What Is the Australia Privacy Act 1988?
Australia’s Privacy Act 1988 is a long-standing federal law that regulates how personal information is handled. Parliament passed major reforms in November 2024 through the Privacy and Other Legislation Amendment Act 2024, which received Royal Assent on 10th December 2024. These reforms implement staged changes through 2026.
The Privacy Act applies to Australian Government agencies, businesses with annual turnover of A$3 million or more, all private health service providers, and some small businesses meeting specific criteria. Importantly, it also applies to international businesses that handle Australian personal information, meaning UK businesses serving Australian customers must comply.
The 2024 reforms significantly strengthen enforcement powers and penalties, introduce a statutory tort for serious privacy invasions, and create new obligations around automated decision-making and children’s online privacy.
Key Definitions
Before diving into the details, here are the key terms you’ll encounter:
- Personal information: Information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not, and whether recorded in material form or not.
- Sensitive information: A subset of personal information that includes health information, genetic information, biometric data, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, and criminal records.
- APP entity: An organisation or agency covered by the Australian Privacy Principles—includes government agencies and businesses with turnover over A$3 million.
- Collection: Gathering, acquiring, or obtaining personal information from any source and by any means.
- Disclosure: Making personal information accessible to others outside the entity, including publishing information.
- Use: Handling personal information within an entity, such as accessing, searching, or making decisions based on the information.
How Does Australia’s Privacy Act Compare to Other Privacy Laws?
Understanding how Australia’s Privacy Act compares to other major privacy frameworks helps organisations operating across multiple jurisdictions. Here’s a detailed comparison:
| Aspect | Australia Privacy Act | EU GDPR | UK GDPR | California CPRA |
|---|---|---|---|---|
| Effective Date | 1988 (major reforms Dec 2024) | May 2018 | January 2021 (post-Brexit) | January 2023 |
| Scope Threshold | A$3 million annual turnover | No revenue threshold | No revenue threshold | $25M revenue, 100K consumers, or 50% revenue from data sales |
| Right to Erasure | Not explicit (under review) | Yes (Article 17) | Yes | Yes |
| Right to Data Portability | Not explicit | Yes (Article 20) | Yes | Yes |
| Right to Opt-Out of Sale | No | No (different approach) | No (different approach) | Yes |
| DPO Required | No | Yes (certain cases) | Yes (certain cases) | No |
| Privacy Impact Assessment | Recommended, not mandatory | Mandatory (high risk) | Mandatory (high risk) | Mandatory (high risk) |
| Breach Notification | “As soon as practicable” | 72 hours | 72 hours | “Most expedient time” |
| Maximum Penalty (Corp) | A$50 million or 30% turnover | €20M or 4% global turnover | £17.5M or 4% global turnover | $7,500 per intentional violation |
| Private Right of Action | Yes (statutory tort from June 2025) | Yes | Yes | Yes (data breaches only) |
Key takeaways from this comparison:
- Australia has caught up on penalties: The 2024 reforms bring Australia’s maximum penalties (A$50 million or 30% of turnover) in line with GDPR-level consequences.
- Rights gaps remain: Unlike GDPR and CPRA, Australia’s Privacy Act doesn’t explicitly provide rights to erasure or data portability—though these are under consideration in future reform tranches.
- Revenue threshold is unique: Australia’s A$3 million threshold means many small businesses are exempt, unlike GDPR which applies regardless of size.
- New statutory tort is significant: From June 2025, Australians can sue directly for serious privacy invasions—a powerful enforcement mechanism.
Who Must Comply?
The Privacy Act applies to organisations conducting business in Australia or handling Australian personal information. You must comply if you are:
- an Australian Government agency;
- a business with annual turnover of A$3 million or more;
- a private health service provider, regardless of turnover; or
- a small business that provides credit reporting services, is a related entity of a larger covered business, or contracts to provide services to a covered entity.
International businesses must comply if they collect or hold personal information in Australia, even if they have no physical presence there. If your UK business has Australian customers and collects their personal information, the Privacy Act likely applies to you.
