Privacy Laws of the Australian States and Territories

© Xamax Consultancy Pty Ltd,  1995-2017

This document is a partner to pages on Privacy Laws of the Australian Commonwealth, and on International Instruments.


Introduction

Australia is a federation of 6 States and 2 Territories. A separate document provides access to federal laws, which are relevant to Commonwealth government agencies, and to some of the private sector throughout the country. This document provides access to the laws of those 8 jurisdictions relevant to privacy, under the headings below. If you're aware of errors or omissions, please tell me.


Generic Laws

A range of torts (civil wrongs) may apply in any and all States and Territories. They have potential applicability to some kinds of privacy issues. On the other hand, there appears to be very little case law, so the protections they offer may be theoretical rather than real.


N.S.W.

The primary legislation is:

In 2009-10, the climate appeared to change. Firstly, the Government Information (Public Access) Act 2009 replaced the old Freedom of Information Act 1989 with a new and very positive regime, and created the Office of the Information Commissioner (OIC). But it was, of course, a false dawn. In late 2010, the Privacy and Government Information Legislation Amendment Act 2010 combined the two Commissioners into the Information and Privacy Commission (IPC), with the Information Commissioner dominating to the extent of almost eclipsing the privacy function.

The dismal history of the Privacy Commissioner function is documented here.

There are of course many further laws that are relevant to various aspects of privacy.

The Crimes (Domestic and Personal Violence) Act (NSW) relates to:

The Crimes Act (NSW) s.60E criminalises assault, stalking, harassment or intimidation of any school student or member of staff of a school while at school.

The Surveillance Devices Act 2007 appears to have replaced the Listening Devices Act 1984.

A provision relevant to 'revenge porn', aka 'image-based abuse', i.e. non-consensual distribution of "intimate images", is in the offence of 'publishing an indecent article', under the Crimes Act (NSW) s.578C.

The Workplace Surveillance Act 2005 is a very weak instrument that essentially authorises overt surveillance, but does require a warrant for covert surveillance, and bans cameras in toilet facilities. This replaced the Workplace Video Surveillance Act 1998, which was mildly privacy-protective (and hence distasteful to employers).

The Criminal Records Act 1991, Part 2 of which relates to Spent Convictions.

The Telecommunications (Interception and Access) (New South Wales) Act 1987.

'Computer Crimes' are regulated by the NSW Crimes Act at ss. 308-308I. Here is a law firm's summary of 'computer offences' in NSW, some of which are relevant to privacy, in particular 'Access restricted data held in computer'.

This page provides a guide to laws relevant to "technology-facilitated stalking and abuse".

The Summary Offences Act ss.21G-H 2004-08 related to 'filming for indecent purposes', but this was repealed in 2008, and no replacement provision has come to light.

There's the Crimes (Forensic Procedures) Act 2000.

Also the Access to Neighbouring Land Act 2000, esp. s.16 and s.26.

There's the State Records Act 1998.

The Local Court of New South Wales Practice Note 1 of 2008 declares an Identity theft prevention and anonymisation policy, which contains policy and recommendations to magistrates on how to suppress personal details from judgments and transcripts to minimize risks of identity theft and to protect privacy.

Note that most agencies' governing statutes include provisions that intentionally or incidentally provide privacy protections.

Note that the common law includes features that intentionally or incidentally protect privacy, including dimensions of privacy other than information privacy.

Historical Notes:


Victoria

In 2006, Victoria became only the second Australian jurisdiction to provide nominal, but entirely unenforceable, protection of human rights in the form of the Charter of Human Rights and Responsibilities Act. It is unclear whether it has done anything at all to improve human rights.

Under s.13, "a person has the [unenforceable] right (a) not to have his or her privacy, family, home or correspondence unlawfully or arbitrarily interfered with; and (b) not to have his or her reputation unlawfully attacked". However, this provision has done nothing whatsoever to stem the tide of privacy-invasive behaviour.

The history of the Privacy Commissioner function, documented here, was positive from 1999 to 2012, but has since been destroyed by a wayward Premier.

The primary legislation is the Privacy Data and Protection Act 2014, assented to on 2 September 2014.
This retained the Information Privacy Principles, and may have the effect of generally increasing data security requirements. However the 2014 legislation considerably weakened the provisions of the repealed Information Privacy Act 2000, e.g.:

An emergent tort of invasion of privacy was heralded by a County Court decision, Jane Doe v ABC and ors [2007] VCC 281, mirrored here. The ABC reported a woman's name as part of a radio news item about the sentencing of her husband, who was convicted of her rape. The Judge found that the publication induced post traumatic stress disorder. But it appears that nothing's happened since.

