Whether you can access information on yourself or whether an organisation or person can access information about you, will depend on what that information is and who has the information. There are three broad groups which collect information on people:
- the Commonwealth Government
- the State Government
- private businesses and individuals.
There is no general right for people to see the information held by businesses or other individuals. There is no common law right to privacy. In other words, just because a business or individual has a file on you does not automatically mean you have the right to see that file.
In contrast, Commonwealth and State legislation gives people the right to access information held by government departments and agencies (for example, the Australian Taxation Office, Centrelink, the Police and Commonwealth and State health departments) and certain private sector entities.
The Privacy Act 1988 (Cth) outlines how, why and what information the Commonwealth Government can compile and store, and ensures that information collected is safely held and not abused (for example, it ensures that information not provided to a particular Commonwealth department or organisation is not transferred to another department or organisation without the knowledge or consent of that person, except in limited circumstances). Some private bodies, such as health organisations, must comply with similar requirements under this law.
At present, there is no privacy legislation applying to State Government departments although Cabinet has issued privacy instructions to departments giving a measure of protection to South Australians. There are also limits under the Public Sector Act 2009 (SA) on what public servants can do with information and various Acts also contain confidentiality provisions in relation to personal information.
None of these laws bind private individuals. The only limitations on an individual invading someone's privacy are contained within other specific legilsation. For example, stalking and recording private conversations or activity.
Privacy law contacts
Office of the Australian Information Commissioner (OAIC)
Ombudsman (South Australia)
Administrative Appeals Tribunal (AAT)
There is currently no legislation in South Australia creating a general right of privacy although there is a Cabinet Administrative Instruction (Information Privacy Principles Instruction) which came into operation on 1 July 1989 and has been re-issued a number of times, including in September 2013. The instruction is not law but represents policy developed at the highest level of State Government and is binding on the public sector. The instruction is similar to the Privacy Act 1988 (Cth) in that it protects against information misuse. Unlike the Commonwealth Act, the instruction does not allow enforcement of the instruction in a court of law. All references in this part are to this instruction unless stated otherwise.
The privacy instruction is designed to protect a person's privacy by ensuring that certain measures are fulfilled when information is:
In general terms the instruction requires that personal information should not be collected unlawfully or unfairly. People should be told the purpose of collecting the information. An agency should not collect information that is inaccurate, irrelevant or excessively personal. An agency must take reasonable steps to ensure that information is securely stored and not misused. Once information is held by an agency, it must not be used except for a relevant purpose.
Perhaps the most important provision in the instruction prohibits an agency from disclosing personal information about a person to anyone else except where specific conditions have been satisfied. One such condition is when the person consents. Another, is that the disclosure is required to prevent or lessen a serious threat to the life or health of some person.
Most of the principles in the instruction have a retrospective effect and apply to information collected before 1 July 1989 when the instruction came into operation.
When the Cabinet Administrative Instruction (Information Privacy Principles Instruction) was announced Cabinet also created a small committee, known as the Privacy Committee of SA, whose chief function is to monitor the implementation of the Privacy Instruction. The committee consists of four public servants who work in very different areas of the public sector, plus one member of the public.
The Privacy Committee meets occasionally with public agencies to discuss problems that arise in interpreting or applying the Cabinet Administrative Instruction. The committee can also consider complaints (usually in writing) from the public although it does not automatically allow people to attend a meeting of the committee .
The committee does have the power in exceptional cases to grant exemptions from the requirements of the instruction. To date, very narrow exemptions have been given to certain agencies to cover very specific circumstances. For example, the Education Department has been given permission to release academic progress reports to the non-residential parents of children enrolled in State schools. For more information about the Committee go to http://www.archives.sa.gov.au/content/privacy-committee-sa .
As indicated already, the privacy instruction is not law and therefore it does not give a person any right to pursue compensation or a legal remedy.
A person who believes that there has been a breach of privacy by a State Government department or agency should firstly approach the department. A list of contact details for all South Australian Government Departments can be found on the sa.gov.au website.
If no satisfactory response is achieved, then a complaint can be lodged with the Privacy Committee. Complaints must be in writing (see http://www.archives.sa.gov.au/privacy/index.html ).
Please note significant changes were recently made to the Privacy Act 1988 (Cth) which came into effect on 12 March 2014.
For detailed information on Commonwealth Government Agencies and Non-Government privacy obligations see the website of the Office of the Australian Information Commissioner: https://www.oaic.gov.au/
The OAIC have produced the following short videos which provide general information:
The Privacy Act 1988 (Cth) gives effect to the Organisation for Economic Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and the International Covenant on Civil and Political Rights (Article 17). The OECD guidelines cover the collection of personal information, its use and access to and alteration of, the information.
