16.08.2010
The Australian Constitution and privacy
2.2 The Australian Constitution establishes a federal system of government in which powers are distributed between the Commonwealth and the six states. It includes a list of subjects about which the Australian Parliament may make laws. That list does not include privacy expressly but this does not mean that the Australian Parliament has no power in relation to privacy.
2.3 The principal piece of federal legislation regulating privacy in Australia is the Privacy Act. The Privacy Act was passed partially in reliance on the basis of the Australian Parliament’s express power to make laws with respect to ‘external affairs’.[2] The external affairs power enables the Australian Parliament to make laws with respect to matters physically external to Australia;[3] and matters relating to Australia’s obligations under bona fide international treaties or agreements, or customary international law.[4] The external affairs power is not confined to meeting international obligations, but also extends to ‘matters of international concern’.[5]
2.4 The Preamble to the Privacy Act makes clear that the legislation was intended to implement, at least in part, Australia’s obligations relating to privacy under the United Nations International Covenant on Civil and Political Rights (ICCPR)[6] and the Organisation for Economic Co-operation and Development Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (OECD Guidelines).[7] The Second Reading Speech to the Privacy Bill also referred to the Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, though this instrument does not, of course, bind Australia.[8] In Chapter 3, the ALRC discusses further the Australian Parliament’s power under the Australian Constitution to enact federal privacy laws.
Privacy Act 1988 (Cth)
2.5 The Privacy Act regulates the handling of personal information by the Australian Government, the ACT Government and the private sector. The Act contains a set of 11 Information Privacy Principles (IPPs) that apply to Australian Government and ACT Government agencies, and 10 National Privacy Principles (NPPs) that apply to the private sector. In Chapter 5, the ALRC provides an overview of the Privacy Act.
2.6 The Privacy Act does not regulate the handling of personal information by the state governments or the Northern Territory Government, except to a very limited extent. The Privacy Act is expressed to bind the Crown ‘in right of the Commonwealth, of each of the States, of the Australian Capital Territory, of the Northern Territory and of Norfolk Island’.[9] State and territory public sector ‘authorities’, however, fall outside the definition of public sector ‘agency’, and are specifically excluded from the definition of private sector ‘organisation’.[10] State and territory authorities include ministers, departments, bodies established or appointed for a public purpose under state and territory law, and state and territory courts.[11] Under s 6F of the Privacy Act, however, states and territories may request that state and territory authorities be brought into the regime by regulations made under the Act.[12]
Other relevant federal legislation
2.7 Other federal legislation also regulates the handling of personal information. For example, the Freedom of Information Act 1982 (Cth) (FOI Act) provides that every person has a right of access to documents held by government agencies or ministers, other than exempt documents. A document is exempt from the freedom of information regime if its disclosure would involve unreasonable disclosure of ‘personal information’.[13] This exemption is subject to an exception that a person cannot be denied access to a document on the basis that it contains his or her own personal information.[14] The Archives Act 1983 (Cth) provides a similar exemption.[15]
2.8 The handling of tax file numbers (TFNs) is regulated under various federal Acts, including the Income Tax Assessment Act 1936 (Cth) and the Taxation Administration Act 1953 (Cth). The Data-matching Program (Assistance and Tax) Act 1990 (Cth) regulates data-matching using TFNs.
2.9 Various provisions under other federal legislation require or authorise certain acts and practices, including the collection, use and disclosure of personal information. For example, the Census and Statistics Act 1905 (Cth) and the Commonwealth Electoral Act 1918 (Cth) require or authorise the collection of large amounts of personal information. Other Acts require or authorise the disclosure of personal information in a range of circumstances, such as the Australian Passports Act 2005 (Cth), Corporations Act 2001 (Cth), Telecommunications Act 1997 (Cth), Telecommunications (Interception and Access) Act 1979 (Cth) and Migration Act 1958 (Cth). Federal legislation also contains a large number of secrecy provisions that impose duties on public servants not to disclose information that comes to them by virtue of their office. Federal legislation that regulates the handling of personal information is discussed in detail in Chapters 15 and 16.
[2]Australian Constitution s 51(xxix). See Privacy Act 1988 (Cth) Preamble.
[3]Horta v Commonwealth (1994) 181 CLR 183.
[4]Commonwealth v Tasmania (1983) 158 CLR 1; Polyukhovich v Commonwealth (1991) 172 CLR 501; Horta v Commonwealth (1994) 181 CLR 183.
[5]Koowarta v Bjelke-Petersen (1982) 153 CLR 168.
[6]International Covenant on Civil and Political Rights, 16 December 1966, [1980] ATS 23, (entered into force generally on 23 March 1976), art 17. See discussion in Ch 3.
[7] Organisation for Economic Co-operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980). The OECD Guidelines are discussed further in Part D. Section 3 of the Privacy Amendment (Private Sector) Act 2000 (Cth) makes clear that the private sector amendments were also intended to meet Australia’s international obligations, as well as international concerns, relating to privacy.
[8]Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, 28 January 1981, Council of Europe, CETS No 108, (entered into force generally on 1 October 1985).
[9]Privacy Act 1988 (Cth) s 4.
[10] Ibid s 6C(1).
[11] Ibid s 6C(3).
[12] Ibid s 6F. Only four state authorities have been brought into the regime by regulation. This issue is discussed in detail in Ch 38. In 1994, as part of the transition to self-government, the ACT public service was established as a separate entity from the Australian Government public service. The Privacy Act was amended at that time to ensure that ACT public sector authorities continued to be covered by the Act: Australian Capital Territory Government Service (Consequential Provisions) Act 1994 (Cth).
[13]Freedom of Information Act 1982 (Cth) s 41.
[14] Ibid s 41(2).
[15]Archives Act 1983 (Cth) s 33. See discussion in Ch 15.