Introduction
This document provides access to laws of the Australian Commonwealth that are relevant to privacy, and that have application to the federal public sector, and some of the private sector nation-wide. If you’re aware of errors or omissions, please let us know.
If you’re looking for the laws of a State or Territory, those details are in another document. See: N.S.W., Victoria, Queensland, Western Australia, South Australia, Tasmania, A.C.T., Northern Territory.
This page contains the following sections:
- The Privacy Act
- Regulation of Social Control Mechanisms:
- Regulation in Particular Sectors:
- Other Areas:
- Resources
The Privacy Act 1988, as amended (esp. in 1990, 2000 and 2012)
The primary statute is the Privacy Act 1988. The original version applied to the Commonwealth public sector. It was amended in 1990 to apply also to the credit reporting industry. It was then further amended in 2000 to apply to much of the private sector.
The original statute was adequate, and the 1990 credit reporting amendment was reasonably strong. The 2000 private sector amendment, on the other hand, was so bad that some people thought that it was the world’s worst privacy legislation. Subsequently, the NSW Act challenged it for that mantle. But then the 2012 amendments were passed, which make the Privacy Act (Cth) unequivocally the most privacy-hostile data protection law in the world.
The law has all manner of exceptions, exemptions, authorisations and designed-in loopholes scattered through it, and the complexities are such that there are many unintended loopholes, ambiguities and uncertainties as well. Its effect has also been greatly weakened by large numbers of exceptions and authorisations written into other legislation. Corporations and expensive lawyers and consultants spend a lot of time wading through the verbiage in order to find multiple ways in which organisations can breach data privacy, but avoid breaching data privacy law.
Here’s the current Privacy Act, as very heavily amended since its original passage in 1988.
Here is the official but less usable version. Typical of the AGD’s privacy-hostility was its refusal to make the 2012 consolidated Act available to the public until the morning in March 2014 that the vastly-amended law came into effect. That appears to be a simply reprehensible position to adopt. The explanation is that, since 2001, the AGD has been completely taken over by shorn-headed national security devotees.
Here’s an OAIC page that provides an overview of its interpretation of the Act.
Here are the new, greatly-weakened Australian Privacy ‘Principles’, wef 12 March 2014.
They’re a monstrous 5,000 words, and contain all manner of concessions to business and government, at great cost to privacy. The public sector IPPs (1989-2014) were already very long, for a body of ‘principles’, at 1,600 words – but that was because they contained so many exemptions and exceptions. The private sector NPPs (2001-2014) were 3,200 words – because they contained even more exemptions and exceptions. Here are:
- The APPs as provided by the OAIC in Feb 2013, in HTML, and in PDF
- The OAIC’s Guidelines on the APPs, released 21 Feb 2014, in HTML, and also in PDF
- As enacted, in the incomprehensible form that legislative draftspeople typically use, presumably so as to avoid parliamentarians and the public understanding what the public service is up to. The Principles start half-way through that document
Important prior documents, 1988-2014:
- Privacy Amendment (Enhancing Privacy Protection) Act 2012 (which made a wide range of amendments that benefited business and government agencies and undermined privacy protections. One of very few improvements was the provision of additional powers to the Privacy Commissioner – but on past performance they’re unlikely to ever be used)
- the consolidated Privacy Act 1988, as at 11 March 2014
i.e. the state the law was in during the last 8-1/2 months before the new, greatly-weakened Act came into force
- the old IPPs – the Information Privacy Principles, affecting the Commonwealth public sector, 1989-2014
- the old NPPs – the National Privacy Principles, affecting the private sector, 2001-2014
- Privacy Amendment (Private Sector) Act 2000 (which extended the scope to the private sector with effect from 21 December 2001 for large and medium-sized businesses, and from 21 December 2002 for some small businesses, but included very weak privacy protections)
- Privacy Amendment Act 1990 (which inserted the provisions relating to the credit reporting industry)
- the original Privacy Act of 1988
The Attorney-General’s Department’s ComLaw database can also be used, by searching on ‘Privacy Act’, and then sifting through the hundreds of hits to find the particular document and version that you want.
