Privacy Laws of the Australian States and Territories © Xamax Consultancy Pty Ltd,  1995-2024
HOME	eBusiness	Information Infrastructure	Dataveillance & Privacy	Identity Matters	Other Topics
What's New		Waltzing Matilda	Advanced Site-Search

This document is a partner to pages on Privacy Laws of the Australian Commonwealth, and on International Instruments

Introduction

Australia is a federation of 6 States and 2 Territories. A separate document provides access to federal laws, which are relevant to Commonwealth government agencies, and to some of the private sector throughout the country. This document provides access to the laws of those 8 jurisdictions relevant to privacy, under the headings below. If you're aware of errors or omissions, please tell me.

• Generic Laws
• N.S.W.
• Victoria
• Queensland
• Western Australia
• South Australia
• Tasmania
• A.C.T.
• Northern Territory

Generic Laws

A range of torts (civil wrongs) may apply in any and all States and Territories. They have potential applicability to some kinds of privacy issues. On the other hand, there appears to be very little case law, so the protections they offer may be theoretical rather than real.

• Interference with Location
  • the tort of Trespass to Land (unauthorised entry to real estate of which the person is the lawful occupant)
  • the tort of Nuisance (interference with a lawful occupant's quiet enjoyment of their property)
• Interference with a Person
  • the tort of Trespass to the Person (an act that has a 'direct' and 'substantial' interference with personal autonomy). Intent is not necessary
  • the tort of False Imprisonment (restriction in a person's movement within any area without justification or consent, with or without actual physical restraint)
  • the tort of Obstruction (interference with a person's freedom of movement or action)
  • the tort of Assault (an act intended to cause the reasonable apprehension of an immediate harmful or offensive contact).This is likely to be applicable to serious instances of bullying
• Interference with a Person's Emotional State
  • recently-emerged actions relating to the generation of anxiety in a person, through such actions as stalking, and perhaps harassment, pursuit and stake-out, and even offence and insult, at least where race is involved

---

N.S.W.

The primary legislation is:

• Privacy and Personal Information Protection Act 1998 (PPIPA)
• Health Records and Information Privacy Act 2002 (HRIP)

In 2009-10, the climate appeared to change. Firstly, the Government Information (Public Access) Act 2009 replaced the old Freedom of Information Act 1989 with a new and very positive regime, and created the Office of the Information Commissioner (OIC). But it was, of course, a false dawn. In late 2010, the Privacy and Government Information Legislation Amendment Act 2010 combined the two Commissioners into the Information and Privacy Commission (IPC), with the Information Commissioner dominating to the extent of almost eclipsing the privacy function.

The dismal history of the Privacy Commissioner function is documented here.

There are of course many further laws that are relevant to various aspects of privacy.

The Crimes (Domestic and Personal Violence) Act (NSW) relates to:

• Stalking (generally regarded as referring to persistent unwanted communications, approaches, pursuit and/or monitoring that creates apprehension or fear; or a course of conduct with the intention of causing physical or mental harm, or of arousing apprehension or fear for personal safety, including contacting, tracing, entering or loitering, keeping under surveillance)
• Harassment (generally regarded as a course of conduct that is demeaning, derogatory or intimidating)
• other forms of threatening behaviour

The Crimes Act (NSW) s.60E criminalises assault, stalking, harassment or intimidation of any school student or member of staff of a school while at school.

The Surveillance Devices Act 2007 appears to have replaced the Listening Devices Act 1984.

A provision relevant to 'revenge porn', aka 'image-based abuse', i.e. non-consensual distribution of "intimate images", is in the offence of 'publishing an indecent article', under the Crimes Act (NSW) s.578C.

The Workplace Surveillance Act 2005 is a very weak instrument that essentially authorises overt surveillance, but does require a warrant for covert surveillance, and bans cameras in toilet facilities. This replaced the Workplace Video Surveillance Act 1998, which was mildly privacy-protective (and hence distasteful to employers)

The Criminal Records Act 1991, Part 2 of which relates to Spent Convictions.

The Telecommunications (Interception and Access) (New South Wales) Act 1987.

