ACCESS TO NON-GOVERNMENT INFORMATION
There is no general right of access to information held by individuals or private organisations. In certain situations, the collection, storage and release of privately held information is subject to legislation.
On 21 December 2001 legislation came into force applying the Privacy Act to certain parts of the private sector. A series of national privacy principles (NPPs) sets legally binding standards within which organisations must operate.
The private sector provisions of the Privacy Act apply to organisations (including not-for-profits) with an annual turnover of more than $3 million. The provisions also apply to all health service providers regardless of turnover, government contractors, and some small businesses with an annual turnover of $3 million or less.
In addition, even if an organisation is covered by the Act, certain acts and practices of the organisation will be exempt. These are:
- non-business acts and practices;
- acts and practices by an employer organisation which relate to a current or former employment relationship or employee records;
- if the organisation is a contracted service provider for a Commonwealth contract (whether or not the organisation is a party to the contract) and the organisation would be a small business operator if it were not a contracted service provider, then any act done or practice engaged in otherwise than for the purpose of meeting an obligation under a Commonwealth contract is exempt;
- acts and practices of media organisations in the course of journalism — the phrase 'in the course of journalism' is not defined;
- acts and practices of registered parties, political representatives (Commonwealth, State and local) and their contractors and volunteers.
National Privacy Principles
The private sector provisions of the Privacy Act centre around 10 National Privacy Principles (the NPPs) that set out how private sector organisations should collect, use, keep secure and disclose personal information. The principles give individuals a right to know what information an organisation holds about them and a right to correct that information if it is wrong.
There are broad similarities between the IPPs (i.e. the standards the Federal government must follow) and the NPPs; however, in general the NPPs impose less onerous obligations than the IPPs.
The NPPs relate to collection, use, disclosure, quality, security, openness, access to and correction of personal information, including sensitive information and health information. There are also principles on the use of government identifiers, the right to remain anonymous and the flow of data across borders.
NPP 1 Collection
NPP 1 provides that an organisation must not collect personal information unless the information is necessary for one or more of its functions or activities. The information must be collected by lawful and fair means and not in an unreasonably intrusive way. The collector must take reasonable steps to ensure the individual is aware of things such as the identity of the organisation, the purposes for which the information is collected, to whom the information is usually disclosed and any law which requires the collection of the information, unless making the individual aware would pose a serious threat to the life or health of any individual. If it is reasonable and practicable to do so, an organisation must collect personal information about an individual from that individual.
NPP 2 Use and disclosure
An organisation must not use or disclose personal information about an individual for a purpose other than the primary purpose of collection. There are exemptions to this principle. These include when the secondary purpose is related, or in the case of sensitive information, directly related to the primary purpose and the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose; if the individual has consented to the use or disclosure; in certain circumstances for direct marketing or for health research; if there is a threat to an individual's life or the public's health or safety; to report unlawful activity to relevant authorities; if it is required or authorised by or under law; and for the prevention and detection of criminal offences, enforcement of particular laws and protection of the public revenue.
The organisation must make a written note of any use or disclosure of personal information. There are special provisions which relate to the disclosure of health information.
NPP 3 Data quality
An organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.
NPP 4 Data security
An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure. Personal information must be destroyed or de-identified if it is no longer needed.
NPP 5 Openness
An organisation must have and make available a policy document on its management of personal information.
NPP 6 Access and correction
An individual must have access to personal information held by an organisation about them. There are exemptions to this principle. These include if access would pose a serious and imminent threat to the life or health of any individual; it would have an unreasonable impact upon the privacy of other individuals; the request is frivolous or vexatious; there are existing or anticipated legal proceedings between the organisation and the individual; providing access would be unlawful; denying access is required or authorised by or under law; providing access may prejudice an investigation of possible unlawful activity, the prevention or detection of a crime or the enforcement of laws, the protection of public revenue or it may damage the security of Australia.
If an individual shows that the information held is not accurate, complete or up to date then the organisation must take steps to remedy this. An organisation must provide reasons for denial of access or a refusal to correct personal information.
NPP 7 Identifiers
NPP 7 prohibits the use by organisations of government identifiers such as the tax file number of a person to identify a person or information.
NPP 8 Anonymity
Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering into transactions with an organisation.
NPP 9 Transborder data flows
NPP 9 regulates the transfer of personal information about an individual to someone in a foreign country.
NPP 10 Sensitive information
NPP 10 prohibits the collection of sensitive information about an individual except in certain circumstances, such as when the individual has consented or the collection is required by law. There are specific provisions in relation to the collection of health information.
The Privacy Act 1988 treats private sector government contractors, known as contracted service providers (CSPs), differently. The Act requires agencies to take contractual measures to ensure that CSPs, including subcontractors, do not breach the IPPs. It is therefore the IPPs and not the NPPs which apply to CSPs. The CSP's privacy obligations are derived from the contract. Therefore agencies need to ensure that contractual clauses are consistent with the privacy obligations that apply. An act done or practice engaged in by a CSP that is authorised by the contract will not breach an NPP or an approved privacy code.
