I. Introduction
Australia’s Privacy Act 1988 (Act), enacted by the Australian parliament at the end of 1988, is the country’s primary data privacy law. In an era marked by escalating data breaches and privacy violations, the Privacy Act aims to protect individuals' privacy rights by mandating several obligations on applicable entities.
Although introduced in 1988, the Act has undergone numerous amendments, taking into account the evolving privacy challenges and regulatory landscape. Significant amendments were made in 2000, 2014, 2022, and 2024.
The Privacy Act regulates the processing of personal information in both the private and public sectors. A core component of the Act is the Australian Privacy Principles (APPs), which are comprehensive guidelines that allow entities and agencies to customize their data handling practices to suit their business operations while meeting individuals' diverse privacy needs.
This overview examines the Privacy Act’s key provisions, obligations for applicable entities, data subject rights, enforcement authority, and how organisations can operationalise the Act in today's privacy-conscious and tightened regulatory context.
II. Who Needs to Comply with the Privacy Act
A. Material Scope
The Act applies to the processing (collection, use, and disclosure) of personal information by APP entities but excludes de-identified or anonymous data that cannot reasonably be re-identified.
The Act does not apply to data used for:
- Personal or Domestic Use: Processing by individuals in a private, non-business capacity.
- Employee Records: Held by the employer for employment purposes.
- Political Acts and Practices: Activities related to Members of Parliament or political representatives.
- Small Businesses: Businesses with an annual turnover of less than $3 million, unless they:
  - Have a Commonwealth contract (in which case the exemption applies only to activities unrelated to the contract).
  - Are involved in activities that require mandatory compliance under specific circumstances, such as health records or credit reporting.
- Media Organisations: Processing for journalistic purposes.
- Organisations Acting Under a Commonwealth Contract: Acts or practices of an organisation are exempt if:
  - the organisation is a contracted service provider for a Commonwealth contract,
  - the organisation would otherwise qualify as a small business operator,
  - the act or practice is unrelated to fulfilling obligations under the Commonwealth contract,
  - this exemption applies only to activities not tied directly or indirectly to the contract's obligations.
- Organisations Acting Under a State Contract: Acts or practices of an organisation are exempt if:
  - the organisation is a contracted service provider for a State or Territory contract,
  - the organisation would otherwise qualify as a small business operator,
  - the act or practice is unrelated to fulfilling obligations under the State or Territory contract,
  - similar to Commonwealth contracts, the exemption applies only to activities that are not directly or indirectly related to the contract's obligations.
B. Territorial Scope
The Act has a broad territorial scope. It applies to Australian entities, which include private sector entities, Australian government agencies, and foreign organisations providing products or services to Australian individuals or "carrying on business" in Australia.
This includes enterprises and nonprofits headquartered in Australia and foreign entities with an Australian link. However, the Privacy Act’s obligations only activate when the organisation processes Australian-related personal information, regardless of where or when the processing occurs.
III. Definitions of Key Terms
a. APP Entity
APP Entities include:
- Agencies: Mainly federal government bodies or office holders.
- Organisations: Includes individuals, corporations, partnerships, unincorporated associations, and trusts.
However, small business operators, registered political parties, and state or territory authorities are not considered APP entities.
Furthermore, a small business operator is considered an APP entity if they:
- operate another business with a turnover of $3 million or more,
- provide health services or hold health information (except employee records),
- collect or disclose personal information for a benefit, service, or advantage,
- are a contracted service provider for a Commonwealth contract, or
- are a credit reporting body.
b. Australian Link
Entities considered to have an Australian link include an Australian citizen or a person with permanent residency in Australia, a partnership, trust, or body corporate formed or incorporated in Australia, or an unincorporated association whose central management and control are based in Australia.
c. Consent
Consent may be express (explicitly given) or implied (reasonably inferred for non-sensitive information, provided individuals are informed and given an opt-out option).
d. Personal Information
Personal information means any information or an opinion about an identified individual or a reasonably identifiable individual, whether the information or opinion is true or not and whether the information or opinion is recorded in a material form or not.
e. Sensitive Information
Sensitive information under the Act includes:
- personal details about racial or ethnic origin, political or religious beliefs, or membership in political, trade, or professional associations,
- sexual orientation or practices, and criminal records,
- health or genetic information, and
- biometric information and biometric templates.
IV. Obligations for Organisations Under the Privacy Act
A. Lawful Basis Requirements
The Privacy Act does not explicitly use the term "lawful basis". However, the Act sets out the lawful handling of personal information in Section 16, and further bases are implied within the APPs. The Act allows the collection, use, and disclosure of personal information under specific circumstances, including:
- Necessary for Functions or Activities:
  - APP entities may collect personal information when it is directly necessary for their legitimate functions or activities.