'Computer Crimes' are regulated by the NSW Crimes Act at ss. 308-308I. Here is a law firm's summary of 'computer offences' in NSW, some of which are relevant to privacy, in particular 'Access restricted data held in computer'.

This page provides a guide to laws relevant to "technology-facilitated stalking and abuse".

The Summary Offences Act ss.21G-H 2004-08 related to 'filming for indecent purposes', but this was repealed in 2008, and no replacement provision has come to light.

There's the Crimes (Forensic Procedures) Act 2000.

Also the Access to Neighbouring Land Act 2000, esp. s.16 and s.26.

There's the State Records Act 1998.

The Local Court of New South Wales Practice Note 1 of 2008 declares an Identity theft prevention and anonymisation policy, which contains policy and recommendations to magistrates on how to suppress personal details from judgments and transcripts to minimize risks of identity theft and to protect privacy.

Note that most agencies' governing statutes include provisions that intentionally or incidentally provide privacy protections

Note that the common law includes features that intentionally or incidentally protect privacy, including dimensions of privacy other than information privacy

Historical Notes:

• 1975-98. Following Attorney-General John Madison's reference and Prof. Bill Morison's 1973 Report, NSW adopted a novel and practical approach to learning about all dimensions of privacy through the NSW Privacy Committee Act 1975. But momentum was lost, and successive NSW Governments were privacy-hostile. The Act was rescinded in 1998
• 1998-2011. The Committee was replaced with the NSW Privacy Commissioner's Office. It did not suit the NSW public service, and its protector, the Attorney-General's Department chief executive, Murray Glanfield, to have a part of the bureaucracy getting in the way. So it was by design, narrow, under-powered and under-resourced, with a 1-day-per-week Commissioner for a population of 7 million
• 2002-11. Privacy NSW was under outright assault by Governments for an extended period, with the Premier (Carr) seeking to fold the Privacy Commissioner's Office in beneath the Ombudsman's Office. Having failed to get that through a hostile upper house, Carr and his successors appointed Commissioners-of-convenience on rolling short-term contracts (variously the retired Chief Censor and a retired Chair of the Health Care Complaints Commission), and starved the Office of resources to the point of all-but closing it down
• 2011-. Privacy NSW was folded inside a new bureaucracy first called the Information Commissioner's Office (ICO), then the Information and Privacy Commissioner's office (IPC). The Privacy Commissioner remained part-time, and with minimal resources, and hence was all-but invisible. The Deputy Commissioner was summarily retrenched after providing evidence in a court-case that displeased the then Premier, O'Farrell. Updates to the farce that is NSW Privacy are here.

Victoria

In 2006, Victoria became only the second Australian jurisdiction to provide nominal, but entirely unenforceable, protection of human rights in the form of the Charter of Human Rights and Responsibilities Act. It is unclear whether it has done anything at all to improve human rights.

Under s.13, "a person has the [unenforceable] right (a) not to have his or her privacy, family, home or correspondence unlawfully or arbitrarily interfered with; and (b) not to have his or her reputation unlawfully attacked". However, this provision has done nothing whatsoever to stem the tide of privacy-invasive behaviour

The history of the Privacy Commissioner function, documented here, was positive from 1999 to 2012, but was since been destroyed by a Premier whose behaviour could be most charitably described as wayward and wilful, although venal, immoral and quite possibly corrupt are tenable alternatives. The Privacy Commissioner was removed from office in 2017, because he dared to conduct an investigation into behaviour in the Premier's Office. The role was downgraded into a junior position, called Privacy and Data Protection Commissioner, but beneath an Information Commissioner. This kind of downgrading has now been successfully imposed by the public services of the three States that have a Privacy Commissioner role – NSW, Qld and Vic – ensuring that privacy protection is accorded lower priority than the protection of privacy-abusive practices by government agencies. (Much the same approach was adopted at Commonwealth level, but it was unnecessary because the Privacy Commissioner was already a compliant apparatchik, and the Information Commissioner role was later de-funded).

