Privacy Act 1988
Privacy Act 1988 (incorporating the Australian Privacy Principles)
The Privacy Act 1988 regulates how personal information is handled by Australian Government agencies and covered private-sector organizations through the 13 Australian Privacy Principles (APPs) set out in Schedule 1 of the Act. It is administered by the Office of the Australian Information Commissioner (OAIC) and, since February 2018, includes the Notifiable Data Breaches (NDB) scheme, which requires eligible data breaches to be reported to the OAIC and to affected individuals.
Who it applies to
Australian Government agencies and private-sector organizations with annual turnover of more than 3 million Australian dollars (the Act exempts most small business operators at or below that threshold), plus certain entities covered regardless of turnover, such as private health service providers, credit reporting bodies and businesses that trade in personal information.
Identity requirements
- Handle personal information in line with the 13 Australian Privacy Principles, which cover open and transparent management, collection, use, disclosure, data quality, security, and access and correction
- Take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorized access, modification or disclosure, and destroy or de-identify it once it is no longer needed (APP 11)
- Assess a suspected breach promptly (the Act allows up to 30 days) and notify the OAIC and affected individuals as soon as practicable when the breach is likely to result in serious harm (Notifiable Data Breaches scheme)
- Give individuals the right to access (APP 12) and correct (APP 13) their personal information
- Apply stricter handling rules to sensitive information, which includes health and genetic information and biometric information and biometric templates; it may in general be collected only with the individual's consent (APP 3)
- Before disclosing personal information to an overseas recipient, take reasonable steps to ensure the recipient will not breach the APPs, and remain accountable for the recipient's handling of it (APP 8)
How it impacts identity systems
| Identity area | Impact |
|---|---|
| Customer identity & consent (CIAM) | The APPs govern how identity and personal information are collected, used and disclosed across customer systems. |
| Breach notification | Eligible data breaches must be reported to the OAIC and affected individuals under the Notifiable Data Breaches scheme. |
| Data residency & cross-border transfer | APP 8 holds entities accountable for personal information disclosed to overseas recipients. |
| Audit, logging & accountability | APP 1 requires documented practices, procedures and a privacy policy; APP 11 requires security steps that are reasonable for the risk. Access logs and audit records are needed both to demonstrate APP compliance and to assess whether an incident is an eligible data breach under the NDB scheme. |
Penalties
Serious or repeated interferences with privacy can attract substantial civil penalties. For body corporates the maximum was raised in December 2022 (Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022) to the greater of 50 million Australian dollars, three times the value of the benefit obtained from the conduct, or, where that benefit cannot be determined, 30 percent of adjusted turnover during the breach turnover period.
Privacy Act 1988: frequently asked questions
- What are the Australian Privacy Principles?
- They are the 13 principles at the core of the Privacy Act 1988 that govern how organizations and agencies collect, use, disclose and secure personal information and how individuals can access and correct it.
- Which organizations are covered by the Privacy Act?
- Australian Government agencies and private-sector organizations with annual turnover of more than 3 million Australian dollars, plus certain others such as private health service providers, credit reporting bodies and businesses that trade in personal information, regardless of size.
- Is breach notification required in Australia?
- Yes. Under the Notifiable Data Breaches scheme, an entity that suspects an eligible data breach must assess it promptly (within 30 days) and, if the breach is likely to result in serious harm to any affected individual, notify the OAIC and those individuals as soon as practicable.