When the Cabinet Administrative Instruction (Information Privacy Principles Instruction) was announced Cabinet also created a small committee, known as the Privacy Committee of SA, whose chief function is to monitor the implementation of the Privacy Instruction. The committee consists of five public servants who work in very different areas of the public sector, plus one member of the public.

The Privacy Committee meets occasionally with public agencies to discuss problems that arise in interpreting or applying the Cabinet Administrative Instruction. The committee can also consider complaints (usually in writing) from the public although it does not automatically allow people to attend a meeting of the committee .

The committee does have the power in exceptional cases to grant exemptions from the requirements of the instruction. To date, very narrow exemptions have been given to certain agencies to cover very specific circumstances. For example, the Department for Education has been given permission to release academic progress reports to the non-residential parents of children enrolled in State schools. For more information about the Committee visit the Privacy Committee page on the State Records SA website.

As indicated already, the privacy instruction is not law and therefore it does not give a person any right to pursue compensation or a legal remedy.

A person who believes that there has been a breach of privacy by a State Government department or agency should firstly approach the department. A list of contact details for all South Australian Government Departments can be found on the SA Gov website.

If no satisfactory response is achieved, then a complaint can be lodged with the Privacy Committee. Complaints must be in writing. For information on how to make a complaint, see the State Records SA information on Making a Privacy Complaint.

The Privacy Act 1988 (Cth) sets out rules of conduct called Australian Privacy Principles (APPs) which establish standards for the collection and handling of 'personal information' (as defined by the Act) by Commonwealth agencies. The APPs comprise a code of conduct for privacy of personal information in areas [Privacy Act 1988 (Cth) s 14] including:

Under the Act agencies must comply with the APPs and a breach of an APP by an agency is deemed to be an interference with the privacy of an individual [s 13]. The Office of the Australian Information Commissioner (OAIC) may issue a public interest determination to allow practices which would otherwise be a breach (eg. publication of Telstra's white pages telephone directory).

The APPs and many useful publications about them and about how to make a complaint about breaches of them are available from the Office of the Australian Information Commissioner's website.

The Office of the Australian Information Commissioner (OAIC) administers the Privacy Act 1988 (Cth) and is able to assist individuals who have complaints regarding privacy issues relating to Commonwealth Government agencies, private organisations, consumer credit reporting activities, tax file numbers and spent convictions.

Since 12 March 2014 the Commissioner has had powers to develop and register codes in the public interest that are binding on specified agencies and organisations.

The Commissioner has broad powers to ensure privacy [s 27] including:

Most investigations into breaches of the IPPs and NPPs result from complaints. Investigations may also occur in matters that come to the Commissioner's attention in other ways [s 40]. The Office of the Australian Information Commissioner has broad powers to obtain information and documents [s 44], to enter premises, to examine witnesses [s 45] and to compel attendance at compulsory conferences [s 46].

Having investigated, the Office of the Australian Information Commissioner may determine whether there has been an interference with a person's privacy and make various declarations, including payment of compensation to the person concerned [s 52]. However, for the OAIC's determinations to be enforced a new action must be taken in the Federal Court.

Due to the changes to the Privacy Act 1988 (Cth) that came in on 12 March 2014 the Commissioner has new complaint handling powers and to provide further enforceable remedies such as the ability to conduct an assessment of an APP entity’s maintenance of personal information, accepting written undertakings about compliance with the Act, power to recognise external dispute resolution services, conciliate complaints, make determinations including orders that the Commissioner considers necessary or appropriate.

If you wish to make a complaint about an agency's or an organisation's practices which you think amounts to an arbitrary or unreasonable interference with your privacy, you should contact the Commissioner with details of the practices which you think interfere with your privacy.

For information regarding data breaches, see Consumer Data - Breaches and Rights.

Office of the Australian Information Commissioner (OAIC)

Telephone 1300 363 992

E-mail: enquiries@oaic.gov.au

https://www.oaic.gov.au

The Office of the Australian Information Commissioner (OAIC) also has a number of specific functions relating to the tax file number system including:

See Privacy Act 1988 (Cth) ss 17-18, 28A, 33C(1)(c), 49(1).

For further detail on how the Privacy Act 1988 (Cth) protects consumer credit information, including when the information is given to a credit reporting agency, see Credit Ratings.

Guidelines for data matching by Commonwealth government agencies were issued in February 1998 under s 27(1)(e) of the Privacy Act 1988 (Cth). They are not legally binding but are very persuasive particularly when considering an agency's obligations under the Australian Privacy Principles. The guidelines apply to any agency involved in larger computerised comparisons of two or more databases containing information on more that 5000 individuals, and relate to such requirements including to:

Data matching is carried out regularly and frequently in an overnight 'data dump' by the following major Commonwealth agencies: Centrelink, Australian Tax Office, Department of Veterans Affairs, Department of Home Affairs, and Department of Education and Training. Any match found may lead to investigation of fraud or overpayment, or of breaches of immigration laws such as overstaying an entry permit.