The A$3 million threshold is significantly lower than most US state privacy laws, meaning the Privacy Act captures far more businesses. Additionally, the threshold applies to overall business turnover, not to the number of individuals whose data you process.
The 13 Australian Privacy Principles (APPs)
The Privacy Act requires compliance with 13 Australian Privacy Principles that govern how you collect, use, store, and disclose personal information. These principles replaced the National Privacy Principles on 12 March 2014 and form the cornerstone of Australian privacy compliance.
The APPs are structured around the personal information lifecycle and grouped into five parts:
Part 1: Consideration of Personal Information Privacy
APP 1 – Open and Transparent Management of Personal Information
Organisations must manage personal information openly and transparently. This requires having a clearly expressed, up-to-date privacy policy that explains what information you collect, why you collect it, how you use it, who you share it with, and how individuals can access or correct their information.
APP 2 – Anonymity and Pseudonymity
Individuals must have the option to interact with your organisation anonymously or using a pseudonym where practicable. You can only require identification where it’s impractical to deal with unidentified individuals or where law requires you to identify them.
Part 2: Collection of Personal Information
APP 3 – Collection of Solicited Personal Information
You may only collect personal information that is reasonably necessary for your functions or activities. Sensitive information has stricter requirements—you generally need consent and must demonstrate the information is reasonably necessary. All collection must be by lawful and fair means.
APP 4 – Dealing with Unsolicited Personal Information
If you receive personal information you didn’t request, you must determine whether you could have collected it under APP 3. If not, you must destroy or de-identify the information as soon as practicable (unless doing so would be unlawful).
APP 5 – Notification of the Collection of Personal Information
At or before the time of collection, you must notify individuals about: who you are and how to contact you, the fact you’re collecting their information, the purposes of collection, the consequences if you don’t collect it, who you usually disclose it to, your privacy policy, and whether you’re likely to disclose it overseas.
Part 3: Dealing with Personal Information
APP 6 – Use or Disclosure of Personal Information
You must only use or disclose personal information for the primary purpose for which it was collected. Secondary uses or disclosures require consent, or the individual must reasonably expect the secondary use and it must be related to the primary purpose (or directly related for sensitive information).
APP 7 – Direct Marketing
You must not use personal information for direct marketing unless specific conditions are met. For information collected directly from the individual, you need either consent or reasonable expectation of direct marketing plus an easy opt-out mechanism. Sensitive information requires explicit consent for marketing use.
APP 8 – Cross-border Disclosure of Personal Information
Before disclosing personal information to an overseas recipient, you must take reasonable steps to ensure the recipient doesn’t breach the APPs. Alternatively, you can rely on the individual’s consent, binding corporate rules, or the recipient being subject to substantially similar privacy protections.
APP 9 – Adoption, Use or Disclosure of Government Related Identifiers
You must not adopt government identifiers (such as Medicare numbers, tax file numbers, or driver’s licence numbers) as your own identifier for individuals. You can only use or disclose these identifiers in specific circumstances permitted by law.
Part 4: Integrity of Personal Information
APP 10 – Quality of Personal Information
You must take reasonable steps to ensure the personal information you collect, use, or disclose is accurate, up-to-date, complete, and relevant to the purpose for which it’s used or disclosed.
APP 11 – Security of Personal Information
You must take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. When information is no longer needed for any purpose permitted under the APPs, you must destroy or de-identify it.
Part 5: Access to, and Correction of, Personal Information
APP 12 – Access to Personal Information
On request, you must give individuals access to their personal information within a reasonable period. You can refuse access in certain circumstances (e.g., if access would pose a serious threat to health or safety, or unreasonably impact others’ privacy), but you must provide reasons for any refusal.
APP 13 – Correction of Personal Information
You must take reasonable steps to correct personal information to ensure it’s accurate, up-to-date, complete, relevant, and not misleading—either on the individual’s request or when you become aware of inaccuracies. If you refuse a correction request, you must provide written reasons.
