information about health insurance claims, data matching, information about old criminal convictions. and personal information disclosed by telecommunications companies.

Privacy issues arise in a wide range of areas and circumstances. Privacy legislation deals mainly with information privacy – the handling of personal information. Other privacy issues include video surveillance, telephone interception or ‘bugging’, and physical intrusion into private spaces which often fall under criminal procedure legislation. The Privacy Commissioner’s office can provide general advice.

The Privacy Act has a number of major concerns which include protecting the personal information collected by Commonwealth Government departments and agencies; ensuring that Tax File Numbers (TFNs) are collected and used only for tax-related purposes; ensuring that an individual’s personal credit information is correctly managed and that personal privacy is not infringed; and the Act also gives people rights in relation to how their personal information is handled by many private sector organisations.

The private sector provisions of the Privacy Act aim to give people greater control over the way information about them is handled in the private sector by requiring organisations to comply with ten National Privacy Principles (NPPs), which are listed in the Privacy Principles section.

In summary, organisations now must take reasonable steps to make individuals aware that it is collecting personal information about them, the purposes for which it is collecting the information, and who it might pass the information on to.  There are some restrictions on the uses an organisation can make of personal information and on when an organisation can disclose personal information or transfer it overseas.

The Privacy Commissioner/The Office of the Australian Information Commissioner

Recent changes have seen an overlap between the websites of the Privacy Commissioner and the Office of the Australian Information Commissioner (OAIC). The functions of the Privacy Commissioner have been integrated into the OAIC, incorporating both Freedom of Information and Privacy issues into one office. Their contact details are available online.

Privacy Principles

There are two sets of standards in privacy principles. They are binding on the organisations to which they apply, and individuals can make a complaint if they believe that the principles have been breached.

The first is the Information Privacy Principles, which set standards required of Australian and ACT government agencies in their data collection, management and disclosure practices. The second is the National Privacy Principles which apply to private sector organisations. Again, individuals can make complaints if they believe their rights have been breached under the Privacy Principles as applicable to the public or private sector.

Information Privacy Principles

The ‘Information Privacy Principles’ for Commonwealth and ACT government agencies are currently available online. There are 11 principles in total, covering:

  1. Manner and purpose of collection of personal information: collection of information for a record or generally available publication must be for a lawful purpose and directly related to that purpose;
  2. Solicitation of personal information from a specific individual: ensure that the person is aware of the purpose for which the information is being collected, that it is authorised under law, and to who the information may be disclosed by the collector;
  3. Solicitation of personal information generally: where personal information is solicited for inclusion in a generally available publication, the collector shall take steps to ensure the relevance of information collected, and that the information does not unreasonably intrude upon the personal affairs of the individual;
  4. Storage and security of personal information: a record-keeper must ensure there are reasonable safeguards to prevent loss, unauthorised access, use, modification or disclosure, or any other misuse of information, by non-involved parties or by parties who have a limited right of access;
  5. Information relating to records kept by record-keeper: records of information kept must be accessible, except where the record-keeper is required or authorised to refuse access. Records must contain information on the nature and purpose of the information, classes of individuals concerned, and the age of the records. Persons entitled to access the information should be helped to obtain access;
  6. Access to records containing personal information: an individual should have access to their personal information as according to law. There may be a lawful reason to refuse access;
  7. Alteration of records containing personal information: a record-keeper must take reasonable steps to ensure the accuracy or information in a record, or to append a record to the original record indicating updates or changes;
  8. Record-keeper to check accuracy, etc. of personal information before use: a record-keeper must take reasonable steps to ensure the accuracy, completeness and up-to-date nature of records;
  9. Personal information to be used only for relevant purposes: information shall not be used except for a purpose to which the information is relevant;
  10. Limits on use of personal information: information can only be used for the purpose for which it was obtained unless the individual concerned consents to another use, the record-keeper believes use of the information is necessary in a situation threatening life or health of the individual, the law permits another use, or it is reasonably necessary for the enforcement of the criminal law; and
  11. Limits on disclosure of personal information: disclosure is limited to the purpose for which the information was obtained, consent of the individual concerned, and for similar reasons to those contained in Principle 10.

