Global Data Privacy Guide
Australia (Asia Pacific)
Firm: Clayton Utz
Updated: 26 Sep 2025
1. What is the key legislation?
The Privacy Act 1988 (Cth) ("Privacy Act") is the key legislation that governs the way in which business entities and Australian government agencies handle personal information in Australia, mainly through the 13 Australian Privacy Principles ("APPs") contained in Schedule 1 to the Privacy Act. There is also State and Territory privacy legislation, which primarily applies to State and Territory government agencies, but also to the private sector in some circumstances. This guidance relates only to the Privacy Act.
2. What are the key decisions applying that legislation?
Key cases applying the Privacy Act include:
- Facebook Inc v Australian Information Commissioner [2022] FCAFC 9
  The Full Federal Court considered when a company will be taken to be carrying on a business in Australia even when the bulk of its business is conducted elsewhere. The Court clarified that, in relation to international businesses that have little direct contact with Australia, if a company conducts business in a foreign jurisdiction and does acts within Australia as part of that business which are:
  - activities undertaken as a commercial enterprise as a going concern with a view to profit; and
  - carried on, on a continuous and repetitive basis,
  it will be carrying on business in Australia.
- Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4 (known as the "Grubb case")
  The primary issue considered was the meaning of National Privacy Principle ("NPP") 6.1, which provided "[i]f an organisation holds personal information about an individual, it must provide the individual with access to the information on request by the individual…" The National Privacy Principles have since been replaced with the APPs. NPP 6.1 is substantively the same as APP 12.1 as it stands today. The case turned on the role of the words "about an individual" in NPP 6.1. The Court did not accept the Privacy Commissioner's finding that information from which an individual's identity is apparent or can reasonably be ascertained is necessarily about that individual, as this would mean the words "about an individual" have no substantive operation. The Court held that "the words 'about an individual' direct attention to the need for an individual to be a subject matter of the information or opinion" (at [63]). The Court commented that whether information is "about an individual" may depend on how broadly "from the information or opinion" is interpreted: the looser the connection required by the word "from", the more information could potentially be personal information, and therefore the higher the likelihood that the words "about an individual" in NPP 6.1 will exclude some of that personal information from the operation of NPP 6.1 (at [64]). Although NPP 6.1 has now been replaced by APP 12.1, the reasoning in this case can equally apply to the interpretation of APP 12.1.
The regulator, the Office of the Australian Information Commissioner ("OAIC"), can also make determinations which illustrate the way in which it interprets the Privacy Act and APPs.
1. How are “personal data” and “sensitive data” defined?
The relevant concepts under the Privacy Act are "personal information" and "sensitive information". "Personal information" is information or an opinion about an identified individual, or an individual who is reasonably identifiable: whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not.
"Sensitive information" is personal information or an opinion about an individual's:
- racial or ethnic origin;
- political opinions;
- membership of a political association;
- religious beliefs or affiliations;
- philosophical beliefs;
- membership of a professional or trade association;
- membership of a trade union;
- sexual orientation or practices;
- criminal record that is also personal information;
- health information about an individual;
- genetic information about an individual that is not otherwise health information;
- biometric information that is used for the purpose of automated biometric verification or biometric identification; or
- biometric templates.
2. How is the defined data protected?
The ways in which APP entities may collect, use, and disclose personal information are set out in the APPs.
3. Who is subject to privacy obligations?
"APP entities" are required to comply with the Privacy Act, including the APPs. Broadly speaking, APP entities are Australian government agencies, including departments, ministers and statutory bodies (as distinct from State and Territory government agencies), and private sector organisations that collect personal information.
An "organisation" is an individual (including a sole trader), a body corporate, a partnership, any other unincorporated association or a trust, unless it has an annual turnover of AUD 3 million or less. Private sector organisations are generally subject to the Privacy Act if they have an annual turnover exceeding AUD 3 million.
4. How is “data processing” defined?
There is no concept of "data processing" in the Privacy Act. Rather, the concepts of "collection", "holding", "using" and "disclosing" are used.
An APP entity "collects" personal information only if it collects the information for inclusion in a record or a generally available publication. An APP entity "holds" personal information if it has possession or control of a record that contains the personal information. "Collect" and "hold" are defined in the Privacy Act.