In 2018 the Commonwealth Government reviewed the former eHealth Record System and replaced it with an opt-out system known as the My Health Record system.

Australians have until 31 January 2019 to opt-out of having a My Health Record automatically created for them. Every person who has a Medicare or Department of Veterans' Affairs card and who does not opt-out by 31 January 2019 will have a record automatically created.

The electronic record will store a person's health records and will be accessible (in accordance with access controls) by the individual, their doctor(s), hospital, and other healthcare providers. Individuals will be able to access their record online.

The law about the My Health Record system is found in the My Health Records Act 2012 (Cth), My Health Records Regulations 2012 (Cth) and My Health Records Rules 2016 (Cth).

For information on the opt-out system of My Health Records, the My Health Record Helpline can be contacted on: 1800 723 471.

Detailed information on the My Health Record system can be located on the OAIC website via their factsheets and FAQs (link opens new window).

Commencing on 25 April 2020, the Federal Government launched the COVIDSafe contact tracing app for smart phones.

From 7 August 2022, the use of the COVIDSafe app is no longer required to prevent or control COVID-19 in Australia [Privacy (Public Health Contact Information) (End of the COVIDSafe data period) Determination 2022]. No further information will be collected from the COVIDSafe app and the COVIDSafe app will no longer be available to download.

The COVIDSafe website recommends that the COVIDSafe app be uninstalled on all devices.

See Privacy Policy for COVIDSafe Application on the COVIDSafe website for more information.

The Office of the National Data Commissioner (NDC) and the National Data Advisory Council administer the Data Availability and Transparency Act 2022 (Cth) (the DAT Act). The DAT Act commenced on 1 April 2022, and will cease to have effect on 1 April 2027 (unless extended) [s 143].

The DAT Act provides for the controlled sharing of public sector statistical data with accredited users. Applications for accreditation commenced on 1 June 2022.

Data can only be shared pursuant to the DAT Act for the following purposes [s 15(1)]:

Information cannot be shared for a precluded purpose, including an enforcement related purpose [s 15(2)-(4)]. There are also restrictions on the entities who can share data, with some government entities specifically excluded. This includes the Australian Federal Police, the Australian Security Intelligence Organisation and the Office of National Intelligence [s 11(3)].

The relevant entities must enter into a Data Sharing Agreement [s 19] which must be registered with the NDC before data sharing can commence [s 18(4)]. The register of Data Sharing Agreements is maintained by the NDC, and some information must be made available to the public, including the description of data to be shared and whether any personal information is to be shared [s 130(2)].

Data Sharing Agreements must comply with the privacy protections [Part 2.4], which include:

There are civil and criminal penalties for unauthorised data collection, use and/or sharing [ss 14A, 14].

Complaints about data sharing or sharing entities can be made to the NDC by participants [s 88] and affected persons or entities[s 94]. The NDC has a broad range of investigative and regulatory powers to address complaints.

The National Data Advisory Council holds an advisory role to the NDC relating to the use of public sector data.

Pursuant to the Data Availability and Transparency (Consequential Amendments) Transitional Rules 2022 which commenced on 29 September 2022, the transitional entities include the Australian Bureau of Statistics, the Australian Institute of Family Studies, the Commonwealth Social Services Department*, and the Victorian Department of Health*.

* These entities have conditions on their accreditation.

For more information, visit the National Data Commissioner website. See also the Data Availability and Transparency Code 2022 (Cth).

A private conversation or activity is one where at least one party would not reasonably want or expect to be overheard or observed by anyone aside from those present [Surveillance Devices Act 2016 (SA) s 3].

Activities which occur in a public place, or in a location or vehicle which can reasonably be observed from a public place, are not considered private for the purposes of the Act.

Conversations, however, that occur in a public place could potentially still be considered private for the purposes of the Act.It depends on whether the parties could reasonably expect the conversation to be overheard by someone else. This may, in turn, depend on factors such as the volume of their speech and whether there is anyone else within earshot.

Because private activity cannot occur in a public place for the purposes of the Surveillance Devices Act 2016 (SA), there are no general restrictions on the taking of photo or film in a public place or from a public place.

Some specific restrictions on the taking of photos or film may still apply, however. Applicable restrictions could include:

Section 3 of the Surveillance Devices Act 2016 (SA) defines a public place to include:

However, it may be a condition of entry to a public place that no photography or film be taken. The taking of photos of film would then be a breach of that condition, but not a breach of the Surveillance Devices Act 2016 (SA). There is also nothing to stop someone taking photos or film of private property from a public place outside that property.

Under section 48F of the Health Care Act 2008 (SA) it is an offence to publish or distribute a recording that identifies (or is likely to identify) a person approaching, entering or leaving protected premises at which abortions are lawfully performed. This includes any public area located within 150 metres of the protected premises. It is also an offence to publish information that identifies, or contains information tending to identify, a person who has sought a termination under the Termination of Pregnancy Act 2021 (SA) [ss 18-19]. See Abortions - Safe Access Zones.

