Privacy

The Privacy Act 1988 is the main piece of Australian legislation that protects the handling of personal information about individuals. This includes how personal information is collected, used, stored and disclosed in the federal public sector and in the private sector.

Other statutory provisions also affect privacy. Separate privacy regimes apply to state and territory public sectors. We help the Attorney-General administer the Privacy Act.

Find out more about the history of the Privacy Act on the Office of the Australian Information Commissioner website.

Privacy reforms

On 29 November 2024, Parliament passed the Privacy and Other Legislation Amendment Act 2024. This Act progresses 23 proposals from the Government Response to the Privacy Act Review Report. This includes:

  • a framework for developing a Children’s Online Privacy Code
  • a new statutory tort for serious invasions of privacy.

These amendments are a significant development in privacy law reform, taking us closer to a modern, fit-for-purpose privacy framework that protects the interests of all Australians.

The Attorney-General has committed to continue advancing proposals that the government agreed in principle to progress in its Response to the Privacy Act Review.

In the coming months, we will be working to develop draft provisions and engaging on the detail. This will inform the government’s decisions on next steps.

On 28 September 2023 the Australian Government released its response to the Privacy Act Review Report.

Find out more about the Review of the Privacy Act and consultation to inform the government response to the Privacy Act Review Report.

The Privacy Act Review commenced in 2020 following recommendations by the Australian Competition and Consumer Commission in its 2019 Digital Platforms Inquiry – Final Report.

While the Privacy Act Review was underway, the Privacy Act was amended in December 2022 as part of the Australian Government’s urgent reforms in response to data breaches. These amendments increased maximum penalties under the Privacy Act and provide the Office of the Australian Information Commissioner with enhanced enforcement and information sharing powers.

Notifiable Data Breaches scheme

The Notifiable Data Breaches scheme commenced as part of the Privacy Act on 22 February 2018.

Entities covered by the Privacy Act have obligations under the scheme. If they experience a data breach of personal information that is likely to result in serious harm to affected individuals, they must notify those individuals and the Office of the Australian Information Commissioner (OAIC).

For more information about the scheme, visit the Office of the Australian Information Commissioner website.

Australian Privacy Principles

The Privacy Act contains 13 Australian Privacy Principles (APPs). The APPs apply to government agencies and private sector organisations with an annual turnover of $3 million or more. The APPs are principles-based, protecting privacy while not burdening agencies and organisations with inflexible prescriptive rules. The APPs:

  • deal with all stages of the processing of personal information, setting out standards for the collection, use, disclosure, quality and security of personal information
  • provide obligations on agencies and organisations subject to the Privacy Act concerning access to, and correction of, an individual's own personal information.

The OAIC is responsible for investigating breaches of the APPs and credit reporting provisions. The OAIC's powers include:

  • accepting enforceable undertakings
  • seeking civil penalties in the case of serious or repeated breaches of privacy
  • conducting assessments of privacy performances for both Australian Government agencies and businesses.

For more information on privacy, visit the Office of the Australian Information Commissioner website. Individuals, businesses and agencies can also find out more about privacy by contacting the OAIC enquiries line.

The Privacy Act is supported by the Privacy Regulations 2025 and the Privacy (Credit Reporting) Code 2025. The Privacy Regulations 2025 replace the Privacy Regulation 2013, which was due to sunset on 1 April 2026. They include minor, stylistic and technical amendments to ensure the regulations are up to date.