National Privacy Principles

The National Privacy Principles, applicable to private sector organisations are accessible online.

  1. Collection: what an organisation can collect, how to collect from third parties and, generally, what they should tell individuals about the collection.
  2. Use and disclosure: if certain conditions are met, an organisation does not always need an individual's consent to use and disclose personal information.  There are rules about direct marketing.
  3. Information quality: an organisation must take steps to ensure the personal information it holds is accurate and up-to-date, and is kept secure from unauthorised use or access.
  4. Security: as above
  5. Openness: an organisation must have a policy on how it manages personal information, and make it available to anyone who asks for it.
  6. Access and correction: this gives individuals a general right of access to their personal information, and the right to have that information corrected if it is inaccurate, incomplete or out-of-date.
  7. Identifiers: generally prevents an organisation from adopting an Australian Government identifier for an individual (e.g. Medicare numbers) as its own.
  8. Anonymity: where possible, organisations must give individuals the opportunity to do business with them without the individual having to identify themselves.
  9. Trans-border data flows: outlines how organisations should protect personal information that they transfer outside Australia.
  10. Sensitive information: sensitive information includes information such as health, racial or ethnic background, or criminal record.  Higher standards apply to the handling of sensitive information.

Protecting Private Information

Investigating Complaints and Preventing Breaches

The Privacy Commissioner, under the OAIC investigates complaints against agencies or organisations where an individual alleges a breach of the Privacy Act. There is also a power to investigate without a complaint being lodged, where a breach of the Privacy Act is suspected, for example where the media has highlighted a problem. Prevention of breaches is carried out by conducting audits, and monitoring government data-matching, as well as by issuing guidance material, such as the Privacy Principles, to keep standards up to the Privacy Act requirements.

Tax File Numbers

Tax File Numbers (TFNs) are unique numbers issued by the Australian Taxation Office to identify individuals, companies and others who lodge income tax returns with the office. Individuals who do not quote their TFN to employers and financial institutions have tax deducted from their income or interest payments at the highest marginal rate. Quotation of TFNs is also a condition of receipt of most Commonwealth government assistance payments.

The Privacy Commissioner has issued TFN Guidelines under section 17 of the Privacy Act. The guidelines are legally binding and aim to restrict the use of TFN information. Unauthorised use or disclosure of TFNs is also an offence under the Taxation Administration Act 1953 (Cth). The TFN rules are also partly contained in the Income Tax Assessment Act 1936.

The Data-Matching Program (Assistance and Tax) Act 1990 provides for and regulates the matching of records between the Australian Taxation Office and the assistance agencies using the tax file number in part of the process.

Credit Reporting

The Privacy Act at Part IIIA provides safeguards for individuals in relation to consumer credit reporting. In particular, it governs the handling of credit reports and other credit worthiness information about individuals by credit reporting agencies and credit providers. The Act ensures that the use of this information is restricted to assessing applications for credit lodged with a credit provider and other legitimate activities involved with giving credit. The legislation does not directly affect commercial credit information.

The key requirements of the Act include:

  • strict limits on the type of information which can be held on a person’s credit information file by a credit reporting agency, and limits on how long the information can be held on file;
  • limits on who can obtain access to a credit file held by a credit reporting agency - generally only credit providers may obtain access and only for specified purposes, whilst real estate agents, debt collectors, employers, and general insurers are barred from obtaining access;
  • purposes for which a credit provider can use a credit report obtained from a credit reporting agency limited to, among others:
  • assessing an application for consumer credit or commercial credit (but the credit provider must seek consent if they are using a consumer credit report to assess an application for commercial credit, or using a commercial report to assess an application for consumer credit),
  • assessing whether to accept a person as guarantor for a loan applied for by someone else,
  • collecting overdue payments;
  • prohibition on disclosure by credit providers of credit worthiness information about an individual, including a credit report received from a credit reporting agency, except in specified circumstances, which include: where the disclosure is to another credit provider and the individual has given consent, to a mortgage insurer or to a debt collector (but credit providers can only give limited information contained in or derived from a credit report issued by a credit reporting agency);
  • rights of access and correction for individuals in relation to their own personal information contained in credit reports held by credit reporting agencies and credit providers.

What does the Privacy Act mean to consumers?

