Introduction

This document provides access to laws of the Australian Commonwealth that are relevant to privacy, and that have application to the federal public sector, and some of the private sector nation-wide. If you’re aware of errors or omissions, please let us know.

If you’re looking for the laws of a State or Territory, those details are in another document. See: N.S.W., Victoria, Queensland, Western Australia, South Australia, Tasmania, A.C.T., Northern Territory.

This page contains the following sections:


The Privacy Act 1988, as amended (esp. in 1990, 2000 and 2012)

The primary statute is the Privacy Act 1988. The original version applied to the Commonwealth public sector. It was amended in 1990 to apply also to the credit reporting industry. It was then further amended in 2000 to apply to much of the private sector.

The original statute was adequate, and the 1990 credit reporting amendment was reasonably strong. The 2000 private sector amendment, on the other hand, was so bad that some people thought that it was the world’s worst privacy legislation. Subsequently, the NSW Act challenged it for that mantle. But then the 2012 amendments were passed, which make the Privacy Act (Cth) unequivocally the most privacy-hostile data protection law in the world.

The law has all manner of exceptions, exemptions, authorisations and designed-in loopholes scattered through it, and the complexities are such that there are many unintended loopholes, ambiguities and uncertainities as well. Its effect has also been greatly weakened by large numbers of exceptions and authorisations written into other legislation. Corporations and expensive lawyers and consultants spend a lot of time wading through the verbiage in order to find multiple ways in which organisations can breach data privacy, but avoid breaching data privacy law.

Here’s the current Privacy Act, as very heavily amended since its original passage in 1988.

Here is the official but less usable version. Typical of the AGD’s privacy-hostility was its refusal to make the 2012 consolidated Act available to the public until the morning in March 2014 that the vastly-amended law came into effect. That appears to be a simply reprehensible position to adopt. The explanation is that, since 2001, the AGD has been completely taken over by shorn-headed national security devotees.

Here’s an OAIC page that provides an overview of its interpretation of the Act.

Here are the new, greatly-weakened Australian Privacy ‘Principles’, wef 12 March 2014.
They’re a monstrous 5,000 words, and contain all manner of concessions to business and government, at great cost to privacy. The public sector IPPs (1989-2014) were already very long, for a body of ‘principles’, at 1,600 words – but that was because they contained so many exemptions and exceptions. The private sector NPPs (2001-2014) were 3,200 words – because they contained even more exemptions and exceptions. Here are:

  • The APPs as provided by the OAIC in Feb 2013, in HTML, and in PDF
  • The OAIC’s Guidelines on the APPs, released 21 Feb 2014, in HTML, and also in PDF
  • As enacted, in the incomprehensible form that legislative draftspeople typically use, presumably so as to avoid parliamentarians and the public understanding what the public service is up to. The Principles start half-way through that document

Important prior documents, 1988-2014:

The Attorney-General’s Department’s ComLaw database can also be used, by searching on ‘Privacy Act’, and then sifting through the hundreds of hits to find the particular document and version that you want.

The Privacy Act granted the National Health and Medical Research Council the extraordinary power to issue its own guidelines. For these, see:


Surveillance Laws

There’s a vast array of legislation that authorises surveillance by Commonwealth agencies, much of it enacted since September 2001, most of it grossly excessive, and most of it subject to seriously inadequate controls. Valuable summaries are provided by the Commonwealth Parliamentary Library, but they keep disappearing every few years, because web-site re-designs are conducted with a cavalier attitude to history, and information policy standards in government seem to be non-existent, or else seriously inadequate. Checks in November 2013 and March 2017 found these two:

Here’s an enumeration of the 65 ‘counter-terrorism’ statutes 2001-15, a categorisation of their provisions, a list of the resulting compromises to human rights, and assessment of the extent to which PIAs were performed.

