Information Privacy Act 2014

The Act defines a number of foundational concepts. Personal information is defined in s 8 as information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not and whether recorded in material form or not, but expressly excludes personal health information as defined in the Health Records (Privacy and Access) Act 1997. This means that health information is not subject to the TPPs but is governed by separate legislation. Public sector agency is defined exhaustively in s 9 and includes a Minister, an administrative unit, a statutory office-holder and staff, a territory authority, a territory instrumentality, ACTTAB Limited, an ACT court, or an entity prescribed by regulation. An interference with an individual’s privacy occurs under s 11 when an act or practice of a public sector agency breaches a TPP or a TPP code in relation to personal information about the individual, or when a contracted service provider does an act or practice that would be an interference if done by the relevant public sector agency. The TPPs (Territory Privacy Principles) are set out in Schedule 1 and consist of 11 principles numbered 1, 2, 3, 4, 5, 6, 8, 10, 11, 12 and 13. The numbering deliberately omits some numbers to maintain consistency with the Commonwealth Australian Privacy Principles (APPs), but not all APPs have a corresponding TPP (see Schedule 1 note 3). A breach of a TPP is defined in s 12 as an act or practice that is contrary to, or inconsistent with, the TPP, but does not include an act or practice done outside the ACT if required by a law of another jurisdiction or foreign country. The Act also creates a deemed breach under s 22: if a public sector agency discloses personal information to an overseas recipient and that recipient does an act that would breach a TPP (other than TPP 1) if the TPP applied, that act is taken to have been done by the agency and to be a breach. Consent is defined in the dictionary as express or implied consent. Sensitive information is defined in s 14 of Schedule 1 and includes information about racial or ethnic origin, political opinions, religious beliefs, sexual orientation, criminal record, genetic information, biometric information used for automated verification or identification, and biometric templates. Permitted general situation is exhaustively defined in s 19 and covers circumstances such as serious threats to life or health, suspected unlawful activity or serious misconduct related to the agency’s functions, locating a missing person, legal claims, and confidential alternative dispute resolution. The concept is used in TPP 3 (collection of sensitive information), TPP 6 (use or disclosure), and TPP 8 (cross-border disclosure). Other important definitions include collects (s 15 - only if collected for inclusion in a record or generally available publication), holds (s 16 - possession or control of a record containing the information), solicits (s 17 - requesting another entity to provide the information or a kind of information containing it), and de-identified (s 18 - no longer about an identifiable or reasonably identifiable individual). The Act also defines enforcement body and enforcement-related activity in s 14 of Schedule 1, which are relevant to exceptions to certain TPPs, particularly TPP 6 and TPP 8.

The Act directly binds public sector agencies as defined in s 9. This includes all ACT government Ministers (when acting in relation to the affairs of an agency they administer), administrative units (departments), statutory office-holders (such as the Ombudsman, Auditor-General) and their staff, territory authorities (statutory corporations), territory instrumentalities, ACTTAB Limited, and ACT courts (the Supreme Court, Magistrates Court, Coroner’s Court and tribunals). The Act also applies to contracted service providers under government contracts. Section 10(1)(b) provides that a reference to an act or practice of a contracted service provider is a reference to an act done or practice engaged in for the purpose of performing obligations under the contract. For these providers, an interference with privacy is defined in s 11(2) by reference to what would be an interference if done by the relevant public sector agency. Importantly, the Act does not apply to private sector entities generally, only to those contracted by the Territory or a public sector agency. The Act also has a mechanism in s 23 whereby the Commonwealth APPs apply to certain prescribed public sector agencies when they engage in commercial activities, effectively switching the applicable privacy framework for those acts and practices. The Act contains notable exemptions in Part 4. Exempt public sector agencies under s 24 include boards of inquiry under the Inquiries Act 1991, judicial commissions and the judicial council under the Judicial Commissions Act 1994, royal commissions under the Royal Commissions Act 1991, Icon Water Limited and related entities, and any agency prescribed by regulation. Exempt acts or practices under s 25 cover a wide range: acts of a Minister not relating to the affairs of an administered agency; acts of an ACT court other than administrative matters; acts of the Office of the Legislative Assembly and officers of the Assembly relating to proceedings (other than administrative matters); acts in relation to information that is contrary to the public interest to disclose under the FOI Act; acts in relation to records from Commonwealth enforcement or intelligence bodies; disclosures to Commonwealth intelligence bodies upon written request and certification; and acts or practices of prescribed agencies in relation to prescribed matters. The Act also provides a significant exemption in s 12(2) for acts or practices done outside the ACT if required by a law of another jurisdiction or foreign country. Individuals are affected as data subjects whose personal information is collected, used, disclosed, and held by public sector agencies. They have rights under the TPPs to anonymity or pseudonymity (TPP 2), to notification of collection (TPP 5), to access their information (TPP 12), to correction (TPP 13), and to complain about interferences with privacy (Part 6). The Act also affects subcontractors of contracted service providers, as s 21 requires that government contracts contain provisions requiring subcontractors to comply with the TPPs, a TPP code, or a corresponding privacy law.