Many filming devices also have audio recording capability; in these cases it is necessary to ensure it is not recording a private conversation without consent. Unlike private activity, a private conversation may take place in a public place as long as the circumstances still suggest that at least one party would not reasonably want or expect to be overheard by anyone aside from those present. See Private conversation and private activity.

A person or body (police officer or other investigating authority) may be authorised to use a surveillance device under an Act, such as the following:

See sections 4(2)(b),(d),(e),(h); s 5(4)(a),(c),(d),(f); s 7(2)(a), and s 8(2) of the Surveillance Devices Act 2016 (SA); regulation 10A of the Surveillance Devices Regulations 2017 (SA).

There are exceptions to the use of listening or optical surveillance devices without a person’s consent if the use is to protect a person’s lawful interests [see Surveillance Devices Act 2016 (SA) 4(2)(ii) and 5(4)(b)] or is in the public interest [s 6].

What constitutes a lawful interest or what is in the public interest will be determined objectively by considering the context and circumstances of the surveillance device being used, and weighing this against competing interests such as the need to protect personal privacy.

Therefore, there may be scope, for example, for a land owner to install CCTV cameras on their property without the consent of their neighbour (whose private activities may be within range), as long as it can be demonstrated that the cameras are directed to protect their lawful interests in their property. The land owner could then bring any relevant recordings to the attention of police, see further below Publication of information in lawful interests.

However, the courts have previously determined that it is not ordinarily considered to be a lawful interest to use a device for the purpose of gaining an advantage in civil proceedings, for example [Thomas & Anor v Nash [2010] SASC 153]. See also Nanosecond Corporation Pty Ltd & Anor v Glen Carron Pty Ltd & Anor [2018] SASC 116 where it was held that some of the recordings were made for the protection of the lawful interests of the plaintiffs, whilst others were not, and were hence found to be unlawful.

The court has accepted, however, that the recording of a private conversation was in the person's lawful interest where the person had a genuine fear for their safety [Groom v Police [2015] SASC 101]. In Groom v Police, a protected person made audio recordings of her former partner who contacted her in a way that was a breach of an intervention order. In this case the Supreme Court held that the recording was allowed to be admitted into evidence as it was both protecting her lawful interest and in the public interest.

Use of a device to protect a lawful interest

Where certain surveillance devices are used to protect a person’s lawful interests, the information obtained can only be used, communicated or published in specific circumstances. This includes, amongst other things:

If none of the circumstances apply, then a maximum penalty of a fine of up to $50,000 for a body corporate or a fine of up to $10,000 for an individual applies [s 9(1)].

Publication of information in public interest

Where information derived from a listening or optical surveillance device is obtained in the public interest, it cannot be used, communicated or published except in three circumstances. Those three circumstances are:

Maximum penalty of a fine of up to $50,000 for body corporate or a fine of up to $10,000 for an individual applies for a breach of these provisions [s 10(1)].

Order from Supreme Court

It is possible to apply to the Supreme Court for an order to allow the use, communication or publication of information [s 11]. This is likely to be necessary where a person wishes to use the information obtained from a surveillance device for civil proceedings. Applications are governed by Chapter 4 Part 6 of the Uniform Special Statutory Rules 2022 (SA). Filing fees will apply.

A person will be in breach of the Surveillance Devices Act 2016 (SA) if they knowingly use, communicate or publish information derived from the use of a surveillance device if the lawful interest of public interest exceptions do not apply [see s 12].

Information which is obtained through the use of a surveillance device which was not used for a lawful interest or in the public interest cannot be used, communicated or published except in circumstances where [s 12(2)]:

A maximum penalty of a fine of up to $75,000 for a body corporate and a fine of up to $15,000 or a maximum term of imprisonment of three years for an individual applies.

However, if the information is obtained by means other than using the surveillance device unlawfully, the person may communicate or publish it, even if it is the same as that obtained unlawfully [s 12(3)]. This means that a person who was a party to the conversation, and heard it with their own ears or saw it with their own eyes, may publish the information as to their conversation or activity.

A person must not knowingly communicate or publish information or material derived from the use of a listening device in contravention of section 4 of the Listening and Surveillance Device Act 1972 (SA) (as in force immediately prior to the commencement of the Surveillance Devices Act 2016 (SA)).

Maximum penalty : $10,000 or imprisonment for 2 years

Surveillance devices are currently used for many legitimate purposes, such as the use of CCTV cameras within a workplace or the monitoring of computer usage of employees by an employer. To ensure compliance with the Surveillance Devices Act 2016 (SA), workplaces should develop and make available to all employees clear policies regarding their use of surveillance devices, or obtain the consent of employees prior to use. There may be evidentiary issues should an employer attempt to rely in disciplinary proceedings against the employee, upon information obtained through the use of a surveillance device when the consent of the employee has not been obtained and/or there is no governing workplace policy.