Introduction:
Australia follows a federal form of government with a national government for the Commonwealth of Australia and separate state governments for the states of New South Wales, Victoria, Queensland, South Australia, Western Australia, Tasmania, Northern Territory and Australian Capital Territory.
The federal government enacts its own laws while each of the state governments enacts laws as per its own unique requirements.
Today, we shall understand some of the important provisions of the Privacy Act, 1988 which is the federal legislation for data protection in force in Australia.
The Privacy Act, 1988:
It came into force to protect the personal information of individuals collected by business entities and federal government agencies. It is to be read along with the state legislations that are in force.
Which entities are within the scope of the Privacy Act?
The Act applies to APP entities(APP is the abbreviated form of Australian Privacy Principles). The APP entities that come within the purview of the Act are:
-Individuals
-Private sector entities with an annual turnover of more than AUD 3 million
-Commonwealth Government and Australian Capital Territory government agencies.
Which entities are excluded from the scope of the Privacy Act?
-A small business operator with an annual turnover of less than AUD 3 million
-A registered political party
-A state or territory authority
The Privacy Act is based on 13 Australian Privacy Principles. These Privacy Principles help us understand the obligations of the APP entities and the rights of the individuals whose information is being collected by the APP entities.
Apart from personal information, the Privacy Act also takes into consideration sensitive information which is different from personal information. Personal information is any data that can be used to identify an individual while sensitive information comprises of racial or ethnic origin, political opinions, professional or political or religious affiliations, sexual orientation, health records, biometrics etc. It is very evident that a breach of the sensitive information can have far reaching negative consequences for the individual.
Hence, the penalties that are levied on entities are severe in nature. In case of a breach, a corporate entity has to pay upto AUD 1.8 million and a non-corporate entity upto AUD 360,000.
The Privacy Act also provides for credit reporting and sets out how entities can deal with credit related personal information.
Conclusion:
From the above, it can be seen that the Privacy Act has broad ranging provisions. In December 2020, the fines under the Privacy Act are said to have increased five fold with an increased budget provided to the Office of the Australian Information Commissioner. This will lead to stricter compliance by entities that are within the ambit of the Act.
References: