Privireal Home Page Privacy in Research, Ethics and Law
"examining the implementation of the Data Protection Directive 95/46/EC
in relation to medical research and the role of ethics committees"

Australia - Data Protection

History of Data Protection in AUSTRALIA

There was very little data protection law in Australia until 1988; what did exist consisted merely of incidental provisions in other Acts. In 1988, the Privacy Act was passed.

The Privacy Act contains eleven Information Privacy Principles that apply to Commonwealth and governmental agencies. The Privacy Amendment (Private Sector) Act 2000, which came into force on 21 December 2001, added ten National Privacy Principles that apply to the private sector and to all health service providers. These are found in Schedule 3 of the amended Privacy Act.

The Australian Federal Privacy Commissioner has responsibilities under the Privacy Act.

Summary of Data Protection in AUSTRALIA

Title of Data Protection Legislation: Privacy Act 1988 (as amended by the Privacy Amendment (Private Sector) Act 2000)

Name of supervisory authority: The Federal Privacy Commissioner

General Powers of supervisory authority: Section 27(1) of the 1988 Act outlines the functions of the Commissioner. These include:

- to investigate an act or practice of an agency that may breach an Information Privacy Principle and, where the Commissioner considers it appropriate to do so, to endeavour, by conciliation, to effect a settlement of the matters that gave rise to the investigation;

- to approve privacy codes and variations of approved privacy codes, and to revoke those approvals;

- to investigate an act or practice of an organisation that may be an interference with the privacy of an individual and, if the Commissioner considers it appropriate to do so, to attempt, by conciliation, to effect a settlement of the matters that gave rise to the investigation;

- to examine (with or without a request from a Minister) a proposed enactment that would require or authorise acts or practices of an agency or organisation that might, in the absence of the enactment, be interferences with the privacy of individuals, or which may otherwise have any adverse effects on the privacy of individuals, and to ensure that any adverse effects of such a proposed enactment on the privacy of individuals are minimised;

- to promote an understanding and acceptance of the Information Privacy Principles and of the objects of those Principles, and of the National Privacy Principles;

- to prepare, and to publish in the way that the Commissioner considers appropriate, guidelines:
  (i) to assist organisations to develop privacy codes or to apply approved privacy codes; or
  (ii) relating to making and dealing with complaints under approved privacy codes; or
  (iii) about matters the Commissioner may consider in deciding whether to approve a privacy code or a variation of an approved privacy code;

- to provide (on request or on the Commissioner's own initiative) advice to a Minister, agency or organisation on any matter relevant to the operation of this Act;

- to conduct audits of records of personal information maintained by agencies for the purpose of ascertaining whether the records are maintained according to the Information Privacy Principles;

- for the purpose of promoting the protection of individual privacy, to undertake educational programs on the Commissioner's own behalf or in co-operation with other persons or authorities acting on behalf of the Commissioner.

Section 27(2) of the Act states that "The Commissioner has power to do all things that are necessary or convenient to be done for or in connection with the performance of his or her functions under subsection (1)".

Who has standing to notify the supervisory authority of breaches? Probably anybody. See Section 27(1)(a) of the Privacy Act, which states that the Commissioner can "investigate an act or practice of an agency that may breach an Information Privacy Principle". No mention is made of who may alert the Commissioner to such breaches.

What are the penalties for data controllers if they breach the law? The main punishment set out in the Australian Privacy Act is fines. Fines are used in a variety of situations; see, for example, sections 18c(4), 18e(4), 18l(2) and 18n(2). In some circumstances, imprisonment can be used. See, for example, section 46c (failure of a person guilty of an offence under the Act to attend a conference convened by the Commissioner), s65(1) (failure to attend a hearing before the Commissioner, or failure to make an affirmation when required to do so), s65(3) (giving false information) and s66 (failure to give information).

Have any provisions been made for the processing of a national identification number or a general identifier, as per Article 8(7)? Not in the data protection legislation.

Is it necessary to obtain consent before processing personal data, or are alternatives available even when obtaining consent would not be impracticable or inappropriate? It is probably sufficient to use alternatives to consent even when it is not impracticable or inappropriate to obtain it.

Does the Data Protection Legislation cover the deceased? The Australian Act refers to "natural persons".

Who is able to indirectly identify the data subject? This is not mentioned in the Australian Act.