The Privacy Act granted the National Health and Medical Research Council the extraordinary power to issue its own guidelines. For these, see:
- Guidelines for the conduct of medical research involving human participants (March 2000), under s.95
- Guidelines on health data expropriated for research purposes (December 2001), under s.95A
- Guidelines on disclosure of genetic data without consent (2014), under s.95AA
Surveillance Laws
There’s a vast array of legislation that authorises surveillance by Commonwealth agencies, much of it enacted since September 2001, most of it grossly excessive, and most of it subject to seriously inadequate controls. Valuable summaries are provided by the Commonwealth Parliamentary Library, but they keep disappearing every few years, because web-site re-designs are conducted with a cavalier attitude to history, and information policy standards in government seem to be non-existent, or else seriously inadequate. Checks in November 2013 and March 2017 found these two:
- Key internet links on Terrorism Law, and a mirror of the version of October 2007
- Terrorism Law – Chronology of legislative developments, and a mirror of the version of 3 May 2010
Here’s an enumeration of the 65 ‘counter-terrorism’ statutes 2001-15, a categorisation of their provisions, a list of the resulting compromises to human rights, and assessment of the extent to which PIAs were performed.
Statutes of particular relevance are:
- Australian Postal Corporation Act, esp. ss.90M-90ZB re Limits on opening and examining articles
- Surveillance Devices Act, a law whose purpose is not to protect the public, but to set out the powers of Commonwealth law enforcement agencies with respect to surveillance devices. That term is defined in readily extensible fashion to mean any combination of a ‘data surveillance device’, a ‘listening device’, an ‘optical surveillance device’ or a ‘tracking device’
- CCTV and its ‘regulation’, see here
- Drones and their ‘regulation’, see here
- Anti-Money Laundering And Counter-Terrorism Financing Act (Cth) – AML-CTF
- Financial Transaction Reports Act (Cth) – FTR or FTRA
- Australian Security Intelligence Organisation Act (Cth), incl. s.25A, whereby ASIO’s Minister authorises hacking of computers to access data ((4)(a)), and modify data ((4)(ab)), and s.35K, whereby ASIO’s Minister immunises it against liability for illegal acts (“special intelligence conduct”)
- Mutual Assistance In Criminal Matters Act 1987
- Police Powers and Responsibilities Act (Qld)
incl. ss.211-220, dealing with Covert Evidence Gathering Powers
- Inspector-General of Intelligence And Security Act
- Australian Crime Commission Act (now ACIC)
Relevant organisations include:
- Austrac, which tracks financial transactions
- Crimtrac (1990-2016), now part of the Australian Criminal Intelligence Commission,
which operates criminal records, criminal intelligence records and biometrics databases
Attempts to Achieve a National Id Scheme
Here’s some documentation re the first 25 years’ attempts to impose a National ID Scheme (c.1985-2010):
- A history of the failed Australia Card proposal (1985-87), here
- Histories of the early phases of the Tax File Number (1988-91), here and here
- A history needs to be written about the consolidation of all Tax and Social Welfare Identifiers by Centrelink (1997-)
- Histories of three further failed projects (2004-06), here
- A history of the early phases of the Document Verification System (DVS – 2005-06), here
- A history of the failed Access Card proposal (2006-07), here
- A note on the first attempt at a single-signon for all Australians (2007), here
- A note on the merger of Centrelink and Medicare into a super-Dept of Human Services (2011), here
Here are some extant id-related schemes, which are subject to some regulatory constraints, many woefully inadequate:
- The Australian Passports Act, associated processes, records and biometrics. Some early information is here
- Conversion of Births, Death and Marriages Registries from services to surveillance tools
- The National Exchange of Vehicle and Driver Information System (NEVDIS)
- The Document Verification System (DVS)
- The Face Verification System (FVS)
- Australia Post’s National Population and Address Database, onsold to government agencies and business enterprises
- Imposition of a Unique Student Identifier (USI), intended for lifetime application, but apparently without any legislative authorisation or controls
- Imposition of a Health Identifier (IHI), documentation here
- Conversion of the Census from anonymous statistics to a national databank. See here and here
- Many Attempts at a Centralised Portal, most recently myGov
- Many Attempts to impose a Digital Identifier on each person, for use with all Agencies, incl. TDIF (2015-17)
A phantom organisation exists called the National Statistical Service, which is a community of government agencies that expropriate personal data and make it available for research. It appears to be primarily ABS, with AIHW and AIFS – which are designated by another phantom organisation called the ‘Cross Portfolio Data Integration Oversight Board’, under an “interim accreditation scheme”, as ‘Data Linkage Integrating Authorities’. But every agency is invited to be involved and donate ‘their’ data-holdings about people. It appears that the ‘National Statistical Service’ is a backdoor mechanism being used to establish and maintain a Danish-style national databank containing everything available about every Australian resident.