"Use" and "disclose" are not defined in the Privacy Act; however, guidance from the OAIC provides some insight into the meaning of these terms:
- an entity "uses" personal information when it handles or manages that information within its effective control, including when an entity accesses and reads personal information, searches records for personal information, or makes a decision based on personal information; and
- an entity "discloses" personal information when it makes the information accessible and visible outside of the organisation and releases the subsequent handling of the personal information from its effective control.
5. What are the principles applicable to personal data processing?
APPs that relate directly to the "collection", "holding", "use" and "disclosure" of personal information are:
- APP 3, which deals with the collection of solicited personal information;
- APP 5, which sets out notification obligations when personal information is being collected;
- APP 6, which deals with the use and disclosure of personal information that an APP entity holds;
- APP 7, which deals with the use of personal information for the purposes of direct marketing; and
- APP 8, which deals with cross-border disclosure of personal information.
6. How is the processing of personal data regulated?
Please refer to our response to question 5, "What are the principles applicable to personal data processing?"
7. How are storage, security and retention of personal data regulated?
APP 11 deals with the security and retention of personal information and requires APP entities to:
- take active measures to ensure the security of the personal information they hold, and actively consider whether they are permitted to retain personal information;
- take reasonable steps to protect personal information from misuse, interference and loss, as well as unauthorised access, modification, or disclosure; and
- destroy or de-identify personal information they hold once that information is no longer needed for any purpose for which it may be used or disclosed by the APP entity. This requirement does not apply where the personal information is contained in a Commonwealth record or where the APP entity is required by law or a court/tribunal order to retain the personal information.
8. What are the data subjects' rights under the data legislation?
Individuals are entitled to:
- make a complaint about a breach of the APPs or a registered APP Code (if any) that binds the APP entity;
- have the option of not identifying themselves, or of using a pseudonym, when dealing with an APP entity in relation to a particular matter;
- be given access to their personal information that an entity holds, except where the APP entity is an agency or is authorised to refuse to give the individual access, or in other limited circumstances where the APP entity is an organisation. If an APP entity refuses to give an individual access to their personal information, it is required to provide written reasons to the individual; and
- request that their personal information that is held by an APP entity is corrected if it is inaccurate, out of date, incomplete, irrelevant or misleading. If an APP entity refuses to correct the information, it must provide the individual with written reasons.
9. What are the consent requirements for data subjects?
APP 3 requires an APP entity to obtain the consent of an individual whose sensitive information it wishes to collect. In addition, an APP entity must only collect sensitive information in limited circumstances, including where the information is reasonably necessary for one or more of the entity's functions or activities. APP 3.6 provides that an APP entity may collect personal information from someone other than the individual in limited circumstances, including where the individual consents.
APP 6 provides that an APP entity may use or disclose personal information for a purpose other than the purpose for which it was collected in limited circumstances, including where the individual has consented.
APP 7 provides that consent may also be required if an APP entity wishes to use an individual's personal information for the purpose of direct marketing. However, consent will not be required if it is not practical to obtain that consent. There are other criteria that must be satisfied before an APP entity can use personal information for direct marketing, which are set out in our response to question 16 below. Consent is also required in order for an APP entity to use or disclose sensitive information for the purpose of direct marketing.
APP 8 provides that an APP entity may disclose personal information overseas if the individual whose personal information is being disclosed has provided their consent after being informed that the protections under APP 8.1 will not apply to them once that information is disclosed.
10. How is authorization for use of data handled?
APP 6 provides that personal information collected for a primary purpose must not be used or disclosed for a secondary purpose unless the individual has consented, or an exception applies. Exceptions are limited and include where the individual would reasonably expect the use or disclosure for a purpose related to (or directly related to, in the case of sensitive information) the primary purpose for which the information was collected, or where the use or disclosure is required or authorised by law.
11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers?
APP 8 and s 16C of the Privacy Act create a framework for the cross-border disclosure of personal information. APP 8.1 requires APP entities to take reasonable steps to ensure that the overseas recipient does not breach the APPs (excluding APP 1) in relation to the information.
APP 8.1 does not apply if the APP entity reasonably believes that the overseas recipient is subject to a law or binding scheme that provides substantially similar protection to the APPs, and there are accessible mechanisms for individuals to enforce those protections. Additionally, as noted in our response to question 9 above, the requirement is waived if the individual consents to the disclosure after being informed that the protections under APP 8.1 will not apply to them once that information is disclosed. Other exceptions include disclosures required or authorised by Australian law or a court/tribunal order, or where certain permitted general situations exist. In practice, however, APP entities generally implement data transfer agreements with the overseas recipient of the personal information, which require the recipient to comply with the APPs (other than APP 1).