The Act means consumers now have the right to know:

  • why a private sector organisation is collecting their personal information;
  • what information it holds about them;
  • how it will use the information; and
  • who else will get the information.

Except for some special circumstances, individuals have a right to get access to personal information an organisation holds about them and to have the information corrected or annotated if the information is incorrect, out-of-date or incomplete. Consumers can also make a complaint if they think their information is not being handled properly. A consumer could also apply to the Federal Court or the Federal Circuit Court for an order to stop an organisation from engaging in conduct that breaches the National Privacy Principles (NPPs).

Who does the Act apply to?

The Act applies to organisations in the private sector. An organisation can be an individual, a body corporate, a partnership, an unincorporated association or a trust. It covers:

  • businesses, including not-for-profit organisations such as charitable organisations, sports clubs and unions, with a turnover of more than $3 million;
  • federal government contractors;
  • health service providers that hold health information (even if their turnover is less than $3 million);
  • organisations that carry on a business that collects or discloses personal information for a benefit, service or advantage (even if their turnover is less than $3 million);
  • small businesses with a turn-over of less than $3 million that choose to opt-in;
  • incorporated State Government business enterprises;
  • any organisation that regulations say are covered.

Who is not covered?

The provisions do not apply to:

  • state or territory authorities, e.g ministers, departments, courts and local government councils;
  • political parties and acts of political representatives in relation to electoral matters;
  • most small businesses with an annual turnover of less than $3 million;
  • acts or practices in relation to employee records of an individual if the act or practice directly relates to a current or former employment relationship between the employer and the individual;
  • act or practices of media organisations in the practice of journalism.

How does the Act work?

The NPPs set the base line standards for privacy protection. Organisations may have and enforce their own codes. These codes must be approved by the Privacy Commissioner as having obligations at least equivalent to the NPPs and meet other requirements. The code must have an independent code adjudicator to handle complaints. If the code does not provide for a complaints handling mechanism the Privacy Commissioner is the code adjudicator. Organisations that do not have their own code must comply with the NPPs set out in the Privacy Amendment Act. The Privacy Commissioner handles complaints in these circumstances.

Other Privacy Legislation

Wrongful, quashed and spent convictions

The Commonwealth Spent Convictions Scheme under Part VIIC of the Crimes Act 1914 allows a person to disregard some criminal convictions after ten years (or five years in the case of juvenile offenders) and provides protection against unauthorised use and disclosure of this information. It covers convictions for minor federal, state and foreign offences, with the protections available varying according to which type of offence (federal, state or foreign) gave rise to the conviction. The scheme also covers pardons and quashed convictions.

There are some exclusions from the scheme, but they are very limited. Complaints about a breach of the provisions may be investigated by the Privacy Commissioner. 

There is no spent conviction legislation in Tasmania, however under the Anti-Discrimination Act 1998 (Tas) a person must not discriminate against another person on the ground of an irrelevant criminal record (s16(q)).

Telecommunications

The Telecommunications Act 1997 (Cth) contains a number of provisions dealing with the privacy of personal information held by carriers, carriage service providers and others.

Part 6 provides for the development of industry codes and standards in a range of consumer protection and privacy areas. The Privacy Commissioner must be consulted on any privacy codes. The codes are voluntary in the first instance, but breaches can be enforceable by the Australian Communications Authority.

Complaints - Privacy

Individuals may complain to the Federal Privacy Commissioner if they believe that their privacy has been infringed because of a breach of:

  • Information Privacy Principles (Cth government);
  • National Privacy Principles (private sector);
  • credit reporting provisions;
  • Tax File Number Guidelines;
  • Commonwealth Spent Convictions Scheme;
  • Pharmaceutical Benefits and Medicare Program Guidelines.

Contact information is available on the website of the Office of the Information Commissioner for privacy complaints. Phone enquiries can be made on 1300 363 992.

Metadata retention

 

The Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth) requires  telecommunications providers to retain, for two years, a defined set of metadata about the circumstances of the communications made through their services.  

Metadata consists of information about the circumstances of a communication; not the substance of the communication.  For a telephone call, for example, metadata will include the phone numbers used to begin a conversation, but not what was actually said in the conversation.  Similarly, for an e-mail correspondence, metadata will consist in the e-mail addresses used, but not what was written in the exchange.  Metadata does not consist of web-browsing history.

