ACT Personal Information Digest (2001)-Introduction  
     
  Openness principle

The Privacy Act 1988 (Cth) ("the Privacy Act") came into operation on 1 January 1989. It requires Commonwealth and ACT government agencies to comply with 11 Information Privacy Principles ("IPPs") which appear in its section 14. Broadly speaking, the IPPs regulate how personal information may be collected, used, accessed, disclosed and secured by agencies.

Under the Privacy Act, the Privacy Commissioner may inspect the records of agencies and direct them to change their information handling practices to accord with the requirements of the IPPs. The Privacy Commissioner also has the power to investigate complaints concerning interferences with privacy and may award compensation if an interference with privacy has occurred.

The Privacy Act recognises that it is fundamental to the exercise of their rights for individuals to be made aware of personal information about them held by agencies. Apart from the nature and extent of these holdings, it is important that individuals be advised of how to obtain access to their personal information. To this end, the Privacy Act requires agencies to maintain a detailed record of their information holdings for submission to the Privacy Commissioner on an annual basis.

 
 
These aspects of the Privacy Act reflect the 'Basic Principle of National Application' as set out in the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data issued by the Organisation for Economic Cooperation and Development. This principle states that:
 

12. There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
 
 
 

Legislative background

The Privacy Act applies to ACT government agencies by virtue of the Australian Capital Territory Government Service (Consequential Provisions) Act 1994 (Cth) ("the Consequential Provisions Act"). The Consequential Provisions Act provides that, unless the ACT Legislative Assembly passes an enactment that provides otherwise, the Privacy Act applies in the ACT as if it had been amended by Schedule 3 to the Consequential Provisions Act. In effect, ACT government agencies are subject to the IPPs in the Privacy Act in the same way as Commonwealth government agencies.
 

 
 

IPP 5 provides that:

  1. A record-keeper who has possession or control of records that contain personal information shall, subject to clause 2 of this Principle, take such steps as are, in the circumstances, reasonable to enable any person to ascertain:
    1. whether the record-keeper has possession or control of any records that contain personal information:
    2. and if the record keeper has possession or control of a record that contains such information
    3. the nature of that information;
    4. the main purposes for which that information is used;
    5. and the steps that the person would take if the person wishes to obtain access to the record.
       
  2. A record-keeper is not required under clause 1 of this Principle to give a person information if the record-keeper is required or authorised to refuse to give that information to the person under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents
     
  3. A record-keeper shall maintain a record setting out:
    1. the nature of the records of personal information kept by or on behalf of the record-keeper;
    2. the purpose for which each type of record is kept;
    3. the classes of individuals about whom records are kept;
    4. the period for which each type of record is kept;
    5. the persons who are entitled to have access to personal information contained in the records and the conditions under which they are entitled to have that access; and
    6. the steps that should be taken by persons wishing to obtain access to that information.

     
  4. A record-keeper shall:
    1. make the record maintained under clause 3 of this Principle available for inspection by members of the public; and
    2. give the Commissioner, in the month of June in each year, a copy of the record so maintained
IPP5 applies to Departments and other government agencies that are both agencies and record-keepers as defined by the Privacy Act. Relevant provisions of the Privacy Act are sub-section 6(1) regarding agencies and section 10 regarding record-keepers.

Under paragraph 27(1)(g) of the Privacy Act, the Privacy Commissioner is obliged to compile the statements provided by agencies under IPP 5.4(b) and to publish them annually. The publication which sets out information provided by ACT agencies is known as the Australian Capital Territory Personal Information Digest.

The Privacy Commissioner also compiles and publishes annually the Commonwealth Personal Information Digest, which lists personal information held by Commonwealth agencies subject to the Privacy Act.
 
How to use this Digest

This Digest has been compiled with two types of user in mind: clients of agencies and other members of the public, and employees of agencies.

If you are a client of an agency and wish to find out:

  • whether your personal information remains on the agency's files despite a considerable period of time since last you dealt with the agency; or
  • the extent to which, and how your personal information is held; or
  • the accuracy, relevance or completeness of the personal information held about you;
     
then the Digest can provide you with a general indication of:
  • how long the agency holds particular classes of records;
  • the types of general and sensitive content held on each class of record and on what type of media it is held; and
  • the telephone number or contact address to which any specific inquiry regarding your personal information may be directed.
If you are an employee of or contractor to an agency (either former or current), the Digest can provide a general indication of the types of information held by your employer and indicate to whom you may direct any specific inquiry.
 