The Personal Safety Intervention Orders Act (Vic) relates to Stalking, Harassment and other Forms of Threatening Behaviour.

This page provides a guide to laws relevant to "technology-facilitated stalking and abuse".

The Health Records Act 2001 includes a set of Health Privacy Principles. The Act appears to apply to any organisation that holds what people normally understand by the term 'health information', i.e. it is relevant to health care institutions, but also other organisations that handle 'health information'. It is, however, highly permissive of personal data use and disclosure. And the Health Care Complaints Commissioner has been studiously useless on privacy matters. Additional information may be found on the site of the Health Services Commissioner.

There is a modern statute regulating devices that enable surveillance, including listening devices, optical surveillance devices, tracking devices and data surveillance devices – the Surveillance Devices Act 1999.

A provision relevant to 'revenge porn', aka 'image-based abuse', i.e. non-consensual distribution of "intimate images", is in the Summary Offences Act (Vic) ss.40-41DB.

There is a Freedom of Information Act 1982.

There is a Public Records Act 1973.

And a Telecommunications (Interception) (State Provisions) Act 1988.

There is no spent convictions law. For what it may be worth, there is a Victoria Police Records Information Release Policy.

Note that most agencies' governing statutes include provisions that intentionally or incidentally provide privacy protections.

Note that the common law includes features that intentionally or incidentally protect privacy, including dimensions of privacy other than information privacy.


Queensland

The primary legislation is the Information Privacy Act 2009.

The pretty dismal history of the Privacy Commissioner function is documented here.

The Office of the Information Commissioner has existed since 2005, although the first appointment was made only 4 years later, on 30 July 2009. Shortly afterwards, the Right to Information Act 2009 rescinded the old Freedom of Information Act 1992.

It took until May 2010 for a Privacy Commissioner to be appointed, subordinate to the Information Commissioner. After the first, independent Privacy Commissioner declined to be dominated by the Information Commissioner, the post has since been occupied by career public servants on short-term appointments. The message is abundantly clear: the Privacy Commissioner's job is to protect the public service, not the public.

The OIC's web-site provides official guidance in relation to the Act.

The Domestic and Family Violence Protection Act (Qld) relates to Stalking, Harassment and other Forms of Threatening Behaviour.

This page provides a guide to laws relevant to "technology-facilitated stalking and abuse".

In 2005, s.227A-227C of the Criminal Code was inserted, to regulate 'observations or [visual] recordings in breach of privacy'. Guidance is provided in the Queensland Courts Bench Handbook (see items 131A.1, 2, 3).

There's a Public Records Act 2002.

The Criminal Law (Rehabilitation of Offenders) Act 1986 deals with spent convictions.

There appears to be no prohibition on surveillance devices generally, although police use is authorised and regulated by the Police Powers and Responsibilities Act ss. 321-364.

The Invasion of Privacy Act 1971 for some years contained provisions relating to credit reporting, long since repealed. It continues to address the following:

The Police Powers and Responsibilities Act (Qld) includes ss.211-220, dealing with Covert Evidence Gathering Powers.

The state's Telecommunications Interception Act 2009 was passed quite late, and has yet to be updated to the satisfaction of federal national security agencies.

Note that most agencies' governing statutes include provisions that intentionally or incidentally provide privacy protections.

Note that the common law includes features that intentionally or incidentally protect privacy, including dimensions of privacy other than information privacy.

Note too that Queensland is the only jurisdiction in Australia that has unequivocally recognised the existence of a tort of invasion of privacy, albeit only at the level of the District Court, in Grosse v Purvis [2003] QDC 151.

Some History:


Western Australia

No data privacy laws of any significance appear to be in place.

To the extent that there's any history of privacy oversight in WA, it's documented here.

An election commitment resulted in the release of a discussion paper in 2003, but nothing more. Privacy went unmentioned during election campaigns such as those in early 2005 and 2017. The Attorney-General tabled an extremely weak Information Privacy Bill in March 2007, but a series of scandals relating to Brian Burke's influence in Government have slowed everything down since then.