As such, the set of metadata now required to be retained is of six types: 

1.  The identity of the subscriber to a communications service; 
2.  The source of the communication; 
3.  The destination of the communication; 
4.  The date, time and duration of the communication; 
5.  The type of the communication; and 
6.  The location of the equipment used in the communication.

More information about these types of metadata, including examples of what they consist in, may be accessed here.

Data that is retained by telecommunications providers is protected as "personal information" by the Privacy Act 1988 (Cth), and by the Australian Privacy Principles.  Personal information includes information about an identified individual, or an individual who is reasonably identifiable, no matter the form in which the information is kept.

The Commonwealth Attorney-General's website contains additional information on metadata retention, and its implementing legislation.

 

 

 

Tasmania - Privacy

Overview

In Tasmania, privacy is regulated by the Right to Information Act 2009 which is covered in the ‘Right to Information’ section, and the Personal Information Protection Act 2004. Other legislation that impacts on privacy includes the Telecommunications (Interception) Tasmania Act 1999, the Police Powers (Controlled Operations) Act 2006, and the Police Powers (Surveillance Devices) Act 2008.

The Tasmanian Ombudsman investigates complaints concerning all of these acts, and also reviews decisions issued under the Right to Information Act.

Privacy is important in all areas of the law, including the criminal law. It is a balance between the interests of the state in preventing and punishing crime, and the rights of citizens, no matter whether they are under investigation for possible criminal offences. Just as personal information held by government bodies is protected from general and unregulated dissemination, so is information held by the police where that information has been obtained by an invasion of privacy, such as by use of a surveillance device. Rights of access to such information are diminished because of the necessity of the administration of justice, in contrast to the access permitted to private citizens seeking disclosure from government authorities concerning their personal information.

Personal Information Protection Act 2004 (Tas)

The Personal Information Protection Act (the PIP Act) is subordinate to other legislation where its provisions are inconsistent with other legislation. This means that the Right to Information Act will take precedence over the PIP Act if there is an inconsistency in the provisions.

The PIP Act allows a person to apply for and have access to personal information held by a personal information custodian (Schedule 1 – Clause 6). There are three points to address in terms of this right to apply for access. Firstly, an application isn't guaranteed to result in access. Access MAY be granted, but it is not a MUST. Secondly, access to personal information is not access to the document that contains the personal information. Personal information, when provided under a request through the PIP Act, will usually be provided in the form of an extract of the document containing the information. This personal information can be both or either information or an opinion about a person. Furthermore, the person's identity must be apparent or reasonably ascertainable (Guideline 1/2013). Thirdly, ‘personal information custodian’ (PIC) is a very broad term, and can refer to:

  • A public authority
  • Any body, organisation or person who has entered into a personal information contract relating to personal information
  • A prescribed body

In relation to the second dot point, a personal information contract can be between a government body/public authority, such as the Hobart City Council or DPIPWE, and a private company. For example, the HCC might enter into a contract with a private company to collect and store information on dog owners. This would mean that the private company would be a personal information custodian for the purposes of a person who wants to access information stored about them and their ownership of dogs.

A request to a PIC to access personal information must be in writing. You may also request that information held is amended if you find it is incorrect (s17A). If a personal information custodian refuses your request to see your personal information or does not respond within 20 working days then on receipt of a second written request they must treat your request as an application for assessed disclosure under the Right to Information Act 2009 and the timelines and review rights under that Act apply. At the end of the process, if there has been no grant of access, an applicant can make a complaint to the Ombudsman, be it either under section 44 of the Right to Information Act 2009 or the PIP Act section 18.

The PIP Act has two sets of personal information: personal information collected before the commencement of the Act, and personal information collected after. Personal information collected after the commencement of the Act is to be treated in accordance with all the principles set out in Schedule 1 of the Act (s6). The principles exclusive to information collected after commencement are:

  • A personal information custodian must not collect personal information unless the information is necessary for one or more of its functions or activities
  • A personal information custodian must not assign a unique identifier to an individual unless it is necessary for it to carry out any of its functions efficiently.
  • Anonymity: Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with a personal information custodian.
  • A personal information custodian must not collect sensitive information about an individual unless the individual has consented, or the collection is required or permitted by law; or the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual.