  - The Act enables processing to complete or enforce contracts with individuals, such as managing payments or delivering services.
  - Collection must occur through lawful, fair means, and, where reasonable, directly from the individual.
- Permitted General Situations:
  The Act provides for specific situations where the collection, use, or disclosure of personal information is permitted, even without consent, under Section 16A. These include:
  - Preventing Threats to Safety or Health: When it is unreasonable or impracticable to obtain consent, and the APP entity reasonably believes the processing is necessary to prevent or lessen a serious threat to the life, health, or safety of any individual, or to public health or safety.
  - Addressing Unlawful Activity: If the APP entity suspects unlawful activity or serious misconduct related to its functions and reasonably believes the processing is necessary to take appropriate action.
  - Locating Missing Persons: For assisting in locating a missing person, provided the processing complies with Commissioner-made rules.
  - Legal Claims: If reasonably necessary for the establishment, exercise, or defence of legal or equitable claims.
  - Alternative Dispute Resolution: For confidential alternative dispute resolution processes.
- Public Interest:
  Personal information may be processed to support broader societal goals, such as public health, safety, and law enforcement, consistent with permitted general situations.
- Legal Obligations:
  Processing is lawful when required by law or permitted by regulations, ensuring compliance with statutory or regulatory obligations.
- Employment Records Exemption:
  Employers may process employee records directly related to the employment relationship without adhering to the APPs, under the exemption provided in Section 7B(3). While technically an exemption from the APPs rather than a specific lawful basis like consent or contractual necessity, it functions similarly by permitting the handling of employee data without consent in specific contexts. This creates an implicit lawful basis for processing employee data for payroll, performance management, or workplace health and safety tasks.
Additionally, the Act includes specific permitted bases for processing personal information in health situations under Section 16B, such as providing health services or conducting research. It also establishes distinct requirements for handling credit information under Part IIIA of the Act and the Privacy (Credit Reporting) Code 2014 (CR Code), which governs the collection, use, and disclosure of credit-related data by credit providers and reporting bodies.
B. Consent Requirements
The Act emphasizes consent as the primary basis for processing. It must be informed, voluntary, specific, relevant to the context of the data collection, and free from any kind of compulsion, especially for sensitive information, unless a permitted general situation or permitted health situation applies or the organisation is a non-profit entity dealing with its members' sensitive information.
Individuals must understand why their data is being collected, how it will be processed, and whether it will be shared with third parties or abroad.
C. Children’s Privacy
The Australian Senate passed the Privacy and Other Legislation Amendment Bill 2024 (2024 amendment) on 29 November 2024, and it received Royal Assent on 10 December 2024. A key feature of the 2024 amendment is the establishment of the Children's Online Privacy Code (COPC), which strengthens protections for children's online data. This code applies to internet, electronic, and social media services accessed by children, except where specific exemptions apply.
D. Privacy Policy Requirements
Under APP 5, entities that collect personal information must take reasonable steps to notify individuals or ensure their awareness of specific matters at or before the time of collection or as soon as practicable afterward. This applies to both direct collection from individuals and indirect collection from third parties. The notification should be clear and can be delivered through various methods, such as forms, scripts, or layered privacy notices. As per the 2024 amendment, APP entities are required to disclose the use of automated algorithms in decisions significantly affecting individuals' rights or interests, ensuring transparency and accountability. This is subject to a two-year grace period, with an effective date of 10 December 2026.
Considerations for Notification
1. Reasonable Steps
Reasonable steps include considering the sensitivity of the information, potential adverse consequences for individuals, individual needs (like language or accessibility), and practicality, ensuring compliance without undue burden.
2. Exemptions
Notifications may be omitted if the individual is already informed, for recurring data collection, where there are risks to life or public safety, legal restrictions, or if the notification burden outweighs privacy benefits.
Matters to Notify
APP 5.2 specifies the required matters for notification, which may vary based on the context:
- entity identity and contact details,
- facts and circumstances of collection,
- legal basis for collection,
- purpose of collection,
- consequences of non-collection,
- usual disclosures: the entities, bodies, or persons (or types thereof) to which the personal information is usually disclosed,
- information about the entity's APP privacy policy, and
- whether the entity is likely to disclose personal information to overseas recipients and, if practicable, the countries where they are located.
An APP entity must take reasonable steps to ensure that its APP privacy policy is accessible in a suitable format and at no cost. Furthermore, if an individual or organisation requests a copy of the privacy policy in a specific format, the entity must reasonably accommodate and provide the requested format.
E. Security Requirements
APP entities must take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. The APPs, particularly APP 11, set out the security requirements in detail, requiring organisations to implement measures appropriate to the sensitivity of the information they hold.
