Roger Clarke's Web-Site


© Xamax Consultancy Pty Ltd,  1995-2018

Roger Clarke's 'Australian Privacy Law'

History of Australian Privacy Law
The Other Six Sub-National Jurisdictions

Emergent Draft of 29 October 2010

Roger Clarke ** [and co-authors?]

© Xamax Consultancy Pty Ltd, 2010

Available under an AEShareNet Free
for Education licence or a Creative Commons 'Some
Rights Reserved' licence.

This document is at

It is one chapter in a study of privacy law in Australia

1. Introduction

This paper reviews the history and status of privacy law in Australia's four smaller States: Queensland, Western Australia, South Australia and Tasmania, and two Territories: Australian Capital Territory (ACT) and the Northern Territory.

Separate papers in the series address the Commonwealth, the complex situation in the private sector, N.S.W. and Victoria.

2. Queensland

Queensland is a State of c. 1.8 million (equivalent to Spain, France, Germany and Poland combined), ranging from lush coastal lands via rich agricultural country to semi-desert. It has a population of 4 million, of whom about 55% live in the Brisbane-Ipswich-Gold Coast conurbation.

Its jurisdictional history began as part of the Colony of NSW. It was first settled in 1824, and became a separate British Crown Colony in 1859, and was self-governing from that time. It became a State of the Commonwealth of Australia at federation in 1901.

An ineffectual attempt to regulate credit reporting was made in 1971, An early, but very limited, statute was passed in 1971, in the form of the Invasion of Privacy Act. Part 4 covers Listening Devices, Part 2 deals with Inspectors and Part 4A deals with invasion of the privacy of the home. Provisions relating to credit reporting were rescinded in about 1989.

A statutory Committee which operated from 1984 until 1992, but appears to have achieved very little. Nor did the Fitzgerald enquiry into corruption in the late 1980s provide any momentum. A brief review is at Mason (1995).

Spent convictions legislation has, however, existed since 1986, in the form of the Criminal Law (Rehabilitation of Offenders) Act.

In 1996-97, a Committee of Queensland's unicameral parliament succeeded in broadening the terms of reference of an inquiry into the law of confidence into a privacy enquiry (QP 1997). The Committee subsequently published a very reasonable report, and recommended privacy legislation ( QP 1998). See also Newton (1998). The Government quickly decided to do precisely nothing. The one tiny outcome was that the Scrutiny of Legislation Committee is now explicitly authorised to consider privacy when reviewing regulations.

In late 1999, a private member's Bill was tabled by Jack Paff of Pauline Hanson's One Nation Party. The Information Privacy Bill 1999 includes a basic version of information privacy principles, but without any machinery or institutions. It and appears to be designed to implement the 1998 recommendations of the Parliamentary Committee.

In 2000, the Police Powers and Responsibilities Act was enacted, including Chapter 4 dealing with Covert Evidence Gathering Powers.

Also during 2000, Queensland's then Criminal Justice Commission (CJC), now Crime and Misconduct Commission (CMC), conducted a public inquiry into the misuse of the Queensland Police database. Its Report [appears not to have resulted in changes to the law?].

In 2003, Queensland became the only jurisdiction in Australia that has unequivocally recognised the existence of a tort of invasion of privacy, albeit only at the level of the District Court, in Grosse v Purvis [2003] QDC 151.

Despite various Parliamentary reports, generic privacy legislation and a statutory privacy protection body took a very long time to emerge. From 2001 to 2010, unenforceable codes existed in the form of Government Standards 42 (QGCIO 2001a), and 42A (QGCOI 2001b) for the Department of Health. The Standards reflected the federal National Privacy Principles (i.e. those applicable to the private sector nationally), but applied to almost all agencies excluding local government. These were administered by a small Privacy Unit within the Department of Justice and Attorney-General, which was styled Privacy Queensland.

The Criminal Code was amended in 2005 to regulate 'observations or [visual] recordings in breach of privacy' (s.227A-227C).

An Information Privacy Act was passed in 2009. This created an Information Commissioner, and, subordinate to that role, a Privacy Commissioner. The first Privacy Commissioner was appointed in May 2010.

At some time during 2010, the old domain of was deleted, and visitors redirected to the Office of the Information Commissioner's site. The documents were not transferred, and appear to have been simply withdrawn, without any kind of transition period to the new regime.

Relevant laws are identified in APF (2010).

3. Western Australia

Western Australia is a State of c. 2.3 million (and is the second-largest sub-national entity in the world, to the Sakha Republic - Western Siberia). It is the size of 2/3rds of Russia west of the Urals, or close to Spain, France, Germany and the whole of Scandinavia combined. Most of it is desert or semi-desert. It has a population of about 2 million, about 75% of whom live in the capital city, Perth.

