Privacy and data protection
This is the 12th chapter of Lander & Rogers’ Guide to Doing Business in Australia.
Previous chapter Exports and imports | Next chapter Real property
Overview of Australian privacy laws
Privacy laws have been enacted by the Federal Government and most states and territories. State and territory privacy laws primarily govern state and territory agencies.
The Privacy Act 1988 (Cth) (Privacy Act) is federal legislation that applies to “APP entities” and regulates the handling of “personal information” about individuals. The Privacy Act is administered by the Office of the Australian Information Commissioner (OAIC).
Amongst other things, the Privacy Act confers on individuals the right to access personal information, reject unwanted direct marketing, correct personal information, and make a complaint to the OAIC regarding a breach of privacy.
What is an “APP entity”?
An “APP entity” is defined under the Privacy Act to mean an “agency” or “organisation”.
Broadly speaking, an “agency” is a federal government department or agency or a body established by or under federal legislation for a public purpose.
An “organisation” is defined broadly to include an individual (e.g. a sole trader), a body corporate, a partnership, any unincorporated association or a trust, that is not a small business operator, a registered political party, an agency, a state or territory authority or a prescribed instrumentality of a state or territory.
The “small business operator” exemption applies to entities with an annual turnover of A$3 million or less, except where the entity:
- is related to a business the Privacy Act covers;
- is a health service provider;
- trades in personal information;
- provides services under a Commonwealth contract;
- operates a residential tenancy database;
- is a credit reporting body;
- is a reporting entity for the purposes of the Commonwealth Anti-Money Laundering and Counter-Terrorism Financing Act 2006;
- has opted in to be covered by the Privacy Act.
What is “personal information”?
Personal information is defined under Section 6 of the Privacy Act to mean: “information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not”.
Examples of personal information include information about a person’s life (such as their name, date of birth, address and contact details), commentary or opinion about a person and a person’s employment details.
Personal information that is considered “sensitive information” is afforded greater protection under the Privacy Act. Sensitive information includes health information, genetic information, biometric information, biometric templates, or information or opinion about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, or criminal record.
Australian Privacy Principles
The Privacy Act establishes 13 Australian Privacy Principles. These principles set out standards, rights, and obligations for the handling, holding, disclosure, use, access, and correction of personal information.
|
|
Australian Privacy Principles |
Summary |
|
Consideration of personal information privacy |
AAP1 Open and transparent management of personal information |
Requires an APP entity to have a clearly expressed and up-to-date privacy policy that is available free of charge. |
|
AAP2 Anonymity and pseudonymity |
Individuals must have the option of not identifying themselves or using a pseudonym. |
|
|
Collection of personal information |
AAP3 Collection of solicited personal information |
Requires an APP entity to collect personal information only where it is reasonably necessary for its functions or activities and by lawful and fair means. Personal information must be collected directly from the individual unless it is unreasonable or impracticable to do so. |
|
AAP4 Dealing with unsolicited personal information |
Outlines how an APP entity should deal with the receipt of unsolicited personal information, including whether the APP entity is entitled to hold that information or whether it must destroy or deidentify the information. |
|
|
AAP5 Notification of the collection of personal information |
Outlines when an APP entity should notify an individual about the collection of information and the requirements of such notification. |
|
|
Dealing with personal information |
AAP6 Use or disclosure of personal information |
Outlines how an APP entity may use or disclose personal information other than government related identifiers. |
|
AAP7 Direct marketing |
Outlines when an APP entity can use or disclose personal information for direct marketing. This APP does not apply to the extent the Commonwealth Do Not Call Register Act 2006 or the Commonwealth Spam Act 2003. |
|
|
AAP8 Cross‑border disclosure of personal information |
Outlines how an APP entity may disclose personal information outside Australia. |
|
|
AAP9 Adoption, use or disclosure of government related identifiers |
Limits the adoption, use and disclosure of government related identifiers. |
|
|
Integrity of personal information |
AAP10 Quality of personal information |
Requires an APP entity to take reasonable steps ensure personal information is accurate, complete and up-to-date. |
|
AAP11 Security of personal information |
Requires an APP entity to take reasonable steps to protect personal information from misuse, inference and loss, and from unauthorised access, modification or disclosure. |
|
|
Access to, and correction of, personal information |
AAP12 Access to personal information |
Requires an APP entity to grant access to personal information and sets out how the entity must deal with access requests. |
|
AAP13 Correction of personal information |
Requires an APP entity to take reasonable steps to correct personal information held and sets out how the entity must deal with correction requests. |
Privacy Act reform
In December 2024 a number of important amendments to the Privacy Act were introduced, including:
- a statutory tort for serious invasions of privacy which empowers an individual to sue another person where that person has invaded the individual’s privacy by intruding upon their seclusion or misusing information relating to them;
- new transparency obligations requiring entities to update their privacy policies to disclose when decisions are made using automated processes (due to come into effect on 20 December 2026);
- obligation on the OAIC to develop and register a code addressing online privacy for children by 10 December 2026;
- a ‘white list’ mechanism for the Government to prescribe countries that provide substantially similar privacy protections to the Australia Privacy Principles, to assist entities to assess whether to disclose personal information overseas;
- new regulatory powers for the OAIC including the power to issue infringement notices and compliance notices; and
- clarification on the ‘reasonable steps’ required to protect the security of personal information under Australian Privacy Principle 11 to include the implementation of technical and organisational measures.
Further privacy reform has also been flagged by the Australian government, intended to continue to bring Australia’s privacy laws more into line with global standards.
Mandatory notification of data breaches
The Privacy Act contains a mandatory data breach notification scheme (Scheme). Under the Scheme, an APP entity is required to notify the OAIC and affected individuals as soon as reasonably practicable if there are reasonable grounds to believe that an “eligible data breach” has occurred.
An “eligible data breach” occurs if the unauthorised access, disclosure or loss of the personal information is reasonably likely to result in serious harm to any of the individuals to whom the information relates.
If an APP entity suspects that an “eligible data breach” has occurred, the APP entity is required to engage in a self-assessment exercise to determine whether the breach is an “eligible data breach”.
The OAIC has prepared a five-part guide in relation to the Scheme which assists APP entities to prepare for and respond to data breaches in line with their obligations under the Privacy Act.
Recent changes to the Privacy Act have set up a framework where the Minister may make a declaration that permits the collection, use and disclosure of personal information that would otherwise not be permitted under the Australian Privacy Principles, where this is necessary to prevent or reduce the risk of harm to individuals in the event of an eligible data breach.
State and territory-based privacy legislation
State and territory privacy laws primarily regulate state and territory agencies, which are generally not governed by the federal Privacy Act. However, in some states, there is also legislation governing the use of health information which applies to both public and private health service providers. For example, in the State of Victoria, the applicable state laws include the Privacy Data and Protection Act 2014 (Vic) and the Health Records Act 2001 (Vic).
Consequences of non-compliance
Amongst other things, the OAIC is empowered to investigate complaints made by individuals, investigate breaches of the Privacy Act on its own volition, accept an undertaking by an APP entity to comply with the Privacy Act, and make determinations requiring an APP entity to perform certain acts or refrain from specified action.
An APP entity may be liable for civil penalties for breaches of the Privacy Act. For example, liability for serious or repeated interferences with privacy can result in civil penalties of up to A$2.5 million for individuals, and for a body corporate, an amount not exceeding the greater of A$50 million, 3 times the value of the benefit obtained from the contravening conduct, or if the value of the benefit cannot be determined, 30% of the body corporate’s adjusted turnover during the breach period.
Spam
The Spam Act 2003 (Cth) (Spam Act) is federal law that prohibits the sending of unsolicited commercial electronic messages with an Australian link.
A message becomes an electronic commercial message when it has a “commercial purpose”. An example of a commercial electronic message can include an SMS.
A message has an Australian link if the message originates or was commissioned in Australia or is sent from outside Australia to an address accessed in Australia.
The Australian Communications and Media Authority administers the Spam Act and accepts complaints, reports, and enquiries about spam with an Australian link.
Do Not Call Register
The Do Not Call Register was established by the Do Not Call Register Act 2006 (Cth) and is administered by the Australian Communications and Media Authority.
The Do Not Call Register is a register of numbers that telemarketers and fax marketers are prohibited from calling. Registration of a number is free and can be completed www.donotcall.gov.au.
The onus is on an organisation in the telemarketing or fax marketing business to monitor whether a number has been registered on the Do Not Call Register. Upon registration of a number into the Do Not Call Register, telemarketers and fax marketers have 30 days to recognise the registration and subsequently refrain from contacting the registered number.
Lander & Rogers' comprehensive guide presents the key considerations for foreign organisations doing business in Australia