Additionally, once personal information is no longer needed for the purpose for which it was collected, the Privacy Act requires organisations to securely delete, destroy, or de-identify it.
F. Data Breach Requirements
APP entities must respond swiftly and effectively to data breaches involving personal information. An eligible data breach occurs when personal information held by an APP entity is accessed or disclosed without authorisation, or is lost, and a reasonable person would conclude that this is likely to result in serious harm to the affected individuals.
If an APP entity has reasonable grounds to suspect an eligible data breach, or the Office of the Australian Information Commissioner (OAIC) directs it, it must notify the parties involved through the Notifiable Data Breaches (NDB) scheme. The NDB scheme requires organisations to notify affected individuals and the Commissioner. The Commissioner may obtain documents or information on actual or suspected eligible data breaches.
The notification must describe the breach, the data types compromised, and advice on personal safety measures. APP entities must also quickly minimize the impact and remediate the breach to avoid further damage. Furthermore, the APP entity has to assess whether there are reasonable grounds to believe these events constitute an eligible data breach and act accordingly, ensuring that the assessment is finished within 30 days of the entity’s awareness.
The 2024 amendment allows APP entities to share personal data with authorities and emergency teams to prevent and manage damage during breaches or crises.
G. Privacy Impact Assessment (PIA)
The Privacy Act defines privacy impact assessment as a written assessment of an activity or function that identifies its potential impact on individuals' privacy and sets out recommendations for managing, minimising, or eliminating that impact.
If an agency proposes handling personal information about individuals and the Commissioner believes that the activity or function would significantly affect individuals' privacy, the Commissioner may, in writing, direct the agency to provide a privacy impact assessment.
H. Cross-Border Transfers
The Act also governs the transfer of personal information outside of Australia. Organisations must ensure that any personal information transferred to other countries is safeguarded. They must also make a good-faith effort to ensure that the receiver located abroad complies with the APPs or other comparable privacy laws. Additionally, per the 2024 amendment, personal data can be transferred to countries with privacy laws comparable to Australia’s standards, enhancing cross-border data flow while maintaining robust privacy safeguards.
V. Australian Privacy Principles (APPs)
The Act outlines 13 Australian Privacy Principles (APPs). These are:
| APP | Title | Purpose |
| --- | --- | --- |
| APP 1 | Open and Transparent Management of Personal Information | Organisations must handle personal information in a transparent and straightforward manner. They should provide a clear and accessible privacy policy that outlines the types of personal data collected, how it is obtained, the reasons for processing it, procedures for correcting information, and details on any data shared with foreign entities, including where it is shared. |
| APP 2 | Anonymity and Pseudonymity | Individuals should have the option to engage with organisations anonymously or using a pseudonym unless it is impractical or legally required to do otherwise. |
| APP 3 | Collection of Solicited Personal Information | Organisations should only collect personal information necessary for their operations, ensuring that the process is lawful and fair. Stricter requirements apply to the collection of sensitive information. |
| APP 4 | Unsolicited Personal Information | Organisations that receive unsolicited personal information must assess whether the data could have been obtained under APP 3. If not, the information must be deleted or de-identified. |
| APP 5 | Notification of Collection of Personal Information | When collecting personal information, organisations must inform individuals about their identity, the purpose of the collection, and who may receive the information. |
| APP 6 | Use or Disclosure of Personal Information | Personal information can only be used or shared for the original purpose of collection, except in cases where consent is given or legal obligations apply. |
| APP 7 | Direct Marketing | Organisations must offer individuals a simple way to opt out and may only use or disclose personal information for direct marketing in specific permitted circumstances. |
| APP 8 | Cross-Border Disclosure of Personal Information | Before sharing personal information with overseas recipients, organisations must take reasonable steps to ensure the recipient complies with the APPs or has equivalent protections through contractual obligations. |
| APP 9 | Adoption, Use, or Disclosure of Government-Related Identifiers | Organisations must comply with APP 9 requirements before adopting, using, or disclosing a government-related identifier. In most cases, adopting, using, or disclosing such identifiers is prohibited. |
| APP 10 | Quality of Personal Information | Organisations must take reasonable steps to ensure personal information is accurate, up-to-date, complete, and relevant to the purpose of its use or disclosure. |
| APP 11 | Security of Personal Information | Organisations must take reasonable steps to protect personal information from interference, loss, misuse, unauthorised access, modification, or disclosure. |
| APP 12 | Access to Personal Information | Organisations must provide individuals access to their personal information on request unless specific exceptions apply. |
| APP 13 | Correction of Personal Information | Organisations must take reasonable steps to correct personal information to ensure it is accurate, up-to-date, complete, relevant, and not misleading if requested by an individual. |
VI. Data Subject Rights
The Act provides individuals with the following rights:
A. Right to Access
APP 12 outlines the right to access personal information. Individuals can request that the APP entity provide any information it has on them.