The Act applies to CSPs regardless of when the contract was entered into. Therefore there is an obligation on agencies to include privacy clauses in contracts prior to the commencement of the Act. The provisions also apply to acts and practices of CSPs after completion or termination of the contract. A small business operator that is also a CSP will be subject to the legislation in respect of the performance of that contract. That is, it cannot benefit from the small business exemption for contractual matters.
To ensure that people are able to find out what privacy standards apply, agencies and CSPs are required to release on request details of privacy clauses in their contracts.
A CSP is expressly prohibited from using or disclosing personal information collected under a Commonwealth contract for direct marketing purposes unless this is a necessary part of the contract itself.
Complaints
All complaints in relation to the acts or practices of Contracted Service Providers (CSPs) are to be handled by the Privacy Commissioner. The CSPs are liable for their own acts and practices. The outsourcing agency is to be given notice of any determination against a CSP.
In circumstances where an individual is unable to obtain a remedy from a CSP, the Privacy Commissioner can substitute the agency for the CSP. This ensures that the agency remains ultimately responsible for the acts and practices of its CSPs.
CONSUMER CREDIT INFORMATION
A bank or other credit provider can refuse someone credit because of an unfavourable credit report. In South Australia consumers have rights under both State and Commonwealth legislation. The Fair Trading Act 1987 regulates the reporting of credit files. The most significant protection is found in the Privacy Act 1988 (Cth), which both protects the privacy of consumer credit information and gives consumers the right to gain access to their credit information files. Unlike the State Act, the Privacy Act also applies to banks, so it provides greater protection.
Credit reporting agencies
Credit reporting agencies are private companies that compile information about a consumer for the benefit of their members. Information is gathered from many sources, including finance companies, retailers, credit unions and real estate agents who can also be members of that agency. A member of a credit reporting agency therefore feeds information in and, by virtue of membership, may retrieve information out of any agency file.
Other sources of information are the list of default judgments obtainable by anyone (for a fee) from the State Attorney-General, Government Gazettes and court registries.
Under the Fair Trading Act 1987 a consumer about whom a credit bureau or agency has recorded incorrect information can get it changed. A credit bureau must do everything possible to ensure that the contents of any report about a consumer are accurate and fair. In particular, a credit bureau must not include, in any consumer report, any information based upon evidence that is not the best evidence reasonably available. Alternatively, the bureau cannot include any unfavourable personal information which is based upon second hand evidence unless it has made reasonable efforts to substantiate the evidence on which its information is based. If it is unable to substantiate the information, that lack of substantiation must be stated in any report given. Further, a credit bureau is prohibited from including in a consumer report any information as to the race, colour, religious or political belief of any such person.
The Privacy Act 1988 [Part IIIA] prescribes a mandatory regime for the storage, use, disclosure, access to and accuracy of consumer credit information. It applies to credit reporting agencies and credit providers (including banks, building societies, credit unions, finance companies and retailers that issue credit cards to customers) [ss 6, 11A, 11B].
The Act controls the type of personal information which may be contained in credit information files [s 18E] and the uses which may be made of that information.
Some of the important rights and obligations created by Part IIIA of the Act are:
- credit reporting agencies must ensure that credit information files are accurate, up-to-date, complete and not misleading, and they must use adequate safeguards to protect the files against loss, and against unauthorised access, use, modification or disclosure [s 18G]
- credit reporting agencies must ensure that people have access to their credit information files [s 18H]
- if people think that the information in their file is not accurate, up-to-date and complete, they may ask the credit reporting agency to alter the file. If the agency refuses, the person can have a statement included in the file to the effect that he or she requested the alteration [s 18J]
- generally, credit reporting agencies cannot disclose personal information about a person except to credit providers so they can decide whether to give credit to that person [s 18K]
- a credit provider must only use personal information (a credit report) on a person to assess a credit application of that person [s 18L]
- very strict limits apply to credit providers disclosing personal information in credit reports [s 18N]
- when assessing a consumer credit application, a credit provider generally must not use information about a person's commercial creditworthiness unless that person specifically consents [s 18L(4)]
- a credit information file must include a note of each disclosure of information [s 18K(5)]
- where credit is refused because of information in a credit report, the credit provider must tell the applicant of this fact in writing and give the name and address of the credit reporting agency who provided the credit report [s 18M]
- credit providers must inform credit reporting agencies when loans or other forms of credit are repaid [s 18F(5)]
- there are time limits on the keeping of credit information [s 18F(2)]. Some of the common time limits are set out in the following table.
Common time limits for keeping credit information
In many cases, a credit provider or credit reporting agency that breaches the obligations outlined above may be guilty of an offence. In addition to the Act, the Code of Conduct determined by the Privacy Commissioner must be followed by all credit providers and credit reporting agencies [Privacy Act 1988 ss 18A, 18B].
Complaints about possible breaches of the Act or the Code of Conduct, or generally about the conduct of credit reporting agencies or credit providers, can be made in writing or by telephoning the Privacy Commissioner, see contact points.
Personal information is held by many private agencies including banks, insurers, medical and legal professionals.
