The Privacy Act 1988 (Cth) is the primary federal statute regulating how personal information is handled by Australian Government agencies and by the private sector organisations it covers. It sets out the rights of individuals and the obligations of regulated entities regarding the collection, storage, use, disclosure, access to and correction of personal information.
The law aims to protect personal privacy while allowing information flows necessary for legitimate business, research and government functions. If your organisation collects customer data—whether for lending, subscriptions, HR or marketing—the Act establishes core legal duties you must follow.
The Act applies to two broad groups:
Government agencies: Australian Government (federal) agencies and the other bodies the Act names. State and territory public sector bodies are generally governed by their own state or territory privacy legislation rather than by the Privacy Act.
Organisations that meet threshold tests. The main test is annual turnover: organisations with turnover of more than $3 million are covered. Smaller organisations are also covered if they carry on certain activities regardless of turnover, for example private sector health service providers, credit reporting bodies, businesses that trade in personal information, and contracted service providers under Commonwealth contracts.
The Act also carves some handling out. The employee records exemption removes most handling of a current or former employee's record by a private sector employer from the APPs, and some state or territory laws apply alongside (or instead of) the Act for particular bodies and records.
To determine whether your organisation is covered, check your turnover, the nature of the data you handle (health, credit, sensitive data) and whether you offer services to or collect data from the public. The OAIC (Office of the Australian Information Commissioner) provides detailed coverage guidance.
Personal information is any information or opinion about an identified individual, or an individual who is reasonably identifiable. Examples include:
Names, addresses, phone numbers and email addresses
Identifiers such as driver licence numbers, tax file numbers and account numbers
Sensitive information (subject to higher protection): health information, race, political opinions, religious beliefs, sexual life, genetic and biometric data
See the personal information guide for a detailed definition.
The APPs (1–13) form the backbone of the Privacy Act. Each principle sets out specific obligations and practical outcomes for how organisations must manage personal information.
APP 1 — Open and transparent management of personal information. You must manage personal information openly and publish a clear privacy policy. Maintain searchable policies and ensure staff understand their privacy responsibilities.
APP 2 — Anonymity and pseudonymity. Where lawful and practical, let individuals interact anonymously or by pseudonym. For example, offer a guest purchase option without requiring a full customer account.
APP 3 — Collection of solicited personal information. Only collect information reasonably necessary for your functions and collect it by fair and lawful means. HR should only collect emergency contact details necessary for employment.
APP 4 — Dealing with unsolicited personal information. If you receive information you did not request, you must determine whether you can keep it or must destroy or de-identify it.
APP 5 — Notification of collection. Tell individuals why you collect their data, how you use it and with whom you might share it. Include a short collection notice at the point of data capture on forms and online checkouts.
APP 6 — Use or disclosure. Use or disclose personal information only for the purpose it was collected, unless an exception applies or you have consent. Do not use customer contact details collected for billing to send unrelated marketing without consent.
APP 7 — Direct marketing. Use personal information for direct marketing only where permitted and provide clear opt-out mechanisms.
APP 8 — Cross-border disclosures. Before sending personal information overseas, take reasonable steps to ensure the overseas recipient will handle it in a way consistent with the APPs; in most cases you remain accountable for what the recipient does with it (s 16C). Add contractual clauses and due-diligence checks, and document these steps in a privacy impact assessment.
APP 9 — Government related identifiers. Do not adopt a government related identifier (such as a tax file number or Medicare number) as your own identifier for an individual, and do not use or disclose one, unless required or authorised by law or another listed exception applies. Generate your own customer IDs instead.
APP 10 — Quality of personal information. Take reasonable steps to ensure personal information you hold is accurate, complete and up to date.
APP 11 — Security. Take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure, and destroy or de-identify it once it is no longer needed for any purpose for which it may be used or disclosed (APP 11.2). In practice: encrypt data at rest and in transit, enforce multi-factor authentication and least-privilege access, and keep access logs that someone actually reviews.
APP 12 — Access. Individuals can request access to their personal information; you must respond within a reasonable time and only refuse in specified circumstances.
APP 13 — Correction. Allow individuals to request corrections; make corrections or add a statement of disagreement where appropriate.
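APP 2, APP 9 and APP 11 meet in one engineering decision: how to key customer records without adopting the tax file number as the key, and how to keep TFNs out of logs and tickets. The example below is added here and is not code from the OAIC or the Act. It uses the published ATO check-digit rule for nine-digit TFNs (weights 1, 4, 3, 7, 5, 8, 6, 9, 10; weighted sum divisible by 11), derives a stable pseudonym with HMAC-SHA256 rather than a bare hash, scrubs checksum-valid TFNs out of free text, and shows why a bare hash is not de-identification for a nine-digit number. The key, the `cust_` token format and the sample ticket line are assumptions; 123456782 is a checksum-valid but made-up TFN.

```python
"""Keyed pseudonymisation and log scrubbing for tax file numbers.

Added example for APP 2, APP 9 and APP 11; not code from the OAIC or the Act.
ASSUMPTIONS: nine-digit TFNs only; the KMS-held key is stood in for by a
random in-process key; the "cust_" token format is ours.
"""
import hashlib
import hmac
import re
import secrets
from typing import Optional

# ASSUMPTION: stands in for a key fetched from a KMS/HSM. Never hard-code it.
DEFAULT_KEY = secrets.token_bytes(32)

# ATO check-digit weights for a nine-digit TFN: the weighted digit sum must
# be divisible by 11. (Eight-digit legacy TFNs are out of scope here.)
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)

# Nine digits, optionally grouped 3-3-3 with spaces or hyphens, as people
# type them into tickets and free-text fields.
TFN_SHAPE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b")


def tfn_check_digit_ok(candidate: str) -> bool:
    """True if the digits in candidate form a checksum-valid nine-digit TFN."""
    digits = re.sub(r"\D", "", candidate)
    if len(digits) != 9:
        return False
    total = sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS))
    return total % 11 == 0


def unkeyed_sha256(tfn: str) -> str:
    """The tempting but wrong approach: hash the TFN with no secret."""
    return hashlib.sha256(re.sub(r"\D", "", tfn).encode("ascii")).hexdigest()


def pseudonymise_tfn(tfn: str, key: bytes = DEFAULT_KEY) -> str:
    """Stable internal identifier derived from a TFN without storing the TFN.

    HMAC, not a bare hash: the TFN space is only 10**9 values, so a plain
    SHA-256 can be reversed by enumeration (see reverse_unkeyed_hash). With
    a secret key the same TFN still maps to the same token, but whoever
    holds only the tokens cannot recover the numbers without the key.
    """
    digits = re.sub(r"\D", "", tfn)
    if not tfn_check_digit_ok(digits):
        raise ValueError("not a checksum-valid nine-digit TFN")
    mac = hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()
    return "cust_" + mac[:24]


def scrub_tfns(text: str, key: bytes = DEFAULT_KEY) -> str:
    """Replace checksum-valid TFNs in free text with their pseudonym.

    Run this over log lines and support tickets before they reach a log
    store, so APP 11 protection does not depend on nobody ever pasting a
    TFN. The checksum filters out other nine-digit numbers; values that
    fail it are left untouched rather than mangled.
    """
    def _replace(match):
        found = match.group(0)
        return pseudonymise_tfn(found, key) if tfn_check_digit_ok(found) else found
    return TFN_SHAPE.sub(_replace, text)


def reverse_unkeyed_hash(digest: str, known_prefix: str = "") -> Optional[str]:
    """Show why an unkeyed hash is not de-identification for a TFN.

    Enumerates every nine-digit value with the given prefix and compares the
    SHA-256. The prefix only keeps this demo to a few thousand hashes; the
    full 10**9 space takes hours in pure Python and seconds with hashcat.
    """
    width = 9 - len(known_prefix)
    for n in range(10 ** width):
        candidate = known_prefix + str(n).zfill(width)
        if hashlib.sha256(candidate.encode("ascii")).hexdigest() == digest:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample line; 123456782 is checksum-valid but made up.
    line = "support ticket: customer quoted TFN 123 456 782, callback 0412345678"
    print(scrub_tfns(line, key=b"k" * 32))
    print("plain SHA-256 recovered:", reverse_unkeyed_hash(unkeyed_sha256("123456782"), "12345"))
```

The pseudonym is a keyed MAC, so rotating the key changes every token; plan for that (re-map under the new key in one job) before you use the token as a primary key. The scrubber deliberately leaves checksum-failing numbers alone so that order numbers and phone numbers are not rewritten; if your threat model prefers false positives, drop the checksum gate and replace every nine-digit group.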
The Notifiable Data Breaches (NDB) scheme (Part IIIC of the Act) requires prompt assessment of suspected breaches and, where an eligible data breach has occurred, notification to the OAIC and to affected individuals.
An eligible data breach exists when:
There is unauthorised access to, or unauthorised disclosure of, personal information the entity holds, or the information is lost in circumstances where such access or disclosure is likely to occur, and
A reasonable person would conclude the access or disclosure is likely to result in serious harm to one or more of the individuals concerned. A breach is not eligible if the entity takes remedial action before any serious harm results and, as a result, a reasonable person would no longer conclude serious harm is likely.
If you suspect a breach, contain it and begin the assessment immediately.
An entity that suspects an eligible data breach must take all reasonable steps to complete its assessment within 30 days of forming that suspicion; once it concludes the breach is eligible it must prepare a statement for the OAIC and notify affected individuals as soon as practicable. There is no other fixed deadline, but the OAIC expects timely decisions and well-documented assessments.
Keep an incident log that records the date and time discovered, who discovered the breach, systems affected, data categories involved, assessment of harm, containment steps, notifications sent and remediation actions taken.
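An incident log is only evidence if you can show it was not edited after the fact. The example below is added here and is not code from the OAIC: it keeps the fields listed above in an append-only, hash-chained log (each entry commits to the hash of the previous one, so editing or deleting a record breaks `verify()`), tracks the 30-day assessment clock from the moment of awareness, and applies the eligible-data-breach test, including the remedial-action exception, to the latest recorded assessment. The incident `INC-2024-0042`, its dates and its details are constructed; the section numbers cited in comments are from the Privacy Act 1988 (Cth).

```python
"""Tamper-evident incident log with the NDB assessment clock.

Added example; not code from the OAIC. ASSUMPTIONS: the sample incident is
constructed; section numbers are from the Privacy Act 1988 (Cth).
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# s 26WH: once an entity suspects an eligible data breach it must take all
# reasonable steps to finish its assessment within 30 days. Notification is
# then due as soon as practicable, so this is the only fixed clock to track.
ASSESSMENT_WINDOW = timedelta(days=30)
GENESIS = "0" * 64  # prev-hash of the first entry


def _digest(entry: dict) -> str:
    """Canonical JSON so the same entry always hashes the same way."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"), default=str)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


class IncidentLog:
    """Append-only log; each entry commits to the hash of the one before it.

    Chaining detects tampering, it does not prevent it: ship entries to
    write-once storage (or a third party) as they are appended.
    """

    def __init__(self, incident_id: str, aware_at: datetime) -> None:
        self.incident_id = incident_id
        self.aware_at = aware_at          # when the entity became aware/suspicious
        self.entries: List[dict] = []

    def assessment_due(self) -> datetime:
        return self.aware_at + ASSESSMENT_WINDOW

    def append(self, event: str, at: datetime, **details) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "incident_id": self.incident_id,
                 "recorded_at": at.isoformat(), "event": event,
                 "details": details, "prev": prev}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """False if any entry was edited, removed or reordered."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or _digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def notification_required(self) -> Optional[bool]:
        """Statutory test on the most recent 'assessment' entry; None if unassessed.

        s 26WE: unauthorised access/disclosure (or loss where that is likely)
        AND a reasonable person would expect serious harm. s 26WF: not eligible
        if remedial action before any harm removes that likelihood.
        """
        assessed = [e for e in self.entries if e["event"] == "assessment"]
        if not assessed:
            return None
        a = assessed[-1]["details"]
        compromised = a.get("unauthorised_access_or_disclosure") or a.get("lost_and_access_likely")
        if not compromised or a.get("remediated_before_harm"):
            return False
        return bool(a.get("serious_harm_likely"))

    def to_jsonl(self) -> str:
        return "\n".join(json.dumps(e, sort_keys=True, default=str) for e in self.entries)


def build_sample_log() -> IncidentLog:
    """Constructed incident covering the fields the page lists for the log."""
    t0 = datetime(2024, 2, 1, 9, 30, tzinfo=timezone.utc)
    log = IncidentLog("INC-2024-0042", aware_at=t0)
    log.append("discovery", t0, discovered_by="SOC analyst (on-call)",
               systems=["crm-db-01"], data_categories=["name", "email", "date of birth"])
    log.append("containment", t0 + timedelta(hours=1),
               steps=["revoked leaked API key", "rotated DB credentials"])
    log.append("assessment", t0 + timedelta(days=3),
               unauthorised_access_or_disclosure=True, lost_and_access_likely=False,
               serious_harm_likely=True, remediated_before_harm=False,
               reasoning="DOB plus email enables account takeover at scale")
    log.append("notification", t0 + timedelta(days=4),
               oaic_statement_sent=True, individuals_notified=12400)
    log.append("remediation", t0 + timedelta(days=10),
               actions=["API keys moved to vault", "alert on bulk exports"])
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("chain intact:", sample.verify())
    print("assessment due:", sample.assessment_due().isoformat())
    print("notify:", sample.notification_required())
    print(sample.to_jsonl())
```

Record the assessment as its own entry with the reasoning spelled out: that entry, not the decision alone, is what the OAIC will ask for when it tests whether your "reasonable person" conclusion was reasonable.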
The OAIC enforces the Privacy Act and has broad powers, including:
Conducting investigations and audits
Issuing determinations ordering remedial action or compensation
Accepting enforceable undertakings (formal commitments to take specific steps)
Conducting public inquiries and issuing guidance
For serious or repeated breaches, the regulator can seek civil penalties through the courts. Consult the consolidated Privacy Act for current penalty amounts.
Individuals who experience a breach can lodge complaints with the OAIC, which may lead to determinations requiring correction, deletion or other remedial steps. In some cases, individuals may seek compensation through the courts.
Recent enforcement trends show the regulator prioritises effective breach response and notification, demonstrable security controls and governance, and transparent remediation measures.
Implement this action-oriented checklist now:
Governance and policy. Publish and maintain a clear privacy policy. Appoint a privacy officer and define roles and responsibilities.
Risk assessment and design. Run a privacy impact assessment for new projects and major system changes. Embed privacy-by-design in procurement and architecture.
Contracts and transfers. Require data processing agreements with vendors and subcontractors. For cross-border transfers, document the reasonable steps you took to ensure overseas recipients will protect personal information.
Security and technical controls. Encrypt sensitive data in transit and at rest. Use multi-factor authentication, least-privilege access and logging and monitoring. Regularly patch systems and conduct vulnerability testing.
Training and culture. Run mandatory privacy and security training for staff, including simulated phishing exercises. Maintain a records retention policy and an archive and deletion schedule.
Incident readiness. Maintain and test a data breach response plan quarterly. Keep an incident log template covering discovery details, scope, assessment, notifications, remediation and lessons learned.
Recordkeeping and evidence. Keep contracts, PIAs, risk assessments, training logs and incident documentation to demonstrate compliance during audits or investigations.
Employee records exemption. Personal information in employee records is generally exempt from the APPs while used in an employment context, though other laws and best-practice privacy protections still apply.
Small business turnover threshold. Most businesses with annual turnover of $3 million or less are exempt unless they provide a health service, trade in personal information, are a credit reporting body, are a contracted service provider under a Commonwealth contract, or meet other specified criteria.
Health information. Treated as sensitive information and subject to additional rules; healthcare providers often have specific obligations under related legislation.
Research and statistical use. The Act provides for certain research exceptions, but de-identification and ethics approvals are critical.
Credit reporting. Regulated by dedicated provisions within the Act; see OAIC guidance for specific rules.
High-profile incidents highlight recurring vulnerabilities and practical lessons.
The 2022 Optus breach demonstrated the importance of authentication and access control on internet-facing customer APIs, segmentation of customer data, not retaining identity documents longer than needed, and timely, accurate public communication.
The 2022 Medibank incident showed the need for multi-factor authentication on remote access, encryption and strict access control over health records, rapid detection, a documented incident response process and a customer support plan for the notification phase.
Key takeaways from these cases: faster detection reduces exposure and harm; clear, accurate notifications reduce downstream harm and regulatory scrutiny; and thorough documentation demonstrates that you took reasonable steps before and after an incident.
Refer to OAIC case pages and media releases for official outcomes and detailed determinations.
You can lodge a complaint with the OAIC after first trying to resolve the issue with the organisation. The OAIC website explains steps and timelines.
Your organisation may be covered. Check the turnover threshold, the nature of the data you handle (health, credit) and whether you offer services to or collect data from the public.
APPs are the Australian Privacy Principles 1–13 that set out privacy obligations for regulated entities.
If the breach is an eligible data breach (likely to result in serious harm), you should notify the OAIC and affected individuals promptly under the NDB scheme.
Yes, but you must take reasonable steps to ensure the overseas recipient will handle the data in compliance with the APPs.
Keep the incident log, assessment materials, containment steps, notification drafts and final notices, vendor communications and remediation plans.
The Privacy Act establishes core obligations for organisations handling personal information, centred on the 13 Australian Privacy Principles. The Notifiable Data Breaches scheme requires prompt assessment and notification when breaches are likely to cause serious harm. Organisations must implement practical controls—governance, training, security, incident response and recordkeeping—to demonstrate compliance. Regular privacy impact assessments and vendor management protect both individuals and your organisation.
Privacy Act 1988 (consolidated): https://www.legislation.gov.au/Details/C2014C00076
OAIC — The Privacy Act: https://www.oaic.gov.au/privacy/privacy-legislation/the-privacy-act
OAIC — Notifiable Data Breaches: https://www.oaic.gov.au/privacy/notifiable-data-breaches
AustLII consolidated act text: https://www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/
This article is general information only and is not legal, tax or financial advice.