Australia Privacy Act: Business Compliance and Data Handling
Australia's Privacy Act 1988 (Cth) is the primary federal privacy legislation protecting personal information of Australians. Significantly strengthened through the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Act 2021 and the Privacy and Other Legislation Amendment Act 2024, Australia's privacy framework is undergoing its most substantial reform since the introduction of the Australian Privacy Principles (APPs) in 2014.
The 2024 reforms introduced a statutory tort for serious invasions of privacy, significantly increased penalties (now up to $50 million AUD per contravention), expanded the Office of the Australian Information Commissioner's (OAIC) enforcement powers, and added new obligations for data retention, direct marketing, and algorithmic transparency. Understanding both the existing APP framework and the new reforms is essential for any organisation operating in Australia.
Key Takeaways
- The Privacy Act applies to Australian Government agencies and private sector organisations with over $3 million annual turnover (proposals to lower this threshold are part of the ongoing reform programme)
- Thirteen Australian Privacy Principles (APPs) govern collection, use, disclosure, quality, security, access, and correction of personal information
- The Notifiable Data Breaches (NDB) scheme requires notification to OAIC and affected individuals within 30 days of a qualifying breach
- The 2024 reforms introduced: a statutory privacy tort, higher penalties ($50M AUD), direct action rights for individuals, and new children's privacy obligations
- Sensitive information (health, racial origin, biometrics, religion, sexual orientation, etc.) requires explicit consent for collection and use
- Cross-border disclosure restrictions require accountability for overseas recipients of personal information
- The OAIC can conduct audits, accept complaints, and refer serious matters for civil penalty proceedings in Federal Court
- The reforms will introduce a Children's Online Privacy Code for services directed at children
Who Must Comply with the Privacy Act
Coverage Thresholds
The Privacy Act applies to:
Australian Government agencies: All Commonwealth government departments and agencies, plus some state/territory agencies in certain contexts.
APP entities (private sector): Organisations with annual turnover exceeding $3 million in any financial year. This threshold has been a subject of reform discussion — proposals to lower or eliminate the threshold to cover more businesses are ongoing.
Small businesses with specific activities: Regardless of turnover, the Privacy Act applies if the organisation:
- Is a health service provider (including private practice)
- Trades in personal information
- Is a contracted service provider to the Australian Government
- Has opted-in to the Privacy Act
- Operates a residential tenancy database
- Is related to an entity covered by the Act
Extraterritorial scope: The Privacy Act applies to Australian organisations and their overseas activities. Offshore entities without an Australian presence that collect personal information of Australians through an Australian link (e.g., Australian server, Australian business relationship) may also be subject to the Act.
Key Exemptions
- Employee records (for private sector organisations in relation to their employment relationship)
- Journalism and media (registered news organisations regarding journalistic activities)
- Acts done outside Australia by Australian citizens/residents (complex exemption)
- Small businesses below the turnover threshold (with exceptions noted above)
The Australian Privacy Principles (APPs)
The thirteen APPs form the substantive framework for privacy compliance:
APP 1 — Open and transparent management: Have a clearly expressed, up-to-date Privacy Policy. Make it available on request, free of charge.
APP 2 — Anonymity and pseudonymity: Where lawful and practicable, give individuals the option to interact with you anonymously or using a pseudonym.
APP 3 — Collection of solicited personal information: Only collect personal information that is reasonably necessary for your functions. Collect sensitive information only with consent (or in specific circumstances). Collect directly from the individual where reasonably practicable.
APP 4 — Dealing with unsolicited personal information: If you receive personal information you did not solicit and would not have been permitted to collect under APP 3, destroy or de-identify it as soon as practicable.
APP 5 — Notification of the collection: At or before collection (or as soon as practicable after), take reasonable steps to notify individuals of: who you are, how to contact you, whether the collection is required by law, the purposes of collection, consequences of not providing information, who else might receive the information, and how to access/correct it.
APP 6 — Use or disclosure of personal information: Only use or disclose personal information for the primary purpose of collection, a related secondary purpose the individual would reasonably expect, with consent, or under a specific APP 6 exception (required by law, law enforcement, health/safety).
APP 7 — Direct marketing: Must not use or disclose personal information for direct marketing unless conditions are met (provided by the individual, consent for sensitive information, unsubscribe mechanism provided). Individuals can request to opt out.
APP 8 — Cross-border disclosure: Before disclosing personal information to overseas recipients, take reasonable steps to ensure the recipient does not breach the APPs. You remain accountable for the overseas recipient's handling. Disclosure permitted if individual consents or if the recipient is in a country with substantially similar laws.
APP 9 — Adoption, use, or disclosure of government-related identifiers: Restrictions on use of government identifiers (e.g., Medicare number, Centrelink reference) for private sector purposes.
APP 10 — Quality of personal information: Take reasonable steps to ensure that personal information is accurate, up-to-date, and complete before collection, use, or disclosure.
APP 11 — Security of personal information: Take reasonable steps to protect personal information from misuse, interference, loss, and from unauthorised access, modification, or disclosure. Destroy or de-identify personal information when no longer needed.
APP 12 — Access to personal information: Provide individuals with access to their personal information within 30 days, in the format requested where reasonable. Exceptions include cases where access would pose a serious threat, would have an unreasonable impact on the privacy of others, or would be unlawful.
APP 13 — Correction of personal information: Upon request (or on your own initiative), correct personal information that is inaccurate, incomplete, out of date, irrelevant, or misleading. If you refuse to correct, notify the individual and allow them to associate a statement of correction with their record.
Sensitive Information
The Privacy Act defines sensitive information as a subset of personal information requiring a higher standard of protection. Sensitive information includes:
- Health information
- Genetic information
- Biometric information for identification purposes
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Sexual orientation or practices
- Trade union membership
- Criminal record information
- Government-issued identification details
APP 3.3: Organisations may only collect sensitive information if:
- The individual has consented, and collection is reasonably necessary for the organisation's functions; or
- One of eight specific exceptions applies (required by law, preventing serious threat, etc.)
Health information: Receives additional protections — health service providers are covered regardless of turnover, and specific health privacy guidelines issued by OAIC apply.
Notifiable Data Breaches (NDB) Scheme
The NDB scheme (Part IIIC of the Privacy Act) requires APP entities to notify the OAIC and affected individuals about eligible data breaches.
What Is an Eligible Data Breach?
An eligible data breach occurs when:
- There is unauthorised access, disclosure, or loss of personal information held by an entity; and
- A reasonable person would conclude that the access/disclosure/loss is likely to result in serious harm to any of the individuals to whom the information relates
Serious harm assessment: Consider the type of information, its sensitivity, whether the information was protected by security measures such as encryption, who accessed or received it, and the potential harm (financial, physical, psychological, reputational).
Notification Timeline
| Step | Requirement | Timeline |
|---|---|---|
| Become aware of potential breach | Conduct assessment | As soon as reasonably practicable |
| Complete assessment | Determine whether eligible breach | No later than 30 days after becoming aware |
| Notify OAIC | Submit NDB report via OAIC portal | As soon as practicable after forming reasonable belief |
| Notify affected individuals | Direct notification (or public notification if impractical) | At the same time as OAIC notification |
Emergency data breaches — where there is likely to be serious harm and entities are aware of this immediately — should be notified to OAIC and individuals as soon as practicable, not waiting 30 days.
OAIC notification content:
- Entity name and contact details
- Description of the breach
- Categories of individuals affected and approximate number
- Information involved (type and approximate number of records)
- Steps taken or planned in response
The 2024 Privacy Act Reforms
The Privacy and Other Legislation Amendment Act 2024 (enacted November 2024) introduced significant changes. Key reforms include:
Statutory Tort for Privacy Invasion
A new statutory cause of action allows individuals to sue organisations directly for serious invasions of privacy in Federal Court, without requiring OAIC involvement. Remedies include damages (including aggravated and exemplary damages), injunctions, and account of profits. This private right of action significantly increases litigation risk for businesses.
Two types of invasion: (1) Intrusion upon seclusion — physical or electronic intrusion into private affairs; (2) Misuse of private information — collecting, using, or disclosing private information.
An invasion is actionable only if a reasonable person would regard it as highly offensive, and the plaintiff had a reasonable expectation of privacy in the circumstances.
Higher Penalties
The maximum civil penalty for serious or repeated privacy interferences increased to $50 million AUD per contravention (up from $2.22 million). Courts can also order penalties based on three times the benefit gained from the contravention, or 30% of Australian turnover during the contravening period — whichever is highest. These match the highest tier penalties in Australia's competition law.
Expanded OAIC Powers
The OAIC now has:
- Power to conduct own-motion investigations without a complaint
- Infringement notice powers for less serious contraventions
- Powers to seek preliminary discovery and interim injunctions
- Ability to share information with overseas privacy authorities
Children's Online Privacy Code
The 2024 Act creates a framework for a Children's Online Privacy Code — mandatory requirements for online services directed to children (those under 18 who are at a relevant age for the service). The code will impose specific obligations on data minimisation, transparency to parents, and child-appropriate design. Development is ongoing; organisations should monitor OAIC developments.
Direct Marketing Reforms
Enhanced restrictions on direct marketing: individuals can opt out of targeted advertising based on their personal information, including profiling for targeted advertising purposes.
Automated Decision-Making Transparency
New requirements for transparency about significant automated decisions using personal information — organisations must be able to explain the logic of automated decisions with significant effects on individuals.
Cross-Border Disclosure (APP 8)
APP 8 is one of the most misunderstood APPs. When you disclose personal information to overseas recipients:
Default rule: You must take reasonable steps to ensure the overseas recipient does not breach the APPs with respect to that information. You remain accountable for the overseas recipient's handling.
Consent exception: You can disclose across borders without remaining accountable if you have expressly informed the individual that you might share their information with overseas recipients and that you may not be accountable for the overseas recipient's handling — and the individual consents.
Adequacy exception: Disclosure permitted if the OAIC has determined the overseas country has substantially similar privacy protections.
Practical implications for cloud and SaaS:
- If your cloud provider stores data outside Australia, APP 8 applies
- You cannot simply point to the cloud provider's terms — you must take reasonable steps (contractual protections, security assessments)
- If data is stored in multiple international regions, each location is a potential disclosure
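A practical way to act on these three points is to run a residency audit over your cloud asset inventory before a disclosure ever happens. The script below is an added example, not part of the original guide: it walks a constructed inventory and flags every resource that holds personal information and is either homed outside Australia, replicated to a region outside Australia, or provided by an inherently global service such as a CDN. The `AUSTRALIAN_REGIONS` allowlist is an assumption for the example; only `ap-southeast-2` and Australia East are named on this page, so confirm the full list against your provider's current documentation.

```python
"""Data residency audit for APP 8 (added example; not from the original guide).

Walks a constructed inventory of cloud resources and flags every location
that is a potential overseas disclosure: a home region outside Australia,
a replication target outside Australia, or a global service such as a CDN.
"""
from dataclasses import dataclass, field

# ASSUMPTION: regions treated as "in Australia". Only ap-southeast-2 and
# Australia East appear on the page; verify the rest against the provider's
# current region list before relying on this allowlist.
AUSTRALIAN_REGIONS = {
    "aws": {"ap-southeast-2", "ap-southeast-4"},                      # Sydney, Melbourne
    "azure": {"australiaeast", "australiasoutheast", "australiacentral"},
}

# Services whose infrastructure is inherently global (edge/CDN, DNS) are
# flagged regardless of the configured home region.
GLOBAL_SERVICES = {"cdn", "dns"}


@dataclass
class Resource:
    name: str
    provider: str                                   # "aws" or "azure"
    service: str                                    # e.g. "database", "object_storage", "cdn"
    region: str                                     # configured home region
    replicas: list = field(default_factory=list)    # cross-region replication targets
    holds_personal_info: bool = True


def normalise(region: str) -> str:
    """Lower-case and strip spaces so 'Australia East' matches 'australiaeast'."""
    return region.lower().replace(" ", "")


def audit(resources):
    """Return (resource name, reason) findings that need an APP 8 assessment.

    Resources that hold no personal information are skipped: APP 8 is about
    personal information, so a public-asset CDN is out of scope.
    """
    findings = []
    for r in resources:
        if not r.holds_personal_info:
            continue
        allowed = AUSTRALIAN_REGIONS.get(r.provider, set())
        if r.service in GLOBAL_SERVICES:
            findings.append((r.name, f"global {r.service} service; edge locations are outside Australia"))
        elif normalise(r.region) not in allowed:
            findings.append((r.name, f"home region {r.region} is outside Australia"))
        # Each replication target is a separate potential disclosure.
        for target in r.replicas:
            if normalise(target) not in allowed:
                findings.append((r.name, f"replicates to {target}, which is outside Australia"))
    return findings


# Constructed sample inventory (not real infrastructure).
SAMPLE_INVENTORY = [
    Resource("customer-db", "aws", "database", "ap-southeast-2"),
    Resource("customer-db-dr", "aws", "database", "ap-southeast-2", replicas=["us-west-2"]),
    Resource("public-assets", "aws", "cdn", "ap-southeast-2", holds_personal_info=False),
    Resource("member-portal-cdn", "azure", "cdn", "Australia East"),
    Resource("analytics-store", "azure", "object_storage", "East US"),
    Resource("archive", "azure", "object_storage", "Australia Southeast"),
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_INVENTORY):
        print(f"{name}: {reason}")
```

Each finding is a candidate disclosure that needs the APP 8 "reasonable steps" treatment (contractual protections, a security assessment of the recipient, or a documented consent or adequacy basis); a clean run is not evidence of compliance on its own, since the inventory must be complete and the allowlist current.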
OAIC Enforcement and Complaint Process
Complaints pathway:
- Individual makes complaint to the organisation (organisation has 30 days to respond)
- If unresolved or entity fails to respond, individual can complain to OAIC
- OAIC conciliates the complaint; if unresolved, OAIC can investigate
- OAIC can make a determination including ordering compensation
Civil penalty proceedings:
- OAIC refers serious matters to the Federal Court
- Court can impose civil penalties (up to $50 million)
- OAIC can also accept enforceable undertakings
Regulatory investigations:
- OAIC can initiate own-motion investigations
- Can require entities to provide information, attend interviews, produce documents
- Can conduct audits (planned or unannounced)
Notable enforcement actions: OAIC has pursued major cases including Uber Technologies (breach of NDB scheme), RI Advice Group (inadequate security), and the Australian Electoral Commission (APP 11 security failure). The Optus data breach (2022, affecting 9.8 million Australians) and Medibank breach (2022, 9.7 million customers) prompted significant regulatory and legislative attention.
Australia Privacy Compliance Checklist
- Privacy Act applicability confirmed (turnover threshold, specific activities)
- Privacy Policy published, up-to-date, and covers all APPs
- APP 5 notification provided at point of collection (collection notices on all data capture forms)
- Sensitive information identified — consent obtained for collection
- Data minimisation reviewed — only collecting reasonably necessary information
- APP 6 secondary use/disclosure assessment documented
- Direct marketing opt-out mechanism implemented (APP 7)
- Overseas disclosure assessment completed — reasonable steps to ensure recipient APP compliance (APP 8)
- Data security measures implemented and documented (APP 11)
- Data retention and destruction/de-identification policy implemented (APP 11.2)
- Individual access and correction procedures documented (APPs 12, 13)
- NDB response procedure documented and tested (30-day assessment timeline)
- OAIC breach notification template prepared
- Children's data practices reviewed — prepare for Children's Online Privacy Code
- Automated decision-making transparency review conducted
- Staff training on APPs and NDB scheme completed
Frequently Asked Questions
Does the Privacy Act apply to my small business?
Generally, the Privacy Act only applies to private sector organisations with annual turnover exceeding $3 million. However, you may be covered regardless of turnover if you are a health service provider, trade in personal information, are a government contractor, operate a residential tenancy database, or are related to a covered entity. Additionally, state/territory privacy laws may apply to your business activities — particularly in Queensland, NSW, and Victoria for specific sectors.
What counts as "sensitive information" under Australian law?
Sensitive information is a defined category including health information, genetic information, biometric information (for unique identification), racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation or practices, trade union membership, and criminal record information. Collection of sensitive information requires consent and must be reasonably necessary for your functions. Health information receives the most comprehensive protections and additional guidance from OAIC.
What is the 30-day assessment period under the NDB scheme?
When an organisation becomes aware that a data breach may have occurred, it has 30 days to conduct an assessment and determine whether it is an eligible data breach (one likely to result in serious harm). During this 30-day window, organisations should investigate what happened, what information was involved, who was affected, and whether serious harm is likely. If an eligible breach is identified, notification to OAIC and affected individuals must occur as soon as practicable — there is no additional waiting period once the eligible breach determination is made.
How does APP 8 apply when using AWS or Azure in Australia?
If you use AWS or Azure services deployed entirely within Australian data centres (AWS ap-southeast-2 Sydney, Azure Australia East), you may not have an overseas disclosure issue — data stays in Australia. If you use services with global infrastructure (content delivery networks, global replication, support access from overseas), you may be disclosing data overseas. Review your cloud provider's data processing documentation carefully. Many providers offer Australian data residency guarantees and Data Processing Agreements covering APP 8 requirements through contractual protections for overseas sub-processing.
What is the new statutory tort for privacy and how does it affect businesses?
The statutory tort (introduced by the 2024 Privacy Act reforms) creates a direct right for individuals to sue organisations in the Federal Court for serious privacy invasions without going through OAIC. There are two categories: intrusion upon seclusion and misuse of private information. The tort applies where a reasonable person would regard the invasion as highly offensive and the individual had a reasonable expectation of privacy. Potential remedies include compensatory damages, aggravated damages, exemplary damages, injunctions, and account of profits. This significantly increases the litigation risk for businesses handling personal information — class actions are now a realistic prospect for serious data breaches.
Next Steps
Australia's Privacy Act reforms signal a shift toward stronger enforcement, higher penalties, and greater individual rights — more closely aligning with global standards. Whether you are assessing compliance for the first time or updating your programme to account for the 2024 reforms, ECOSIRE's team can help design privacy-by-design systems and compliance processes appropriate for your business.
Disclaimer: This guide is for informational purposes only and does not constitute legal advice. Australian privacy law is subject to ongoing reform. Consult qualified Australian legal counsel for advice specific to your organisation.
Written by
ECOSIRE Team, Technical Writing
The ECOSIRE technical writing team covers Odoo ERP, Shopify eCommerce, AI agents, Power BI analytics, GoHighLevel automation, and enterprise software best practices. Our guides help businesses make informed technology decisions.