Privacy Act

    The foundation of Australia’s national privacy regulatory regime. Regulates how personal information is handled, facilitates the free flow of information outside of Australia and ensures that individuals’ privacy rights are respected and enforced.

    Last Updated: July 30, 2019

  • General

    The Privacy Act 1988 is the foundation of Australia’s national privacy regulatory regime as it regulates how personal information is handled. It provides a basis for a nationally consistent manner of handling personal data, facilitates the free flow of information outside of Australia and ensures that individuals’ privacy rights are respected and enforced.

    The Privacy Act includes thirteen Australian Privacy Principles (APPs), which apply to some private sector organisations, as well as most Australian Government agencies (collectively “APP entities”). The Privacy Act also regulates the privacy component of the consumer credit reporting system, tax file numbers, and health and medical research. Furthermore, the Privacy Act includes the Notifiable Data Breaches (NDB) scheme which outlines requirements for organisations experiencing data breaches – including notification obligations.

  • Lawfulness, Fairness and Nondiscrimination

    The Privacy Act requires organisations to collect personal information only through fair and lawful means. Furthermore, the collection, use and disclosure of personal information must be justified on specific grounds. The Privacy Act also addresses the handling of unsolicited personal information.

    APP 3 outlines when an APP entity can collect personal information that it has asked for. In particular, this APP requires that organizations only collect personal information where it is reasonably necessary or directly related to their functions or activities. Higher standards are applied to the collection of “sensitive information” (see comparison table below); specifically, sensitive information may only be collected with consent, or where a listed exception applies.

    The Privacy Act does not specify an age after which individuals can make their own privacy decisions. However, for consent to be valid, an individual must have the capacity to consent. Where consent is required for an organisation to handle personal information of an individual under the age of 18, the organisation will need to determine on a case-by-case basis whether that individual has the capacity to consent.

    Furthermore, the Privacy Act specifically distinguishes a category of sensitive personal data for which the processing is forbidden unless one of the legal exceptions applies.

  • Transparency and Free Access

    One of the APP principles enshrined in the Privacy Act is the Principle of Transparency, which is based on the requirement for the APP Entities to conduct open and transparent management of personal information.

    The free access principle is reflected in several requirements placed on the APP Entities, mostly involving free access to and availability of the APP Entity’s Privacy Policy, or making personal data available to the individual upon his/her request.

  • Purpose Specification, Use Limitation and Suitability

    One of the Privacy Act’s APP Principles addresses the purpose specification & use limitation principle by limiting the use of personal information to the primary purpose, unless exceptions apply.

  • Data Minimisation, Storage Limitation and Accuracy

    The Privacy Act reflects the Data Minimisation principle at a general level in selected requirements for the APP Entities. For example, APP Entities that are agencies are not to collect personal information (other than sensitive information) unless the information is reasonably necessary for, or directly related to, one or more of the entity’s functions or activities.

    The principle of Accuracy is mirrored in the Privacy Act’s APP Principle focusing on the quality of personal information, which requires the APP entities to make sure that the personal information they collect and disclose is accurate, up-to-date, complete and relevant.

  • Security and Prevention

    Security is one of the APP principles of the Privacy Act. It requires APP entities to take reasonable steps to protect the personal information they hold from misuse, interference and loss, and from unauthorized access, modification or disclosure.

    Related Resources

    Office of the Australian Information Commissioner (OAIC)

  • Accountability and Recordkeeping

    Although Accountability is not expressly recognized as a principle under the Privacy Act, it is reflected in some of the obligations set forth for the APP entities.

    Specifically, the APP entities must take reasonable steps to implement practices, procedures and systems to ensure compliance with the APPs (and any applicable registered APP code) and to enable the individuals’ privacy complaints.

    Furthermore, an APP entity disclosing personal information to a recipient outside of Australia is in most cases accountable for a breach of the APPs by the recipient in relation to the information.

  • Privacy by Design

    One of the Privacy Act’s APP principles, and also the Privacy management framework, adopt a privacy by design approach to privacy protection, where entities are considered better placed to meet their privacy obligations if they embed privacy protections in the design of their information handling practices.

  • Privacy Impact Assessment

    The Privacy Act requires a Privacy Impact Assessment to be performed for many new projects or updated projects involving personal information.

    Also, the Australian Privacy Commissioner may direct an agency to give a Privacy Impact Assessment.

  • Data Subject Rights

    The Privacy Act recognizes a set of rights of the individuals related to the processing of their personal data as well as corresponding obligations of the organisations holding such data to recognize and honor such rights.

    Under the Privacy Act, individuals are allowed to:

    1. know why their personal information is being collected, how it will be used and who it will be disclosed to;
    2. have the option of not identifying themselves, or of using a pseudonym in certain circumstances;
    3. ask for access to their personal information (including health information or credit report);
    4. stop receiving unwanted direct marketing;
    5. ask for their personal information to be corrected; and
    6. make a complaint about an entity covered by the Privacy Act, if it has mishandled their personal information.

  • Cross-Border Data Transfer and Data Localisation

    APP entities that disclose personal information overseas must comply with the related Privacy Act requirements in APP 8. This generally provides that before an APP entity discloses personal information to an overseas recipient, the entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information (exceptions apply). An APP entity that discloses personal information to an overseas recipient is mostly accountable for any acts or practices of the overseas recipient in relation to the information that would breach the APPs.

  • Incident and Breach

    Under the Privacy Act, when an organisation experiences unauthorised access, disclosure, or loss of personal information (a personal data breach), APP entities must, depending on the seriousness of the breach and the success of any mitigation steps, notify the affected individuals and the Australian Information Commissioner of the personal data breach. The notification must cover not only a description of the breach circumstances and scope, but also the steps taken by the organisation and the further steps individuals are advised to take to limit the damage caused to them by the breach.

  • DatabreachPedia


    In Australia, it is mandatory to notify ‘eligible’ personal data breaches which involve unauthorized access, disclosure, or loss of personal information. The Data Notification Breach Scheme – Part IIIC of the Privacy Act 1988 (Cth) – outlines the requirements for notification, whereas ‘eligible’ data breaches involve the likely occurrence of serious harm to individuals as a result of the breach.

    Is it Mandatory to Notify Individuals?


    Is it Mandatory to Notify Regulator?


    Notification Deadline

    As soon as practicable.

    Responsible Regulator

    Office of the Australian Information Commissioner
    Level 3, 175 Pitt Street
    Sydney NSW 2000
    Tel. 1300 363 992
    Fax: +61 2 9284 9666

    Breach Notification Format

    The notification to individuals should contain the identity and contact details of the notifying entity, a description of the eligible breach, the kinds of information involved, and the steps individuals are recommended to take. The Office of the Australian Information Commissioner (OAIC) can be contacted through an online breach notification form.
