The Information Privacy Act commenced on 1 September 2014 and replaces the Privacy Act 1998 (Cth) as in force on 1 July 1994 (and as modified by the Australian Capital Territory Government Service (Consequential Provisions) Act 1994 (Cth), which previously applied to ACT public sector agencies. More information on the Information Privacy Principles that applied before 1 September 2014 can be found at Information Privacy Principles.
- Role of the OAIC
- Rights and responsibilities under the Information Privacy Act
- Territory Privacy Principles
- How to make a complaint
- ACT Privacy resources
What is the role of the OAIC?
Under an arrangement between the ACT Government and the Australian Government, the Australian Information Commissioner is exercising some of the functions of the ACT Information Privacy Commissioner. These responsibilities include handling privacy complaints against, and receiving data breach notifications from, ACT public sector agencies, and conducting assessments of ACT public sector agencies’ compliance with the Information Privacy Act.
Rights and responsibilities under the Information Privacy Act
Who has rights under the Information Privacy Act?
As an individual, the Information Privacy Act 2014 (ACT) gives you greater control over the way that your personal information is handled. Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable.
The Information Privacy Act allows individuals to:
- know why your personal information is being collected, how it will be used and who it will be disclosed to
- have the option of not identifying yourself, or of using a pseudonym, in certain circumstances
- ask for access to your personal information
- ask for your personal information that is incorrect to be corrected
- make a complaint about an agency or contractor covered by the Information Privacy Act, if you consider that they have mishandled your personal information.
Who has responsibilities under the Information Privacy Act?
The Information Privacy Act applies to ACT public sector agencies. This includes:
- Ministers (in their administrative capacities)
- administrative units
- statutory office-holders and their staff
- territory authorities
- territory instrumentalities
- territory-owned corporations
- ACT courts (in their administrative capacities)
- any entity prescribed by regulation.
The Act also applies to some businesses who are contracted service providers (including subcontractors) for an ACT government contract and are performing obligations under that contract.
What is not covered by the Information Privacy Act?
The Information Privacy Act does not cover:
- individuals acting in their own capacity, including your neighbours
- private organisations (except to the extent that they are performing obligations under an ACT Government contract)
- personal health information or health records
- workplace privacy and surveillance.
Territory Privacy Principles
The Information Privacy Act 2014 (ACT) includes a set of Territory Privacy Principles (TPPs). The TPPs set out standards, rights and obligations for the collection, use, disclosure, storage, accessing and correction of personal information (including sensitive information).
The TPPs are principles-based rather than prescriptive. Each ACT public sector agency needs to apply the principles to its own situation. The principles cover:
- the open and transparent management of personal information including having a privacy policy (TPP 1)
- an individual having the option of transacting anonymously or using a pseudonym where practicable (TPP 2)
- the collection of solicited personal information and receipt of unsolicited personal information including giving notice about collection (TPPs 3, 4 and 5)
- how personal information can be used and disclosed (including disclosure overseas) (TPPs 6 and 8)
- maintaining the quality of personal information (TPP 10)
- keeping personal information secure (TPP 11)
- rights for individuals to access and correct their personal information (TPPs 12 and 13)
For more detail, see the full text of the TPPs or the TPPs quick reference tool.
TPPs and the Australian Privacy Principles
The TPPs are similar to the Australian Privacy Principles (APPs) in Schedule 1 of the Privacy Act 1988 (Cth) that apply to most Australian Government (and Norfolk Island Government) agencies and some private sector organisations.
Some of the APPs are not relevant to the handling of personal information by ACT public sector agencies and have not been included in the TPPs. For example, APP 7, which deals with the use and disclosure of personal information for the purpose of direct marketing, and APP 9, which regulates the adoption, use and disclosure of government related identifiers are not included.
The TPPs also contain some minor textual differences to the APPs, but these do not change the meaning of the principle. For example, the phrase ‘the entity must take such steps (if any) as are reasonable in the circumstances’ is used in the APPs while a similar phrase, ‘the agency must take reasonable steps’, is used in the TPPs.[1] While expressed differently, both provisions could be satisfied by taking no steps if that is reasonable in the particular circumstances.
For more information about the APPs see the APP quick reference tool and the full text of the APPs. Additional information on complying with the APPs can be found in the APP guidelines.
How to make a complaint
Individuals can make a complaint to the Office of the Australian Information Commissioner (OAIC) about the handling of their own personal information by ACT public sector agencies. Where an individual’s complaint is upheld, the OAIC is required to notify the individual that they can apply to a court for a remedy.
For more information about how you can make a privacy complaint to the OAIC, what you can complain about, who you can complain about, possible outcomes and what you should include with your complaint, see Making a complaint. You may also wish to review Privacy fact sheet 43: Making a privacy complaint under the Territory Privacy Principles.
Health records held by ACT Government agencies (including public hospitals) are covered by the Health Records (Privacy and Access) Act 1997 (ACT). The ACT Human Rights Commission handles health record privacy complaints.
ACT privacy resources
The ACT Justice and Community Safety Directorate has established a Privacy Clearinghouse. The Privacy Clearinghouse provides a portal that ACT public sector agencies and staff can use to access privacy advice, resources and training.
If an ACT public sector agency has queries about the operation of the Information Privacy Act, those queries should be directed to the Privacy Clearinghouse first, rather than the OAIC. The Clearinghouse will forward questions to the OAIC where appropriate.
The OAIC has also developed a range of privacy resources for the general public and ACT public sector agencies in relation to the Information Privacy Act.
- Privacy fact sheet 42: Australian Capital Territory Privacy Principles
- Privacy fact sheet 43: Making a privacy complaint under the Territory Privacy Principles
- Privacy agency resource 3: Information Privacy Act 2014 — Checklist for ACT agencies
- TPPs quick reference tool
In addition, the OAIC has developed a range of privacy resources to provide information and advice to the general public, private sector organisations and Australian Government agencies in relation to the Australian Privacy Principles (APPs). The obligations for Australian Government agencies under the APPs are substantially similar to those of ACT public sector agencies under the TPPs and the materials may be usefully referred to.
Key resources for agencies
- APP guidelines
- APP quick reference tool
- Guide to developing an APP privacy policy
- Guide to undertaking privacy impact assessments
- Guide to information security — April 2013
- Data breach notification — A guide to handling personal information security breaches
The resources should be read with reference to the full text of the TPPs and are not a substitute for legal advice.
[1] These phrases can be found in both APPs and TPPs 5.1, 10.1, 10.2, 12.5, 13.1, 13.2. For a more detailed discussion of ‘reasonable steps’ see Chapter B: Key concepts of the OAIC’s APP guidelines.
