What is the Australian Privacy Act?
The Australian Privacy Act 1988 (Cth), commonly referred to as the Privacy Act, is the primary legislation governing the protection of personal information in Australia. It establishes how government agencies and private sector organizations collect, use, store, and disclose personal information, and grants individuals the right to access and correct their data.
The Privacy Act applies to Australian Government agencies, private sector organizations with an annual turnover of AUD 3 million or more, and certain smaller entities such as health service providers, credit reporting bodies, and contracted service providers to government agencies. It is administered and enforced by the Office of the Australian Information Commissioner (OAIC).
At the core of the Act are the 13 Australian Privacy Principles (APPs), which together form a comprehensive privacy framework covering governance, transparency, collection, use and disclosure, data security, access, correction, and cross-border data transfers.
Over time, the Act has been expanded to address technological change and evolving privacy risks. Key developments include:
- Notifiable Data Breaches (NDB) Scheme (2018), which requires organizations to notify the OAIC and affected individuals of data breaches likely to result in serious harm.
- Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, which significantly increased maximum penalties for serious or repeated privacy breaches to the greater of AUD 50 million, three times the value of the benefit obtained, or 30 percent of adjusted turnover.
- Ongoing Privacy Act Review (2024), a comprehensive reform initiative proposing enhanced consent standards, increased individual rights including a direct right of action, and the introduction of a Children’s Privacy Code for online services.
The Privacy Act also operates alongside related legislation, including the My Health Records Act 2012, the Telecommunications Act 1997, the Consumer Data Right (CDR) framework, and offences under the Criminal Code Act 1995. Together, these instruments form Australia’s national privacy and data protection regime, broadly aligned with international frameworks such as the EU GDPR and OECD Privacy Guidelines.
What are the requirements for the Australian Privacy Act?
Compliance with the Privacy Act is principle-based rather than certification-based. There is no formal application or approval process. Instead, organizations must be able to demonstrate that they take reasonable steps to comply with the Australian Privacy Principles and related statutory obligations.
Core requirements include:
- Governance and accountability, including appointing a Privacy Officer or equivalent role and implementing a Privacy Management Plan.
- Transparency, through a clearly expressed and up-to-date Privacy Policy describing how personal information is handled (APP 1).
- Collection and consent controls, ensuring that only information reasonably necessary for business functions is collected, and that sensitive information is handled with consent or lawful authority (APP 3).
- Use and disclosure limitations, restricting processing to the original purpose or a permitted secondary purpose (APP 6 and APP 7).
- Overseas disclosures, where reasonable steps must be taken to ensure overseas recipients do not breach the APPs, or informed consent must be obtained (APP 8).
- Data quality and security, including accuracy, currency, and protection against misuse, loss, and unauthorized access (APP 10 and APP 11).
- Individual rights, ensuring access to and correction of personal information (APP 12 and APP 13).
- Notifiable Data Breaches compliance, including breach assessment, notification, and record keeping under Part IIIC of the Act.
Common supporting evidence includes:
- Privacy Management Plan
- Public Privacy Policy
- Privacy Impact Assessments for high-risk projects
- Data Breach Response Plan and breach register
- Privacy training records
- Complaint handling logs
- Vendor privacy assessments and contractual clauses
The Office of the Australian Information Commissioner (OAIC) is the regulator responsible for oversight and enforcement. The OAIC may investigate complaints, conduct own-motion investigations, issue determinations, accept enforceable undertakings, and seek civil penalties for serious or repeated breaches.
Why should you be Australian Privacy Act compliant?
Compliance with the Australian Privacy Act is both a legal obligation and a critical governance requirement for organizations that handle personal information.
Benefits of compliance include:
- Reduced regulatory and enforcement risk
- Stronger trust with customers, employees, and partners
- Improved data governance and breach preparedness
- Greater readiness for audits, due diligence, and procurement requirements
- Alignment with international privacy expectations and standards
Risks of non-compliance include:
- Significant civil penalties, including fines of up to AUD 50 million for serious or repeated breaches
- Regulatory investigations and enforceable undertakings
- Mandatory remediation programs and ongoing oversight
- Reputational damage following public breach notifications
- Loss of business opportunities where privacy compliance is a prerequisite
Maintaining compliance with the Australian Privacy Act 1988 enables organizations to demonstrate accountability, protect individuals’ rights, and manage privacy risk effectively in an increasingly data-driven environment.
How to achieve compliance?
Compliance with the Australian Privacy Act requires organizations to demonstrate accountability, transparency, and effective handling of personal information across its lifecycle. Centraleyes helps organizations translate these legal requirements into structured, manageable, and ongoing compliance activities.
With Centraleyes, organizations can assess their alignment with the Australian Privacy Principles through guided questionnaires mapped directly to the Privacy Act. The platform helps identify gaps, clarify responsibilities, and track remediation actions in one centralized environment.
Key privacy artifacts such as privacy policies, breach response plans, training records, PIAs, and complaint logs can be linked directly to relevant controls, creating a clear and auditable compliance record. Automated workflows support task assignment, evidence tracking, and progress monitoring, reducing manual effort and improving consistency.
By centralizing assessments, documentation, and remediation, Centraleyes enables organizations to establish a Privacy Act compliance baseline quickly and maintain it over time as requirements evolve, strengthening their privacy posture through continuous monitoring and improvement.