Australian Government - Office of the Australian Information Commissioner

Privacy business resource 13: Application of the Australian Privacy Principles to the private sector


December 2015

This resource outlines who isn’t considered an organisation under the Privacy Act and therefore doesn’t need to comply with the Australian Privacy Principles (APPs). It also outlines some specific circumstances when organisations bound by the Privacy Act are not required to comply with the APPs, as the particular act or practice is exempt.

What does the Privacy Act cover?

The Privacy Act includes 13 Australian Privacy Principles (APPs) that outline how APP entities must handle, use and manage personal information.

In addition to the APPs, the Privacy Act also covers more specific matters. For example, Part IIIA regulates the way specified persons handle individuals’ credit reporting information, including credit reports, and the Privacy (Tax File Number) Rule 2015 regulates the handling of individuals' tax file number information.

Personal information is information or an opinion that identifies or could reasonably identify an individual. Some examples are name, address, telephone number, date of birth, medical records, bank account details, and opinions.

Who needs to comply with the APPs?

APP entities must comply with the APPs. The term ‘APP entity’ means an agency or an organisation.

An ‘agency’ refers to an Australian Government (and Norfolk Island Government) agency. More information about the definition of agency can be found in Chapter B (Key Concepts) of the APP guidelines.

An ‘organisation’ is defined in section 6C to be:

  • an individual (including a sole trader). Generally, the Privacy Act does not apply to an individual acting in a personal capacity
  • body corporate
  • partnership
  • any other unincorporated association, or
  • a trust

unless it is a small business operator, registered political party, State or Territory authority or a prescribed instrumentality of a State. The definition of organisation is further explored below.

Who doesn’t need to comply with the APPs?

The following are not considered to be ‘organisations’ and are therefore not required to comply with the APPs.

Small businesses

Generally, businesses with an annual turnover of $3 million or less are not required to comply with the APPs. Annual turnover for the purposes of the Privacy Act includes all income from all sources. Annual turnover does not include assets held, capital gains or proceeds of capital sales.

While many small businesses do not need to comply with the APPs, some small businesses that handle particular types of personal information do. For example, all private sector health service providers, regardless of their annual turnover, have obligations under the APPs. The Office of the Australian Information Commissioner’s (OAIC) business resource Does my small business need to comply with the Privacy Act? includes a detailed checklist that will help small businesses determine whether they are covered by the APPs and the Privacy Act more generally.

The Privacy Act provides a mechanism for small businesses to opt in to the Privacy Act. A small business that opts in to the Privacy Act could experience a number of benefits, including increased consumer confidence and trust in its operations. The OAIC publishes a list of those businesses that have opted in.

Registered political parties

Registered political parties are exempt from the APPs and not required to handle personal information in accordance with the APPs. Section 6(1) of the Privacy Act defines a registered political party as one that is registered under Part XI of the Commonwealth Electoral Act 1918 (Cth).

State or Territory authorities and prescribed instrumentalities

Most State and Territory government bodies, such as State and Territory government departments, agencies, authorities and local government, are not bound by the APPs.

However, State or Territory bodies that are incorporated companies, societies or associations are covered by the APPs. Section 6C(4) allows for a regulation to be made exempting these bodies, but only on request from the State or Territory and only after the Minister responsible for the Privacy Act has considered a number of issues outlined in the Privacy Act.

Which acts and practices are exempt from the APPs?

Some acts and practices are exempt from the application of the APPs. This means organisations bound by the Privacy Act are not required to comply with the APPs when they carry out these exempt acts and practices. They will be expected to comply with the APPs in relation to all other acts and practices.

Acts and practices of employers in relation to employee records

In some circumstances, a private sector employer’s handling of employee records in relation to current and former employment relationships is exempt from the APPs (s 7B(3)).

The exemption applies if the organisation’s act or practice is directly related to two things:

1. A current or former employment relationship between the employer and the individual

The act or practice must directly relate to a current or former employment relationship. The exemption does not cover future employment relationships. This means that the exemption will not apply to the collection of personal information about prospective employees who are subsequently not employed by an organisation, such as unsuccessful job applicants. However, once an employment relationship is formed with an individual, the records the employer holds relating to that individual's pre-employment checks become exempt.