The core duties are contained in the TPPs (Schedule 1), which public sector agencies must not breach (s 20). TPP 1 requires agencies to take reasonable steps to implement practices, procedures and systems that ensure compliance with the TPPs and to deal with inquiries and complaints. It also requires each agency to have a clearly expressed and up-to-date TPP privacy policy containing specified information (kinds of information collected, how collected, purposes, how to access and correct, how to complain, likely overseas disclosures and countries). The policy must be made available free of charge. TPP 2 gives individuals the option of not identifying themselves or using a pseudonym, unless the agency is required or authorised to deal with identified individuals or it is impracticable to do otherwise. TPP 3 restricts collection of personal information to what is reasonably necessary for the agency’s functions, with additional limits for sensitive information (which generally requires consent or an Australian law or permitted general situation or enforcement body functions). Collection must be by lawful and fair means and generally from the individual unless consent or authorisation exists or it is unreasonable or impracticable. TPP 4 requires agencies to deal with unsolicited personal information within a reasonable period by deciding whether it could have been collected under TPP 3; if not, and if not contained in a territory record, the agency must destroy or de-identify it. TPP 5 requires notification to the individual at or before collection (or as soon as practicable) of the agency’s identity, the fact and circumstances of collection, whether collection is required by law, the purposes, main consequences of not providing the information, usual disclosures, and information about the TPP privacy policy and complaint mechanisms. TPP 6 governs use or disclosure of personal information. The primary rule is that information collected for one purpose (the primary purpose) must not be used or disclosed for a secondary purpose unless the individual consents, or the individual would reasonably expect the use or disclosure and it is related (for non-sensitive) or directly related (for sensitive), or it is required or authorised by Australian law or court order, or a permitted general situation exists, or the agency reasonably believes it is reasonably necessary for enforcement-related activities. Special rules apply to disclosure of biometric information to enforcement bodies under guidelines (TPP 6.3). The agency must make a written note of any use or disclosure under the enforcement-related activity exception (TPP 6.5). TPP 8 requires that before disclosing personal information to an overseas recipient, the agency must take reasonable steps to ensure the recipient does not breach the TPPs (other than TPP 1). Exceptions exist if the recipient is subject to substantially similar protections, the individual consents after being informed that TPP 8.1 will not apply, the disclosure is required or authorised by law, a permitted general situation (other than legal claim or ADR) exists, an international agreement, or enforcement-related activities. TPP 10 requires the agency to take reasonable steps to ensure the personal information it collects is accurate, up to date and complete, and that information it uses or discloses is accurate, up to date, complete and relevant having regard to the purpose. TPP 11 requires the agency to take reasonable steps to protect information from misuse, interference, loss, unauthorised access, modification or disclosure, and to destroy or de-identify information when no longer needed (unless it is in a territory record or retention is required by law). TPP 12 gives individuals a right to access their personal information, subject to exceptions under the FOI Act or other access laws. The agency must respond within 30 days, give access in the way requested if reasonable and practicable, and cannot charge for the request or for access. If access is refused, the agency must give written reasons and information about complaint mechanisms. TPP 13 gives individuals a right to request correction of inaccurate, out of date, incomplete, irrelevant or misleading information. The agency must take reasonable steps to correct, and if requested, notify other agencies to whom the information was previously disclosed. If correction is refused, the agency must give written reasons and the individual may request that a statement be associated with the information. The agency must respond within 30 days and cannot charge. Additionally, s 21 imposes a duty on public sector agencies not to enter into a government contract unless it contains appropriate provisions requiring the service provider and any subcontractor to comply with the TPPs, a TPP code, or a corresponding privacy law. Part 7 allows for the development and adoption of TPP codes, which impose additional requirements not contrary to the TPPs and which bind specified agencies (s 51). The Act also creates a duty on the Information Privacy Commissioner to give a copy of a privacy complaint to the respondent (s 37) and to notify the relevant public sector agency if the respondent is a contracted service provider (s 48).