A British settlement on the south coast in 1826 was followed by the establishment of the Swan River Colony in 1829, including the townsite of what is now Perth. Self-government was granted in 1890. It became a State of the Commonwealth of Australia at federation in 1901. (It nearly did not, however, and even in the twenty-first century, it is remote from the majority of the country, which is almost all close to the eastern seaboard).

The State has no generic privacy laws. Relevant laws are identified in APF (2010).

The Surveillance Devices Act, passed in 1998, is a modern statute regulating devices that enable surveillance, including listening devices, optical surveillance devices, tracking devices and data surveillance devices.

Following a discussion paper in 2003, an Information Privacy Bill was eventually introduced into the Parliament by the Labor Attorney-General in March 2007. It would have expanded the functions of the existing, small Information Commissioner's Office (which is responsible for the administration of FOI laws) to that of a Privacy and Information Commissioner. Further, it would have enabled the position to be held concurrently with that of Parliamentary Commissioner (Ombudsman). It is not clear whether any additional resources would have been provided to enable the new functions to be addressed. During 2007-08, the Government was embroiled in political difficulties arising from accusations of engrained corruption. The Bill lapsed when Parliament was prorogued. The Coalition that won Government in the September 2008 elections has provided no indications of any intention to create privacy protections.

It appears that, to date, no agency has ever had any substantive function that approximates to a privacy oversight role. In short, there is no form of privacy protection in Western Australia.

4. South Australia

South Australia is a State of c. 1 million (equivalent to France, Germany, Belgium and The Netherlands combined), most of it arid or semi-arid. It has a population of 1.5 million, over 70% of whom live in the capital city, Adelaide.

Unlike all other Australian states, South Australia was never a penal colony. It was proclaimed in 1836, and became self-governing in 1856. It became a State of the Commonwealth of Australia at federation in 1901.

The State has no generic privacy laws. Relevant laws are identified in APF (2010).

An old-fashioned Listening and Surveillance Devices Act has existed since 1972.

A Cabinet Administrative Instruction (SADPC 1989) established a set of Information Privacy Principles and requires agencies to comply. Although nominally binding, it is unclear by what means and by whom it could be enforced. A Privacy Committee of S.A. exists, under proclamation of Government. It is run out of the State Records Office, and appears to have no budget. Moreover, its primary function appears to be to approve exemptions to the non-statutory principles. It is unclear whether the Instruction applies to local government.

A Department of Health Code of Fair Information Practice exists (SADOH 2004), which embodies unspecified reductions in the protections declared in the Cabinet Instruction. The Code is derived from the National Privacy Principles (which were designed for the private sector), and it appears that it embodies unspecified reductions in the protections declared in the Cabinet Instruction. As with the Cabinet Instruction itself, it is unclear whether, how and by whom it could be enforced, particularly in relation to organisations that are not State government agencies and individuals who are not State government employees. A Department of Families and Communities Code appears to be identical to that of the Department of Health.

The effective position appears to be that there is no substantive privacy protection in South Australia.

5. Tasmania

Tasmania is an island State of c. 90,000 (much the same as Portugal, and twice the size of Switzerland). It has a population of close to 0.5 million, about 40% of whom live in the capital city, Hobart.

The first settlement by the British was in 1803, with around 75,000 convicts transported there between 1803 and 1853. Van Diemen's Land was proclaimed a separate colony from New South Wales in 1825. As Tasmania, it was self-governing from 1856. It became a State of the Commonwealth of Australia at federation in 1901.

Relevant laws are identified in APF (2010).

A Listening Devices Act was passed in 1991.

The Annulled Convictions Act dates from 2003, dealing with spent convictions.

The Personal Information Protection Act 2004 came into effect on 5 September 2005. It applies to the public and local government sectors and the University of Tasmania. The Act is a greatly weakened form of the OECD model. It did not create a statutory office responsible for privacy matters, nor did it assign such responsibilities to any existing agency.

A complaints-handling function was created, and assigned to the Ombudsman. (The practice in the State has been to consolidate all forms of review in the Ombudsman's Office, including FOI, police and health matters). The Ombudsman has no powers to enforce decisions. The privacy powers are not mentioned on the Ombudsman's home-page, mentions of privacy can only be found at deep levels on the site, there has been almost no mention of privacy in the Annual Reports, and there is virtually no substantive information on the site.

There is at best nominal privacy protection in Tasmania.

6. The Australian Capital Territory

The Australian Capital Territory (ACT) has an area of 2300, which is similar to Luxenbourg. It has a well-educated, high-income and highly urbanised population of 350,000.

