Overview
The Australian Privacy Act 1988, amended most recently through the Privacy Act Review in 2023-2024, governs how organizations handle personal information. At its core are the 13 Australian Privacy Principles (APPs), which establish standards for collecting, holding, using, disclosing, and securing personal information. The Act applies to Australian Government agencies, private sector organizations with annual turnover above $3 million AUD, and specific categories of smaller organizations. The Notifiable Data Breaches (NDB) scheme, introduced in 2018, mandates breach notification to the Office of the Australian Information Commissioner (OAIC) and affected individuals.
The 13 Australian Privacy Principles
| APP | Title | Core Requirement |
|---|---|---|
| APP 1 | Open and transparent management | Maintain and make available a clearly expressed privacy policy |
| APP 2 | Anonymity and pseudonymity | Give individuals the option to interact anonymously where practicable |
| APP 3 | Collection of solicited personal information | Collect only information that is reasonably necessary for your functions |
| APP 4 | Dealing with unsolicited personal information | Determine whether you could have collected unsolicited information; if not, destroy or de-identify it |
| APP 5 | Notification of collection | Notify individuals about what you collect, why, and who you share it with |
| APP 6 | Use or disclosure | Use or disclose personal information only for the primary purpose of collection or a related secondary purpose |
| APP 7 | Direct marketing | Only use personal information for direct marketing with consent or reasonable expectations |
| APP 8 | Cross-border disclosure | Take reasonable steps to ensure overseas recipients comply with the APPs |
| APP 9 | Adoption of government identifiers | Do not adopt government identifiers as your own identifier without authorization |
| APP 10 | Quality of personal information | Take reasonable steps to ensure information is accurate, up-to-date, and complete |
| APP 11 | Security of personal information | Protect personal information from misuse, interference, loss, and unauthorized access |
| APP 12 | Access to personal information | Provide individuals access to their personal information upon request |
| APP 13 | Correction of personal information | Take reasonable steps to correct personal information upon request |
Notifiable Data Breaches (NDB) Scheme
Under the NDB scheme, organizations must notify the OAIC and affected individuals when a data breach is likely to result in serious harm. The assessment must be completed within 30 days of becoming aware of a suspected breach. You must assess the type of information involved, the likely recipients, the nature of the harm that could result, and any steps taken to reduce harm. Notification to the OAIC must include the identity of the organization, a description of the breach, the kinds of information involved, and recommendations for affected individuals. Failure to comply with NDB obligations can result in civil penalties.
Implementation Checklist
- Develop and publish a comprehensive privacy policy covering all 13 APPs
- Conduct a personal information audit to identify what data you collect, store, use, disclose, and destroy
- Implement collection notices that inform individuals about the purpose, type, and handling of their data at or before collection
- Establish processes for handling access and correction requests within 30 calendar days
- Implement reasonable security measures proportionate to the sensitivity of information held
- Develop a data breach response plan with defined roles, assessment criteria, and NDB notification templates
- Review cross-border data transfer arrangements to ensure overseas recipients meet APP requirements
- Conduct Privacy Impact Assessments (PIAs) for new projects or significant changes to data handling practices
- Train employees who handle personal information on APP obligations and breach reporting procedures
- Implement data retention schedules and secure destruction procedures for information no longer needed
- Review third-party contracts to include privacy obligations and breach notification requirements
Privacy Act Review 2023-2024 Changes
The Australian Government accepted or agreed in principle to most recommendations from the Privacy Act Review Report. Key proposed changes include expanding the definition of personal information to cover technical identifiers and inferred information, introducing a fair and reasonable processing requirement, creating a statutory tort for serious invasions of privacy, expanding the NDB scheme, increasing penalties for repeat offenders, and strengthening enforcement powers of the OAIC. Organizations should prepare for these changes as they move through the legislative process.
Penalties and Enforcement
The OAIC can apply to the Federal Court for civil penalties. For serious or repeated interferences with privacy, maximum penalties reach $50 million AUD, three times the benefit obtained from the breach, or 30% of adjusted turnover during the relevant period (whichever is greatest). The OAIC can also issue enforceable undertakings, make determinations requiring compensation to affected individuals, and conduct Commissioner-initiated investigations. Recent enforcement actions have focused on large-scale data breaches, insufficient security practices, and failure to comply with NDB requirements.
Frequently Asked Questions
Does the Privacy Act apply to small businesses?
Small businesses with annual turnover of $3 million AUD or less are generally exempt. However, exceptions apply to businesses that trade in personal information, provide health services, are related to a larger entity, are contracted service providers for the government, or have opted in to coverage. The Privacy Act Review recommended removing the small business exemption.
What constitutes "serious harm" for NDB purposes?
Serious harm includes physical, psychological, emotional, financial, and reputational harm. The OAIC considers factors such as the kind of information involved, its sensitivity, whether it is protected by security measures (like encryption), the nature of the recipients, and the likelihood that harm will occur.
How does the Privacy Act handle employee records?
Employee records held by a current or former employer are exempt from the APPs when the information is directly related to the employment relationship. However, this exemption does not apply to government agencies, and it only covers the employer's use. Once employee information is shared externally, the exemption may not apply.
What are the cross-border transfer requirements?
Under APP 8, before disclosing personal information to an overseas recipient, you must take reasonable steps to ensure the recipient handles it in accordance with the APPs. You remain accountable for any acts or practices of the overseas recipient. Contractual protections, binding schemes, or laws of the recipient's country that are substantially similar to the APPs can satisfy this requirement.
Is a Privacy Impact Assessment mandatory?
PIAs are not currently mandatory for all organizations under the Privacy Act (though they are required for government agencies under certain circumstances). However, the OAIC strongly recommends conducting PIAs for any project involving personal information. The Privacy Act Review recommended making PIAs mandatory for high-risk processing activities.