The private sector provisions of the Privacy Act 1988 (Cth) apply to organisations (including not-for-profits) with an annual turnover of more than $3 million. The provisions also apply to all health service providers regardless of turnover, government contractors, and some small businesses with an annual turnover of $3 million or less.

In addition, even if an organisation is covered by the Act, certain acts and practices of the organisation will be exempt. These are:

The Australian Privacy Principles set out how Commonwealth public sector agencies and private sector organisations should collect, use, keep secure and disclose personal information. The principles give individuals a right to know what information an organisation holds about them and a right to correct that information if it is wrong.

The APPs relate to collection, use, disclosure, quality, security, openness, access to and correction of personal information, including sensitive information and health information. There are also principles on the use of government identifiers, the right to remain anonymous, the flow of data across borders.

The Privacy Act 1988 (Cth) treats private sector government contractors, known as contracted service providers (CSPs) differently. The Act requires agencies to take contractual measures to ensure that CSPs, including subcontractors, do not breach the APPs. The CSP's privacy obligations are derived from the contract. Therefore agencies need to ensure that contractual clauses are consistent with the privacy obligations that apply.

The Act applies to CSPs regardless of when the contract was entered into. Therefore there is an obligation on agencies to include privacy clauses in contracts prior to the commencement of the Act . The provisions also apply to acts and practices of CSPs after completion or termination of the contract. A small business operator that is also a CSP will be subject to the legislation in respect of the performance of that contract. That is, it cannot benefit from the small business exemption for contractual matters.

To ensure that people are able to find out what privacy standards apply, agencies and CSPs are required to release on request details of privacy clauses in their contracts.

Complaints

All complaints in relation to the acts or practices of Contracted Service Providers (CSPs) are to be handled by the Office of the Australian Information Commissioner. The CSPs are liable for their own acts and practices. The outsourcing agency is to be given notice of any determination against a CSP.

In circumstances where an individual is unable to obtain a remedy from a CSP, the Office of the Australian Information Commissioner can substitute the agency for the CSP. This ensures that the agency remains ultimately responsible for the acts and practices of its CSPs.

See: Obtaining Medical Records

It is accepted law in Australia that clients have a right to their personal files once they have paid their legal fees. All legal documents such as contracts, summonses and pleadings must be released to the client. However, a lawyer does not have to disclose speculations, memos or any documents of a commentary nature to a client.

Employees should be told whether personal files are kept on them and whether they may have access to those files. Many organisations have a policy to allow access to employee information. Employees wanting access should firstly make use of such policies where they exist.

Commonwealth or State government employees can apply under the relevant FOI Act for access to personal information.

Employers have a responsibility to maintain pay and time records of employees and make these available under the Fair Work Act 2009 (Cth). See the Fair Work Ombudsman's information on Record-Keeping and Pay Slips for more information.