BY Stephen Cavey | 13 October 2021
Australia regulates data privacy through a mix of territorial, federal, and state laws. The main law that governs the continent is the Australian Federal Privacy Act 1988 (also known as the Privacy Act). The Privacy Act was introduced as a way to better manage and protect the privacy of individuals and the personally identifiable information (PII) they share with organizations. The Privacy Act allows individuals to see how their PII is being used, and grants them the right to access, as well as appeal, and correct information on files that contain errors.
Although the Privacy Act is applicable at a federal level, the country still relies on a patchwork of other regional laws to protect citizens. Therefore, it is valuable for organizations to understand what other legislation exists so that they can uphold the laws specific to their territorial jurisdictions. Below we will cover the six most prominent Australian data privacy laws to date.
Information Privacy Act 2014 (Australian Capital Territory): This act serves four main purposes. First, the promotion of protecting the privacy of individuals within the Capital Territory. Secondly, to provide a number of checks and balances among individuals to ensure their privacy but also in a way that allows public sector agencies to carry out their activities. This law also aims to promote “responsible and transparent handling of personal information by public sector agencies and contracted service providers.” Finally, the act gives rights to individuals to report any alleged privacy concerns.
Information Act 2002 (Northern Territory): The Information Act 2002 calls for transparency among public sector organizations and individuals who are impacted by the organization’s rules and practices. It also calls for the privacy of individuals, including the ability for people to request corrections to data on file and seek remediation if privacy is obstructed.
Privacy and Personal Information Protection Act 1998 (New South Wales): This law lays a foundation for how organizations may collect personal information and from whom. It also demands that businesses share information on file with any individual who requests access, among other principles. This is a comprehensive law designed to safeguard the privacy of citizens in New South Wales.
Information Privacy Act 2009 (Queensland): The Queensland Information Privacy Act 2009 secures the right for individuals to have their personal information collected and managed under the scope of the privacy principles. It also lays out rules specifically for how the Queensland Government agencies may collect and store private information.
Personal Information Protection Act 2004 (Tasmania): This Act supports comprehensive data compliance within Tasmania and leans heavily on the “Personal Information Protection Principles,” which explain when and how data may be collected as well as disclosure and use rules. This act does not apply to publicly available information.
Privacy and Data Protection Act 2014 (Victoria): The Victoria Privacy and Data Protection Act 2014 calls for the responsible collection and handling of personal information in the public sector and aims to provide remedies should the privacy of an individual be breached. It also calls for the appointment of the Privacy and Data Protection Deputy Commissioner, among other rules laid out within the law.
In addition to region-specific privacy legislation, Australia also enforces protections to citizens within specific markets.
For example, within the telecommunications industry, Australia has enacted two laws; The Telecommunications Act 1997, which “regulates the use and disclosure of information obtained by certain bodies during the supply of telecommunication services,” as well as the Telecommunications (Interception and Access) Act 1979, which makes intercepting private communications unlawful.
In the healthcare industry, Australia homes in on three specific data laws:
My Health Records Act 2012: This act specifies when and how health information for My Health Record (Australia’s digital health recording system) may be collected, used and shared.
Healthcare Identifiers Act 2010 (HI Act): This framework works in tandem with My Health Records Act 2012. The HI Act sets a system in place to assign unique identifiers to individuals, health care providers and health organizations so they may communicate effectively and discreetly in My Health Record.
Health Records and Information Privacy Act 2002 (HRIP Act): The HRIP Act is specific to New South Wales. It outlines what health information public sector agencies, private health service organizations and some private businesses may collect, store or use.
We covered a lot of Australian data privacy laws within this blog, which may seem overwhelming. However, many of these laws hold similar expectations — like notifying individuals on how their data will be used, handling data carefully, and managing who it can be shared with. The best way to ensure that information is being handled properly is first having a strong understanding of where it is located within your systems. This can be done with discovery and scanning tools present in solutions like Ground Labs Enterprise Recon.
If you’re ready to find, organize and protect your organization’s data, schedule a discovery call with one of our experts now.
Share this article!
Want to keep up with all our blog posts? Subscribe to our newsletter!
As companies all around the world continue have large portions of their workforce remote, the need to keep their data safe and protected is even more critical. To help companies navigate this new reality and mitigate security risks, we are providing a 90-day complimentary version of our flagship solution—Enterprise Recon. Learn more about it here.
Please submit the form below and we’ll contact you to schedule a discovery call. Want to skip the email? Go here to schedule a meeting directly on our calendar.