A document exists called the 'Policy Framework and Standards for Information Sharing Between Government Agencies' (January 2003). It appears to be essentially permissive of whatever arrangements agencies choose to make, has not been revised, even to reflect the demise of the Clth NPPs, and is in any case unenforceable.

The Restraining Orders Act (WA) relates to Stalking, Harassment and other Forms of Threatening Behaviour.

This page provides a guide to laws relevant to "technology-facilitated stalking and abuse".

A law exists that places some (but somewhat vague) constraints on the use of devices that enable surveillance, including listening devices, optical surveillance devices, tracking devices and data surveillance devices: Surveillance Devices Act 1998.

There's a Freedom of Information Act 1992.

There's a State Records Act 2000.

There's a Spent Convictions Act 1988.

There's a Telecommunications (Interception and Access) Western Australia Act 1996.

Note that most agencies' governing statutes include provisions that intentionally or incidentally provide privacy protections.

Note that the common law includes features that intentionally or incidentally protect privacy, including dimensions of privacy other than information privacy.


South Australia

No privacy laws of any significance are in place.

To the extent that there's any history of privacy oversight in SA, it's documented here.

A Cabinet Administrative Instruction (No. 12, of 1983?/1989/1992/2009/2013/2016) exists. It appears to have limited impact. It also changes location from time to time, presumably thanks to the incompetence of the web-site administrators rather than an actual intention to hide it.

A Privacy Committee of S.A. exists, but it's unclear whether it actually does anything other than approve exemptions to the non-statutory principles. It's even unclear whether the Administrative Instruction applies to local government. The URL for this phantom is also unreliable.

During 2013-14, the SA Law Reform Institute conducted an Inquiry into a statutory cause of action for invasion of privacy. Here's the Institute's Issues Paper.

The Intervention Orders (Prevention of Abuse) Act (SA) relates to Stalking, Harassment and other Forms of Threatening Behaviour.

This page provides a guide to laws relevant to "technology-facilitated stalking and abuse".

There's a Listening and Surveillance Devices Act 1972 (which is really only a Listening Devices Act, despite the name-change in 2001).

A provision relevant to 'revenge porn', aka 'image-based abuse', i.e. non-consensual distribution of 'intimate images', was inserted in the Summary Offences Act (SA) s.26DA in 2016. It relates to threats "to distribute an invasive image of a person [which is very broadly defined]" with the intention of arousing "a fear that the threat will be, or is likely to be, carried out, or is recklessly indifferent as to whether such a fear is aroused". This may, intentionally or not, extend to 'sexting'.

And a (badly dated?) Telecommunications (Interception) Act 1988.

A Spent Convictions Act 2009 has been in force since 2011.
An earlier Discussion Paper released on 5 May 2004 has disappeared from the Web.

There's a Freedom of Information Act 1991.

And a State Records Act 1997.

Note that most agencies' governing statutes include provisions that intentionally or incidentally provide privacy protections.

Note that the common law includes features that intentionally or incidentally protect privacy, including dimensions of privacy other than information privacy.


Tasmania

The dismal history of privacy oversight in Tasmania is documented here.

Until September 2005, no privacy laws of any significance were in place. A mere set of Information Privacy Principles existed.

The very weak Personal Information Protection Act 2004 commenced on 5 September 2005. It establishes a set of 10 Personal Information Protection Principles (PIPPs). They apply to Tasmanian government agencies, but with many exemptions and exceptions.

The Act empowers the Ombudsman to manage complaints. But the Ombudsman's web-site doesn't even mention privacy, and anyway the outcomes of complaints are unenforceable. It appears that this piece of legislation has not improved the privacy of Tasmanians in the slightest.

There's a Right to Information Act 2009, which repealed the Freedom of Information Act 1991.

This page provides a guide to laws relevant to "technology-facilitated stalking and abuse".

There's a Listening Devices Act 1991 and Regulations 1992.

And a Telecommunications (Interception) Tasmania Act 1999.

And an Archives Act 1983.

The Annulled Convictions Act 2003 deals with spent convictions.

Note that most agencies' governing statutes include provisions that intentionally or incidentally provide privacy protections.

Note that the common law includes features that intentionally or incidentally protect privacy, including dimensions of privacy other than information privacy.


A.C.T.

The dismal history of privacy oversight in the ACT is documented here.

