Feb 2025

Australia

Law Over Borders Comparative Guide: Data Protection

Introduction

Data protection legislation in Australia has a long and complex history. The initial legislation enacted in 1988 regulated only the Commonwealth public sector, with the private sector remaining unregulated until 2001. 

The Privacy Act 1988 (Cth) (“Privacy Act”) underwent major restructuring in 2014, and most recently it was amended by the Privacy and Other Legislation Amendment Act 2024 (Cth), which was passed on 29 November 2024 and, for the most part, came into effect on 10 December 2024 (referred to below as the “2024 Amendments”). The Privacy Act remains the subject of ongoing review and this process is likely to result in further significant changes in the foreseeable future.

The cornerstone of data protection under the Privacy Act is Schedule 1, which contains the 13 Australian Privacy Principles (APPs).

Personal information is subject to incidental protection by a number of other Commonwealth Acts, in addition to wide-ranging and in many cases inconsistent State and Territory legislation, which regulates the State and Territory public sectors. 

1. What national laws regulate the collection, use and disclosure of personal data?

Australia’s data protection laws are a complex mix of federal, State and Territory statutes.

The principal data protection enactment is the Privacy Act which, with some exceptions, regulates the handling of personal information in the private sector and the Commonwealth public sector.

Due to constitutional limitations on the ability of the federal government to regulate non-Commonwealth public sector agencies, State and Territory privacy legislation regulates the handling of personal information by State and Territorial public sector bodies. This legislation takes the form of the Privacy and Data Protection Act 2014 (Vic), the Privacy and Personal Information Protection Act 1998 (NSW), the Information Privacy Act 2009 (Qld), the Personal Information Protection Act 2004 (Tas), the Information Privacy Act 2014 (ACT) and the Information Act 2002 (NT).

South Australia does not impose public sector data protection by statute, but rather by means of an administrative instruction issued by the Department of the Premier and Cabinet, PCO12 – Information Privacy Principles Instruction. Western Australia does not have data protection legislation.

At Commonwealth level, data protection is supplemented to some degree by the Spam Act 2003 (Cth) (“Spam Act”). The Spam Act prevails over the Privacy Act in relation to electronic marketing involving the use of personal information: APP 7.8.

In some jurisdictions, separate legislation, as follows, regulates the handling of health information: the Healthcare Identifiers Act 2010 (Cth) and the My Health Records Act 2012 (Cth); the Health Records Act 2001 (Vic); the Health Records and Information Privacy Act 2002 (NSW); and the Health Records (Privacy and Access) Act 1997 (ACT).

Freedom of information legislation exists in all Australian jurisdictions and regulates the access to information, including personal information, held by public sector agencies. The relevant legislation is: the Freedom of Information Act 1982 (Cth), the Freedom of Information Act 1982 (Vic), the Freedom of Information Act 1989 (NSW), the Right to Information Act 2009 (Qld), the Freedom of Information Act (Tas), the Freedom of Information Act 1991 (SA), the Freedom of Information Act 1992 (WA), the Right to Information Act 2009 (Tas), and the Freedom of Information Act 2016 (ACT).

In the Northern Territory, the Information Act 2002 regulates freedom of information as well as data protection.

The collection of personal information may also be affected by various federal, State and Territory laws relating to covert surveillance; these laws exist in all jurisdictions. Workplace surveillance is specifically regulated by the Workplace Surveillance Act 2005 (NSW) and the Workplace Privacy Act 2011 (ACT), and was the subject of amendments to the Surveillance Devices Act 1999 (Vic) introduced by the Surveillance Devices (Workplace Privacy) Act 2006 (Vic).

Finally, the State of Victoria has the Charter of Human Rights and Responsibilities Act 2006 (Vic), which requires all statutory provisions to be interpreted in a way that is compatible with human rights. It has been held that the Information Privacy Principles contained in the Privacy and Data Protection Act 2014 (Vic) constitute “human rights legislation”, and are subject to the Charter: Jurecek v. Director, Transport Safety Victoria (2016) 260 IR 327; [2016] VSC 285.

The above is an indication of the extent and diversity of applicable and potentially applicable legislation governing the collection and use of personal information. The remainder of this chapter will focus principally on the Privacy Act.

2. To whom do the laws apply?

The Privacy Act does not adopt the familiar European and United Kingdom concepts of “controllers” and “processors”. Instead, it regulates “acts or practices” involving the “handling” of “personal information” by “APP entities”, subject to certain exceptions. 

An “APP entity” is, essentially, a Commonwealth government agency (but with “political acts and practices” exempted) and/or a private sector organisation (which essentially can be a corporation or an individual, but with exemptions applying to small businesses with an annual turnover of less than AUD 3 million and registered political parties).

3. What is the territorial scope of the law?

The Privacy Act regulates acts or practices engaged in within Australia. It only regulates acts or practices outside Australia in the case of an organisation with an “Australian link”, meaning in effect an act or practice engaged in by an Australian citizen or business, or by a foreign entity which carries on business in Australia: section 5B.