It was formed in 1911, by transfer of the area from the State of N.S.W., in order to ensure that the national capital was in neither of the two large States. It had self-government imposed on it, despite the result of a plebiscite, by the Commonwealth Australian Capital Territory (Self-Government) Act 1988.

Relevant laws are identified in APF (2010).

The Territory chose to adopt the Commonwealth Privacy Act 1988. The authority for that is the Australian Capital Territory Government Service (Consequential Provisions) Act 1994 (which followed on from the 1988 Act that imposed self-government on the Territory). See in particular s. 23, Schedule 2 and Schedule 3.

Among other things, this allocates to the federal Privacy Commissioner the responsibility to perform the functions of an A.C.T. Privacy Commissioner. The Office of the Federal Privacy Commissioner is located in Sydney, however. For some years there was a small office in Canberra, but that is no longer the case, and it appears that the responsibility may be worn lightly:

A Memorandum of Understanding (MoU) is understood to exist between the ACT government and the OAPC - although it appears to be unpublished. Although the Office is supposed to perform the functions of an ACT Privacy Commissioner, there is only limited evidence of anything being done, and what little there is appears only within the Commissioner's Annual Reports. The arrangements will presumably survive the shift of the Privacy Commissioner to a subordinate role to the Information Commissioner; although the possibility of separate ACT legislation has been mooted.

In 1992, a Listening Devices Act was passed.

In 1997, the ACT enacted a Health Records (Privacy And Access) Act, which applies to organisations in both the public and private sectors. This provides A.C.T. residents with comprehensive information privacy rights in respect of all personal health information, held in both the public and the private sectors. See Waters (1998a). This legislation was in response to the Breen v. Williams case, which had established in the High Court of Australia in November 1995 that patients have no legal right to access to the records about them held by medical practitioners (Gaudin 1996).

In 2000, a Spent Convictions Act was passed.In 2004, the A.C.T. became the first - still of only two - jurisdictions in Australia that has enacted a Bill of Rights - the Human Rights Act. In s.12, the Act provides people with a right to not have their privacy, family, home or correspondence interfered with unlawfully or arbitrarily. The Act is administered by a Human Rights Commissioner (HRC) with a small staff. There is nothing on the HRC's site to suggest that privacy is seen as a significant element of its responsibilities. The law and the Office adopt the weakest possible approach to the protection of human rights, and they have to date had no visible impact on privacy protection in the Territory.

Within the A.C.T. Government, the primary responsibility for scrutiny of legislation for compliance with the Human Rights Act and the Privacy Act, and for advice on policy development, rests with the Department of Justice and Community Safety (JACS), and in particular the Human Rights Unit. The Unit advises that new legislation is scrutinised against the Human Rights Act, and this evaluation could reasonably be expected to extend privacy, including privacy of the person, personal behaviour and personal communications (Interview, 2007). On the other hand, this scrutiny appears to be internal dialogue within the A.C.T. public service, without public information and consultation.

7. The Northern Territory

The Northern Territory (NT) is c.1.4 million (about the same as Portugal, Spain, France and Germany combined), but is mostly desert or semi-desert. It has a population of 200,000, about one-third indigenous. About 50% of the population lives in the capital city, Darwin.

It was part of the colony of South Australia until 1901, after which it became a Territory of the Commonwealth of Australia. It was permitted and required to govern itself by the Northern Territory (Self-Government) Act 1978.

Relevant laws are identified in APF (2010).

On 22 April 1999, the Chief Minister of the Northern Territory issued a Ministerial Statement to the Legislative Assembly on Access to Information and Privacy. It said that he intended to introduce 'light touch' legislation to cover the Territory's public sector, and thereby complement the Commonwealth legislation.

In 2002, the Northern Territory implemented the Information Commissioner model, as a pragmatic approach to cost-minimisation in administering a tiny population scattered across a vast area. The architect of the Information Act 2002 had been deeply involved in the preparation of the Victorian Information Privacy Act, and the privacy aspects of the N.T. statute are accordingly a clean and practical application of the (now badly dated) OECD 1980 provisions. The Act created a single statutory post of Information Commissioner. The same appointee has since had added to their functions the role of Commissioner for Public Interest Disclosures (Whistleblowers).

Under s.160 of the Act, a review is required after 5 years. In 2010, the review was 3 years overdue, with no evidence of any review.


See the consolidated reference list for the complete series of papers.



Author Affiliations

Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., and a Visiting Professor in the Department of Computer Science at the Australian National University.

xamaxsmall.gif missing
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.

From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 50 million in early 2015.

Sponsored by Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916

Created: 7 August 2010 - Last Amended: 29 October 2010 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at
Mail to Webmaster   -    © Xamax Consultancy Pty Ltd, 1995-2017   -    Privacy Policy