The original legislation was the Information Privacy Act 2000 (Vic). It was an orthodox and not especially powerful statute. (Declaration: I was a member of the Victorian Data Protection Advisory Council, 1995-97, which drafted the Bill). It was rescinded in 2014 by the Privacy Data and Protection Act 2014, retaining the Information Privacy Principles, and perhaps increasing data security requirements. However this legislation considerably weakened the provisions of the repealed Act, e.g.:

• by enabling agencies to apply to the Privacy Commissioner to ratchet down the protections in three different ways:
  • by issuing a Public Interest Determination
  • by approving an 'information usage arrangement'
  • by issuing a 'current certificate' to the effect that a particular practice is legal
• by greatly increasing the range of agencies that come under the 'law enforcement' exemption
• by exempting Parliamentary Committees from the IPPs
• by merging two full-time posts into one. They were the Privacy Commissioner and the Commissioner for Law Enforcement Data Security. (The creation of CLEDS 8 years earlier, in 2006, had been a response to continual leakages from police law enforcement databases)
• by merging the Offices of the Victorian Privacy Commissioner and the CLEDS, and reducing the staff-count
• by requiring a considerable proportion of the new Office's resources to be applied to security matters unrelated to privacy protection

Several years later, the Premier was enraged by the Privacy Commissioner's investigation into the Premier's own Office, and sought a way to rid himself of the statutory appointee. This was achieved in the Freedom of Information Amendment (Office of the Victorian Information Commissioner) Act 2017, which established the Information Commissioner, and disestablished and re-created the Privacy and Data Protection Commissioner role, but now as a subservient position.

An emergent tort of invasion of privacy was heralded by a County Court decision, Jane Doe v ABC and ors [2007] VCC 281, mirrored here. The ABC reported a woman's name as part of a radio news item about the sentencing of her husband, who was convicted of her rape. The Judge found that that the publication induced post traumatic stress disorder. But it appears that nothing's happened since.

The Personal Safety Intervention Orders Act (Vic) relates to Stalking, Harassment and other Forms of Threatening Behaviour.

This page provides a guide to laws relevant to "technology-facilitated stalking and abuse".

The Health Records Act 2001 includes a set of Health Privacy Principles. The Act appears to apply to any organisation that holds what people normally understand by the term 'health information', i.e. it is relevant to health care institutions, but also other organisations that handle 'health information. It is, however, highly permissive of personal data use and disclosure. And the Health Care Complaints Commissioner has been studiously useless on privacy matters. Additional information may be found on the site of the Health Services Commissioner.

There is a modern statute regulating devices that enable surveillance, including listening devices, optical surveillance devices, tracking devices and data surveillance devices – the Surveillance Devices Act 1999.

A provision relevant to 'revenge porn', aka 'image-based abuse', i.e. non-consensual distribution of "intimate images", is in the Summary Offences Act (Vic) ss.40-41DB.

There is a Freedom of Information Act 1982.

There is a Public Records Act 1973.

And a Telecommunications (Interception) (State Provisions) Act 1988.

There is no spent convictions law. For what it may be worth, there is a Victoria Police Records Information Release Policy.

Note that most agencies' governing statutes include provisions that intentionally or incidentally provide privacy protections

Note that the common law includes features that intentionally or incidentally protect privacy, including dimensions of privacy other than information privacy

Queensland

The primary legislation is the Information Privacy Act 2009

The pretty dismal history of the Privacy Commissioner function is documented here.

The Office of the Information Commissioner has existed since 2005, although the first appointment was made only 4 years later, on 30 July 2009. Shortly afterwards, the Right to Information Act 2009 rescinded the old Freedom of Information Act 1992.

It took until May 2010 for a Privacy Commissioner to be appointed, subordinate to the Information Commissioner. After the first, independent Privacy Commissioner declined to be dominated by the Information Commissioner, the post has since been occupied by career public servants on short-term appointments. The message is abundantly clear: the Privacy Commissioner's job is to protect the public service, not the public.

The OIC's web-site provides official guidance in relation to the Act.

The Domestic and Family Violence Protection Act (Qld) relates to Stalking, Harassment and other Forms of Threatening Behaviour.

This page provides a guide to laws relevant to "technology-facilitated stalking and abuse".

