The Privacy Act 1988 (Privacy Act) is the principal piece of Australian legislation protecting the handling of personal information about individuals. This includes the collection, use, storage and disclosure of personal information in the federal public sector and in the private sector.
Other statutory provisions also affect privacy and separate privacy regimes apply to state and territory public sectors. This department assists the Attorney-General to administer the Privacy Act.
The Privacy Act was significantly amended in 2014 and 2017 to enhance the protection of privacy in Australia.
More information about the history of the Privacy Act is available on the Office of the Australian Information Commissioner website.
Privacy Act Review
On 12 December 2019, the Attorney-General announced that the Australian Government would conduct a review of the Privacy Act 1988 to ensure privacy settings empower consumers, protect their data and best serve the Australian economy. The review was announced as part of the government's response to the Australian Competition and Consumer Commission's Digital Platforms Inquiry.
We invite submissions on the Privacy Act Review Discussion Paper by 10 January 2022. The submissions and feedback we receive will inform the review’s Final Report.
Find out more about the Review of the Privacy Act 1988.
Online Privacy Bill
The Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (the Online Privacy Bill) will give effect to the Australian Government’s commitment to strengthen the Privacy Act 1988. It enables the introduction of a binding Online Privacy code for social media and certain other online platforms, and increases penalties and enforcement measures.
We invite submissions on the exposure draft of the Online Privacy Bill and consultation Regulation Impact Statement by 6 December 2021.
We will use the submissions and feedback received to shape the development of the Online Privacy Bill before it is introduced in Parliament.
Find out more about the Online Privacy Bill.
COVID-19 and the Privacy Act
To assist entities during this period, the Office of the Australian Information Commissioner has published a guide, Coronavirus (COVID-19): Understanding your privacy obligations to your staff.
Notifiable Data Breaches scheme
The Notifiable Data Breaches scheme commenced as part of the Privacy Act on 22 February 2018.
The scheme requires notification to affected individuals and the Office of the Australian Information Commissioner (OAIC) where an entity subject to the Privacy Act experiences a data breach of personal information which poses a likely risk of serious harm to affected individuals.
For more information about the scheme, visit the Office of the Australian Information Commissioner website.
Australian Privacy Principles
The Privacy Act provides 13 Australian Privacy Principles (APPs). The APPs apply to government agencies and private sector organisations with an annual turnover of $3 million or more. The APPs are principles-based—protecting privacy while not burdening agencies and organisations with inflexible prescriptive rules. The APPs:
- deal with all stages of the processing of personal information, setting out standards for the collection, use, disclosure, quality and security of personal information
- provide obligations on agencies and organisations subject to the Privacy Act concerning access to, and correction of, an individual's own personal information.
The OAIC is responsible for investigating breaches of the APPs and credit reporting provisions. The OAIC's powers include:
- accepting enforceable undertakings
- seeking civil penalties in the case of serious or repeated breaches of privacy
- conducting assessments of privacy performances for both Australian Government agencies and businesses.
The OAIC provides information on privacy to individuals, businesses and agencies through their enquiries line. More information is available on the Office of the Australian Information Commissioner website.