Law Enforcement Data
- Criminal Records Data
- Widespread access to Criminal Records Data, re employees, volunteers, etc.
- Criminal Investigation Data
- The Crimes Act specifies Spent Convictions offences in Part VIIC, ss.85ZL-85ZZK
Crimtrac (1990-2016), now part of the Australian Criminal Intelligence Commission, operates criminal records, criminal intelligence records and biometrics records, and would love to operate an ANPR-based national traffic surveillance network as well.
Communications
The Post
- Re the interception of mail (referred to as ‘mail covers’ in the US and some other countries), see ss.90E-90X of the Australian Postal Corporation Act (Cth)
Electronic Communications, including the Internet
- Telecommunications Act 1997
- Telecommunications (Interception and Access) Act 1979 – TIA or TIAA
(until 2006 amendments, called the Telecommunications (Interception) Act 1979)
- Telecommunications (Interception and Access) Amendment (Data Retention) Act (Cth)
- Telecommunications Offences are specified in the Crimes Act at ss. 473-475 (search for <473>, and click 4 more times to reach the section). But these are subject to exemptions for law enforcement
- Offences relating to ‘computer crimes’ are specified in the Crimes Act at ss. 476-478 (search for <476>). This specifies a wide range of offences relating to abuse of other people’s data and devices, and of telecommunications services. However, provisions of this and other Acts enable law enforcement agencies to breach those laws and to avoid liabilities arising from those breaches
- Access to Stored Communications (e.g. email in email-server databases)
- Australia Post Digital Mailbox – an attempt to centralise all of each individual’s official email in one conveniently monitored location
- Spam Act 2003
This came into effect on 10 April 2004. It thereby became illegal to send, or cause to be sent, ‘unsolicited commercial electronic messages’ that have an Australian link. The Australian Communications and Media Authority (ACMA), previously called ACA, enforces the Spam Act, and provides information about spam laws and spam security, and means for reporting spam. It’s a rarity – privacy-protective and reasonably effective law
Telephony Generally
- Calling Number Display / Calling Line Identification (CND / CLI)
- Integrated Public Number Database (IPND) – more disastrously bad ‘regulation’
- Do Not Call Register Act 2006 – after some difficulties, another of the rare successes
Mobile / Cellular Telephone
- Telecommunications Regulations 2001 Division 3.2 (re PrePaid Mobile Services)
- Telecommunications (Service Provider – Identity Checks for Pre-paid Public Mobile Telecommunications Services) Determination (ACMA)
- Mobile Phone location data
Categories of Unpleasant Cyberspace Behaviour (See here)
- Crimes
- Assault
- Incitement to Violence
- Illegal Pornography (in Australia, for example, this is pornography that involves any of violence, apparent absence of consent, children or animals)
- Grooming
- Harassment
- Stalking
- Preparation for Criminal Acts
- ‘Computer Crimes’
- Unauthorised impairment of data held in computer storage
- Unauthorised impairment of electronic communications
- Unauthorised access, modification or impairment to commit a serious offence
- ‘Cybercrimes’
- Online Grooming
- ‘using a carriage service to make a threat’ (s.474.15)
- ‘using a carriage service to menace, harass or cause offence’ (s.474.17)
- Cyber-Stalking
- ‘Attack Speech’
- Intentional Misinformation
- Trolling (messages designed to provoke emotions and cause disruption)
- Flaming
- Offensive communications and insults
- Humiliating content
- Intimidatory content
- Cyber-Bullying
- Other Forms
- Impersonation
- Sexting
- Revenge Porn
Taxation and Social Welfare
- Income Tax Assessment Act 1936 – Part VA Tax File Numbers
- Taxation Administration Act 1953, especially:
- Data-Matching Program (Assistance and Tax) Act 1990, and as originally enacted
- (Merely ‘Advisory’) Guidelines on Data Matching in Australian Government Administration, including:
Overview
The 2014 version of the Guidelines and
The few ‘Protocols’ (reports) received by OAIC during FY 2015-16
- The Threat of Automated Decision-Making (‘Robot-Government’). See here
Health
A centralised eHealth record has been imposed on Australians, originally misnamed the ‘Personally Controlled Electronic Health Record’ (PCEHR), subsequently re-born as ‘MyHR’. It is not designed to support patient health care, and is of little use to patients or clinicians. Its purpose is to greatly increase the availability to federal bureaucrats of personal health care data, for such uses as statistics for the Minister’s office, waste and fraud control, and research. The scheme is all about expropriation of personal data by the public service.