In 2005, s.227A-227C of the Criminal Code was inserted, to regulate 'observations or [visual] recordings in breach of privacy'. Guidance is provided in the Queensland Courts Bench Handbook (see items 131A.1, 2, 3).

There's a Public Records Act 2002.

The Criminal Law (Rehabilitation of Offenders) Act 1986 deals with spent convictions.

There appears to be no prohibition on surveillance devices generally, although police use is authorised and regulated by the Police Powers and Responsibilities Act ss. 321-364.

The Invasion of Privacy Act 1971 for some years contained provisions relating to credit reporting, long since repealed. It continues to address the following:

• Listening Devices ss.41-48
• Inspectors ss.5-7
• Invasion of the privacy of the home s.48A

The Police Powers and Responsibilities Act (Qld) includes ss.211-220, dealing with Covert Evidence Gathering Powers

The state's Telecommunications Interception Act 2009 was passed quite late, and has yet to be updated to the satisfaction of federal national security agencies.

Note that most agencies' governing statutes include provisions that intentionally or incidentally provide privacy protections.

Note that the common law includes features that intentionally or incidentally protect privacy, including dimensions of privacy other than information privacy.

Note too that Queensland is the only jurisdiction in Australia that has unequivocally recognised the existence of a tort of invasion of privacy, albeit only at the level of the District Court, in Grosse v Purvis [2003] QDC 151.

Some History:

• It took a very long time for the privacy law to be enacted.
• A Parliamentary report was tabled in April 1998, but to no effect.
• An unenforceable privacy code existed from 2001 to 2009, with limited impact. It was published as State Government Standard No. 42 (Sep 2001) with a special one – Standard No. 42A – for the Qld Dept of Health. None of the intended periodic reviews appears to have ever occurred (and the webmaster broke the link every time they reorganised the site). I'm unclear whether the Standards lapsed with the passage of the Act or remain in place
• In June 2008, the Solomon Report on the Right to Information made recommendations about both FOI and privacy. In December 2008, the Government invited submissions by 31 March 2009 in relation to a package of Bills and Regs (mirrors at 1, 2, 3 and 4). An election intervened in March 2009.
• The Bills were passed in June 2009, however, and came into force on 1 July 2009. The FOI law is the Right to Information Act 2009 and Regulation

Western Australia

No data privacy laws of any significance appear to be in place.

To the extent that there's any history of privacy oversight in WA, it's documented here.

An election commitment resulted in the release of a discussion paper in 2003, but nothing more. Privacy went unmentioned during election campaigns such as those in early 2005 and 2017. The Attorney-General tabled an extremely weak Information Privacy Bill in March 2007, but a series of scandals relating to Brian Burke's influence in Government have slowed everything down since then.

A document exists called the 'Policy Framework and Standards for Information Sharing Between Government Agencies' (January 2003). It appears to be essentially permissive of whatever arrangements agencies choose to make, has not been revised, even to reflect the demise of the Clth NPPs, and is in any case unenforceable.

The Restraining Orders Act (WA) relates to Stalking, Harassment and other Forms of Threatening Behaviour.

This page provides a guide to laws relevant to "technology-facilitated stalking and abuse".

A law exists that places some (but somewhat vague) constraints on the use of devices that enable surveillance, including listening devices, optical surveillance devices, tracking devices and data surveillance devices: Surveillance Devices Act 1998.

There's a Freedom of Information Act 1992.

There's a State Records Act 2000.

There's a Spent Convictions Act 1988.

There's a Telecommunications (Interception and Access) Western Australia Act 1996.

Note that most agencies' governing statutes include provisions that intentionally or incidentally provide privacy protections.

Note that the common law includes features that intentionally or incidentally protect privacy, including dimensions of privacy other than information privacy.

South Australia

No privacy laws of any significance are in place.

To the extent that there's any history of privacy oversight in SA, it's documented here.

A Cabinet Administrative Instruction (No. 12, of 1983?/1989/1992/2009/2013/2016) exists. It appears to have limited impact. It also changes location from time to time, presumably thanks to the incompetence of the web-site administrators rather than an actual intention to hide it.

