What is the Privacy Act?

A general overview of the Privacy Act

What is the Privacy Act in Australia?

The Privacy Act 1988 (Cth) is Australia’s primary legislation governing how personal information is collected, stored, used and disclosed. It applies to Australian Government agencies and many private sector organisations, and is enforced by the Office of the Australian Information Commissioner (OAIC).

Originally introduced more than 30 years ago, the Privacy Act has evolved significantly to meet the challenges of digital technologies, cyber risk, and global data flows. It is currently undergoing one of its most significant reform periods.

Key Underpinnings of the Privacy Act

The Privacy Act sets out obligations through the 13 Australian Privacy Principles (APPs), which establish standards for:

  • Transparency in privacy policies

  • Lawful collection and use of information

  • Security safeguards, including protection against unauthorised access

  • Access and correction rights for individuals

These principles apply broadly and are intended to be technology-neutral, so they remain relevant as new technologies and data practices emerge.

(Source: OAIC – The Privacy Act)

Recent and Proposed Reforms

In 2024–25, the Government introduced a Bill to update the Privacy Act. According to the Attorney-General’s Department and OAIC releases, the reforms include:
  • New penalties for mid-tier breaches of the Privacy Act (up to $330,000 for corporate entities).

  • Expanded powers for the OAIC, including the ability to issue infringement notices and pursue less serious breaches.

  • Criminal offence of doxxing (the malicious sharing of personal information).

  • New statutory tort of serious invasion of privacy, creating a pathway for individuals to seek remedies.

  • Restrictions on automated decision-making, aimed at addressing risks linked to AI.

  • Amendments to APP 11, specifying technical and administrative data security measures such as encryption and staff training.

  • No change to the small business exemption, meaning most businesses with turnover under $3m remain outside the Act’s scope.

(Source: Attorney-General’s Department – Privacy Act Review, OAIC – Media Release)

Why the Privacy Act Matters

For organisations, the Privacy Act is more than compliance — it’s about trust. Breaches of privacy obligations can result in:

  • Regulatory investigation and penalties

  • Court-ordered remedies such as fines, apologies, or mandated changes to business practices

  • Reputational damage and erosion of stakeholder confidence

The most recent reforms, once enacted, will give the OAIC more tools to enforce the law, signalling that businesses of all sizes should take privacy governance seriously.

The Privacy Act 1988 is Australia’s cornerstone privacy law. It sets the standards for how personal information must be handled, is enforced by the OAIC, and is now being strengthened with new powers, penalties and protections that reflect today’s digital and data-driven environment.

Disclaimer: The information provided is general in nature and subject to change. It does not constitute legal advice. You should seek independent legal advice before acting on any of the information published.