The Act has three areas of operation where the OECD guidelines provide legally binding standards:
Australian Privacy Principles - to protect personal information collected by Federal Government departments or agencies. There are strict privacy safeguards that agencies must observe in collecting, storing and using information.
Tax File Numbers - to ensure that Tax File Numbers are collected and used only for tax related purposes or to assist the tax agency (Tax File Number Guidelines).
- Consumer Credit Reporting - privacy protection for consumer credit information, including the type of information that can be collected and the use and disclosure of this information.
It also covers Health Information.
The Privacy Act 1988 (Cth) sets out rules of conduct called Australian Privacy Principles (APPs) which establish standards for the collection and handling of 'personal information' (as defined by the Act) by Commonwealth agencies. The APPs comprise a code of conduct for privacy of personal information in areas [Privacy Act 1988 (Cth) s 14] including:
- the manner and purpose of collection
- requests from individuals, or from other people, agencies or bodies
- storage and security of information
- availability of information and access to it
- alteration of information held by agencies
- obligation to maintain accurate information
- the permitted uses of information
- limits on agencies disclosing information held by them.The APPs are listed later in this chapter in: Access to Non-government Information - Australian Privacy Principles.
Under the Act agencies must comply with the APPs and a breach of an APP by an agency is deemed to be an interference with the privacy of an individual [s 13]. The Office of the Australian Information Commissioner (OAIC) may issue a public interest determination to allow practices which would otherwise be a breach (eg. publication of Telstra's white pages telephone directory).
The APPs and many useful publications about them and about how to make a complaint about breaches of them are available from the Office of the Australian Information Commissioner's website: http://www.oaic.gov.au/.
The Office of the Australian Information Commissioner (OIAC) administers the Privacy Act 1988 (Cth) and is able to assist individuals who have complaints regarding privacy issues relating to Commonwealth Government agencies, private organisations, consumer credit reporting activities, tax file numbers and spent convictions.
As of 12 March 2014 the Commissioner also has powers to develop and register codes in the public interest that are binding on specified agencies and organisations.
The Commissioner has broad powers to ensure privacy [s 27] including:
- investigating, conciliating and awarding damages for breaches of the APPs by an agency or organisation.
- examining proposed legislation which would allow interference with privacy or may have any adverse effects on peoples privacy.
- researching and monitoring developments in data processing and computer technology to ensure that adverse effects on people's privacy are minimised.
- promoting an understanding and acceptance of the APPs and their objects.
- preparing and publicising guidelines for agencies and organisations to follow to avoid breaches of privacy.
- encouraging industries to develop programs to handle personal information consistent with the APPs.
Most investigations into breaches of the IPPs and NPPs result from complaints. Investigations may also occur in matters that come to the Commissioner's attention in other ways [s 40]. The Office of the Australian Information Commissioner has broad powers to obtain information and documents [s 44], to enter premises, to examine witnesses [s 45] and to compel attendance at compulsory conferences [s 46].
Having investigated, the Office of the Australian Information Commissioner may determine whether there has been an interference with a person's privacy and make various declarations, including payment of compensation to the person concerned [s 52]. However, for the OAIC's determinations to be enforced a new action must be taken in the Federal Court.
Due to the changes to the Privacy Act 1988 (Cth) that came in on 12 March 2014 the Commissioner has new complaint handling powers and to provide further enforceable remedies such as the ability to conduct an assessment of an APP entity’s maintenance of personal information, accepting written undertakings about compliance with the Act, power to recognise external dispute resolution services, conciliate complaints, make determinations including orders that the Commissioner considers necessary or appropriate.
If you wish to make a complaint about an agency's or an organisation's practices which you think amounts to an arbitrary or unreasonable interference with your privacy, you should contact the Commissioner with details of the practices which you think interfere with your privacy.
