Skip to main content

Privacy Act 1988 (Australia)

Australia's Privacy Act 1988 regulates handling of personal information through 13 Australian Privacy Principles, overseen by the OAIC. It includes a notifiable data breach scheme and, after 2022 reforms, substantially higher penalties.

Jurisdiction
Australia

The Privacy Act 1988 is Australia's principal national privacy law. It commenced in 1988 and has been amended many times, most notably with the Australian Privacy Principles (APPs) that took effect in 2014 and the Notifiable Data Breaches scheme that began in 2018. The Act regulates how personal information is collected, used, disclosed, and secured. It is overseen by the Office of the Australian Information Commissioner (OAIC). A significant reform process is underway to modernize the Act.

The Act is principles-based and applies the 13 Australian Privacy Principles to covered entities, known as APP entities.

Who It Applies To

The Privacy Act applies to most Australian Government agencies and to private-sector and not-for-profit organizations with an annual turnover of more than AUD 3 million, plus some smaller organizations such as health service providers, businesses that trade in personal information, and credit reporting bodies. It also has extraterritorial reach to overseas organizations that carry on business in Australia and collect or hold Australians' personal information. The small-business exemption is a notable feature, though reforms may narrow it.

Key Requirements

The 13 Australian Privacy Principles cover open and transparent management of personal information, anonymity and pseudonymity, collection of solicited and unsolicited information, notice, use and disclosure, direct marketing, cross-border disclosure, adoption of government identifiers, data quality, data security, and access and correction. APP entities must have a clear privacy policy, collect only what is reasonably necessary, secure information, and let individuals access and correct it. The Notifiable Data Breaches scheme requires entities to notify the OAIC and affected individuals of eligible data breaches likely to result in serious harm. Cross-border disclosure generally makes the disclosing entity accountable for the overseas recipient's handling.

Penalties for Non-Compliance

The OAIC can investigate, accept enforceable undertakings, and seek civil penalties for serious or repeated interferences with privacy. Following 2022 amendments, maximum penalties for serious or repeated breaches rose to the greater of AUD 50 million, three times the benefit obtained, or 30 percent of adjusted turnover during the breach period.

How to Comply

Determine whether you are an APP entity. Publish a compliant privacy policy and collect only necessary information with appropriate notice. Secure personal information and provide access and correction. Manage direct marketing and cross-border disclosures in line with the APPs. Implement a data breach response plan that meets the Notifiable Data Breaches scheme. Monitor ongoing reforms that may broaden coverage and add new rights.