Enforcement under the Act operates through a multi-layered process: internal handling, complaints to the Information Privacy Commissioner, conciliation, and ultimately application to a court for orders. There is no direct civil penalty for a breach of a TPP; instead the primary remedy is through the complaint mechanism. However, the Act does create specific criminal offences. Section 53 makes it an offence for a person who exercises or has exercised a function under the Act to use or divulge protected information (information disclosed to or obtained by them because of the exercise of a function) if they are reckless about it being protected information. The maximum penalty is 50 penalty units, imprisonment for 6 months, or both. At the republication date, one penalty unit is $160 for an individual and $810 for a corporation (see Legislation Act s 133). Exceptions exist if the use or disclosure is under the Act or another territory law, in relation to the exercise of a function, in a court proceeding, or with the person’s consent. Additionally, s 44B creates an offence for a party to a conciliation who fails to attend a conciliation after being directed in writing, without a reasonable excuse, with a maximum penalty of 50 penalty units. The Criminal Code applies to all offences under the Act (s 5). The main enforcement pathway for privacy breaches is the complaints process in Part 6. An individual may make a privacy complaint to the Commissioner (s 34). The Commissioner may decide not to deal with a complaint on several grounds: the act is not an interference; the complaint was made more than 12 months after the complainant became aware of the act; the complaint is frivolous, vexatious, misconceived, lacking in substance or not made in good faith; the matter is being dealt with adequately under another law; it would be better dealt with under another law; dealing further is not warranted; or the respondent has dealt or is dealing adequately with the complaint (s 39). The Commissioner may also decide not to continue dealing with a complaint if the complainant does not comply with a reasonable request, has not cooperated, cannot be contacted, or conciliation ends without agreement (s 40). If the Commissioner deals with a complaint and is reasonably satisfied that the act or practice is an interference with privacy, the Commissioner must give notice to the parties that the complainant may apply to a court (s 45). The complainant then has 6 months from notification to apply to a court (s 46). The court may make one or more of the following orders under s 47: an order that the complaint is substantiated, together with an order that the respondent must not repeat or continue the act or practice, must engage in a stated act to compensate for loss or damage, must amend a record, or must pay compensation for economic loss or damage of not more than $100,000; an order that the complaint is substantiated but no further action is required; an order that the complaint is not substantiated and is dismissed; or an order that the complainant be reimbursed for expenses reasonably incurred. The Commissioner may also refer a complaint to another investigative entity (s 42), report serious or repeated interferences to the Minister (s 43), and may obtain information from anyone, with a mandatory obligation on public sector agencies and public officials to comply (s 44). The Act also provides for the development of TPP codes, and a breach of a TPP code is treated as an interference with privacy (s 11(1)(b)) and a breach of the duty in s 51 not to do an act or practice that breaches a notified TPP code. The Commissioner’s annual report to the Minister must include the total number of complaints made, dealt with, and in relation to which a s 45 notice was given, and must identify each respondent but not the complainant’s personal information (s 54).

