What does the Privacy Act mean to consumers?
The Act means consumers now have the right to know:
- why a private sector organisation is collecting their personal information;
- what information it holds about them;
- how it will use the information; and
- who else will get the information.
Except for some special circumstances, individuals have a right to get access to personal information an organisation holds about them and to have the information corrected or annotated if the information is incorrect, out-of-date or incomplete. Consumers can also make a complaint if they think their information is not being handled properly. A consumer could also apply to the Federal Court or the Federal Circuit Court for an order to stop an organisation from engaging in conduct that breaches the National Privacy Principles (NPPs).
Who does the Act apply to?
The Act applies to organisations in the private sector. An organisation can be an individual, a body corporate, a partnership, an unincorporated association or a trust. It covers:
- businesses, including not-for-profit organisations such as charitable organisations, sports clubs and unions, with a turnover of more than $3 million;
- federal government contractors;
- health service providers that hold health information (even if their turnover is less than $3 million);
- organisations that carry on a business that collects or discloses personal information for a benefit, service or advantage (even if their turnover is less than $3 million);
- small businesses with a turn-over of less than $3 million that choose to opt-in;
- incorporated State Government business enterprises;
- any organisation that regulations say are covered.
Who is not covered?
The provisions do not apply to:
- state or territory authorities, e.g ministers, departments, courts and local government councils;
- political parties and acts of political representatives in relation to electoral matters;
- most small businesses with an annual turnover of less than $3 million;
- acts or practices in relation to employee records of an individual if the act or practice directly relates to a current or former employment relationship between the employer and the individual;
- act or practices of media organisations in the practice of journalism.
How does the Act work?
The NPPs set the base line standards for privacy protection. Organisations may have and enforce their own codes. These codes must be approved by the Privacy Commissioner as having obligations at least equivalent to the NPPs and meet other requirements. The code must have an independent code adjudicator to handle complaints. If the code does not provide for a complaints handling mechanism the Privacy Commissioner is the code adjudicator. Organisations that do not have their own code must comply with the NPPs set out in the Privacy Amendment Act. The Privacy Commissioner handles complaints in these circumstances.