The Information Privacy Act 2014 (ACT) regulates how Australian Capital Territory (ACT) public sector agencies handle personal information. It includes a set of Territory Privacy Principles (TPPs) which cover the collection, storage, use and disclosure of personal information, and an individual’s access to and correction of that information. The Information Privacy Act commenced on 1 September 2014.
What is our role?
Under an arrangement between the ACT Government and the Australian Government, the Australian Information Commissioner is exercising some of the functions of the ACT Information Privacy Commissioner. These responsibilities include handling privacy complaints against, and receiving data breach notifications from, ACT public sector agencies, and conducting assessments of ACT public sector agencies’ compliance with the Information Privacy Act.
Your rights under the Information Privacy Act
The Information Privacy Act gives you greater control over the way that your personal information is handled. Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable.
The Information Privacy Act allows an individual to:
- know why their personal information is being collected, how it will be used and who it will be disclosed to
- have the option of not identifying themselves, or of using a pseudonym, in certain situations
- ask for access to their personal information
- ask for their personal information that is incorrect to be corrected
- make a complaint about an agency or contractor covered by the Information Privacy Act, if they think the agency or contractor has mishandled their personal information.
Who has responsibilities under the Information Privacy Act?
The Information Privacy Act applies to ACT public sector agencies. This includes:
- ministers (in their administrative capacities)
- administrative units
- statutory office-holders and their staff
- territory authorities
- territory instrumentalities
- territory-owned corporations
- ACT courts (in their administrative capacities)
- any entity prescribed by regulation.
The Information Privacy Act also applies to some businesses who are contracted service providers (including subcontractors) for an ACT Government contract and are performing obligations under that contract.
What’s not covered by the Information Privacy Act?
The Information Privacy Act does not cover:
- individuals acting in their own capacity, including your neighbours
- private organisations (except to the extent that they are performing obligations under an ACT Government contract)
- personal health information or health records
- workplace privacy and surveillance.
Territory Privacy Principles
The Territory Privacy Principles (TPPs) set out standards, rights and obligations for the collection, use, disclosure, storage, accessing and correction of personal information (including sensitive information). They are principles-based rather than prescriptive. Each ACT public sector agency needs to apply the principles to their own situation.
Individuals can lodge a complaint with us (the OAIC) about the handling of their own personal information under the TPPs by ACT public sector agencies. Where an individual’s complaint is upheld, we must notify the individual that they can apply to a court for a remedy.
Health records held by ACT Government agencies (including public hospitals) are covered by the Health Records (Privacy and Access) Act 1997 (ACT). The ACT Human Rights Commission handles health record privacy complaints.
Notifiable data breaches and ACT public sector agencies
The Notifiable Data Breaches (NDB) scheme requires an individual likely to be at risk of serious harm from a data breach to be notified. The OAIC must also be notified.
The NDB scheme applies to entities with existing information security obligations under the Privacy Act 1988, including entities that hold tax file number (TFN) information. ACT public sector agencies hold TFN information for a number of reasons, but most commonly, for their employment and payroll functions.
If an ACT public sector agency experiences an eligible data breach involving TFN information, it must notify affected individuals and the OAIC. However, ACT public sector agencies are not required to notify data breaches that affect other types of personal information they hold.
Resources
These resources should be read with reference to the full text of the TPPs and are not a substitute for legal advice.
- APP Guidelines
- Privacy Management Framework
- Guide to Developing an APP Privacy Policy
- Guide to Securing Personal Information
ACT public sector agencies and employees who have questions about the operation of the Information Privacy Act should first contact the Privacy Clearinghouse set up by the ACT Justice and Community Safety Directorate. The Privacy Clearinghouse will forward questions to us if appropriate.
