What are the three rights under the Privacy Act

Privacy Program: A Central Source for Information about SSA’s Privacy Compliance Program

The Privacy Act of 1974

The Privacy Act of 1974 is a federal law that governs our collection and use of records we maintain on you in a system of records. A system of records is any grouping of information about an individual under the control of a Federal agency from which information is retrievable by personal identifiers, such as name, social security number, or other identifying number or symbol.

Under the Privacy Act, Federal agencies may not disclose information without consent unless certain exceptions apply to the disclosure. The Privacy Act provides protections to individuals in three primary ways. It provides individuals with:

  • the right to request their records, subject to Privacy Act exemptions;
  • the right to request a change to their records that are not accurate, relevant, timely or complete; and
  • the right to be protected against unwarranted invasion of their privacy resulting from the collection, maintenance, use, and disclosure of their personal information.

All System of Records Notices (SORNs) are published in the Federal Register. These notices provide the legal authority for collecting and storing records, individuals about whom records will be collected, what kinds of information will be collected, and how the records will be used. The Social Security Administration’s SORNs are available at https://www.ssa.gov/privacy/sorn.html.

If things go wrong

If you think an organisation has interfered with your privacy, you can:

Contact their privacy officer

In the first instance, you should always try to resolve your privacy issue with the organisation concerned. Contact the organisation’s privacy officer and follow the complaints process (if it has one).

How to complain

Contact the Privacy Commissioner

If you’re unhappy with how the organisation has dealt with your privacy concerns, you can make a complaint to the Privacy Commissioner.

Making a complaint — Office of the Privacy Commissioner

The Office of the Privacy Commissioner handles complaints regarding an organisation that has interfered with privacy.

An interference with an individual's privacy occurs when an organisation breaches one of the Information Privacy Principles (IPPs) 1-5 and 8-13 under the Privacy Act and causes harm to that individual.

Examples of harm can include:

  • financial loss
  • breach of your rights
  • damage to an interest you have
  • significant humiliation, loss of dignity or injury to your feelings.

Information Privacy Principles 6 and 7 are about your rights to access or correct your personal information.

Once you have complained, the Privacy Commissioner may choose to investigate your matter. The Commissioner’s focus will be on facilitating a resolution between the parties wherever possible.

If your complaint is about access to your personal information and the Privacy Commissioner upholds your complaint, but the organisation concerned fails to meet its obligations, the Privacy Commissioner may issue an access direction to require the organisation to grant you access to your personal information.

The Privacy Commissioner can’t award you compensation for any privacy breaches but does have the power to fine organisations up to $10,000 for serious breaches of the Privacy Act. For more information on this, please see the Office of the Privacy Commissioner’s website:

Privacy Commissioner

Apply to the Human Rights Review Tribunal

After going to the Office of the Privacy Commissioner the next step could include going to the Human Rights Review Tribunal (HRRT).

The HRRT is an independent judicial body that hears claims relating to breaches of human rights, including interferences with privacy under the Privacy Act.

Following the conclusion of the Privacy Commissioner’s investigation, you have six months to file a claim in the HRRT.

Make a claim — Human Rights Review Tribunal

The HRRT can award various remedies after hearing a case, including:

  • a declaration that the organisation breached the law
  • an order preventing repetition of the breach
  • an order to do something to rectify the breach
  • damages
  • an award of costs against the losing party.

The HRRT has the power to make a binding decision on the parties, including awarding compensation. 

You can't go to the Disputes Tribunal or to court to complain about a breach of your privacy. 

More help

Get support at any point from:

  • Citizens Advice Bureau (CAB) — this is a free, independent service, run by volunteers. CAB can advise you on your consumer rights and obligations, in person, by phone, or online.
  • Community Law Centre — this service offers free one-on-one legal advice to people with limited finances. The organisation has 24 community law centres throughout the country. You can find legal information and other resources on its website.

Find a CAB — Citizens Advice Bureau

Our law centres — Community Law Centres

What are the privacy rights?

Legally, the right of privacy is a basic law which includes the right of persons to be free from unwarranted publicity, from unwarranted appropriation of one's personality, and from the publicizing of one's private affairs without a legitimate public concern.

What are the 13 Australian Privacy Principles?

Australian Privacy Principles:

  • the collection, use and disclosure of personal information
  • an organisation or agency's governance and accountability
  • integrity and correction of personal information
  • the rights of individuals to access their personal information.

What is covered by the New Zealand Privacy Act?

The Privacy Act applies to any person, organisation, or business (referred to in the legislation as an 'agency'), whether it's in the public sector or private sector, that collects and holds personal information about other people. An individual acting in their personal or domestic capacity is not an agency.

What does the Australian Privacy Act cover?

The Privacy Act 1988 (Privacy Act) is the principal piece of Australian legislation protecting the handling of personal information about individuals. This includes the collection, use, storage and disclosure of personal information in the federal public sector and in the private sector.