Statutes of particular relevance are:

Relevant organisations include:


Attempts to Achieve a National Id Scheme

Here’s some documentation re the first 25 years’ attempts to impose a National ID Scheme (c.1985-2010):

  • A history of the failed Australia Card proposal (1985-87), here
  • Histories of the early phases of the Tax File Number (1988-91), here and here
  • A history needs to be written about the consolidation of all Tax and Social Welfare Identifiers by Centrelink (1997-)
  • Histories of three further failed projects (2004-06), here
  • A history of the early phases of the Document Verification System (DVS – 2005-06), here
  • A history of the failed Access Card proposal (2006-07), here
  • A note on the first attempt at a single-signon for all Australians (2007), here
  • A note on the merger of Centrelink and Medicare into a super-Dept of Human Services (2011), here

Here are some extant id-related schemes, which are subject to some regulatory constraints, many woefully inadequate:

  • The Australian Passports Act, associated processes, records and biometrics. Some early information is here
  • Conversion of Births, Death and Marriages Registries from services to surveillance tools
  • The National Exchange of Vehicle and Driver Information System (NEVDIS)
  • The Document Verification System (DVS)
  • The Face Verification System (FVS)
  • Australia Post’s National Population and Address Database, onsold to government agencies and business enterprises
  • Imposition of a Unique Student Identifier (USI), intended for lifetime application, but apparently without any legislative authorisation or controls
  • Imposition of a Health Identifier (IHI), documentation here
  • Conversion of the Census from anonymous statistics to a national databank. See here and here
  • Many Attempts at a Centralised Portal, most recently myGov
  • Many Attempts to impose a Digital Identifier on each person, for use with all Agencies, incl. TDIF (2015-17)

A phantom organisation exists called the National Statistical Service, which is a community of government agencies that expropriate personal data and make it available for research. It appears to be primarily ABS, with AIHW and AIFS – which are designated by another phantom organisation called the ‘Cross Portfolio Data Integration Oversight Board’, under an “interim accreditation scheme”, as ‘Data Linkage Integrating Authorities’. But every agency is invited to be involved and donate ‘their’ data-holdings about people. It appears that the ‘National Statistical Service’ is a backdoor mechanism being used to establish and maintain a Danish-style national databank containing everything available about every Australian resident.


Law Enforcement Data

Crimtrac (1990-2016), now part of the Australian Criminal Intelligence Commission, operates criminal records, criminal intelligence records and biometrics records, and would love to operate an ANPR-based national traffic surveillance network as well.


Communications

The Post

Electronic Communications, including the Internet

Telephony Generally

  • Calling Number Display / Calling Line Identification (CND / CLI)
  • Integrated Public Number Database (IPND) – more disastrously bad ‘regulation’
  • Do Not Call Register Act 2006 – after some difficulties, another of the rare successes

Mobile / Celular Telephone

Categories of Unpleasant Cyberspace Behaviour (See here)

  • Crimes
    • Assault
    • Incitement to Violence
    • Illegal Pornography (in Australia, for example, this is pornography that involves any of violence, apparent absence of consent, children or animals)
    • Grooming
    • Harassment
    • Stalking
    • Preparation for Criminal Acts
  • ‘Computer Crimes’
    • Unauthorised impairment of data held in computer storage
    • Unauthorised impairment of electronic communications
    • Unauthorised access, modification or impairment to commit a serious offence
  • ‘Cybercrimes’
    • Online Grooming
    • ‘using a carriage service to make a threat’ (s.474.15)
    • ‘using a carriage service to menace, harass or cause offence’ (s.474.17)
    • Cyber-Stalking
  • ‘Attack Speech’
    • Intentional Misinformation
    • Trolling (messages designed to provoke emotions and cause disruption)
    • Flaming
    • Offensive communications and insults
    • Humiliating content
    • Intimidatory content
    • Cyber-Bullying
  • Other Forms
    • Impersonation
    • Sexting
    • Revenge Porn

Taxation and Social Welfare


Health

A centralised eHealth record has been imposed on Australians, originally misnamed the ‘Personally Controlled Electronic Health Record’ (PCEHR), subsequently re-born as ‘MyHR’. It is not designed to support patient health care, and is of little use to patients or clinicians. Its purpose is to greatly increase the availability to federal bureaucrats of personal health care data, for such uses as statistics for the Minister’s office, waste and fraud control, and research. The scheme is all about expropriation of personal data by the public service.