Both Commonwealth and State freedom of information legislation give patients a right to obtain personal health information. This includes their own patient files, Medicare records, hospital records and pharmaceutical records that are in the possession of government departments and agencies or government owned health care facilities (such as public hospitals). Because health is a State matter, applications for access to health records held by public hospitals and other government health organisations should be made under the South Australian FOI Act.
Under the Commonwealth FOI Act, an agency may refuse to give a patient direct access to his or her medical information if the agency believes the disclosure of the information could be detrimental to the person's physical or mental health or wellbeing [s 41]. In such cases, the agency may release the information to a qualified person (for example, a doctor, psychologist, marriage guidance counsellor or social worker) who can discuss the information with the person.
Access to documents held by State public hospitals can be gained by the patient under the Freedom of Information Act 1991. To apply, the patient will need to fill in a form, stating what documents he or she wants. There may be a fee for this. Public hospitals must provide access to personal records [s 12] unless the disclosure of the information would have an adverse effect on the physical or mental health or the emotional state of the applicant [s 26].
Medical records held by private hospitals and doctors are now accessible under the national privacy principles which were introduced by the Privacy Amendment (Private Sector) Act 2000. Under principle 6 a person has the right to access and even correct medical records where that information was acquired after 21 December 2001 or where information acquired before that date has been used or disclosed by the health care practitioner since 21 December 2001. The practitioner can charge a reasonable cost for providing this information. Access may be denied on several grounds, including if provision of the information would pose a serious threat to the life or health of any individual; see national privacy principle 6. Access may also be denied to information acquired before 21 December 2001 and used or disclosed since that date if providing access would place an unreasonable administrative burden on the health organisation or cause the organisation unreasonable expense [Privacy Act 1988 s 16C]. Use of information includes, amongst other things, compiling information for statistics and research; see national privacy principle 2.
If the information was acquired before 21 December 2001 and has not been used or disclosed since then, it may be necessary to get a court order. This is because information acquired prior to 21 December 2001 that has not been used or disclosed since that date is not subject to the national privacy principles and is actually the property of the doctor or hospital that holds the records [Breen v Williams High Court (1996) 138 A.L.R. 259]. Such discovery proceedings are usually complex and require the assistance of a solicitor experienced in medical negligence claims.
It is accepted law in Australia that clients have a right to their personal files once they have paid their legal fees. All legal documents such as contracts, summonses and pleadings must be released to the client. However, a lawyer does not have to disclose speculations, memos or any documents of a commentary nature to a client.
Employees should be told whether personal files are kept on them and whether they may have access to those files. Many organisations have a policy to allow access to employee information. Employees wanting access should firstly make use of such policies where they exist.
Commonwealth or State government employees can apply under the relevant FOI Act for access to personal information. However, employees of private sector employers have no legislative right of access to their employment records as these are exempt under the Privacy Act.
Police records
Police records are restricted and can only be accessed in a limited way.
Criminal Convictions
An individual can request criminal conviction information themselves in the form of a police check, either through the state or federal police. This may be requested by certain people or organisations like a potential employer, an adoption agency or for a visa, but will only be provided directly to that organisation if you consent. Under Commonwealth law there is a spent and minor convictions procedure, where if there have been no convictions for more than ten years (five for a Youth Court matter), and the conviction is minor, then it will not be disclosed. The South Australia police also follow this as a matter of policy. See Effects of Criminal Convictions or AFP website.
Other organisations, departments or individuals have to show that the records are legitimately required for the investigation into potential risk, suspected offence and/or prosecution of an offender to obtain the records without the consent of the individual. They will also need to specify the relevant section of legislation that provides these powers. Parents can only obtain this information about a child under 18 years of age with the child's consent.
Police Reports
Police reports of motor vehicle accidents or incidents can be released in certain circumstances. If you were involved in the incident you may obtain a police incident report or a vehicle collision report. If you are in some way associated (for example the owner of property damaged) but not mentioned in the report then you can often still get the incident report if you provide information and/or proof on how you are associated and why you need the information. However, personal details of the parties will not be provided.
Freedom of Information
The usual procedures and exemptions apply to the police. See State Government.
Court Records
As a general rule courts are open to the public and the public may access information about what happens in court. Sometimes access is restricted or information suppressed to protect a witness or in the administration of justice, for example victim evidence in relation to sexual offences. However, generally anyone can obtain information about what happened in court, what orders were made or what was said when someone was sentenced.
Family or federal court magistrates matters in relation to family law proceedings (divorce, child custody, etc.) are closed and no information may be obtained by a person who is not a party to the proceedings. This also prevents a party to the proceedings from disclosing information. Only the lawyers, judges, persons directly involved in the case and any experts consulting on the case may see any of the documents. Judgements are published but the names are not; parties are referred to by an initial [Family Law Act (Cth) s 121].
Often it is required to provide family court orders to other organisations to ensure that they are complied with, such as childcare centres or schools. Whilst this does not breach confidentiality, the organisation cannot pass that information on to others to whom it is not relevant for the enforcement of the order. For example, the organisation may inform the relevant staff members, but may not inform other parents at the school or childcare.
PRIVACY ACT: Last Revised: Thu Nov 10th 2005