Individual Rights Under the Privacy Act
Australians have the right to access their personal information held by organisations, request corrections to inaccurate or outdated information, complain to the Office of the Australian Information Commissioner about privacy breaches, and seek compensation through the Commissioner or courts for privacy violations.
Starting 10th June 2025, Australians also have a statutory tort for serious invasions of privacy. This means individuals can sue directly in court for serious privacy violations without needing to go through the Commissioner first. This represents a significant shift, giving individuals a powerful enforcement tool beyond regulatory action.
What Are Your Obligations?
You must maintain an up-to-date privacy policy that clearly explains your information handling practices in plain language. You must provide individuals with the option to deal with you anonymously or using a pseudonym where practicable.
You must collect personal information only when reasonably necessary for your functions and only through lawful, fair, and non-intrusive means. When collecting information directly from individuals, you must notify them about who you are, why you’re collecting their information, who you’ll disclose it to, your privacy policy, and how they can access their information or complain.
You must use or disclose personal information only for the purpose you collected it, unless an exception applies. Direct marketing restrictions specifically limit how you can use information for marketing. Before disclosing information overseas, ensure the recipient will handle it consistently with Australian Privacy Principles.
You cannot adopt government identifiers like tax file numbers as your own identifiers. You must keep personal information accurate, up-to-date, complete, and relevant. You must protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure through appropriate technical and organisational measures.
You must provide individuals access to their personal information within a reasonable period unless an exception applies. If you refuse access, provide reasons. You must correct information when requested or when you identify inaccuracies.
You must have a complaints process and must investigate and respond to complaints within a reasonable period.
By December 2026, you must provide meaningful information about automated decision-making that significantly affects individuals and comply with the Children’s Online Privacy Code when providing online services likely accessed by children.
Training Your Team
Whilst the Privacy Act doesn’t explicitly mandate training, compliance requires staff who understand their obligations. Your programme should cover what personal information your organisation collects, the Australian Privacy Principles relevant to staff roles, how to handle access and correction requests, data breach notification procedures, security practices, and your specific privacy policies.
Customer service teams need training on privacy requests and complaints. IT teams need security and system training. Marketing teams need direct marketing restrictions training. Management needs breach reporting and governance training. Regular refresher training maintains a privacy-aware culture.
For comprehensive privacy training options, see our guide to GDPR training requirements—while focused on GDPR, the fundamental privacy principles apply across jurisdictions.
Enforcement and Penalties
The Office of the Australian Information Commissioner enforces the Privacy Act. The 2024 reforms significantly strengthened enforcement powers and increased penalties.
The Commissioner can now issue compliance notices requiring organisations to take specific actions to remedy breaches. Failure to comply with a compliance notice carries penalties up to A$330,000 for corporations. This provides an alternative to immediate court action.
The new penalty structure has three tiers:
- Low-tier violations: Infringement notices issued directly by the Commissioner
- Mid-tier violations: Non-serious interferences with privacy carry maximum penalties of A$660,000 for individuals or A$3.3 million for companies
- High-tier violations: Serious or repeated contraventions carry maximum penalties of A$50 million, three times the value of any benefit obtained, or 30% of adjusted turnover during the breach period—whichever is greater
These penalties represent a massive increase from previous maximum penalties and bring Australia’s privacy enforcement in line with GDPR-level consequences.
The Commissioner can also seek injunctions, declarations, and orders requiring organisations to implement privacy management programmes or conduct audits.
With the statutory tort in effect since June 2025, individuals can sue directly for serious invasions of privacy. Courts can award damages for financial loss, emotional distress, and harm to reputation. This creates significant liability risk beyond regulatory penalties.
Recent enforcement demonstrates the Commissioner’s active approach. Following the major Medibank data breach in 2022, the Commissioner launched an investigation that resulted in significant scrutiny of data security practices. In 2024, the Commissioner ordered Bunnings to cease using facial recognition technology in its stores, finding the retailer collected sensitive biometric information without adequate notification or consent. These cases signal focus on data breaches, inadequate security, emerging technologies like facial recognition, and transparency failures.
