The ACT Information Privacy Act
The Information Privacy Act 2014 (ACT) applies to Australian Capital Territory (ACT) public sector agencies, directorates and some organisations providing services on behalf of the ACT Government.
The Information Privacy Act includes a set of Territory Privacy Principles (TPPs) that cover the collection, use, disclosure, storage, access to, and correction of, personal information.
Your rights under the Information Privacy Act
The Information Privacy Act gives you greater control over the way that your personal information is handled. Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable.
The Information Privacy Act allows an individual to:
- know why their personal information is being collected, how it will be used and who it will be disclosed to
- have the option of not identifying themselves, or of using a pseudonym, in certain situations
- ask for access to their personal information
- ask for personal information about them that is incorrect to be corrected
- make a complaint about an agency or contractor covered by the Information Privacy Act, if they think the agency or contractor has mishandled their personal information.
Who has responsibilities under the Information Privacy Act?
The Information Privacy Act applies to ACT public sector agencies. This includes:
- ministers (in their administrative capacities)
- administrative units
- statutory office-holders and their staff
- territory authorities
- territory instrumentalities
- territory-owned corporations
- ACT courts (in their administrative capacities)
- any entity prescribed by regulation.
The Information Privacy Act also applies to some businesses that are contracted service providers (including subcontractors) for an ACT Government contract and are performing obligations under that contract.
What’s not covered by the Information Privacy Act?
The Information Privacy Act does not cover:
- individuals acting in their own capacity, including your neighbours
- private organisations (except to the extent that they are performing obligations under an ACT Government contract)
- personal health information or health records (this is covered under the ACT Health Records (Privacy and Access) Act 1997)
- workplace privacy and surveillance.
Territory Privacy Principles
The Territory Privacy Principles (TPPs) set out standards, rights and obligations for the collection, use, disclosure, storage, accessing and correction of personal information (including sensitive information). They are principles-based rather than prescriptive.
Each ACT public sector agency needs to apply the principles to their own situation.
Individuals can make a complaint with the ACT HRC about the handling of their own personal information under the TPPs by ACT public sector agencies. Where an individual’s complaint is upheld, we must notify the individual that they can apply to a court for a remedy.
Health records held by ACT Government agencies (including public hospitals) are covered by the Health Records (Privacy and Access) Act 1997 (ACT). The ACT Human Rights Commission also handles health record complaints.
Notifiable data breaches and ACT public sector agencies
If an ACT public sector agency experiences an eligible data breach involving TFN information, it must notify affected individuals and the Office of the Australian Information Commissioner (OAIC).
However, ACT public sector agencies are not required to notify data breaches that affect other types of personal information they hold.
ACT agencies can make a voluntary data breach notification to the ACT Information Privacy Commissioner about breaches regarding personal information, and we may assist you with some guidance on how to respond to the breach.
Resources
These resources should be read with reference to the full text of the TPPs and are not a substitute for legal advice. The Information Privacy Act TPPs generally reflect the Australian Privacy Principles (APPs) in the Commonwealth Privacy Act 1998, so the guidance issued by the Commonwealth Privacy Commissioner about the APPs is generally applicable to the ACT TPPs.