The A.C.T. nominally provides people with a right not to have their privacy, family, home or correspondence interfered with unlawfully or arbitrarily (s.12 of the Human Rights Act 2004). This was the first such statute in Australian jurisdictions. Unfortunately, the Human Rights Commissioner has had higher priorities, and it's not apparent that she has acted on, or even noticed, the privacy aspect of human rights. In any case, in breach of the legislature's obligations under the ICCPR, the provisions are completely unenforceable, i.e. it mumbles the words in ICCPR Art.17.1, but doesn't implement the critical Art.17.2.

(This pseudo-protection was then copied by Victoria. It's worse than no law at all, because it provides the appearance of human rights protections, and hence shields the public service and politicians from criticisms and enables the public service to get on with business in whatever way they like).

The Information Privacy Act 2014 has been in effect since 1 September 2014, although few people seem to have noticed. This adopts most of the Commonwealth APPs, and appears to have been modelled after the Clth law. But the ACT Government didn't bother to hold any consultations, so who'd know?

The Act is administered by the ACT Justice and Community Safety Directorate. Yet it appears that the agency's web-site has absolutely nothing on it about privacy, even under human rights. The Australian Privacy Commissioner exercises some of the functions of the ACT Information Privacy Commissioner. The Privacy Commissioner provides an information page. That's been the case since 1994, but it's not apparent that it's made any difference whatsoever to privacy in the ACT.

There's an A.C.T. Health Records (Privacy And Access) Act 1997, which appears to be a positive piece of legislation.

The Personal Violence Act (ACT) relates to Stalking, Harassment and other Forms of Threatening Behaviour.

This page provides a guide to laws relevant to "technology-facilitated stalking and abuse".

There's an ancient Listening Devices Act 1992. It's never been upgraded to a Surveillance Devices Act, despite multiple problems occurring in the ACT. (The Crimes (Surveillance Devices) Act merely specifies how law enforcement agencies get warrants).

There's a Workplace Privacy Act 2011. It's another privacy-abusive instrument, in that its essential function is to authorise surveillance in the workplace, but it was given a title that makes it appear to be privacy-protective.

The Territory has a Freedom of Information Act 2016, which replaced an Ordinance, then Act, which dated back to 1989 and the Clth Act of 1982.

And a Territory Records Act 2002.

And a Spent Convictions Act 2000.

Note that agencies may have governing statutes that include provisions that intentionally or incidentally provide privacy protections.

Note that the common law includes features that intentionally or incidentally protect privacy, including dimensions of privacy other than information privacy.

Historical entry:


Northern Territory

As befits a small jurisdiction, there is a combined FOI and privacy instrument called the Information Act 2002 (passed 8 November 2002). Among many other things, this created an Information Commissioner. Additional information may be found on the site of the N.T. Information Commissioner.

The history of privacy oversight in the NT is documented here.

Note that the NT government's own links may be broken, at any time, by the next incompetent who re-organises the government's web-sites without a skerrick of professionalism and without any sense of service to the community. (Fortunately, the statutes are now more reliably accessible on the AustLII site).

The Domestic and Family Violence Act (NT) relates to Stalking, Harassment and other Forms of Threatening Behaviour.

This page provides a guide to laws relevant to "technology-facilitated stalking and abuse".

There's a modern statute regulating devices that enable surveillance, including listening devices, optical surveillance devices, tracking devices and data surveillance devices. See the Surveillance Devices Act 2000.

There's a Telecommunications (Interception) Northern Territory Act 2001.

There's a Criminal Records (Spent Convictions) Act 1992.

Note that most agencies' governing statutes include provisions that intentionally or incidentally provide privacy protections.

Note that the common law includes features that intentionally or incidentally protect privacy, including dimensions of privacy other than information privacy.


Other Resources

The Office of the Federal Privacy Commissioner has at times provided some information relating to State Privacy Laws, which may disappear from time to time due to incompetent web-site management.

Andrew Nemeth provides a site on NSW Photo Rights, incl. privacy

Two papers on history and issues, Clarke (1998a-) and Clarke (1998b-)

AustLII's Australian Subject-Index for Privacy

Greenleaf G.W. & Waters N. (Eds.) (1994-2006) 'Privacy Law & Policy Reporter', monthly, available from http://www.austlii.edu.au/au/journals/PLPR/

Hughes G. (1991) 'Data Protection Law in Australia', Law Book Company, 1991



The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.

From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 50 million in early 2015.


Created: 31 May 2000 - Last Amended: 1 April 2017 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at www.rogerclarke.com/DV/PLawsST.html