B. Right to Correction
APP 13 outlines the right to correct personal information. Individuals have the right to request that the APP entity correct any information about them that is inaccurate, out of date, incomplete, irrelevant, or misleading.
C. Right to Notification
Individuals have the right to be notified about relevant matters at or before the collection of personal information or, if not possible beforehand, as soon as practicable. Individuals also have the right to be informed if their personal information may be disclosed to overseas recipients and, where practicable, the countries involved.
D. Right to Object (Opt-Out) / Right to Request Not to Receive Direct Marketing
If an organisation uses or discloses personal information for direct marketing or to facilitate direct marketing for others, the individual has the right to request not to receive such communications, to prevent the organisation from using or disclosing their information for this purpose, and to ask the organisation to disclose the source of their information.
E. Right to Withdraw Consent
Organisations must ensure the withdrawal process is straightforward and accessible, clearly explaining any potential consequences, such as losing access to a service. After consent is withdrawn, they can no longer use or disclose the individual's personal information on the basis of the consent previously provided.
F. Right to Anonymity and Pseudonymity
Individuals have the right to engage with organisations anonymously or under a pseudonym, provided it is practical and lawful.
VII. Regulatory Authority
The Office of the Australian Information Commissioner (OAIC) is the regulatory entity responsible for administering the Privacy Act in Australia. It is an independent statutory agency under the Attorney-General's ministry. Additionally, the 2024 amendment increased the OAIC’s enforcement powers to strengthen privacy law compliance.
VIII. Penalties for Non-Compliance
Noncompliance with Australia’s Privacy Act may result in severe fines and other enforcement proceedings, especially if the violation is severe or ongoing. These include:
A. Civil Penalties
The OAIC can seek civil penalties for severe or recurring privacy violations. Following the 2022 amendments, the maximum penalty for serious or repeated violations may be up to AUD 50 million, three times the value of any profit derived from the misuse of the information, or 30% of the organisation's adjusted turnover in the relevant period. Moreover, a penalty of up to AUD 2.5 million may be imposed on individuals who repeatedly violate the APPs or commit a serious breach.
B. Infringement Notices
The OAIC issues infringement notices for violations of privacy requirements, especially substantial or recurrent interferences with privacy. These notices may impose financial penalties on entities that fail to comply with the Act's obligations.
C. Enforceable Undertakings
The OAIC has the authority to accept an enforceable undertaking from an organisation that has violated the provisions of the Privacy Act. This document is a legally binding commitment made by the organisation to undertake certain activities to rectify the violation and ensure compliance in the future. Noncompliance with a legally binding agreement might result in legal proceedings.
D. Injunctions
The OAIC has the authority to seek an injunction from either the Federal Court or the Federal Circuit Court to prevent continuing or future violations of the Privacy Act.
E. Statutory Tort
The 2024 amendment introduced a statutory tort for privacy invasion, empowering individuals to sue for privacy violations and misuse of personal data. The remedies available include injunctions and damages, providing stronger recourse for affected individuals. This is set to commence either on a date to be proclaimed or by 10 June 2025, whichever comes first.
IX. How Can an Organisation Operationalise the Privacy Act
To operationalise the Act, organisations can take the following steps:
- appoint a privacy officer or team to supervise compliance with the Act;
- conduct privacy impact assessments to identify and mitigate privacy risks;
- establish a comprehensive, transparent and accessible privacy policy outlining how personal information is collected, used, stored, and disclosed;
- create and maintain a data breach response plan in compliance with the Notifiable Data Breaches (NDB) scheme;
- implement robust data security measures, such as encryption, access controls, and regular audits, to protect personal information from unauthorized access, disclosure, or loss;
- maintain detailed records of personal information handling practices, including consent obtained from individuals, privacy impact assessments, and responses to data breaches;
- ensure contracts with third-party service providers include privacy and data protection clauses;
- honour data subject access and correction requests; and
- provide regular training to all employees on privacy obligations under the Privacy Act.
X. How Securiti Can Help
Securiti emerges as a pivotal catalyst for organisations seeking to navigate and comply with Australia’s Privacy Act 1988. Securiti’s robust modules fortify organisations against potential cyber threats and ensure alignment with Australia’s stringent data privacy laws.
Securiti is the pioneer of the Data Command Center, a centralised platform that enables the safe use of data and GenAI. Securiti provides unified data intelligence, controls, and orchestration across hybrid multi-cloud environments. Large global enterprises rely on Securiti's Data Command Center for data security, privacy, governance, and compliance.