Information collected before the commencement of the Act is to be governed in accordance with principles 2, 3, 4, 5, 6 and 9 only.

There is a requirement in the Act that all personal information custodians comply with these Personal information protection principles (ss16 and 17). Complaints are managed by the Ombudsman.

There are exemptions to the provisions of the Act. These are:

  • Courts and tribunals;
  • Public information;
  • Law enforcement information where non-compliance is reasonably necessary for law enforcement functions and activities;
  • Employee information;
  • Unsolicited information – information given without being sought to a public information custodian; and
  • The use of information for basic purposes, such as storage, communication with a public sector body, and the information is basic personal information (such as name and age).

Criminal Procedure Legislation

The Telecommunications (Interception) Tasmania Act 1999, the Police Powers (Controlled Operations) Act 2006, and the Police Powers (Surveillance Devices) Act 2006 are statutes that concern criminal procedure: the activities of police in investigating criminal matters.

Police powers under these Acts tend to be concerned with listening to, observing, or recording the interactions of people, some of who will be under a criminal investigation, and others who are incidental to that criminal investigation by association. The Telecommunications (Interception) Tasmania Act 1999 enables the Tasmania Police Service to be classified as an agency for the purposes of the Commonwealth Act of the same name. The Commonwealth Act creates powers to intercept telecommunications, i.e. listen to conversations. The Tasmanian Act creates obligations to do with storage of records, inspection of records, and the keeping and destruction of restricted records. A restricted record is a record in the possession of the Tasmania Police, created pursuant to the Act.

Section 8 of the Telecommunications Act stipulates that restricted records are required to be kept in secure place to prevent access by people not entitled to deal with it, and these records must be destroyed once the Commissioner of Police is satisfied that there is no likely permitted use for the records.

The Police Powers (Controlled Operations) Act 2006 concerns operations conducted or intended to be conducted for the purpose of obtaining evidence that may lead to a prosecution of a person for a relevant offence, that also involves or may involve controlled conduct. Controlled conduct is conduct that would otherwise constitute a criminal offence. This Act involves authorisation of, for example, undercover officers to engage in criminal conduct in an investigation, or even something as simple as trespass. Obviously, this can impinge on the privacy of people investigated.

There are strict requirements for authorisation of controlled operations (s9). Enough information must be provided to allow the decision maker to decide whether or not to grant the application. This would be information that illustrated the likelihood of obtaining evidence, the type of offences suspected, and the public interest in preventing the continuation of the offences.

Importantly, the Act contains provisions to do with record keeping (Part 4, Division 2), and unauthorised disclosure of information (s26). A person investigated and a person investigating have protection in that a person who discloses any information to do with a controlled operation is guilty of an offence punishable by up to 2 years imprisonment. Document keeping requires record keepers to maintain all the documentation relating to authorisation of controlled operations under the Act. However, there are no requirements for destruction of documents.

The Police Powers (Surveillance Devices) Act 2006 contains controls on the use, communication and publication of information obtained through use of a surveillance device warrant issued under the Act. Section 33(1) is directed toward where information, whether protected or not, is published, whether or not it jeopardises an investigation. The penalty is up to 2 years imprisonment. Section 33(2) where publication of information prejudices or will prejudice the effective conduct an investigation or the health and safety of any person attracts a maximum penalty of 10 years imprisonment. Both provisions require intentionality of the act or recklessness. These provisions do not apply to information that has been disclosed in court or have entered the public domain (s33(3)). Section 34(1)(b) provides for the destruction of records or reports obtained by use of a surveillance device if it is not likely to be used for an investigation, making a decision to prosecute or other deliberations, investigation of a complaint, or any criminal proceeding (see: s33(4)).

Complaints - Privacy

Complaints about privacy involving state organisations can be made to the State Ombudsman.

Disclaimer

This does not constitute legal advice and the Tasmanian Law Handbook should not be used as a substitute for legal advice. No responsibility is accepted for any loss, damage or injury, financial or otherwise, suffered by any person acting or relying on information contained in it or omitted from it.