The Australian Institite of Health & Welfare (AIHW) expropriates vast quantities of highly sensitive personal data from a wide variety of sources, including hospitals, stores it in a database, and makes it available to researchers as identified or at least readily re-identifiable personal data. (I’m currently unclear what the legal authority is, and what the legal protections are).

Some limited protections for data expropriated for research were created in 1981 by the Epidemiological Studies (Confidentiality) Act (Cth); but under s.35 of its 1987 Act, AIHW is exempted from them.

The relevant agencies appear to be bound by the Medicare and Pharmaceutical Benefits Programs Privacy Guidelines which were issued under s.135AA of the National Health Act in 2008 (and have been unchanged since). The Rules come within the purview of the Commissioner under s.135AB.

The Privacy Act granted the National Health and Medical Research Council the extraordinary power to issue its own guidelines. For these, see:

Attempts to force the Parliament to enact a Genetic Privacy and Non-Discrimination Bill failed in 1998, 2000, 2002, 2004 and 2008. It’s unclear to what extent the Recommendations of the ALRC in 2003 have been implemented. The field may well be wide open for expropriation of genetic data by government agencies, by corporations such as insurance companies, family history companies and pathology services, and by all entities as employers.


Employment

Employers have a complete holiday from the Privacy Act by virtue of s.7B(3), on the pretext that employees’ privacy is covered by other laws. It isn’t.

Re Email, see here

Re Substance Abuse Testing, see here

Re Biometrics, see here

Re Genetics, it’s unclear to what extent the 2003 Recommendations of the ALRC have been implemented. Employers may well have carte blanche to abuse their employees’ privacy in this area

Workplace visual surveillance is authorised in several jurisdictions, and with seriously inadequate controls.

The Australian Government Security Vetting Agency (AGSVA) subcontracts security vetting processes for a remarkably high percentage of Clth goverment employees, direct contractors, and employees and contractors of contractors (>350,000 it seems, incl. temporary accounts payable clerks, plumbers and field workers, all in non-sensitive agencies). Baseline Vetting is moderately intrusive, and it gets progressively worse at Negative Vetting levels 1 and 2, and Positive Vetting. It appears that there may not be any parliamentary authority for these intrusions, and that the entire scheme may be predicated on the conditions of engagement imposed on employees and contractors.


Education

There are ongoing endeavours to impose a single, lifelong identifier on every individual, called the Unique Student Identifier (USI). A system is in place, and appears to be being imposed using the usual monetary incentive/disincentive mechanism applied by government agencies. No enabling legislation appears to exist. A Student Identifiers Bill was introduced in 2013 but did not progress. So it is unclear what, if any, safeguards exists for this invasive and unapproved scheme.

There appears to be ongoing endeavours to achieve a centralised national scheme of records about every individual.

Various national and State/Territory occupational registers exist, generally subject to reasonable safeguards.


Social Behaviour

Incitement to violence is a criminal act called ‘urging violence’, under s.80.2A, B of the Criminal Code (Cth).

Bullying of a serious nature is at least theoretically subject to prosecution as assault.

Re harassment, see ALRC Report 123 (2014), s.15.

The generation of anxiety in a person, through an act that “offends, insults, humiliates or intimidates” on the basis of “race, colour or national or ethnic origin” is subject to regulation in some circumstances through the Racial Dicrimination Act s.18C-18D.

A phantom organisation called the National Statistical Service is a community of government agencies that expropriate personal data and make it available for research. It appears to be primarily ABS, with AIHW and AIFS – which are designated by another phantom organisation called the ‘Cross Portfolio Data Integration Oversight Board’, under an “interim accreditation scheme”, as ‘Data Linkage Integrating Authorities’. But every agency is invited to be involved and donate ‘their’ data-holdings about people. It appears that the ‘National Statistical Service’ is a backdoor mechanism being used to establish and maintain a Danish-style national databank containing everything available about every Australian resident.

