Australia’s Privacy Act: Everything You Need to Know

The Privacy Act 1988 is the key legislation regulating the handling of personal information in Australia. It aims to promote the protection of the privacy of Australian individuals and regulate how organizations handle their personal information.

Effective year: 1988

Official text: Australia Privacy Act 1988

The Privacy Act 1988 serves as the primary federal legislation designed to safeguard the privacy of Australian individuals and regulate the handling of their personal information. 

Introduced in 1988, over the years, it expanded to include credit reporting, the private sector, and the establishment of the Office of the Australian Information Commissioner. The Office of the Privacy Commissioner was formed in 2000, leading to reforms in 2014 that introduced the Australian Privacy Principles (APP) and enhanced enforcement. The Notifiable Data Breaches scheme began in 2018, with further targeted measures implemented in 2022 to align with community expectations and protect digital privacy.

The Act outlines 13 Australian Privacy Principles for managing personal information and established the Office of the Australian Information Commissioner (OAIC) in 2010 to oversee privacy regulation.

The Privacy Act applies to Australian Government agencies and organizations with an annual turnover exceeding AUD 3 million that handle the personal information of Australian residents. The definition of an ‘organization’ includes individuals, companies, partnerships, unincorporated associations, or trusts, except for certain exemptions like small business operators, registered political parties, and specific government entities. They can be overseas organizations participating in business activities within Australia, even if their primary business operations occur outside the country. 

Certain small businesses with turnovers of AUD 3 million or less may fall under the Privacy Act, such as private health service providers, businesses engaged in selling or buying personal information, credit reporting bodies, and specific service providers for government contracts.

The Privacy Act excludes state government agencies, individuals acting personally, most universities and public schools, certain employee record handling, many small businesses, committed media organizations, and registered political parties.

The Privacy Act defines personal information as

“information or an opinion about an identified individual, or an individual who is reasonably identifiable: whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not.“

Some examples of personal information include an individual’s name, address, phone number, medical records, bank account details, photos, or employment details. Sensitive information like health information, genetic information, racial/ethnic background, sexual orientation, and political opinions are also considered personal information and given extra protections under the Act.

Australian Privacy Principle 1 – Open and transparent management of personal information

• Organizations must have an up-to-date, publicly available APP privacy policy.
• The policy must detail the information collected, the purposes of collection, and how individuals can access, correct, and complain about their information
• The APP privacy policy must be freely available to the public.

Australian Privacy Principle 2 – Anonymity and pseudonymity

• Individuals must have the option of being anonymous or using a pseudonym when dealing with an organization if lawful and practicable.

Australian Privacy Principle 3 – Collection of solicited personal information

• Organizations can only collect non-sensitive personal information if it’s necessary for their functions.
• Sensitive information requires individual consent or specific conditions to be collected.
• Personal information must be collected fairly, lawfully, and preferably directly from the individual.
• Organizations should collect directly from individuals unless unreasonable or impractical. 
• These principles apply to personal information requested by the organization.

Australian Privacy Principle 4 – Dealing with unsolicited personal information

• If an organization receives unsolicited personal information, determine if it could have been collected under APP 3. 
• Use or disclose this information solely for this determination.
• If collection is deemed improper, lawfully and reasonably destroy or de-identify the information.
• If it could have been collected under APP 3, treat it as if it was collected as such.

Australian Privacy Principle 5 – Notification of the collection of personal information

• Notify the individual or ensure their awareness as soon as possible when collecting personal information.
• The notification should include:
  • Organization identity and contact.
  • Circumstances of collection, especially from third parties or without awareness.
  • Legal mandates for collection.
  • Purpose of collection.
  • Consequences of not providing information.
  • Potential sharing with other parties.
  • APP privacy policy for access, correction, and complaints.
  • Potential overseas disclosures and countries if applicable.

Australian Privacy Principle 6 – Use or disclosure of personal information

• Use or disclosure must align with the primary purpose unless consent or specific conditions apply.
• Information can be used for secondary purposes if it is reasonably expected and directly related to the primary purpose.
• Legal requirements and permitted situations allow use or disclosure.
• Organizations must take steps to de-identify information before disclosing it if reasonable.
• This principle does not apply to the use/disclosure of direct marketing or government-related identifiers.

Australian Privacy Principle 7 – Direct marketing

• Organizations generally cannot use or disclose personal information for direct marketing without consent or other exceptions.
• Exceptions apply if the individuals would reasonably expect it, impracticable to get consent, or opt-out option is provided.
• Sensitive information requires explicit consent for direct marketing.
• Individuals can opt out of direct marketing. Organizations must enable simple opt-out and inform individuals.
• Individuals can request organizations not disclose their information for direct marketing to others.
• Individuals can request organizations provide the source of personal information used in direct marketing.

Australian Privacy Principle 8 – Cross-border disclosure of personal information

• Before disclosing personal information overseas, organizations must take reasonable steps to ensure overseas recipients comply with the APPs.
• Some exceptions apply, such as if the overseas law is substantially similar to the APPs, or if the individual consents after being expressly informed.

Australian Privacy Principle 9 – Adoption, use, or disclosure of government-related identifiers

• Organizations generally cannot adopt, use, or disclose government identifiers for individuals.
• There are exceptions if required by law or regulations allow it.