Office of the Australian Information Commissioner (OIAC)
Telephone 1300 363 992
The Office of the Australian Information Commissioner (OIAC) also has a number of specific functions relating to the tax file number system including:
- issuing rules for the collection, storage, use and security of tax file number information;
- investigation of possible breaches of those rules;
- investigation of unauthorised requests or requirements for the disclosure of tax file numbers;
- examining the Commissioner of Taxation's records to ensure the tax file number information is used for authorised purposes and that adequate measures are taken to prevent unlawful disclosure of that information.[See Privacy Act 1988 (Cth) ss 17-18, 28A, 33C(1)(c), 49(1)]
Guidelines for data matching by Commonwealth government agencies were issued in February 1998 under s 27(1)(e) of the Privacy Act 1988 (Cth). They are not legally binding but are very persuasive particularly when considering an agency's obligations under the Australian Privacy Principles. The guidelines apply to any agency involved in larger computerised comparisons of two or more databases containing information on more that 5000 individuals, and relate to such requirements including to:
- publish information about the data match including the objectives and categories of information involved
- inform people whose information is likely to be used
- comply with strict technical standards of operation
- publish data matching program protocols
- notify individuals of any match giving at least 14 days to comment
- destroy unmatched material within 90 days and matched material which is not to be proceeded upon within 14 days after decision not to proceed.
Data matching is carried out regularly and frequently in an overnight 'data dump' by the following major Commonwealth agencies: Centrelink, Australian Tax Office, Department of Veterans Affairs, Department of Home Affairs, and Department of Education, Training and Youth Affairs. Any match found may lead to investigation of fraud or overpayment, or of breaches of immigration laws such as overstaying an entry permit.
Australians can choose to register their own personally controlled electronic health record (eHealth) record.
The law about the eHealth record system is found in the Personally Controlled Electronic Health Records Act 2012 (Cth) and the Personally Controlled Electronic Health Records Regulations 2012 (Cth).
The Office of the Australian Information Commissioner regulates the handling of personal information under the eHealth record system. It can investigate complaints about the mishandling of information in an individual's eHealth record, but does not require a complaint to start an investigation. It will use the existing investigative and enforcement mechanisms under the Privacy Act 1988 (Cth), including conciliation and formal determinations. It may also seek other penalties or rememdies for mishandling from the courts.
The Surveillance Devices Act 2016 (SA) commenced operation on 18 December 2017 and regulates the recording of a private conversation or activity, including the use of tracking and data surveillance devices.
Surveillance devices include devices that record audio or vision, track a location, or record computer data.
While there are some exceptions, it is generally prohibited to do the following actions:
Install or use a listening device that overhears, monitors, or audio records a private conversation without the consent of all the principal parties [s 4];
Install or use an optical surveillance device on a premises (or vehicle) that visually records or observes a private activity without the consent of all the principal parties [s 5];
Install or use a tracking device that determines the geographical location of a person (or their vehicle) without their consent [s 7] (use of the device solely to locate and retrieve the device itself is not an offence); and
Install or use a data surveillance device that accesses, tracks, monitors or records the input/output of information from a person’s computer without their consent [s 8].
The maximum penalties for committing an offence under the above sections is a fine of up to $75 000 for a body corporate or a fine of up to $15 000 or imprisonment for a maximum of three years for an individual.
The parties to the conversation or activity may give either express or implied consent for the surveillance device to be used.
Other than the information here, you may also find useful the information sheet produced by the Attorney-General's Department "What you should know about the Surveillance Devices Act 2016"
A private conversation or activity is one where at least one party would not reasonably want or expect to be overheard or observed by anyone aside from those present [s 3].
Activities which occur in a public place, or in a location or vehicle which can reasonably be observed from a public place, are not considered “private” for the purposes of the Act. Conversations, on the other hand, may or may not be private even if they occur in a public place. It just depends whether the parties could reasonably expect the conversation to be overheard by someone else. This may, in turn, depend on the volume of their speech and whether there is anyone else within earshot.
Because private activity cannot occur in a public place for the purposes of the Surveillance Devices Act 2016 (SA), there are no general restrictions on the taking of photo or film in a public place or from a public place. The only restrictions would be that the photo not: be indecent (such as 'up skirt' photos); of a child in a provocative or sexual manner; protected by a court order (e.g. child custody or witness protection); defamatory or being used for commercial purposes.
A public place includes [s 3]:
A place to which free access is permitted to the public with the express or implied consent of the owner or occupier
A place to which the public are admitted on payment of money only
A road, street, footway, court, alley, or thoroughfare the public are allowed to use
However, it may be a condition of entry to a public place that no photography or film be taken. The taking of photos of film would then be a breach of that condition, but not a breach of the Surveillance Devices Act 2016 (SA). There is also nothing to stop someone taking photos or film of private property from a public place outside that property.
Many filming devices also have audio recording capability; in these cases it is necessary to ensure it is not recording a private conversation without consent. Unlike private activity, a private conversation may take place in a public place as long as the circumstances still suggest that at least one party would not reasonably want or expect to be overheard by anyone aside from those present. See Private conversation and private activity.
