The Privacy Act, introduced in 1988 and later amended in 2000, is an Australian law that protects the privacy and personal information of individuals living in the country. The law applies to any ‘APP entity’, defined as an agency or organization. The Act sets out the Australian Privacy Principles (APPs) and regulates how organizations must handle certain personal information. The Australian Information Commissioner’s Office (the OAIC) implements the Act and ensures compliance with current legislation regarding the protection of personal data for all individuals living in Australia.

Official text: The Privacy Act 1988.

What is the Privacy Act 1988?

The Australian government established the Privacy Act 1988 at the end of the year 1988. Many later amendments led to the latest comprehensive text of the law. It applies to government agencies and private organizations that deal with the personal information of Australian residents.

The main objectives of the law are:

  • To protect the privacy of individuals.
  • To maintain a sustainable balance between the protection of the privacy of individuals and the interests of entities.
  • To provide guidelines for the regulation of privacy and the handling of personal information.
  • To promote responsible and transparent handling of personal information.
  • To ensure safe and smooth cross-border data transfer.
  • To let individuals complain about any privacy-related interferences or violations.
  • To implement Australia’s international obligation concerning privacy.

Who does the Privacy Act apply to?

The Act applies to all APP entities, such as government agencies and organizations. It governs the handling of personal information by

  • federal agencies and
  • private sectors or organizations that have an annual turnover of more than AUD 3 million.

The Privacy Act defines an organization as “an individual, including a sole trader (except those acting in a personal capacity), a body corporate, a partnership, unincorporated association or a trust.”

The Act does cover small businesses with an annual turnover of AUD 3 million or less if the organization 

  • is a private sector health service provider,
  • sells or purchases personal information,
  • has opted in to the Privacy Act, or
  • is controlled by an entity subject to the Act,

among others (read the full definition here).

What is personal information under the Privacy Act?

The Privacy Act defines ‘personal information’ as any “information or an opinion about an identified individual, or an individual who is reasonably identifiable.” E.g., name, signature, home address, email address, telephone number, date of birth, and bank account details.

Other than that, some special types of information also qualify as personal information and need to be handled specifically:

  • ‘Sensitive’ information means any information or opinion about an individual’s racial or ethnic origin, political opinion, religious beliefs, sexual orientation, criminal record, health information, genetic information, or biometric information.
  • ‘Credit’ information
  • ‘Employee record’ information
  • ‘Tax file number’ information

What are the Australian Privacy Principles?

The Australian Privacy Principles (APPs) explain the requirements and suggestions for APP entities on how to handle personal information, as well as the rights individuals have under the Privacy Act 1988.

Australian Privacy Act Principles

Let us see what each of them means.

#1 Open and transparent management of personal information

Organizations must handle personal information openly and transparently. They must disclose details related to the collection and processing of personal information to the individuals. The Act encourages organizations to maintain an up-to-date privacy policy that informs about:

  • the type of personal information you collect and hold;
  • how you collect and hold the personal information;
  • the purposes of collecting, holding, using and disclosing the personal information;
  • how individuals can request to access and correct the personal information linked to them;
  • how individuals can complain about a breach of the Australian Privacy Principles, and how your organization will deal with it; and
  • whether you share personal information with international organizations and in which countries.

#2 Anonymity and pseudonymity

Individuals have the right to not identify themselves, or to use a pseudonym, except when:

  • the APP entity is required by Australian law for matters related to the concerned individuals, or
  • the entity can’t deal with an individual using a pseudonym.

#3 Collection of Solicited Personal Information

The organization or agency must collect personal information only when it is necessary for its functions or activities. They can only do that by fair and lawful means. Agencies can only collect information if they have an individual’s consent or it is necessary to comply with Australian law. 

If an entity wants to collect sensitive personal information, it must acquire the concerned individual’s explicit consent.

#4 Dealing with unsolicited Personal Information

If an organization receives information without being solicited, it must prove that it could be collected according to Principle 3 if it were solicited. Otherwise, it must destroy or de-identify the information.

#5 Notification of the collection of personal information

An entity must inform individuals at or before the point of collecting the personal information or ensure that the individuals are aware of it. The notification must include:

  • The entity’s identity and contact details.
  • Whether the collection is necessary for compliance with Australian law or a court.
  • All the details that a privacy policy must include.

#6 Use or disclosure of personal information

The entities can use the personal information for a secondary purpose other than the primary purpose if the individual consents to it or the individual expects the entity to use the information for a secondary purpose. 

The exceptions, in this case, include disclosing information to protect the health, safety, or public interest.

#7 Direct marketing

An organization cannot use or disclose personal information for direct marketing unless:

  • the organization collected the information from individuals and they would reasonably expect the organization to use or disclose the information for that purpose; and
  • the organization obtained consent from individuals and allows them to opt out of using their information for direct marketing.

#8 Cross-border disclosure of personal information

An entity must ensure, via contractual obligation, that the overseas organization to which it wants to disclose personal information complies with the Australian Privacy Principles. If the recipient breaches the principles, the entity will also be held responsible for it, except if:

  • the entity believes the overseas organization has an equivalent privacy regulation in its region, or
  • the individual has consented to the disclosure of the information to overseas parties and is aware that the entity is not responsible for the privacy legislation in that region.

#9 Adoption, use or disclosure of government-related identifiers

An entity cannot adopt, use or disclose a government-related identifier of an individual unless it is authorized by Australian law or the identifier verifies the identity of the individual. 

#10 Quality of personal information

An entity must ensure that the personal information that it collects, uses, or discloses is accurate, up-to-date, complete, and relevant.

#11 Security of personal information

An entity must take reasonable measures to protect personal information from misuse, interference and loss, and unauthorized access, modification, or disclosure.

If the information is no longer needed for the purpose for which it was collected or required by Australian law, the entity must destroy or de-identify it.

#12 Access to personal information

An entity must give individuals access to their personal information upon their request, unless:

  • the entity is an agency and the right to access has been refused by the law or court;
  • the organization believes that giving access would pose a threat to the life, health or safety of the individual, or public health or public safety;
  • the organization believes that giving access would interfere with the privacy of other individuals; or
  • it is unlawful.

#13 Correction of personal information

Entities must take reasonable measures upon request by an individual to correct the personal information and ensure that it is accurate, complete, up-to-date, relevant, and not misleading.

They must also notify the other affected entities when the correction is made.

An entity can refuse to correct information for a genuine reason and it must explain it to the individual. 

When and how to report a data breach under the Privacy Act?

The Privacy Act requires organizations to notify the OAIC and affected individuals in the event of an “eligible data breach”.

An “eligible data breach” is when:

  • there is unauthorized access to, or disclosure of, the personal information,
  • the breach is likely to result in serious harm to the related individuals, and
  • the organisation was unable to take remedial action to prevent the serious harm.

The level of harm caused by the breach depends on the type of information, sensitivity, the remedial action taken, or the nature of the breach.

The Act requires organizations to conduct an assessment within 30 calendar days to determine whether an eligible breach has taken place. The notification of the data breach to the OAIC and affected individuals must cover:

  • the name and contact details;
  • description of the data breach;
  • the type of personal information affected;
  • the remedial action undertaken to mitigate the damage; and
  • recommendations about the steps individuals should take.

In case the organizations are unable to notify all affected individuals, they can put up a statement on their website about the details of the breach.

What are the penalties for breaching the Privacy Act principles?

On October 25, 2021, the Australian government aligned privacy and consumer law penalties. The new, increased fine for privacy violations is $2.1 million for serious or repeated breaches of privacy, which can go up to:

  • not more than $10 million,
  • three times the value of any profit gained from the violation, or
  • 10 percent of the entity’s annual Australian turnover.

EU GDPR vs. The Privacy Act, Australia [Infographics]

Steps to comply with the Privacy Act

Following are some best practices for your business website to comply with the Australia Privacy Act:

  • Update your privacy policy and include all the necessary details.
  • Get consent when or before collecting personal information.
  • Ensure that you collect, use and disclose personal information for a lawful purpose, and will not have any other purpose unless it is reasonably expected, required by law or consented to by the individual concerned.
  • Do not collect, use or disclose personal information for direct marketing unless you have consent from the individuals.
  • If your website uses cookies that collect or use personal information, you must inform users about it and get their consent. 

  • Ensure that information you collect is accurate and relevant to the purpose and is not misleading.
  • For cross-border data transfers, ensure that the recipient organization is covered by a privacy legislation equivalent to the Act.
  • Give access to and correct personal information on request of the individuals.
  • Keep the personal information collected safe and protected against breach, theft, unauthorized access or misuse. You must ensure that third-party entities also have equivalent measures to secure the data.

FAQ on the Privacy Act 1988

What is the purpose of the Privacy Act 1988?

The purpose of the Act is to protect the privacy of Australian residents and their rights over their personal information. It provides guidelines for the liable entities on how to handle personal information without interfering with the privacy and rights of the people. 

Who is covered by the Privacy Act 1988?

The Act covers personal information, which means a piece of information or opinion that can be used to identify a person living within Australia. It applies to ‘APP entities’, such as government agencies, organizations with an annual turnover of more than $3 million, and small businesses which are health care providers, handle personal information, have opted in to the Act, or are controlled by an APP entity.

What is in the Privacy Act?

The Australia Privacy Act mainly has guidelines and exceptions for organizations on when and how to handle personal information. It also covers the rights the individuals have over their personal information and the processing related to it. These guidelines are mainly covered by ‘Australian Privacy Principles.’

What are the rights under the Privacy Act?

Following are the user rights under the Act:

  • Right to know about personal information
  • Right to not identify themselves, or to use a pseudonym
  • Right to access your personal information
  • Right to correct personal information
  • Right to complain about an organization or agency if they mishandle personal information