Australian Privacy Principle 10 – Quality of personal information

• Take reasonable steps to ensure personal information is accurate, up-to-date, and complete having regard to the purpose.

Australian Privacy Principle 11 – Security of personal information

• Take reasonable steps to protect personal information from misuse, interference, loss, and unauthorized access, modification, or disclosure.
• Destroy or de-identify information no longer needed for any purpose for which it may be used or disclosed under the APPs.

Australian Privacy Principle 12 – Access to personal information

• Individuals have a right to access their personal information held by an organization unless an exception applies.
• Access must be given on time and in the form requested if reasonable and practicable.

Australian Privacy Principle 13 – Correction of personal information

• Take reasonable steps to correct personal information to ensure it is accurate, up-to-date, complete, relevant, and not misleading, having regard to the purpose for which it is held.
• Notify third parties of corrections made if the individual requests.

The Privacy Act mandates consent as a crucial element in handling personal information mentioned in several APPs. Here’s the breakdown of how consent operates within the Act:

Collecting information: Organizations must obtain consent before collecting personal information unless the information is necessary for their functions, ensuring individuals understand why and how their data will be collected. Certain exceptions exist for sensitive information, requiring explicit consent or specific conditions.

Use and disclosure: Consent is generally required for using or disclosing personal information for purposes beyond the primary intent of collection. However, exceptions exist for legal requirements or certain conditions.

Direct marketing: Consent is essential for using personal information in direct marketing. Exceptions apply when individuals might reasonably expect it, or obtaining consent is impractical.

Cross-border transfer: Before sharing information overseas, organizations must ensure the overseas recipient complies with the Australian Privacy Principles, except in situations where overseas laws align substantially or if individuals provide informed consent.

The Privacy Act doesn’t specify an age for consent. Children under 15 are presumed to lack consent capacity, while those under 18 can consent if they understand. The Act doesn’t mandate verifying parental consent, unlike the GDPR. 

• Right to information: Individuals have the right to know why their personal information is being collected, how it will be used, and who it will be disclosed to.
• Right to anonymity: Individuals have the option of not identifying themselves or using a pseudonym in certain circumstances.
• Right to access: Individuals can ask for access to their personal information, including health information.
• Right to opt-out: Individuals have the right to stop receiving unwanted direct marketing.
• Right to correction: Individuals can ask for their incorrect personal information to be corrected.
• Right to complain: Individuals have the right to make a complaint about an organization or agency covered by the Privacy Act if they believe their personal information has been mishandled.

Organizations must notify individuals and the Commissioner about eligible data breaches. An “eligible data breach” is where personal information is lost or accessed/disclosed without authorization in a way likely to cause serious harm.

Organizations must assess suspected breaches within 30 days. If an eligible breach occurs, they must notify the Commissioner and provide: their identity and contact details, a description of the breach, the types of information involved, and recommendations for individuals.

The organization must also notify affected individuals directly or publicly if a large number are affected. The notification should include the contents of the statement to the Commissioner. Notification to individuals can be delayed if action is taken to prevent serious harm.

Exceptions to these notification requirements exist, particularly for law enforcement agencies when notification might impede their activities. Additionally, the Commissioner holds the authority to access breach-related information and can direct entities to notify individuals if deemed necessary.

The maximum penalty for an individual interfering with privacy is AUD 2.5 million.

For companies, the maximum penalty is the greater of:

• AUD 50 million,
• 3 times the interference’s benefit (if the court can determine this), or
• 30% of the company’s adjusted turnover during the breach period if the court can’t decide the benefit’s value.

Adjusted turnover is the value of the company’s taxable sales, excluding certain transactions. 

The breach period is 12 months or from the start of the breach until it ends or legal action begins, whichever is longer. 

• Maintain clear and updated privacy policies
• Only collect necessary personal information directly from individuals where possible
• Notify individuals about the collection with the required information
• Only use or disclose information for primary purposes or with consent
• Obtain consent for direct marketing and enable opt-out
• Take steps to ensure overseas recipients handle information consistent with APPs
• Take reasonable steps to keep information secure and accurate
• Assess and notify data breaches that may cause serious harm within 30 days

FAQ on the Privacy Act

What is the Privacy Act of Australia?

The Privacy Act 1988 is the key legislation regulating privacy and the handling of personal information in Australia. It applies to most Australian government agencies and organizations with an annual turnover of over AUD 3 million and contains 13 Australian Privacy Principles (APPs) that set out standards, rights, and obligations around the handling of personal information.

What happens if you breach the Privacy Act?

Breaching the Privacy Act could lead to serious repercussions, including investigations by the Office of the Australian Information Commissioner (OAIC) and potential demands for compliance, damages, or prevention of future breaches. Individuals could face a penalty of up to AUD 2.5 million, while companies might incur fines of either AUD 50 million, 3 times the determined benefit, or 30% of their adjusted turnover during the breach period.

Who regulates the Privacy Act in Australia?

The main regulator is the Office of the Australian Information Commissioner (OAIC). The OAIC has powers to conduct investigations, make determinations, seek civil penalties for breaches, and promote compliance through guidance, resources, and education.