Under section 16C of the Privacy Act, if an overseas recipient breaches the APPs, the APP entity may be held accountable for the breach as if it had occurred within Australia.
12. How are data "incidents" and "breaches" defined?
In Australia, the relevant concept is an "eligible data breach". An eligible data breach occurs when:
- there is unauthorised access to, or unauthorised disclosure of, personal information, and a reasonable person would conclude that this access or disclosure is likely to result in serious harm to any of the individuals to whom the information relates; or
- personal information is lost in circumstances where unauthorised access or disclosure is likely to occur, and a reasonable person would conclude that such access or disclosure would likely result in serious harm to the individuals concerned.
However, there will not be an eligible data breach if the entity has taken action in relation to the access or disclosure before the access or disclosure results in serious harm to any of the individuals to whom the information relates, and as a result of that action, a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of the individuals.
13. Are there any notification requirements for incidents and/or data breaches?
If an entity has reasonable grounds to suspect that there may have been an eligible data breach, and is not aware of reasonable grounds to believe that the circumstances amount to an eligible data breach, it must carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach. The entity must take all reasonable steps to carry out this assessment within 30 days.
If the entity has reasonable grounds to believe there has been an eligible data breach, it must prepare a statement to the OAIC and impacted individuals as soon as practicable after the entity becomes aware of the eligible data breach.
The OAIC is notified through an online form. Impacted and at-risk individuals may be notified individually (if it is practicable for the entity to do so). If that is not practicable, the statement may be published on the entity's website, or the entity may take reasonable steps to publicise the contents of the statement.
14. Who is/are the privacy regulator(s)?
The regulator overseeing the Privacy Act is the OAIC.
15. What are the consequences of a data breach?
From December 2024, if a written statement does not comply with the content requirements under the Privacy Act, an entity could be subject to a civil penalty. While the eligible data breach regime is not otherwise directly subject to civil penalties, the OAIC could apply for a civil penalty order for other civil penalty provisions, such as a serious or repeated interference with privacy.
The maximum civil penalty for bodies corporate is the greater of:
- AUD 50 million;
- three times the value of the direct or indirect benefit the body corporate obtained as a result of the eligible data breach (if the court can determine this); and
- 30% of the company's adjusted turnover during the breach turnover period.
For individuals, the maximum civil penalty is AUD 2.5 million.
The OAIC has several enforcement powers to respond to an interference with privacy, including accepting an enforceable undertaking, making a determination, seeking an injunction to prevent ongoing activity or recurrence, or applying to court for a civil penalty order for a breach of a civil penalty provision, which includes a serious or repeated interference with privacy.
In December 2024, mid-range civil penalties of up to 10,000 penalty units for bodies corporate or 2,000 penalty units for individuals (by operation of the Regulatory Powers (Standard Provisions) Act 2014 (Cth) ("Regulatory Powers Act")) were introduced for interferences with privacy which lack the "serious" element.
16. How is electronic marketing regulated?
Electronic marketing in Australia is primarily regulated under the Spam Act 2003 (Cth) ("Spam Act"). The Spam Act establishes a framework to control the sending of commercial electronic messages, such as emails and text messages, and aims to reduce unsolicited communications while protecting consumers and businesses. The Spam Act prohibits the sending of unsolicited commercial electronic messages that have an Australian link unless the recipient has provided consent. APP 7 (direct marketing) only operates to the extent that the Spam Act does not (i.e., it would apply in relation to direct marketing by way of mail).
The Telecommunications Act 1997 ("Telecommunications Act") contains a number of provisions that deal with personal information held by carriers, carriage service providers, and others. A "carrier" is a holder of a carrier licence granted under s 56 of the Telecommunications Act. A "carriage service provider" is a person who supplies a listed carriage service to the public using by a network unit owned by one or more carriers, or a network unit in relation to which a nominated carrier declaration is in force. There are also a number of voluntary codes that have been enacted under the Telecommunications Act.
