You are here

7 Privacy Act 1988

Document

The Privacy Act 1988, which protects personal information collected by the Commonwealth, came into effect on 1 January 1989. DSH comes into possession of a limited amount of information about members of the defence forces, veterans, their dependants and members of the public. While such personal information is necessary for the efficient functioning of DSH, its collection, usage, storage, security, correction and disclosure are regulated by the Privacy Act 1988. Unauthorised disclosure of information is also an offence under the Crimes Act..

The Privacy Act 1988 established the office of Privacy Commissioner, who is empowered to take privacy protection measures in relation to Commonwealth departments and agencies. It also established a series of rules of conduct called the Information Privacy Principles (IPPs).

In brief, the IPPs provide that:

  • personal information may only be collected by lawful means, and only where necessary for a lawful purpose directly related to a function of the collector;
  • individuals must be made aware of the purpose and authority for collection of any personal information as well as the agency's usual disclosure practices in relation to that information;
  • only information which is relevant, up-to-date and which does not intrude unreasonably on the individual's personal affairs may be collected;
  • records of personal information must be kept secure;
  • agencies must maintain a Register and provide information to the public concerning what personal information is held;
  • individuals have a right of access to records of personal information (access is subject to the provisions and exemptions provided by the FOI Act);
  • personal records must be accurate and, for the purpose of their use, up-to-date, complete and not misleading. Individuals may seek to have records corrected, or where the agency is unwilling to amend, may attach a statement to the record detailing their concerns;
  • an agency must ensure the accuracy of personal records before using them;
  • personal information may only be used for relevant purposes;
  • personal information must only be used for the purpose for which it is collected, except:
  • with the consent of the person;
  • to prevent a serious and imminent threat to a person's life or health;
  • as required or authorised by or under law;
  • where reasonably necessary for the enforcement of criminal or revenue laws; or
  • for a directly related purpose.
  • personal information must not be disclosed to anyone else, except:
  • where the subject of the information is reasonably likely to be aware of the practice of disclosure (or reasonably likely to have been made aware under Principle 2);
  • with the consent of the person;
  • to prevent a serious and imminent threat to a person's life or health;
  • as required or authorised by or under law;
  • where reasonably necessary for the enforcement of criminal or revenue laws.

Where personal information is used or disclosed for the enforcement of criminal or revenue laws, a note of that use or disclosure must be included in the record.

The IPPs have the strength of law and any breach of them is regarded as "an interference with the privacy of the individual". The Privacy Commissioner has the power to investigate complaints from individuals who believe that their privacy has been breached or he can conduct investigations on his own initiative. If a complaint is substantiated, the Privacy Commissioner may make binding orders on the Department, including orders for compensation and expenses. There is no limit to the compensation which may be awarded.