
Australian Privacy Act

  • Maximum Fine: AUD $2.22M
  • Scope: National
  • Regulator: OAIC
  • Principles: 13 APPs


Overview

The Privacy Act 1988 regulates how personal information is handled by Australian Government agencies and businesses. It includes the Australian Privacy Principles (APPs), which set out standards for the collection, use, disclosure and management of personal information.

Key Facts

  • Enacted in 1988, major reforms in 2014 and 2018
  • Enforced by the Office of the Australian Information Commissioner (OAIC)
  • Includes Notifiable Data Breaches scheme

Privacy Principles

Collection of Personal Information

Organizations must only collect personal information that is reasonably necessary for their functions.

Requirements

  • Collect only necessary information
  • Use lawful and fair means
  • Notify individuals of collection
  • Obtain consent where required
  • Ensure collection transparency

Examples

  • Privacy collection notices
  • Consent mechanisms
  • Collection procedures
  • Purpose documentation

Use and Disclosure

Personal information must only be used or disclosed for the primary purpose of collection or related secondary purposes.

Requirements

  • Define primary purpose
  • Document secondary purposes
  • Obtain consent for other uses
  • Maintain disclosure records
  • Regular purpose reviews

Examples

  • Purpose statements
  • Disclosure logs
  • Consent records
  • Use registers

Data Quality and Security

Organizations must take reasonable steps to ensure personal information is accurate, up-to-date, and secure.

Requirements

  • Implement security measures
  • Regular accuracy checks
  • Update procedures
  • Access controls
  • Security assessments

Examples

  • Security policies
  • Update procedures
  • Access logs
  • Security reviews

Compliance Requirements

Privacy Policy Requirements

Organizations must maintain a clear and up-to-date privacy policy that meets APP requirements.

Implementation Steps

  • Develop comprehensive privacy policy
  • Include all required disclosures
  • Make easily accessible
  • Regular review and updates
  • Staff training on policy

Required Documentation

  • Privacy policy document
  • Update logs
  • Training records
  • Review schedule
  • Distribution records

Data Breach Response

Organizations must meet mandatory data breach notification requirements under the Notifiable Data Breaches scheme.

Implementation Steps

  • Establish breach response plan
  • Assess breach severity
  • Notify affected individuals
  • Report to OAIC if required
  • Document incident response

Required Documentation

  • Breach response plan
  • Assessment records
  • Notification templates
  • OAIC submissions
  • Incident logs

Overseas Disclosure

Organizations must meet specific requirements before sending personal information outside Australia.

Implementation Steps

  • Assess recipient privacy standards
  • Implement contractual safeguards
  • Obtain consent where required
  • Document transfer arrangements
  • Monitor compliance

Required Documentation

  • Transfer agreements
  • Consent records
  • Assessment reports
  • Compliance logs
  • Monitoring records

Enforcement & Penalties

Civil Penalties

The Office of the Australian Information Commissioner can seek civil penalties for serious or repeated privacy breaches.

Penalty Categories

  • Serious Breaches: up to AUD $2.22M, for corporations, per breach
  • Individual Penalties: up to AUD $444,000, for individuals, per breach
  • Enforceable Undertakings: varies; a legally binding commitment to specific actions

Example Cases

  • Clearview AI: AUD $2.1M (2022), breaches related to facial recognition data collection
  • HealthEngine: AUD $2.9M (2020), disclosure of patient information to insurance brokers

Regulatory Powers

The OAIC has various regulatory powers to address privacy violations.

Penalty Categories

  • Determinations (Compensation Orders): requiring compensation to affected individuals
  • Investigations (Mandatory Compliance): powers to investigate and require changes
  • Assessments (Regulatory Action): privacy practice assessments and recommendations

Example Cases

  • 7-Eleven: investigation (2021), use of facial recognition without consent
  • Facebook: court action (2020), Cambridge Analytica data breach