This exemption does not apply to acts or practices of an organisation that are outside the scope of the employment relationship. For example, an employer that intends to sell a list of employees to another organisation for marketing purposes would need to comply with the APPs.

2. An employee record held by the organisation relating to the individual

The employee record must be held by the organisation and must relate to the individual. An employee record is defined under section 6(1) to mean a record of personal information relating to the employment of the employee. Examples include health information about an employee, as well as personal information relating to:

  • the engagement, training, disciplining, resignation or termination of employment of an employee
  • the terms and conditions of employment of an employee
  • the employee's personal and emergency contact details, performance or conduct, hours of employment or salary or wages
  • the employee's membership of a professional or trade association or trade union membership
  • the employee's recreation, long service, sick, maternity, paternity or other leave
  • the employee's taxation, banking or superannuation affairs.

Employers may not be able to assume that all the information they hold that relates to an individual employee would be an employee record. For example, whilst an employee’s bank details may form part of an employee record, emails an employee receives from their financial institution via their work email account may not necessarily be part of an employee record as they may not relate to the employment of the employee. Whether or not the content of emails sent or received by an employee forms part of their employee record will depend on the circumstances in any particular case.

Contractors of employers

This exemption does not cover contractors and subcontractors when they handle the personal information of the employees of another organisation, notwithstanding their contractual arrangements. For example, the employee records exemption is unlikely to apply to organisations that provide recruitment, human resource management services, or medical, training or superannuation services under contract to an employer. This exemption also does not cover workers compensation insurers that are not the employer of an individual.

An organisation that is a contractor or subcontractor that collects employee records about an individual from an employer will have to comply with the APPs in handling that information, including the notice requirements in APP 5. For more information about the APPs, see Privacy Fact Sheet 17: Australian Privacy Principles.

Volunteers

This exemption does not cover an organisation when it handles the personal information of a volunteer, as an organisation and a volunteer are not considered to have an employment relationship for the purposes of the employee record exemption in s 7B(3).

Acts and practices of media organisations

Certain acts and practices engaged in by media organisations are exempt from the APPs (s 7B(4)). A ‘media organisation’ is an organisation whose activities consist of the collection, preparation for dissemination or dissemination of:

  • material having the character of news, current affairs, information or documentaries; or
  • material consisting of commentary or opinion on, or analysis of, news, current affairs, information or a documentary.

The exemption applies to acts and practices engaged in by the media organisation in the course of journalism, at a time when the media organisation is publicly committed to observing published, written standards that deal with privacy in the context of the activities of a media organisation.

Acts and practices of political representatives

The political activities of political representatives are exempt from the APPs. ‘Political representatives’ are members of Parliament or councillors of a local government authority (s 7C).

Exempt political activities are acts or practices carried out in connection with:

  • an election under an electoral law;
  • a referendum under a law of the Commonwealth or a law of a State or Territory; or
  • the participation of a political representative in another aspect of the political process.

The activities of contractors for political parties and representatives are also exempt from the APPs in some circumstances. The acts or practices of a contractor are exempt if they are carried out for the purposes of meeting an obligation under a contract between the contractor and a registered political party or political representative and are connected to:

  • an election under an electoral roll;
  • a referendum under a law of the Commonwealth or a law of a State or Territory;
  • the participation in another aspect of the political process by the registered political party or political representative; or
  • facilitating the acts or practices of the registered political party or political representative for one of the above three purposes (s 7C(2)).

Activities related to a State or Territory contract

The acts and practices of contracted service providers for a State or Territory contract that are directly or indirectly related to meeting an obligation under the contract are exempt from the APPs (s 7B(5)). A State or Territory contract is a contract to which a State or Territory or a State or Territory authority is a party, under which services are provided to a State or Territory authority (s 6(1)).

Best practice tip

Notwithstanding any exemptions in the Privacy Act, as a matter of good practice, the private sector is encouraged to handle all personal information in accordance with the APPs. For more information about the Privacy Act and complying with the APPs, see the OAIC’s APP guidelines.

The information provided in this resource is of a general nature. It is not a substitute for legal advice. Organisations will need to consider how the Privacy Act applies to their particular situation.