Preparing for Compliance
Determine whether the Privacy Act applies to your organisation. Australian businesses with turnover over A$3 million, health service providers, and international businesses handling Australian personal information must comply.
Review your privacy policy against the Australian Privacy Principles. Ensure it’s comprehensive, current, clearly written, and explains your information handling practices in plain language.
Implement processes for handling access and correction requests, including identity verification, information location, access provision or refusal explanation, correction processing, and response documentation.
Review data security measures. Implement technical safeguards like encryption, access controls, and secure storage. Implement organisational measures including policies, training, incident response procedures, and vendor management.
If you disclose information overseas, review cross-border transfer arrangements and ensure appropriate safeguards like contractual protections or adequacy assessments.
Prepare for December 2026 deadlines for automated decision-making transparency and the Children’s Online Privacy Code. Develop a data breach response plan covering detection, harm assessment, containment, notification, and remediation.
Train your staff on privacy obligations relevant to their roles.
Frequently Asked Questions
Does the Australian Privacy Act apply to my UK business?
Yes, if you collect or hold personal information about Australian residents, even without a physical presence in Australia. The Privacy Act has extraterritorial reach—if your UK business has Australian customers and collects their personal information, you must comply with the APPs.
What’s the difference between the Privacy Act and GDPR?
While both regulate personal information handling, key differences include: GDPR applies regardless of business size while Australia has an A$3 million threshold; GDPR requires Data Protection Officers in certain cases while Australia doesn’t; GDPR explicitly provides rights to erasure and data portability while Australia doesn’t (yet); and GDPR mandates privacy impact assessments for high-risk processing while Australia only recommends them.
What are the penalties for breaching the Privacy Act?
Since the December 2024 reforms, maximum penalties for serious or repeated breaches are A$50 million, three times the benefit obtained, or 30% of adjusted turnover during the breach period—whichever is greatest. Mid-tier violations can attract penalties up to A$3.3 million for companies. Additionally, individuals can now sue directly for serious privacy invasions.
Do I need to appoint a Data Protection Officer?
Unlike GDPR, the Australian Privacy Act doesn’t require appointment of a Data Protection Officer. However, designating someone responsible for privacy compliance is considered best practice, especially for organisations handling significant volumes of personal information.
How quickly must I notify the OAIC of a data breach?
Under the Notifiable Data Breaches scheme, you must notify the OAIC and affected individuals “as soon as practicable” after becoming aware of an eligible data breach (one likely to result in serious harm). This is less prescriptive than GDPR’s 72-hour requirement but still demands prompt action.
What changes are coming by December 2026?
By December 2026, organisations must comply with new requirements for automated decision-making transparency (explaining how automated decisions significantly affect individuals) and the Children’s Online Privacy Code (additional protections for online services likely to be accessed by children). A second tranche of reforms addressing further Privacy Act Review recommendations is also expected.
Where to Get Help
The Office of the Australian Information Commissioner provides comprehensive guidance and resources. Review the Australian Privacy Principles Guidelines for detailed interpretation of each APP.
For international businesses, consult lawyers familiar with Australian privacy law and your jurisdiction’s laws. Privacy consultants can conduct gap assessments and help implement privacy management programmes.
Measured Collective offers privacy training covering universal principles underlying privacy regulations worldwide. The Australian Privacy Principles share common concepts with GDPR, UK GDPR, and US state laws—transparency, data minimisation, purpose limitation, security, accountability.
The 2024 reforms position Australia among the world’s strictest privacy regimes. Significantly increased penalties, new enforcement powers, and individual litigation rights create substantial compliance pressure. Start your compliance efforts now, particularly for December 2026 obligations. The A$50 million maximum penalties make Australian privacy compliance business-critical.
Related Privacy Laws
If you’re navigating privacy compliance across multiple jurisdictions, you may also find these guides helpful:
- California CCPA/CPRA: 101 – What You Need to Know
- Virginia VCDPA: 101 – What You Need to Know
- Indiana CDPA: 101 – What You Need to Know
- GDPR Training Requirements: Who Needs to Do GDPR Training?
Official Sources:
