🇦🇺Privacy Act 1988

AU-PRIVACY-ACT

Office of the Australian Information Commissioner

A law built around accountability, not just principles

The Privacy Act 1988 (Cth) is Australia's foundational federal privacy law. It has been in force since 1989, but understanding what it actually does — and why — matters far more than knowing how long it has been around.

The Act is built around one central idea: if you hold someone's personal information, you are accountable for what happens to it. Not your cloud provider. Not your SaaS vendor. Not the contractor you hired. You. Every obligation in the thirteen Australian Privacy Principles flows from that premise.

Who the Act covers — and who it doesn't

The Act applies to Australian Government agencies and to private sector organisations with an annual turnover of more than AUD $3 million. It also applies to certain smaller organisations regardless of turnover — including health service providers, businesses that trade in personal information, operators of residential tenancy databases, and contracted service providers for Commonwealth contracts. If you handle personal information in any of these categories, you are almost certainly covered.

The Act has two distinct relief mechanisms that are often confused. Permitted general situations under section 16A allow collection, use or disclosure for specific purposes, including lessening or preventing a serious threat to the life, health or safety of any individual, or where the information is reasonably necessary to establish, exercise or defend a legal or equitable claim, but the entity remains fully within scope of every other APP obligation. True exemptions remove certain acts or practices from the Act's reach: personal, family or household affairs; acts by organisations directly related to a current or former employment relationship and an employee record; acts by registered political parties in relation to political activities; and journalism by media organisations that are publicly committed to observe published privacy standards. These exemptions are narrow and fact-specific. Do not assume one applies without checking the specific provision against the facts.

The Act introduces two key roles. The APP entity — whether an agency or organisation — is the body that holds personal information and remains accountable for how it is handled, including when third-party contractors and service providers process it on its behalf. The individual is the person whose information is held, and who has enforceable rights to access and correction. The contracted service provider relationship matters: an organisation that processes personal information under a Commonwealth contract is treated as bound by the APPs in relation to that information, and the accountability chain does not break when the work is subcontracted.

The purpose limitation at the centre of the framework

Under the Act, you can only use or disclose personal information for the purpose for which it was collected — the primary purpose — or for a secondary purpose if specific conditions are met. There is no general legitimate interest override. The framework is simpler than GDPR in structure, but that simplicity creates its own demands.

For non-sensitive information, a secondary use or disclosure is permitted if the individual consents, if the individual would reasonably expect it and it is related to the primary purpose, if the use or disclosure is required or authorised by Australian law or a court order, or if a permitted general situation applies. For sensitive information, which includes health information, genetic information, racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation or practices, criminal record and biometric information, the threshold is higher: absent consent, the secondary purpose must be directly related to the primary purpose, not merely related to it.

Collection itself is also constrained. Agencies may only collect personal information that is reasonably necessary for, or directly related to, their functions or activities. Organisations must collect only what is reasonably necessary for their functions or activities. Sensitive information requires consent as well as necessity, or one of the narrower exceptions. Collection must be by lawful and fair means, and directly from the individual: an agency may collect from a third party only with the individual's consent or where required or authorised by law, and an organisation only where direct collection is unreasonable or impracticable. If you receive unsolicited personal information that you could not have collected under APP 3, you must destroy or de-identify it as soon as practicable, provided it is lawful and reasonable to do so, unless it is contained in a Commonwealth record.

The cross-border accountability trap

Not all entities recognise the full reach of APP 8. Before disclosing personal information to an overseas recipient, an APP entity must take reasonable steps to ensure the recipient does not breach the APPs in relation to that information. Under section 16C, if the overseas recipient does breach the APPs, that breach is taken to have been committed by the disclosing entity. The liability does not travel overseas with the data; it stays with the disclosing entity, which answers for the recipient's conduct as if it were its own.

There are limited exceptions. If the entity reasonably believes the recipient is subject to a law or binding scheme that overall protects the information in a way substantially similar to the APPs, and that the individual can access mechanisms to enforce that protection, the cross-border obligation does not apply. Alternatively, if the entity expressly informs the individual that APP 8.1 will not apply if they consent, and the individual then consents, it can proceed; the OAIC's APP Guidelines treat this as requiring express and informed consent, and a statement buried in a privacy policy or bundled with other terms is unlikely to satisfy it. The regulations may also prescribe countries or binding schemes as approved destinations. Outside these exceptions, the disclosing entity carries the risk.