A Privacy Committee of S.A. exists, but it's unclear whether it actually does anything other than approve exemptions to the non-statutory principles. It's even unclear whether the Administrative Instruction applies to local government. The URL for this phantom is also unreliable.

During 2013-14, the SA Law Reform Institute conducted an Inquiry into a statutory cause of action for invasion of privacy. Here's the Institute's Issues Paper.

The Intervention Orders (Prevention of Abuse) Act (SA) relates to Stalking, Harassment and other Forms of Threatening Behaviour.

This page provides a guide to laws relevant to "technology-facilitated stalking and abuse".

There's a Listening and Surveillance Devices Act 1972 (which is really only a Listening Devices Act, despite the name-change in 2001).

A provision relevant to 'revenge porn', aka 'image-based abuse', i.e. non-consensual distribution of 'intimate images', was inserted in the Summary Offences Act (SA) s.26DA in 2016. It relates to threats "to distribute an invasive image of a person [which is very broadly defined]" with the intention of arousing "a fear that the threat will be, or is likely to be, carried out, or is recklessly indifferent as to whether such a fear is aroused" . This may, intentionally or not, extend to 'sexting'.

And a (badly dated?) Telecommunications (Interception) Act 1988.

A Spent Convictions Act 2009 has been in force since 2011.
An earlier Discussion Paper released on 5 May 2004 has disappeared from the Web.

There's a Freedom of Information Act 1991.

And a State Records Act 1997.

Note that most agencies' governing statutes include provisions that intentionally or incidentally provide privacy protections.

Note that the common law includes features that intentionally or incidentally protect privacy, including dimensions of privacy other than information privacy.

Tasmania

The dismal history of privacy oversight in Tasmania is documented here.

Until September 2005, no privacy laws of any significance were in place. A mere set of Information Privacy Principles existed.

The very weak Personal Information Protection Act 2004 commenced on 5 September 2005. It establishes a set of 10 Personal Information Protection Principles (PIPPs). They apply to Tasmanian government agencies, but with many exemptions and exceptions.

The Act empowers the Ombudsman to manage complaints. But the Ombudsman's web-site doesn't even mention privacy, and anyway the outcomes of complaints are unenforceable. It appears that this piece of legislation has not improved the privacy of Tasmanians in the slightest.

There's a Right to Information Act 2009, which repealed the Freedom of Information Act 1991.

This page provides a guide to laws relevant to "technology-facilitated stalking and abuse".

There's a Listening Devices Act 1991 and Regulations 1992.

And a Telecommunications (Interception) Tasmania Act 1999.

And an Archives Act 1983.

The Annulled Convictions Act 2003 deals with spent convictions.

Note that most agencies' governing statutes include provisions that intentionally or incidentally provide privacy protections.

Note that the common law includes features that intentionally or incidentally protect privacy, including dimensions of privacy other than information privacy.

A.C.T.

The dismal history of privacy oversight in the ACT is documented here.

The A.C.T. nominally provides people with a right to not to have their privacy, family, home or correspondence interfered with unlawfully or arbitrarily (s.12 of the Human Rights Act 2004). This was the first such statute in Australian jurisdictions. Unfortunately, the Human Rights Commissioner has had higher priorities, and it's not apparent that she has acted on, or even noticed, the privacy aspect of human rights. In any case, in breach of the legislature's obligations under the ICCPR, the provisions are completely unenforceable, i.e. it mumbles the words in ICCPR Art.17.1, but doesn't implement the critical Art.17.2.

(This pseudo-protection was then copied by Victoria. It's worse than no law at all, because it provides the appearance of human rights protections, and hence shields the public service and politicians from criticisms and enables the public service to get on with business in whatever way they like).

The Information Privacy Act 2014, has been in effect since 1 September 2014, although few people seem to have noticed. This adopts most of the Commonwealth APPs, and appears to have been modelled after the Clth law. But the ACT Government didn't bother to hold any consultations, so who'd know?

The Act is administered by the ACT Justice and Community Safety Directorate. Yet it appears that the agency's web-site has absolutely nothing on it about privacy, even under human rights. The Australian Privacy Commissioner exercises some of the functions of the ACT Information Privacy Commissioner. The Privacy Commissioner provides an information page. That's been the case since 1994, but it's not apparent that it's made any difference whatsoever to privacy in the ACT.

