IT Advocate: The privacy minefield

There are significant differences between state and federal privacy legislation. CIOs who deal with government agencies or other public sector organisations must determine the privacy laws applicable to them – and how best to accommodate them.

New South Wales

The Privacy and Personal Information Protection Act 1998 (NSW) sets out how NSW public sector agencies (State government departments and statutory authorities, and all local and county councils in NSW, but not state owned corporations) must manage personal information.

Further, the Health Records and Information Privacy Act 2002 (NSW) governs the handling of health information in both the private and public sectors in NSW by imposing 15 Health Privacy Principles. A private sector organisation must comply with both the Health Records and Information Privacy Act and the private sector provisions of the Privacy Act 1988 (Cth) concurrently.

Individuals can have access to information held about them by NSW government agencies both under the privacy legislation, and under the relevant freedom of information legislation.

Unlike the Queensland, ACT and Commonwealth government regimes, the NSW legislation does not require contracted service providers to comply with the NSW legislation, and does not make them accountable under it.

Interestingly, NSW is the only state to have introduced workplace surveillance legislation. It regulates employers that conduct surveillance of employees (such as reviewing emails), requires employers to inform individuals of the surveillance activities that will be undertaken, and requires at least 14 days advance notice before that surveillance begins.

Victoria

The privacy system in Victoria is almost identical to that in New South Wales. The relevant legislation is the Information Privacy Act 2000 (Vic), overseen by the Victorian Office of the Privacy Commissioner, and the Health Records Act 2001 (Vic), overseen by the Victorian Health Services Commissioner and applicable to both public and private sector health care organisations. Interestingly, the health records legislation contains principles dealing with the transfer of medical records to another practitioner, and with making information available to another health practitioner.

Also, provided that a service contract between a Victorian Government agency and a service provider contains a clause binding the service provider to comply with the Information Privacy Principles (IPPs), the service provider will be accountable under the Information Privacy Act.

Tasmania

The Personal Information Protection Act 2004 (Tas) applies to the Tasmanian public and local government sectors, together with the University of Tasmania, and essentially requires Tasmanian government agencies to comply with privacy principles that mirror the National Privacy Principles (NPPs). The legislation is administered by the Department of Justice. Complaints can be made to the Tasmanian Ombudsman; if the Ombudsman decides to deal with a complaint, any investigation of it must be conducted in accordance with the Ombudsman Act 1978 (Tas).

There is no separate regime for health records held by the private or public sector in Tasmania, and service providers are not liable or accountable under the legislation.

Individuals must access the personal information held about them by a Tasmanian government agency under the State’s freedom of information regime.

Northern Territory

The Information Act 2002 (NT) contains provisions regarding freedom of information, information privacy and record/archive management. The privacy principles in the NT legislation mirror the NPPs.

As in Tasmania, there is no separate regime for health records held by the private or public sector in the Northern Territory, and service providers are not liable or accountable under the legislation.

Western Australia, South Australia

Both Western Australia and South Australia are currently without legislative privacy regimes. In Western Australia, various confidentiality provisions cover government agencies; in South Australia, the government has issued an administrative instruction requiring its agencies to generally comply with a set of information privacy principles (IPPs).


As you can see, the privacy obligations that businesses must comply with are extraordinarily complex, particularly for businesses that provide services to government agencies or that provide health services, perhaps on a national level. Particular care will need to be taken when taking steps to ensure compliance with the relevant laws.

Emma Weedon is a Senior Associate in McCullough Robertson's Intellectual Property Group, who advises on a range of corporate and commercial matters, including protection and commercialisation of intellectual property rights, and privacy compliance. Emma has worked for a range of clients in the franchising, life sciences, telecommunications, resources, and commercial manufacturing industries. Emma can be contacted at:
