Introduction to Australian Privacy Law
Privacy is a fundamental human right, and it is a concept which is very well understood by all of us. It can be described as the right to preserve aspects of our lives from the knowledge of others. It is a right of control over certain private information. Privacy rights and concerns arise each and every day, from concerns about whether a dividing fence is of sufficient height, to personal details being stolen from the server of a company to which you provided those details (think, for instance, of the hacks suffered by Medibank, Optus and Qantas alike).
Without privacy, we would not be able to live any moment of our lives free from the judgment or prying eyes of others.
It was for this reason that we decided to establish Australian Privacy Lawyers, to provide small to medium sized Australian businesses with affordable, quality legal advice on all aspects of privacy law in Australia. For our first article, we have decided to write a detailed introduction to privacy law in the Australian context. We hope you find our overview useful, and if you have any further privacy related questions, or need assistance with a privacy related matter, you can always contact Australian Privacy Lawyers.
The foundations of privacy law in Australia
Privacy law in Australia focuses mainly on the protection of information privacy. This is best understood as the right for certain information to remain private and subject to protections in certain circumstances. Other forms of privacy which have less formal legal protection in Australia include, but are not limited to:
- Territorial privacy;
- Bodily privacy (albeit, certain criminal laws have been enacted to address this);
- Communication privacy.
Most privacy related legal rights in Australia are contained in statutes (that is, legislation) passed by parliament, and those rights have received only limited judicial consideration, on a handful of occasions, in Australia. This is distinct from equity's action for breach of confidence, which has a greater and more concrete recognition in the United Kingdom.
Key legislation in Australia: The Privacy Act 1988 (Cth)
Both the States and Territories, as well as the Federal Government, can legislate with respect to privacy related matters. One example of this is the Victorian Privacy and Data Protection Act 2014 (Vic). However, the main piece of legislation, and the one most commonly known throughout Australia, is a Federal statute named the Privacy Act 1988 (Cth). Individual States and Territories have only legislated with respect to privacy on a limited number of occasions. We will examine those in separate, distinct articles in future.
Origin & scope of the Privacy Act 1988 (Cth)
The Privacy Act 1988 (Cth) (hereinafter, the Privacy Act) was passed by Federal Parliament in 1988, but did not take effect until 1989. It is the main legislation dealing with privacy related matters in Australia, and applies in all States and Territories of Australia, including Norfolk Island since 1 January 2011. It underwent significant changes in the years 2000, 2014 and again in 2024.
The Privacy Act's purpose is to regulate how personal information is collected, stored, used and disclosed by certain entities, including:
- Australian Government agencies;
- Private businesses with a turnover of more than $3,000,000 AUD;
- Specified industry businesses, such as health service providers;
- Credit reporting and consumer credit provider entities;
- TFN recipients – that is, any person who is in possession or control of an Australian tax file number.
Most recent amendments to the Privacy Act
The Privacy Act underwent substantial reforms by way of amendments in 2025, which introduced a statutorily recognised tort of serious invasions of privacy. We have published separately on this, as it is a new law which requires its own article to cover thoroughly.
The definition of personal information
The definition of personal information under the Privacy Act is extremely broad. It includes any information, or an opinion, that could identify an individual. What can constitute personal information is likely to vary depending on the circumstances, and whether a person can be identified or is reasonably capable of being identified from that information. Accordingly, certain information may be personal information in one situation, but not personal information in another situation.
However, good examples of personal information include:
- an individual's name, signature, address, date of birth or phone number;
- sensitive information, such as racial or ethnic origin, religious or political belief, sexual orientation and criminal record information amongst other things;
- credit information;
- employee record information;
- photographs;
- biometric data, such as fingerprints or voice prints; and
- location data, such as GPS records in respect of a person’s mobile phone.
The Australian Privacy Principles
If a particular entity or government agency is covered by the Privacy Act, it will be subject to the Australian Privacy Principles (the APPs), which are a key feature of the Privacy Act.
