IT Advocate: The privacy minefield

There are significant differences between state and federal privacy legislation. CIOs who deal with government agencies or other public sector organisations must determine the privacy laws applicable to them – and how best to accommodate them.

It is clear to most businesses that deal with personal information that the Privacy Act 1988 (Cth) (Privacy Act) and the National Privacy Principles (NPPs) affect them in some way in terms of their rights and obligations under the Act. Conversely, consumers dealing with private sector organisations can be relatively certain of the procedures by which they can access personal information held by those organisations, or make a complaint about the information handling practices of such an organisation.

However, if consumers or service provider businesses find themselves dealing with government-owned corporations, universities, local governments, state governments or a raft of other state-based public sector bodies, they will need to undertake a significant amount of research to determine the privacy laws applicable to them, and how to best deal with those privacy laws.

At least one thing is clear: all jurisdictions recognise a roughly equivalent definition of personal information, and all require that such information be protected and used only in certain ways.

Commonwealth and Australian Capital Territory government agencies

Commonwealth and ACT government agencies are required to comply with the provisions of the Privacy Act in so far as they relate to Commonwealth and ACT government agencies. In general, this means complying with the requirements of the 11 Information Privacy Principles (IPPs).

Interestingly, the ACT also has the Health Records (Privacy and Access) Act 1997 which covers health records held in the public sector in the ACT and also seeks to apply to acts or practices in the private sector not covered by the Privacy Act. There is no such legislation dealing separately with the handling of health information at the Commonwealth level.

The Privacy Act requires that an agency entering into a contract with a service provider (whether private sector or otherwise) must take contractual measures to ensure that a contracted service provider does not do an act, or engage in a practice, that would breach an IPP if done or engaged in by the agency. If an individual considers that the contractor has breached their obligations in the handling of personal information about them, they may make a complaint to the Privacy Commissioner who has jurisdiction to directly investigate the actions of the contractor.

Individuals may apply for access to personal information held about them by a Commonwealth or ACT Government Agency either under the Privacy Act or the Freedom of Information Act 1982 (Cth), but the Privacy Commissioner has accepted that most agencies will deal with such requests in accordance with the procedures under the Freedom of Information Act, and has not initiated a separate regime for dealing with access requests under the Privacy Act.

Queensland Government Agencies

Until 1 July 2009, Queensland government agencies were bound by the requirements of ‘information standards’ which essentially did not have the force of law. As of 1 July 2009, Queensland government agencies are bound to comply with the Information Privacy Act 2009 (Qld) which sets out obligations similar to the IPPs mentioned above for most agencies, and obligations similar to the NPPs for the Queensland Department of Health.

Interestingly, and despite this new regime, Queensland does not have separate privacy legislation to regulate private sector health providers.

Under the Information Privacy Act, if a service provider is contracted to provide services to a government agency, and the provider is bound under the contract to comply with the provisions of the Act, then it becomes a ‘bound service provider’ for the purposes of the legislation and is answerable to the Privacy Commissioner under that legislation, even though it was not originally bound to comply with its requirements.

Access to information held about individuals by the Queensland government is now facilitated under the Information Privacy Act. However, if an individual incorrectly makes an application for access under the Right to Information Act 2009 (Qld) (the new freedom of information legislation), then the relevant government agency must inform the individual of their error and ask whether they would like to amend their application so that it is made under the correct legislation.

Tags: IT advocate, McCullough Robertson, legal
Stories by Emma Weedon