Australia

OVERVIEW

The privacy law in Australia regulates “information privacy” and personal information. The primary privacy law in Australia is the Privacy Act of 1998.
ENACTED 1998 with amendments in 2000
GENERAL PRIVACY LAWS
  • Neither the Australian Federal Constitution nor the Constitutions of the six States and two Territories contain any express provisions relating to privacy.
  • The Australian Capital Territory adopted a bill of rights in 2004. Section 12 of the Human Rights Act of 2004 creates a right of "privacy and reputation."
PERSONAL DATA PROTECTION LAWS AND REGULATIONS
  • The principal federal statute on privacy is the Privacy Act of 1998, which is based in part upon the Organization for Economic Cooperation and Development (“OECD”) Guidelines and the International Covenant on Civil and Political Rights.
  • Controls on the transfer of personal information out of the country are limited, requiring only that the data controller take “reasonable steps” to ensure personal information will be protected, or “reasonably believe” that the information will be subject to protection similar to that applied under Australian law.
  • The Office of the Australian Information Commissioner enforces the Privacy Act. This office has a wide range of functions, including handling complaints, auditing compliance, promoting awareness and advising the government on privacy matters.
  • There are numerous sector laws that regulate the use of personal information in special categories, such as health care, telecommunications, etc.
  • In March 2001, the European Union’s Article 29 Working Party declined to find that Australia met the requirements for providing “adequate protection” under the EU Data Protection Directive.

The Federal Privacy Act does not regulate state or territory agencies, except for the Australian Capital Territory (ACT).

TYPE OF DATA PROTECTED

Personal Information, which is information that identifies an individual or could identify the individual. The Privacy Act defines personal information as:

"... information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion."

WORKPLACE PRIVACY LAWS
  • The Privacy Amendment Act of 2000 contains eleven Information Privacy Principles (NPPs) that require companies to observe the National Privacy Principles for Fair Handling of Personal Information.
  • The Privacy Amendment (Private Sector) Act 2000 provides two important exemptions in its provisions that heavily affect the regulation of employment data protection. The first is the exemption for “small businesses” and the second is the exemption of certain “acts and practices,” including those related to employment records. Combined, these exemptions removed most employment data from the jurisdiction of the Privacy Act. It is important to note, however, that the Act contains exceptions to what qualifies as a “small business”. Also, the Act authorizes small businesses to opt in to be covered by the Act. As of 2007, almost 70 small businesses had opted to be covered by the Act.
  • Employee records are defined broadly and include records that contain the types of personal information about employees typically held by employers on personnel and similar files. For example, a record containing information about the engagement, training, disciplining or resignation of an employee; the terms and conditions of employment of an employee; or an employee’s performance or conduct would be considered to be an employee record for purposes of the legislation.
  • The exemption applies to acts or practices directly related to an employee record and a current or former employment relationship. This dual requirement is designed to ensure that employers do not take commercial advantage of the exemption.
TRANSBORDER TRANSFERS

The Privacy Act regulates the handling of personal information in Australia and originating from Australia. Under Australian law, specifically National Privacy Principle (NPP) 9, if an organization’s overseas activity is required by the law of a foreign country, then it does not interfere with the privacy of an individual under Australian law.

An organization may transfer personal information overseas provided that one of the following conditions is satisfied:

  1. The organization reasonably believes a law, binding scheme or contract applies at the destination which effectively delivers privacy standards substantially similar to the NPPs;
  2. The individual consents to the transfer;
  3. The transfer is for the benefit of the individual and it is impracticable to obtain consent, but it's likely consent would be given;
  4. The transfer is required by a contract between the individual and the organization, or a contract between the organization and a third party in the interests of the individual; or
  5. The organization has taken reasonable steps to ensure the information will not be held, used or disclosed by its recipient inconsistently with the National Privacy Principles.
FINES AND SANCTIONS

Pursuant to Section 52 of the Privacy Act, a number of sanctions are available. After investigating a complaint, the Commissioner may:

  • Make a determination dismissing the complaint; or
  • Find the complaint substantiated and make a determination that includes one or more of the following:
    • A declaration that the respondent should perform any reasonable act or course of conduct to redress any loss or damage suffered by the complainant;
    • A declaration that the complainant is entitled to a specified amount by way of compensation for any loss or damage suffered by reason of the act or practice the subject of the complaint.
OTHER PRIVACY LAWS AND REGULATIONS

The Telecommunications Act 1997 has a number of provisions that deal with the privacy of personal information held by carriers, carriage service providers and others. Part 6 provides for the development of industry codes and standards for the protection and privacy of consumer information. Part 13 sets out strict rules for carriers, carriage service providers and others in their use and disclosure of personal information.

The Privacy Act (and specific secrecy provisions in other legislation) protects information collected by the Government through the Medicare (MBS) and Pharmaceutical Benefits (PBS) schemes. Due to its sensitivity, the handling of MBS and PBS information is also regulated by legally binding guidelines issued by the Information Commissioner. The guidelines:

  1. Require that claims information from the MBS and PBS is not stored together;
  2. Specify when claims information from the two programs may be linked;
  3. Prohibit claims information over five years old from including information that could identify an individual; and
  4. Specify the circumstances in which old information may be re-linked.

The Data-Matching Program (Assistance and Tax) Act 1990 regulates the use of the tax file number in comparing personal information held by the Australian Taxation Office and by assistance agencies.

The Crimes Act 1914 contains Part VIIC, which limits the use of old criminal convictions and provides protection against unauthorized use and disclosure of this information.

The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 amends the Privacy Act so that small businesses are reporting entities for the purposes of the Act and have reporting responsibilities to AUSTRAC.

The Healthcare Identifiers Act 2010 (the HI Act) establishes the Healthcare Identifiers Service (the HI Service) and prescribes how healthcare identifiers are assigned and how they may be used and disclosed. There are also Healthcare Identifier Regulations that expand on the requirements in the HI Act. Healthcare providers may only access, use or disclose healthcare identifiers for the limited purposes set out in the HI Act.