The Australian Institute of Health & Welfare (AIHW) expropriates vast quantities of highly sensitive personal data from a wide variety of sources, including hospitals, stores it in a database, and makes it available to researchers as identified or at least readily re-identifiable personal data. (I’m currently unclear what the legal authority is, and what the legal protections are).
Some limited protections for data expropriated for research were created in 1981 by the Epidemiological Studies (Confidentiality) Act (Cth); but under s.35 of its 1987 Act, AIHW is exempted from them.
The relevant agencies appear to be bound by the Medicare and Pharmaceutical Benefits Programs Privacy Guidelines which were issued under s.135AA of the National Health Act in 2008 (and have been unchanged since). The Rules come within the purview of the Commissioner under s.135AB.
The Privacy Act granted the National Health and Medical Research Council the extraordinary power to issue its own guidelines. For these, see:
- Guidelines for the conduct of medical research involving human participants (March 2000), under s.95
- Guidelines on health data expropriated for research purposes (December 2001), under s.95A
- Guidelines on disclosure of genetic data without consent (2014), under s.95AA
Attempts to force the Parliament to enact a Genetic Privacy and Non-Discrimination Bill failed in 1998, 2000, 2002, 2004 and 2008. It’s unclear to what extent the Recommendations of the ALRC in 2003 have been implemented. The field may well be wide open for expropriation of genetic data by government agencies, by corporations such as insurance companies, family history companies and pathology services, and by all entities as employers.
Employment
Employers have a complete holiday from the Privacy Act by virtue of s.7B(3), on the pretext that employees’ privacy is covered by other laws. It isn’t.
Re Email, see here
Re Substance Abuse Testing, see here
Re Biometrics, see here
Re Genetics, it’s unclear to what extent the 2003 Recommendations of the ALRC have been implemented. Employers may well have carte blanche to abuse their employees’ privacy in this area
Workplace visual surveillance is authorised in several jurisdictions, and with seriously inadequate controls.
The Australian Government Security Vetting Agency (AGSVA) subcontracts security vetting processes for a remarkably high percentage of Clth government employees, direct contractors, and employees and contractors of contractors (>350,000 it seems, incl. temporary accounts payable clerks, plumbers and field workers, all in non-sensitive agencies). Baseline Vetting is moderately intrusive, and it gets progressively worse at Negative Vetting levels 1 and 2, and Positive Vetting. It appears that there may not be any parliamentary authority for these intrusions, and that the entire scheme may be predicated on the conditions of engagement imposed on employees and contractors.
Education
There are ongoing endeavours to impose a single, lifelong identifier on every individual, called the Unique Student Identifier (USI). A system is in place, and appears to be being imposed using the usual monetary incentive/disincentive mechanism applied by government agencies. No enabling legislation appears to exist. A Student Identifiers Bill was introduced in 2013 but did not progress. So it is unclear what, if any, safeguards exist for this invasive and unapproved scheme.
There appear to be ongoing endeavours to achieve a centralised national scheme of records about every individual.
Various national and State/Territory occupational registers exist, generally subject to reasonable safeguards.
Social Behaviour
Incitement to violence is a criminal act called ‘urging violence’, under s.80.2A, B of the Criminal Code (Cth).
Bullying of a serious nature is at least theoretically subject to prosecution as assault.
Re harassment, see ALRC Report 123 (2014), s.15.
The generation of anxiety in a person, through an act that “offends, insults, humiliates or intimidates” on the basis of “race, colour or national or ethnic origin” is subject to regulation in some circumstances through the Racial Discrimination Act s.18C-18D.
A phantom organisation called the National Statistical Service is a community of government agencies that expropriate personal data and make it available for research. It appears to be primarily ABS, with AIHW and AIFS – which are designated by another phantom organisation called the ‘Cross Portfolio Data Integration Oversight Board’, under an “interim accreditation scheme”, as ‘Data Linkage Integrating Authorities’. But every agency is invited to be involved and donate ‘their’ data-holdings about people. It appears that the ‘National Statistical Service’ is a backdoor mechanism being used to establish and maintain a Danish-style national databank containing everything available about every Australian resident.
