Data & Privacy · Australia

Comprehensive law: Privacy Act 1988 (Cth), incorporating the 13 Australian Privacy Principles (APPs), administered by the Office of the Australian Information Commissioner (OAIC), as amended by the Privacy and Other Legislation Amendment Act 2024

Australia has a comprehensive, principles-based federal privacy regime under the Privacy Act 1988 (Cth), built around the 13 Australian Privacy Principles that govern the collection, use, storage and disclosure of personal information by Australian Government agencies and private-sector organisations with annual turnover above AU$3 million. The regime is enforced by the OAIC and includes a mandatory Notifiable Data Breaches scheme. A significant reform package — the Privacy and Other Legislation Amendment Act 2024 — strengthened enforcement powers and introduced a statutory tort for serious invasions of privacy (in force 10 June 2025), with further reforms still to be implemented.

Comprehensive principles-based law

The Privacy Act 1988 contains 13 Australian Privacy Principles covering the open and transparent handling, collection, use, disclosure, security, access and correction of personal information. They apply to most Australian Government agencies and to private-sector 'APP entities' with annual turnover of AU$3 million or more.

Supervisory authority

The Office of the Australian Information Commissioner (OAIC) regulates and enforces the Act. Its powers include investigating breaches of the APPs and credit reporting provisions, accepting enforceable undertakings, and seeking civil penalties for serious or repeated interferences with privacy.

Mandatory data breach notification

The Notifiable Data Breaches (NDB) scheme, in force since February 2018, requires regulated entities to notify affected individuals and the OAIC of an 'eligible data breach' — unauthorised access, disclosure or loss of personal information likely to result in serious harm.

2024 reform package

The Privacy and Other Legislation Amendment Act 2024 (No. 128, 2024) received Royal Assent on 10 December 2024, progressing 23 agreed proposals from the Privacy Act Review. It grants the OAIC new infringement- and compliance-notice powers and provides for a Children's Online Privacy Code.

Statutory tort for serious invasions of privacy

Effective 10 June 2025, individuals have a direct right to sue for serious invasions of privacy — either intrusion upon seclusion or misuse of information. Remedies include damages (non-economic loss capped at the greater of ~AU$478,550 or the defamation cap), injunctions and apologies, with defences and exemptions (e.g. journalism, law enforcement).

Individual rights and obligations

Individuals can access and seek correction of their personal information and lodge complaints with the OAIC. Entities must take reasonable steps to secure personal information, handle it for permitted purposes, and meet additional rules for sensitive information, direct marketing and cross-border disclosures.

Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.