Part IIIA of the Privacy Act sets out specific obligations for credit reporting bodies and credit providers. The Privacy (Credit Reporting) Code 2024 supplements Part IIIA of the Privacy Act and the Privacy Regulation 2013 (Cth), and is a mandatory code that applies to credit providers and credit reporting bodies.
The Privacy (Australian Government Agencies – Governance) APP Code 2017 provides that Australian Government agencies (excluding Ministers) are required to:
- appoint a Privacy Officer, or Privacy Officers, and ensure that particular Privacy Officer functions are undertaken; and
- appoint a senior official as a Privacy Champion to provide cultural leadership and promote the value of personal information.
There is no express requirement for an APP entity that is an organisation to appoint a Data Protection Officer or a similar role. However, the OAIC considers doing so to be best practice.
APP 11.2 requires APP entities to take reasonable steps to either destroy or de-identify personal information when that information is no longer needed for any purpose for which it may be used or disclosed by the entity, unless the information is contained in a Commonwealth record or the entity is required by Australian law or a court/tribunal order to retain the information.
In Australia, the equivalent of a Data Protection Impact Assessment is a Privacy Impact Assessment ("PIA").
It is not mandatory for private sector APP entities to provide PIAs; however, the Commissioner may direct an agency to give a privacy assessment.
To the extent that an APP entity discloses personal information to third parties, this should be disclosed in its public-facing Privacy Policy (which must comply with the content requirements set out in APP 1.4) and privacy collection notices (which must comply with the content requirements set out in APP 5).
To the extent that personal information is disclosed overseas, please refer to our response to question 11.
In addition to the penalties set out in our response to question 15, from December 2024, the following matters attract a civil penalty of up to 200 penalty units for individuals and 1,000 penalty units for bodies corporate (by operation of the Regulatory Powers Act):
- failure to have a clearly expressed and up-to-date privacy policy;
- not including the content requirements set out in APP 1.4 in the privacy policy;
- not giving individuals the option to not identify themselves, or to use a pseudonym, when dealing with an APP entity;
- not making a written note when personal information is used or disclosed by an APP entity because the entity reasonably believes that the use or disclosure is reasonably necessary for one or more enforcement-related activities conducted by, or on behalf of, an enforcement body;
- not providing a simple means for individuals to opt out of direct marketing communications;
- not drawing to an individual's attention their ability to opt out of direct marketing communications;
- not giving effect to an individual's request to unsubscribe from direct marketing communications in a reasonable period;
- not providing an individual with the source of their personal information that has been used or disclosed for the purposes of direct marketing if the individual has so requested it;
- not responding to requests by individuals for a correction of their personal information held by an APP entity, or, if the APP entity refuses to make that correction, not responding to a request by the individual to associate with their personal information a statement that the information is inaccurate, out of date, incomplete, irrelevant or misleading, within:
  - 30 days of the request (if the APP entity is an agency); or
  - a reasonable period (if the APP entity is an organisation);
- charging a fee to the individual to make any request referred to in the above bullet point; and
- preparing a statement in relation to a notifiable data breach that does not comply with the content requirements contained in the Privacy Act.
As of 16 September 2025, one penalty unit is AUD 300. The Commissioner can also issue infringement notices for the above breaches.
The Privacy Act also includes a statutory tort for serious invasions of privacy, which allows individuals to take action against organisations or individuals. Courts may award total damages for non-economic loss up to the greater of AUD 478,550 and the maximum amount of damages for non-economic loss that may be awarded in defamation proceedings under Australian law. Courts also have discretion to grant additional remedies, including an account of profits, injunctive relief, orders for apologies or corrections, orders for the destruction or delivery of material obtained or misused during the invasion of privacy, and to make declarations that a defendant has seriously invaded the plaintiff's privacy.
There are no express audit requirements for APP entities under the Privacy Act. APP 1.2 generally requires APP entities to take reasonable steps to implement practices, procedures and systems that ensure the entity complies with the APPs and any binding registered APP Code, and is able to deal with related inquiries and complaints.
Credit reporting bodies are required to ensure that regular audits are conducted of certain agreements with credit providers by an independent person.
From 11 December 2025, APP entities' privacy policies will need to include information about automated decision-making processes.
Powers for the Governor-General to declare a "whitelist" of countries with equivalent privacy protections to Australia were introduced in December 2024, with a view to facilitating overseas disclosures of personal information. So far, no whitelist has been announced. It is therefore possible that this whitelist will be introduced in the future.