What information is provided about each class of records?
 
IPP 5.3 requires agencies to provide the following information about each class of records containing personal information:

  1. the nature of the records of personal information kept by or on behalf of the record-keeper;
  2. the purpose for which each type of record is kept;
  3. the classes of individuals about whom records are kept;
  4. the period for which each type of record is kept;
  5. the persons who are entitled to have access to personal information contained in the records and the conditions under which they are entitled to have that access; and
  6. the steps that should be taken by persons wishing to obtain access to that information.

In describing the nature of the records kept, the Privacy Commissioner has asked agencies to advise whether records include sensitive information. Sensitive information is defined, in line with international data protection standards, as including information touching upon any of the following:

  • racial or ethnic origin,
  • mental or physical health,
  • disabilities,
  • sexual life,
  • criminal convictions,
  • criminal intelligence,
  • religious affiliations,
  • tax file numbers,
  • financial information, including debts,
  • relationship details, or
  • political affiliations.
 
  Details of any sensitive personal information held has been included for each class of record.

In addition to the information required by IPP 5.3, the Privacy Commissioner has also requested agencies to provide information about the volume of records held, details of the media on which information is stored and the main geographical location of the information.

This extra information makes the Digest more informative for readers and the Privacy Commissioner appreciates agencies' co-operation in providing it.

Structure of the Digest

The body of the Digest provides descriptions of classes of personal information held by, or on behalf of, the agencies which have provided returns. Each ACT Government Department has provided an entry which includes (under separate headings) information held by independent statutory authorities for which the Department has portfolio responsibility. Agencies which are Territory Owned Corporations for the purposes of the Territory Owned Corporations Act 1990 have submitted separate entries.

Each class of record represents a separate file, database or type of record as defined by the agency itself. Some agencies have chosen to describe their personal information holdings in considerable detail, such as by including each physically separate set of records as a separate class. Others have chosen to group together similar files and records under a more inclusive description.

Responsibility for accuracy of the information in this Digest

Each agency is responsible for providing the information which has been complied in this Digest. Although the text has been edited, the Privacy Commissioner has not verified the accuracy or completeness of the entries. Any inquiries about the contents of entries should be directed to the relevant agency.

Rights of access

An individual is entitled to obtain access to personal information held by an agency about themselves. This right was first conferred on individuals in relation to Commonwealth agencies by the Freedom of Information Act 1982 (Cth). It is now enshrined, in relation to ACT agencies, in the Freedom of Information Act 1989 (ACT) ("the FOI Act").

This right is reflected in IPP 6, but is qualified in that a record-keeper is entitled to refuse access if required or authorised to do so by or under a Commonwealth (but not an ACT) law.

Individuals wishing to exercise their rights of access to personal information should contact the agency holding the relevant records. They should telephone or write to the contact point or person nominated in the relevant listing in this Digest.

Alteration of records

A record-keeper is obliged to take reasonable steps to ensure that records are accurate, relevant, up to date, complete and not misleading. The FOI Act and Privacy Act provide for individuals to challenge any record about themselves which they consider does not meet these standards. Such a challenge would usually follow an FOI access request, but may also be made directly to the agency concerned under the Privacy Act.

Under IPP7, if an agency declines to amend a record, the agency must take reasonable steps, if requested by an individual, to attach to the record any statement provided by the individual.

Complaints about breaches of the Privacy Act

Individuals have the right to complain to the Privacy Commissioner if they feel their privacy has been interfered with through the actions of an agency which breach any of the 11 IPPs. If the complaint cannot be resolved by conciliation, the Privacy Commissioner may make a determination, including a direction to the agency or tax file number user to change its information handling procedures and, where appropriate, to pay compensation. If you wish to complain to the Privacy Commissioner, or obtain more information about the Privacy Act, contact the Privacy Hotline 1300 363 992, or write to the Privacy Commissioner at GPO Box 5218 Sydney NSW 1042.

  
  Canberra Connect home page  
  Australian Capital Territory