⚠️ Australia Case — The Overseas Vendor Gap

An Australian health technology company used a US-based analytics platform to process patient engagement data that it treated as de-identified. When a configuration change by the vendor exposed re-identifiable information to the vendor's own staff, the company's initial response was to characterise it as a vendor issue. Under the Privacy Act, that characterisation was wrong on two counts. First, because the data was in fact personal information, APP 8.1 had applied to the original disclosure, and under section 16C the overseas recipient's mishandling was treated as the Australian entity's own act. Second, unauthorised access to identifiable health information engaged the Notifiable Data Breaches scheme, and the company's 30-day window to assess whether an eligible data breach had occurred had been running since it first had reasonable grounds to suspect one, which was the moment the vendor reported the configuration change. The vendor contract had not required prompt breach notification to the Australian entity, so the delay in reporting was the company's problem, not the vendor's. That contractual gap determined the outcome.

Individual rights — and the response obligation

Every individual has the right to request access to personal information held about them, and the right to request correction of information that is inaccurate, out of date, incomplete, irrelevant or misleading. These are operational obligations, not aspirational ones.

On access, the entity must respond and give access to the information: an agency within 30 days of the request, an organisation within a reasonable period. If access is refused, the entity must give written notice of the reasons (except to the extent it would be unreasonable to do so) and of the mechanisms available to complain about the refusal. For organisations there is no fixed statutory timeframe, but an unreasonable delay in responding is itself a ground for complaint to the Commissioner. Agencies may not charge for access. Organisations may charge a fee, but it must not be excessive and must not apply to the making of the request itself.

On correction, if the entity is satisfied that the information is inaccurate, out of date, incomplete, irrelevant or misleading, having regard to the purpose for which it is held, it must take reasonable steps to correct it. If the entity declines to correct, it must give written notice of the reasons and complaint mechanisms, and, if the individual asks, must associate with the record a statement that the individual believes the information is inaccurate, out of date, incomplete, irrelevant or misleading. Where information has been corrected and the entity previously disclosed it to another APP entity, the entity must, if the individual requests, take reasonable steps to notify that recipient of the correction, unless it is impracticable or unlawful to do so. The same timeframes apply as for access: 30 days for agencies, a reasonable period for organisations.

Individuals must be given the option of not identifying themselves, or using a pseudonym, when dealing with an APP entity — unless identification is required by law or is impracticable in the circumstances. This is not a theoretical right: it requires that anonymous transaction pathways actually exist where practicable.

Penalties — real exposure, real process

The Act's enforcement structure operates through the Office of the Australian Information Commissioner (OAIC). The Commissioner can investigate complaints from individuals, conduct own-motion investigations, and initiate assessments of whether an APP entity's practices comply with the APPs. The Commissioner can also direct entities to notify eligible data breaches, accept enforceable undertakings, seek injunctions, and apply to the Federal Court for civil penalty orders.

Civil penalties under the Act are substantial. A serious interference with privacy by a body corporate attracts a maximum penalty that scales with the benefit obtained from the contravention or with the entity's turnover, and the 2024 amendments added lower tiers, expressed in penalty units, for interferences that fall short of the serious threshold and for specified administrative contraventions. Courts can also order compensation for individuals, direct entities to redress harm, require publication of statements about contraventions, and direct entities to cease non-compliant practices. The Commissioner may also issue infringement notices for specified contraventions, including failures to prepare or give a statement about an eligible data breach in accordance with the Act. An entity that complies with a compliance notice is not taken to have admitted the contravention, but the notice itself is a formal regulatory record and non-compliance with it is a separate contravention.

Complaints follow a structured process: the individual complains to the Commissioner; the Commissioner attempts conciliation; if conciliation fails or is inappropriate, the Commissioner may make a determination; determinations are enforceable in the Federal Court. There is also a direct pathway to court for certain civil penalty contraventions, on application by the Commissioner. The Commissioner's investigation powers include the ability to summon persons, require production of documents, and examine witnesses on oath.

Key Provisions

Section 15 and Schedule 1 — APP entities must not act or engage in a practice that breaches an Australian Privacy Principle.

APP 1 — Open and transparent management: maintain a current privacy policy; implement practices, procedures and systems to comply.

APPs 3–5 — Collection framework: collect only what is necessary, by lawful and fair means, with notification at the point of collection.

APP 6 — Use and disclosure confined to the primary purpose of collection, or a permitted exception.

APP 8 and section 16C — Cross-border disclosure accountability: overseas recipient's breach is taken to be the disclosing entity's breach.

APP 11 — Security: reasonable steps to protect personal information from misuse, interference, loss and unauthorised access; destroy or de-identify when no longer needed.

APPs 12–13 — Access and correction rights enforceable by individuals.

Part IIIC — Notifiable Data Breaches scheme: 30-day assessment window; notification to Commissioner and individuals for eligible data breaches.

What this means for you

The Privacy Act is not a policy-drafting exercise. It is an accountability framework. Your checklists tell you what to do. This law tells you why: because you are responsible for every piece of personal information you hold, every system it passes through, and every party you share it with — whether they are in Australia or not. The organisations that treat this as a genuine accountability question, not a compliance tickbox, are the ones that will be ready when the Commissioner starts asking questions.