The APPs comprise 13 individual principles regulating the collection, storage, use and disclosure of personal information. They are, in essence, standards, rights and obligations for handling personal information, and they are designed to ensure transparency, fairness and accountability. We have summarised each of the APPs below:
APP1: Open and transparent management of personal information
APP2: Anonymity and pseudonymity
APP3: Collection of solicited personal information
APP4: Dealing with unsolicited personal information
APP5: Notification of the collection of personal information
APP6: Use or disclosure of personal information
APP7: Direct marketing
APP8: Cross-border disclosure of personal information
APP9: Adoption, use or disclosure of government identifiers
APP10: Quality of personal information
APP11: Security of personal information
APP12: Access to personal information
APP13: Correction of personal information
Each Australian Privacy Principle contains details as to how an APP entity is to handle personal information and what they are to do in certain circumstances, amongst other things.
The Office of the Australian Information Commissioner (the OAIC)
Originally, the Privacy Act established the Privacy Commissioner. However, in 2010 the Federal Government passed the Australian Information Commissioner Act 2010, which established the OAIC and integrated the Privacy Commissioner into the OAIC, along with the Freedom of Information Commissioner.
The OAIC is headed by the Australian Information Commissioner, who is an independent regulator responsible for oversight of, and ensuring compliance with, the Privacy Act. The Commissioner handles privacy complaints, conducts privacy related investigations and promotes awareness of privacy rights, obligations and related issues.
Some of the enforcement powers the Commissioner has include, but are not limited to:
- conducting audits and assessments of APP entities’ privacy practices;
- issuing determinations and enforceable undertakings;
- publishing materials and guides on privacy matters to help APP entities comply with the APPs and the Privacy Act more effectively; and
- imposing civil penalties or otherwise ordering corrective actions.
A brief overview of State and Territory privacy legislation
In addition to the Privacy Act, most States and Territories have passed privacy laws governing their own government agencies, although the application of such legislation varies from jurisdiction to jurisdiction. Some examples include:
- the Privacy and Personal Information Protection Act 1998 (NSW);
- the Privacy and Data Protection Act 2014 (Vic);
- the Information Privacy Act 2009 (Qld);
- the Information Privacy Act 2014 (ACT); and
- the Personal Information Protection Act 2004 (Tas).
Data breach notifications and notifiable data breaches (NDB) scheme
In 2018, the Australian Government introduced the Notifiable Data Breaches scheme. This scheme is an important part of Australia's privacy framework, and requires certain entities which are covered by the Privacy Act and the APPs to notify the OAIC and affected individuals of a data breach in certain circumstances, usually where the breach has been serious or is likely to cause harm.
Ordinarily, a notifiable data breach occurs when personal information is accessed or disclosed without authorisation (usually because a hack has occurred), or where it has been lost and is likely to have been accessed without authorisation.
The future of privacy law in Australia
Whilst Australia's legal framework governing privacy has continued to be monitored and advanced since the introduction of the Privacy Act, it has from time to time experienced difficulty in meeting the expectations of Australians as far as the protection of their privacy is concerned. For that reason, as data becomes more and more centralised, such as in data centres, whether located overseas or in Australia, laws may need to be passed regulating the use of certain specified data protection systems, or their installation.
Need help with privacy law in Australia?
Allen Lawyers provides tailored, effective, appropriate and affordable advice on all aspects of privacy law in Australia. From advising on notifiable data breaches, to the implementation of appropriate privacy policies and the installation of privacy system mechanisms, we can help. If you need help with any aspect of privacy law in Australia, get in touch today. We are able to provide immediate, on the spot privacy advice in most matters, and within a matter of hours. We are here when you need us the most.
Phone: (03) 7020 6563
Email: lee@allenlawyers.com.au
Website: www.allenlawyers.com.au
Disclaimer: This article is general in nature and does not constitute legal advice. Please contact Allen Law for advice tailored to your particular needs and circumstances.