Section 6 provides that the Act does not affect the operation of any other territory law, and expressly lists the Freedom of Information Act 2016, the Health Records (Privacy and Access) Act 1997, the Residential Tenancies Act 1997 part 7 (residential tenancy databases), and the Territory Records Act 2002. This means that the TPPs operate alongside, but do not override, those specific regimes. For example, access to personal information under TPP 12 is subject to any refusal required or authorised under the FOI Act (see TPP 12.2). The definition of personal information in s 8 deliberately excludes personal health information, which is covered by the Health Records (Privacy and Access) Act 1997. That Act has its own principles and access rights, and the Information Privacy Act does not apply to health information. The Act also interacts with Commonwealth privacy law. Section 23 provides that if a public sector agency is prescribed by regulation and engages in commercial activities, the Commonwealth APPs apply to those acts and practices as if the agency were an organisation within the meaning of the Commonwealth Privacy Act 1988. This creates a dual regime: the TPPs apply to non-commercial activities, and the APPs apply to commercial activities of that agency. The Commonwealth APPs are defined in the dictionary as the Australian privacy principles set out in the Commonwealth Act schedule 1. Section 21 allows government contracts to require compliance with a corresponding privacy law, which includes the Commonwealth Privacy Act 1988 and laws of States, external territories or foreign countries prescribed by regulation. This facilitates interoperability with other jurisdictions. The Act also provides for referrals of privacy complaints from the ACT Ombudsman, the Human Rights Commission, and entities with corresponding functions under State or Commonwealth laws (s 36). This allows complaints to be transferred between jurisdictions where appropriate. The exemptions in Part 4 recognise the primacy of other legal frameworks. For instance, acts in relation to records that have originated with Commonwealth enforcement or intelligence bodies are exempt (s 25(1)(f)), and disclosures to Commonwealth intelligence bodies upon written request and certification are exempt (s 25(1)(g)). These exemptions prevent the Act from conflicting with national security and law enforcement operations. The Act also recognises the operation of the Criminal Code via s 5, and the Legislation Act 2001 applies to matters such as appointment, delegation, and the making of instruments. The Act’s dictionary incorporates definitions from other legislation, such as the Territory Records Act 2002 for territory record, and the Corporations Act for related body corporate. The regulation-making power (s 58) allows the Executive to prescribe additional agencies, acts, entities, and matters, which can expand or refine the Act’s interaction with other laws over time.

The Act was originally enacted as A2014-24 and commenced on 1 September 2014. It has been amended on multiple occasions. The most significant structural amendment occurred via the Justice and Community Safety Legislation Amendment Act 2025 (No 3) A2025-22, which inserted the entire Division 6.3A (Conciliation of privacy complaints) comprising new sections 44A to 44I. This introduced a formal conciliation process into the complaints mechanism, including definitions, mandatory attendance obligations with a penalty, provisions for conduct of conciliation, conciliation agreements, admissibility of evidence, and protection from civil liability for attendees. The same Act also substituted s 45 (Commissioner must tell parties application may be made to court) to clarify the process after conciliation. The Statute Law Amendment Act 2025 A2025-29 made a range of minor amendments affecting s 19 (permitted general situation - replaced references to “subrule” with “subsection”), s 35 (privacy complaint - updated formatting), s 50 (development of TPP codes - cross-reference updated), s 55 (guidelines - cross-reference updated), s 56 (instruments - updated), s 57 (approved forms - updated), and s 58 (regulation-making power - minor text change). Earlier amendments include: A2014-49 (Justice and Community Safety Legislation Amendment Act 2014 (No 2)) which amended the definition of public sector agency and the exemptions. A2015-1 (Judicial Commissions Amendment Act 2015) amended the exempt agencies to include the judicial council. A2015-15 (Statute Law Amendment Act 2015) made minor amendments to the exempt agencies list. A2016-55 (Freedom of Information Act 2016) updated cross-references following the enactment of the FOI Act, and amended s 6, s 23, s 25, and TPP 12. A2017-5 (Justice and Community Safety Legislation Amendment Act 2017) amended s 21 (contract requirements). A2018-52 (Integrity Commission Act 2018) amended the definitions of enforcement body and enforcement-related activity to include the integrity commission, and updated the dictionary. A2021-12 (Statute Law Amendment Act 2021) made minor amendments to the exemptions in s 25. A2024-16 (Crimes Legislation Amendment Act 2024 (No 2)) amended s 25 to update references to Commonwealth enforcement bodies. The Act has been republished 13 times, with the latest effective date 16 December 2025. The republication history shows that the Act underwent significant changes in 2025 with two amending Acts. The amendment history is fully documented in endnote 4.

