Allens Arthur Robinson

• Introduction
• Overview
  • Who, what & when
    • Exemptions
    • Old information
  • International data flow
  • Sensitive information
  • Chronology
  • Spam
  • Tort of invasion of privacy
• NPPs & codes
• Complying
• Legislation & links
• Industries
• News
• Contacts
• Glossary
• Publications

• Who do the private sector provisions of the Privacy Act apply to?
• What is protected?
• When did the private sector provisions of the Act come into effect?
• What about information collected before that time?

Who do the private sector provisions of the Privacy Act apply to?

The private sector provisions of the Privacy Act (the Act) apply to private sector organisations with a link to Australia, including:

• individuals who collect, use or disclose personal information in the course of a business. For example, a sole trader's business activities will be regulated (unless it's a small business), but information gathered outside business activities won't be;
• bodies corporate; and 
• partnerships, unincorporated associations and trusts - any act or practice of a partner, committee member or trustee is attributed to the organisation.

Organisations outside Australia must comply with the provisions in some circumstances. Sending information out of Australia is also regulated - for more, see the International data flow section.

There are also exemptions, and the private sector provisions usually don't cover:

• a small business operator; 
• a registered political party;
• a Commonwealth Government agency; 
• a media organisation - journalism; 
• certain transfers of personal information between related bodies corporate; 
• a State or Territory authority; or 
• a prescribed instrumentality of a State or Territory. 

For details, see the Exemptions page.

What is protected?

The Act regulates the way in which private sector organisations collect, handle, disclose, use and store personal information. So what's personal information? Basically, any information - including an opinion - that can be used to identify a person. It could simply be their name, address, telephone number or date of birth. There are extra protections for sensitive information, such as information about an individual's race, sexual preference or health.

When did the private sector provisions of the Act come into effect?

The private sector provisions came into effect on 21 December 2001 for most organisations and 21 December 2002 for most of the small businesses that are subject to them.

What about information collected before that time?

Personal information collected before 21 December 2001 is generally affected by some, but not all, NPPs. But if information is later updated, all the NPPs will apply. So it's important to be able to tell whether information was collected before or after the cut-off date. For more, see our page on old information.