A person or body (police officer or other investigating authority) may be authorised to use a surveillance device under an Act, such as the following:
See sections 4(2)(b),(d),(e), 5(4)(a),(c),(d), 7(2)(a), 8(2) of the Surveillance Devices Act 2016 (SA).
There are exceptions to the use of listening or optical surveillance devices without a person’s consent if the use is to protect a person’s lawful interests [s 4 (2) (ii) and 5 (4) (b)] or in the public interest [s 6].
What constitutes a lawful interest or what is in the public interest will be determined objectively by considering the context and circumstances of the surveillance device being used, and weighing this against competing interests such as the need to protect personal privacy.
Therefore, there may be scope, for example, for a land owner to install CCTV cameras on their property without the consent of their neighbour (whose private activities may be within range), as long as it can be demonstrated that the cameras are directed to protect their lawful interests in their property. The land owner could then bring any relevant recordings to the attention of police, see further below Publication of information in lawful interests.
However, the courts have previously determined that it is not considered to be a lawful interest to use a device for the purpose of gaining an advantage in civil proceedings, for example [Thomas & Anor v Nash  SASC 153]. In another case the court accepted that the recording of a private conversation was in the person's lawful interest where the person had a genuine fear for their safety [Groom v Police  SASC 101]. In Groom v Police, a protected person made audio recordings of her former partner who contacted her in a way that was a breach of an intervention order. In this case the Supreme Court held that the recording was allowed to be admitted into evidence as it was both protecting her lawful interest and in the public interest.
Publication of information in lawful interests
Where a device is used to protect a person’s lawful interests, the information obtained can only be used, communicated or published in specific circumstances. This includes, amongst other things, providing the information to someone who was party to the conversation or activity, to an investigating agency (such as SAPOL or ICAC), in the course of particular legal proceedings such as prosecution, to the media, or in accordance with an order from the Supreme Court [s 9].
A media organisation could only re-publish information that is in the public interest, see below Publication of information in the public interest.
If none of the circumstances apply, then a maximum penalty of a fine of up to $50 000 for a body corporate or a fine of up to $10 000 for an individual applies [s 9 (1)].
Publication of information in public interest
Where information derived from a listening or optical surveillance device is obtained in the public interest, it cannot be used, communicated or published except in accordance with an order of the Supreme Court, or where that information has been provided to the media and its publication is in the public interest – maximum penalty of a fine of up to $50 000 for body corporate or a fine of up to $10 000 for an individual [s 10(1)].
Order from Supreme Court
It is possible to apply to the Supreme Court for an order to allow the use, communication or publication of information [s 11]. This is likely to be necessary where a person wishes to use the information obtained from a surveillance device for civil proceedings. Applications are governed by the Supreme Court Special Applications Rules 2014 (SA) [Chapter 3 r 13(ba) and 14(3)(b)]. Filing fees will apply.
There is a further prohibition from knowingly using, communicating or publishing any information derived unlawfully from the use of a surveillance device [s 12].
Information which is obtained without consent and/or not for a lawful interest or in the public interest, cannot be used, communicated or published except in circumstances where:
The communication is to the other party of the conversation or activity; or
Each party to the conversation or activity consents to the disclosure; or
The communication is required as part of a relevant investigation relating to a contravention of the Act, or in the course of proceedings for an offence against the Act; or
The communication is otherwise in the course of duty or as required by law.
A maximum penalty of a fine of up to $75 000 for a body corporate and a fine of up to $15 000 or a maximum term of imprisonment of three years for an individual applies.
However, if the information is obtained by means other than using the surveillance device unlawfully, the person may communicate or publish it, even if it is the same as that obtained unlawfully [s 12(3)]. This means that a person who was a party to the conversation, and heard it with their own ears or saw it with their own eyes, may publish the information as to their conversation or activity.
Surveillance devices are currently used for many legitimate purposes, such as the use of CCTV cameras within a workplace or the monitoring of computer usage of employees by an employer. To ensure compliance with the Act, workplaces should develop and make available to all employees clear policies regarding their use of surveillance devices, or obtain the consent of employees prior to use. There may be evidentiary issues should an employer attempt to rely in disciplinary proceedings against the employee, upon information obtained through the use of a surveillance device when the consent of the employee has not been obtained and/or there is no governing workplace policy.
The content of the Law Handbook is made available as a public service for information purposes only and should not be relied upon as a substitute for legal advice. See Disclaimer for details. For free and confidential legal advice in South Australia call 1300 366 424.