The Act does not refer to any specific case law or litigation outcomes. The source text itself does not mention any judicial decisions. The Act’s enforcement mechanism, however, contemplates court proceedings: under s 46, a complainant may apply to a court for an order under s 47 within six months after being notified by the Commissioner. The court is defined in the dictionary as the Supreme Court, Magistrates Court, Coroner’s Court or a tribunal, and includes a judge, magistrate, tribunal member or other person exercising a function of the court or tribunal. The Act does not prescribe a specific court; therefore applications under s 46 may be made to any ACT court with jurisdiction. Section 47 provides a range of orders, including declarations that the complaint is substantiated, injunctions to restrain repetition or continuation of the act or practice, orders to engage in a stated act to compensate for loss or damage, orders to amend a record, and compensation orders of not more than $100,000 for economic loss or damage. The Act also provides for the admissibility of evidence relating to conciliation: s 44H applies the Evidence Act 2011, s 131 (exclusion of evidence of settlement negotiations) to communications and documents prepared in relation to a conciliation, except for a conciliation agreement if the parties have agreed to allow the Commissioner to use it. This protects the confidentiality of conciliation discussions. The Act does not create a private right of action directly; rather, a complainant must first exhaust the complaint process (or have it dealt with by the Commissioner) before applying to court. The Commissioner’s notice under s 45 is a prerequisite to a court application. It is noteworthy that the Act has been in force since 2014 and has been amended several times, but the text provides no information about the volume or outcomes of court applications. Practitioners should note that the limitation period for a court application is six months from the date of the Commissioner’s notice (s 46), and the maximum compensation is $100,000. The Act does not provide for punitive damages; compensation is for economic loss or damage. The offence provisions under s 53 (use or divulge protected information) are criminal matters that would be prosecuted in the Magistrates Court. No case law is referenced in the Act itself.

Several aspects of the Act can trip up practitioners. First, the definition of personal information in s 8 expressly excludes personal health information. This means that a complaint about a public sector agency’s handling of health information cannot be made under this Act; it must go to the Health Records (Privacy and Access) Act 1997. This can lead to confusion where an agency holds mixed datasets. Second, the deemed breach provision in s 22 for overseas disclosures is strict: if a public sector agency discloses personal information to an overseas recipient, and that recipient does an act that would breach a TPP (other than TPP 1), the agency is deemed to have breached the TPP. The agency cannot avoid liability by arguing that it took reasonable steps under TPP 8.1; the deemed breach applies unless an exception in TPP 8.2 exists. This means agencies must carefully assess whether any of the TPP 8.2 exceptions apply before relying on reasonable steps. Third, the 12-month limitation in s 39(b) is a hard bar: the Commissioner may decide not to deal with a complaint made more than 12 months after the complainant became aware of the act or practice. There is no discretion to extend this time. Fourth, the requirement in s 21 for government contracts to contain appropriate contractual provisions is mandatory (agency must not enter into a contract without them). Failure to include such provisions does not affect the agency’s or provider’s obligations under the Act (s 21(3)), but it leaves the agency exposed to potential breach of the Act itself. The term “appropriate contractual provisions” is not defined, creating uncertainty about what is sufficient. Fifth, the exemptions in Part 4 are broad and may be overlooked. For example, acts done by an ACT court in relation to a matter of an administrative nature are exempt (s 25(1)(b)), but acts of an administrative nature are subject to the Act. Similarly, acts done by a Minister other than in relation to the affairs of a public sector agency administered by the Minister are exempt (s 25(1)(a)), which can create gaps. Sixth, the TPP 2 right to anonymity or pseudonymity has exceptions that may be invoked broadly - it is impracticable for the agency to deal with individuals who have not identified themselves, or where a law or court order requires identification. Agencies may over-rely on this exception. Seventh, the conciliation process added in 2025 imposes an obligation on parties to attend conciliation, and failure to attend without reasonable excuse is an offence (s 44B). This creates a new compliance risk for respondents. Eighth, access charges under TPP 12.7: the agency must not charge for making the request or for giving access. This is absolute; no fee can be imposed even for copying costs. However, the FOI Act may still allow charges for some access requests, and TPP 12.2 defers to that Act. Practitioners must check which regime applies. Ninth, the offence of use or divulge protected information (s 53) applies to any person who exercises or has exercised a function under the Act, which includes not only the Commissioner but also any delegate or person authorised. Recklessness is the fault element, and the penalty is significant. This can catch staff of public sector agencies who come across complaint-related information. Tenth, the court order under s 47(1)(a)(iv) is capped at $100,000 compensation for economic loss or damage. There is no provision for non-economic loss (e.g. distress) in the Act, though an order to engage in a stated act to compensate for loss or damage could potentially cover other forms of compensation. The cap applies per complaint, not per individual, so if a complaint is brought on behalf of multiple individuals under s 34(2), the total compensation is capped at $100,000 for the group unless separate complaints are made.