There's an A.C.T. Health Records (Privacy And Access) Act 1997, which appears to be a positive piece of legilsation.

The Personal Violence Act (ACT) relates to Stalking, Harassment and other Forms of Threatening Behaviour.

This page provides a guide top laws relevant to "technology-facilitated stalking and abuse".

There's an ancient Listening Devices Act 1992. It's never been upgraded to a Surveillance Devices Act, despite multiple problems occurring in the ACT. (The Crimes (Surveillance Devices) Act merely specifies how law enforcement agencies get warrants).

There's a Workplace Privacy Act 2011. It's another privacy-abusive instrument, in that its essential function is to authorise surveillance in the workplace, but it was given a title that makes it appear to be privacy-protective.

The Territory has a Freedom of Information Act 2016, which replaced an Ordinance, then Act, which dated back to 1989 and the Clth Act of 1982.

And a Territory Records Act 2002.

And a Spent Convictions Act 2000.

Note that agencies may have governing statutes that include provisions that intentionally or incidentally provide privacy protections.

Note that the common law includes features that intentionally or incidentally protect privacy, including dimensions of privacy other than information privacy.

Historical entry:

• From 1995 until 2014, the Territory chose to adopt the Commonwealth Privacy Act 1988. As a result, the Office of the Federal Privacy Commissioner was supposed to perform the functions of an A.C.T. Privacy Commissioner. The authority for that is the Australian Capital Territory Government Service (Consequential Provisions) Act 1994 (which followed on from the 1988 Act that imposed self-government on the Territory), in particular s.23, Schedule 2 and Schedule 3. Unfortunately, it was very difficult to find any evidence of this actually having meant anything at all in practice

Northern Territory

As befits a small jurisdicition, there is a combined FOI and privacy instrument called the Information Act 2002 (passed 8 November 2002). Among many other things, this created an Information Commissioner. Additional information may be found on the site of the N.T. Information Commissioner.

The history of privacy oversight in the NT is documented here.

Note that the NT government's own links may be broken, at any time, by the next incompetent who re-organises the government's web-sites without a skerrick of professionalism and without any sense of service to the community. (Fortunately, the statutes are now more reliably accessible on the AustLII site).

The Domestic and Family Violence Act (NT) relates to Stalking, Harassment and other Forms of Threatening Behaviour.

This page provides a guide to laws relevant to "technology-facilitated stalking and abuse".

There's a modern statute regulating devices that enable surveillance, including listening devices, optical surveillance devices, tracking devices and data surveillance devices. See the Surveillance Devices Act 2000.

There's a Telecommunications (Interception) Northern Territory Act 2001.

There's a Criminal Records (Spent Convictions) Act 1992.

Note that most agencies' governing statutes include provisions that intentionally or incidentally provide privacy protections.

Note that the common law includes features that intentionally or incidentally protect privacy, including dimensions of privacy other than information privacy.

Other Resources

The Office of the Federal Privacy Commissioner has at times provided some information relating to State Privacy Laws, which may disappear from time to time due to incompetent web-site management.

Andrew Nemeth provides a site on NSW Photo Rights, incl. privacy

Two papers on history and issues, Clarke (1998a-) and Clarke (1998b-)

AustLII's Australian Subject-Index for Privacy

Greenleaf G.W. & Waters N. (Eds.) (1994-2006) 'Privacy Law & Policy Reporter', monthly, available from http://www.austlii.edu.au/au/journals/PLPR/

Hughes G. (1991) 'Data Protection Law in Australia', Law Book Company, 1991

The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax. From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 65 million in early 2021. Sponsored by the Gallery, Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer

Xamax Consultancy Pty Ltd ACN: 002 360 456 78 Sidaway St, Chapman ACT 2611 AUSTRALIA Tel: +61 2 6288 6916

Created: 31 May 2000 - Last Amended: 20 October 2018 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at www.rogerclarke.com/DV/PLawsST.html
Mail to Webmaster   -    © Xamax Consultancy Pty Ltd, 1995-2022   -    Privacy Policy