Copyright Act 1968
The Copyright Act of 1968 is a federal law that applies to all states and territories in Australia.
The purpose of the act is to define and protect intellectual property, or IP.
Main points
- Ownership: IP belongs to the individual who created it unless assigned otherwise (e.g. to an employer).
- Automatic protection: Copyright is automatic and free once the work is fixed in a tangible form, although copyright notices are encouraged.
- Types of works protected: Covers literary, dramatic, musical and artistic works, as well as films, sound recordings and broadcasts.
- Exclusions: Does not cover ideas, concepts, names, slogans or images of people.
- Control of usage: Owners can control how and when material is used and shared.
- Employer rights: Employers hold copyright over works employees produce as part of their job duties.
- Personal use exception: Allows individuals to copy music they legally own from a CD to a digital device, but only for personal use.
Privacy Act 1988
The Privacy Act of 1988 is a federal law that applies to all states and territories in Australia.
The purpose of the act is to outline ethical business practices related to user privacy and data.
The act specifically targets:
- Commonwealth government departments
- ACT government agencies
- Private organisations that fall into any of the following categories:
  - Turnover at least $3 million per year or
  - Holds information about an individual’s health or
  - Buys or sells personal information for profit or
  - Contracted to provide a service to the Commonwealth
Australian Privacy Principles (APPs)
The APPs, outlined in the Privacy Act 1988, are guidelines for handling data.

Main points
- Only collect information that is necessary.
- Only use information for the purpose it was intended.
- Do not disclose information to a third party for any purpose other than what it was intended.
- Individuals may have access to, and the opportunity to correct, information held about them.
- The organisation must have a privacy policy that is available to be viewed by the public.
- The organisation must take steps to ensure the quality and security of the information.
Privacy and Data Protection Act 2014
The Privacy and Data Protection Act of 2014 is a state law covering only Victoria.
The purpose of this act is to outline how the Victorian private sector should handle data collection, privacy and storage.
The private sector includes:
- Victorian government departments and public sector agencies
- Victoria Police
- State government schools
- Public Victorian universities
- Public hospitals and health services, with regard to non-medical information (medical information is covered by the Health Records Act 2001)
- Organisations providing services funded by government departments
Information Privacy Principles (IPPs)
Similar to the APPs, the IPPs apply to Victoria’s public sector and align with the APPs.
- IPP 1 – Collection: IPP 1 emphasises that personal information must be collected fairly, lawfully and not intrusively. For developers, this means designing systems that ask only for necessary information and informing users about the collection purpose.
- IPP 2 – Use and Disclosure: This principle restricts how personal information can be used or disclosed, aligning with APP 6. Developers should ensure data is only shared according to privacy policies and user consent, with built-in permissions management.
- IPP 4 – Data Security: Data must be protected from misuse, loss, unauthorised access and modification. Software developers are responsible for incorporating robust security features, including encryption, secure authentication mechanisms, and regular security updates.
- IPP 5 – Openness: Agencies must be open about how personal information is managed. Developers should facilitate this by including privacy policy links and clear documentation within applications, detailing how user data is handled and secured.
- IPP 7 – Unique Identifiers: This principle restricts the use of unique identifiers assigned by other organisations. An organisation can only adopt a unique identifier assigned by another organisation if it is necessary for its functions, with the individual’s consent, or if it is an outsourcing organisation using the identifier created by a contracted service provider.
- IPP 9 – Transborder Data Flows: Personal information must not be transferred outside Victoria unless the recipient jurisdiction has equivalent privacy protections. Developers should consider data localisation strategies or ensure cross-border data transfers comply with relevant regulations.
- IPP 10 – Sensitive Information: This principle requires stricter handling of sensitive information, such as health or ethnic background data, reinforcing the need for high security and limited access in software systems that handle such data.
Main points
The private sector should:
- have strong security protocols
- prevent unauthorised access
- have security assessments
- follow data encryption practices
- optional, but recommended: notify users in the event of a significant data breach