Compliance with the Act requires a systematic approach grounded in the TPPs and the obligations in Part 3. The starting point is TPP 1: each public sector agency must take reasonable steps to implement practices, procedures and systems that ensure compliance with the TPPs and any applicable TPP code, and that enable the agency to deal with inquiries and complaints. This means agencies should conduct a privacy impact assessment (PIA) for any new or changed functions or activities that involve personal information, develop internal policies and procedures for each TPP, and designate a privacy officer. The agency must also have a TPP privacy policy (TPP 1.3) that includes the kinds of information collected, how it is collected, purposes, how to access and correct, how to complain, and whether overseas disclosures are likely (including countries if practicable). This policy must be made available free of charge and in appropriate forms (e.g. website, hard copy). Agencies should review the policy annually and update it to reflect changes in functions or law. For collection (TPP 3), agencies must only collect personal information that is reasonably necessary for their functions. For sensitive information, consent must be obtained unless an exception applies (Australian law, permitted general situation, enforcement body functions). Collection must be by lawful and fair means, and generally from the individual. Where collection is from a third party, the agency must consider whether the individual’s consent is required or if it is unreasonable or impracticable to collect from the individual. Notification under TPP 5 must occur at or before collection, or as soon as practicable after. Agencies should develop standard collection notices that cover all matters listed in TPP 5.2, including the agency’s identity, the fact of collection, any legal authority, purposes, consequences of not providing the information, usual disclosures, and information about the privacy policy and complaint mechanisms. For unsolicited information (TPP 4), agencies must have a process to receive, assess and decide within a reasonable period whether the information could have been collected under TPP 3. If not, and if it is not in a territory record, the information must be destroyed or de-identified as soon as practicable and if lawful and reasonable. A log of such decisions is advisable. Use and disclosure (TPP 6) requires agencies to identify the primary purpose for which information was collected and to have a mechanism to assess secondary purposes. If a secondary use or disclosure is proposed that does not fall within an exception (consent, reasonable expectation, law, permitted general situation, enforcement-related activity), it must not occur. For enforcement-related disclosures, a written note must be made (TPP 6.5). Agencies should train staff on when to make such notes. Cross-border disclosures (TPP 8) require due diligence on the overseas recipient’s ability to protect information. Where possible, agencies should seek to bring the disclosure within an exception in TPP 8.2, such as the individual’s informed consent or the recipient being subject to substantially similar protections. If relying on the reasonable steps obligation, agencies should enter into contractual protections and verify the recipient’s practices. Data quality (TPP 10) and security (TPP 11) require ongoing processes: regular data cleansing, staff training on accuracy, access controls, encryption, breach response plans, and secure destruction or de-identification when information is no longer needed. For access requests (TPP 12), agencies must respond within 30 days and cannot charge. They must have a process for handling requests that integrates with the FOI Act where relevant. If access is refused, written reasons and complaint mechanisms must be provided. Correction requests (TPP 13) also require a 30-day response, no charge, and if correction is refused, written reasons and an opportunity for the individual to associate a statement with the information. For government contracts (s 21), agencies must ensure that all contracts for services include provisions requiring the service provider and any subcontractor to comply with the TPPs, a TPP code, or a corresponding privacy law. Legal teams should develop standard clauses. Agencies should also consider whether to adopt a TPP code (Part 7) tailored to their functions; this requires public consultation (minimum 28 days) and notification as a notifiable instrument. Complaints handling is critical. Agencies should have their own internal complaint process (as encouraged by TPP 1.2(b)) to deal with complaints before they reach the Commissioner. If a complaint is made to the Commissioner, the agency must cooperate, respond to requests for information (s 44), and attend conciliation if required (s 44B). Finally, the agency must report annually to the Commissioner as required by s 54, and the Commissioner must report to the Minister. Agencies should monitor the Information Privacy Commissioner’s guidelines (s 55) and any notifiable instruments made under the Act.