In addition, the Australian Institute of Family Studies (AIFS) appears to maintain at least one dataset which appears to contain data expropriated by the Dept of Social Security, and which appears to be highly privacy-intrusive, and which is accessed by many scores of organisations and many hundreds of researchers.
A vast amount of data, some effectively de-identified, some not, and some apparently identified, has been expropriated and consolidated in the Australian Data Archive, a resource available to social scientists. It is unclear under what, if any, authority it operates, and what safeguards apply.
In August 2016, the Census was abruptly converted, without public consultation or even parliamentary debate, from an anonymous statistical survey of the population to a consolidated, longitudinal database of personally identified information, with data to be expropriated from agencies’ administrative data holdings and added into the ABS-maintained data warehouse. A larger breach of public trust is difficult to imagine. The public has been taught to avoid, obfuscate and falsify data that it provides to government agencies. See here and here.
Financial Transactions
ATM and EFTPOS transaction data appears to be readily available to law enforcement agencies. The tracking value has massively intensified since 2013, with the explosion in uptake of contactless card payments.
Austrac financial transaction tracking, and associated identification requirements:
- Anti-Money Laundering And Counter-Terrorism Financing Act (Cth) – AML-CTF
- Financial Transaction Reports Act (Cth) – FTR or FTRA
The Privacy Act’s Part IIIA was amended in 2012 to destroy the 1989 provisions that constrained the operations of credit bureaux, and to provide authorisation for credit bureaux to gather highly detailed personal data, and sell it back to lenders, subject to seriously inadequate regulatory mechanisms. The near-monopoly operator Veda was promptly taken over by US behemoth Equifax, ensuring a massive leap in the sale, rental and profile-consolidation of Australian consumers.
Transportation
The international Passenger Movements System is operated by the Dept of Immigration, or whatever para-military title it may be operating under at any given time. This is linked with passenger name record (PNR) systems. For information on the appalling process and outcomes in relation to disclosure of passenger data, see APF submissions of 19 Sep 2011 and 27 Sep 2011.
The Dept of Immigration (replace with current name) operates a Movement Alert List (MAL). In late 2013, a Departmental document of mid-2011 – mirrored here – disclosed that the MAL contained an extraordinary “647 000 identities, of which 49 per cent are national security alerts of interest”.
There have been considerable endeavours by Crimtrac, now ACIC, to stimulate the use of ANPR to build a national database for traffic surveillance.
A further element of the surveillance state and economy is vehicle monitoring, variously by manufacturers, by fleet-owners, and by insurers.
Freedom of Information
Human Rights
- Australian Human Rights Commission Act 1986
(formerly called the Human Rights and Equal Opportunity Commission Act 1986)
- Human Rights (Sexual Conduct) Act 1994
Archives
- Archives Act
in particular privacy-relevant exemptions from disclosure, under s.33(1)(d), (e), (g) and (j)
The Possibility of a Tort of Invasion of Privacy
In ABC v Lenah Game Meats Pty Ltd (2002) 208 CLR 199, a majority of the High Court held that Australian courts were not prevented from finding that there is a tort (or legal cause of action) of unjustified invasion of privacy. But they did not find that it existed on the facts of the case before them. There has been no other significant sign of life in the 15 years since then.
See also the ALRC’s Recommendation of a Privacy Cause of Action ALRC (2008b).
Resources
The Office of the Federal Privacy Commissioner’s page on Other [Privacy-Relevant] Legislation
Andrew Nemeth’s site on NSW Photo Rights, incl. privacy
Two papers on history and issues, Clarke (1998a-) and Clarke (1998b-)
AustLII’s Australian Subject-Index for Privacy
AustLII’s Australian (Commonwealth) Privacy and Surveillance Law Library
Greenleaf G.W. & Waters N. (Eds.) (1994-2006) ‘Privacy Law & Policy Reporter’, monthly, available from http://www.austlii.edu.au/au/journals/PLPR/
Gunning P. (2001) ‘Central features of Australia’s private sector privacy law’ Privacy Law & Policy Reporter 7, 10 (May 2001) 189-199
Hughes G. (1991) ‘Data Protection Law in Australia’, Law Book Company, 1991
AMCRAN (2004) ‘Terrorism Laws: ASIO, the Police and You’, Australian Muslim Civil Rights Advocacy Network, 3rd ed., January 2007, at https://www.missionislam.com/conissues/books/Anti_Terror_Laws_3rd_Ed_English_2Up.pdf