In addition, the Australian Instutute of Family Studies (AIFS) appears to maintain at least one dataset which appears to contain data expropriated by the Dept of Social Security, and which appears to be highly privacy-intrusive, and which is accessed by many scores of organisations and many hundreds of researchers.

A vast amount of data, some effectively de-identified, some not, and some apparently identified, has been expropriated and consolidated in the Australian Data Archive, a resource available to social scientists. It is unclear under what, if any, authority it operates, and what safeguards apply.

In August 2016, the Census was converted was abruptly converted, without public consultation or even parliamentary debate, from an anonymous statistical survey of the population to a consolidated, longitudinal database of personally identified information, with data to be expropriated from agencies’ administrative data holdings and added into the ABS-maintaned data warehouse. A larger breach of public trust is difficult to imagine. The public has been taught to avoid, obfuscate and falsify data that it provides to government agencies. See here and here.


Financial Transactions

ATM and EFTPOS transaction data appears to be readily available to law enforcement agencies. The tracking value has massively intensified since 2013, with the explosion in uptake of contactless card payments.

Austrac financial transaction tracking, and associated identification requirements:

The Privacy Act’s Part IIIA was amended in 2012 to destroy the 1989 provisions that constrained the operations of credit bureaux, and to provide authorisation for credit bureaux to gather highly detailed personal data, and sell it back to lenders, subject to seriously inadequate regulatory mechanisms. The near-monopoly operator Veda was promptly taken over by US behemoth Equifax, ensuring a massive leap in the sale, rental and profile-consolidation of Australian consumers.


Transportation

The international Passenger Movements System is operated by the Dept of Immigration, or whatever para-military title it may be operating under at any given time. This is linked with passenger name record (PNR) systems. For information on the appalling process and outcomes in relation to disclosure of passenger data, see APF submissions of 19 Sep 2011 and 27 Sep 2011.

The Dept of Immigration (replace with current name) operates a Movement Alert List (MAL). In late 2013, a Departmental document of mid-2011 – mirrored here – disclosed that the MAL contained an extraordinary “647 000 identities, of which 49 per cent are national security alerts of interest”.

There have been considerable endeavours by Crimtrac, now ACIC, to stimulate the use of ANPR to build a national database for traffic surveillance.

A further element of the surveillance state and economy is vehicle monitoring, variously by manufacturers, by fleet-owners, and by insurers.


Freedom of Information


Human Rights


Archives


The Possibility of a Tort of Invasion of Privacy

In ABC v Lenah Game Meats Pty Ltd (2002) 208 CLR 199, a majority of the High Court held that Australian courts were not prevented from finding that there is a tort (or legal cause of action) of unjustified invasion of privacy. But they did not find that it existed on the facts of the case before them. There has been no other significant sign of life in the 15 years since then.

See also the ALRC’s Recommendation of a Privacy Cause of Action ALRC (2008b).


Resources

The Office of the Federal Privacy Commissioner’s page on Other [Privacy-Relevant] Legislation

Andrew Nemeth’s site on NSW Photo Rights, incl. privacy

Two papers on history and issues, Clarke (1998a-) and Clarke (1998b-)

AustLII’s Australian Subject-Index for Privacy

AustLII’s Australian (Commonwealth) Privacy and Surveillance Law Library

Greenleaf G.W. & Waters N. (Eds.) (1994-2006) ‘Privacy Law & Policy Reporter’, monthly, available from http://www.austlii.edu.au/au/journals/PLPR/

Gunning P. (2001) ‘Central features of Australia’s private sector privacy law’ Privacy Law & Policy Reporter 7, 10 (May 2001) 189-199

Hughes G. (1991) ‘Data Protection Law in Australia’, Law Book Company, 1991

AMCRAN (2004) ‘Terrorism Laws: ASIO, the Police and You’, Australian Muslim Civil Rights Advocacy Network, 3rd ed., January 2007, at https://www.missionislam.com/conissues/books/Anti_Terror_Laws_3rd_Ed_English_2Up.pdf