4. What acts and operations relating to personal data are regulated?

An act or practice constitutes an “interference with the privacy of an individual” if it breaches an APP: section 13.

The 13 APPs are set out in Schedule 1 to the Privacy Act. They are divided into five Parts, embracing the management, collection and disclosure of personal information, the quality and security of personal information, and requests for access and correction of personal information.

5. What personal data does the law regulate?

“Personal information” is defined in section 6 of the Privacy Act as information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether the information or opinion is recorded in a material form or not: section 6(1).

Personal information may include anonymous or pseudonymous personal information (APP 2), and the term specifically embraces unsolicited personal information (APP 3).

6. Are any types of personal data subject to a higher level of protection under the law?

Personal information falling within the definition of “sensitive information” is subject to a higher standard of protection. This specifically embraces information relating to an individual’s:

  • racial or ethnic origin;
  • political opinions; 
  • membership of a political association;
  • religious beliefs or affiliations;
  • philosophical beliefs;
  • membership of a professional or trade association;
  • membership of a trade union;
  • sexual orientation or practices;
  • criminal record;
  • health;
  • genetics; or
  • biometrics. 

Unlike other forms of personal information, sensitive information may (with certain exceptions) only be collected with the consent of the individual (APP 3.3), may only be used for secondary purposes that are “directly” related to the primary purpose of collection (APP 6.2) and may only be used in connection with direct marketing with the consent of the individual (APP 7.4).

7. What requirements must be fulfilled in order to process personal data?

The Privacy Act does not refer to the “processing” of personal information, referring instead to the “handling” of such information.

An entity must comply with the APPs when handling personal data (see Question 4, above). The principal obligations relate to collection (APP 3) and use and disclosure (APP 6).

Personal information may only be collected if it is reasonably necessary for the entity’s functions or activities: APP 3.1, 3.2. Sensitive information may only be collected with the consent of the individual: APP 3.3 (see Question 6, above).

Personal information may only be used in connection with the primary purpose of collection (APP 6.1) or a reasonably related secondary purpose (APP 6.2).

Consent is required for the collection of sensitive information or for the use of personal information for a purpose unconnected with the primary or secondary purpose of collection, unless:

  • the collection is required or authorised by an Australian law (APP 3.4(a)); or
  • the collection is necessary for:
    • lessening or preventing a serious threat to health or safety;
    • law enforcement;
    • locating a missing person;
    • defending a legal claim; 
    • various other diplomatic, humanitarian, peacekeeping or defence purposes (section 16A); or
    • certain “permitted health situations” (section 16B).

Special conditions attach to medical research in certain circumstances, including circumstances where it is not necessary to obtain an individual’s consent. Section 95A of the Privacy Act allows the Commissioner to approve, for the purposes of the APPs, guidelines that are issued by the National Health and Medical Research Council (NHMRC) relating to the use and disclosure of health information for the purposes of research, or the compilation or analysis of statistics, relevant to public health or public safety. Section 95AA allows the Commissioner to approve, for the purposes of the APPs, guidelines issued by the NHMRC relating to the use and disclosure of genetic information for the purposes of lessening or preventing a serious threat to life, health or safety of an individual, who is a genetic relative of the individual to whom the genetic information relates.

The Privacy Act does not articulate what constitutes valid consent. Nevertheless, the Information Commissioner has issued guidelines which set out an expectation that valid consent requires four elements:

  • the individual is adequately informed before giving consent;
  • the individual gives consent voluntarily;
  • the consent is current and specific; and
  • the individual has the capacity to understand and communicate their consent.

8. What obligations apply when processing personal data?

The principal obligations relevant to the processing of personal data are contained in the APPs. These include the following:

  • a private sector organisation must not adopt a government related identifier of an individual as its own identifier – APP 9;
  • an entity must take reasonable steps to ensure that personal information it collects remains accurate, up-to-date and complete – APP 10; and
  • an entity must take reasonable steps (whether “technical” or “organisational”) to protect information from misuse, interference, loss, unauthorised access, modification or disclosure, and when no longer required it must be destroyed or de-identified – APP 11.

A mandatory data breach reporting obligation arises pursuant to Part IIIC of the Privacy Act in the event of an “eligible data breach”. An “eligible data breach” occurs if there is unauthorised access to, disclosure of or loss of personal information held by an entity and this access, disclosure or loss is likely to result in “serious harm” to an individual to whom the information relates. The breach must be reported to the Privacy Commissioner and to the data subject. Pursuant to the 2024 Amendments, the Minister may in limited circumstances make a declaration authorising the sharing between specified entities of information about a significant data breach.

Part VIII of the Privacy Act extends the equitable obligation of confidence in certain circumstances. Specifically, section 92 provides that a person is subject to an obligation of confidence if he or she acquires information from a third party who the first-mentioned person knows, or ought to reasonably know, holds that information subject to an obligation of confidence. The effect is that whereas in equity a person is generally not required to maintain the confidentiality of information that has come into their possession other than in the circumstances where the disclosure has been made in confidence, under section 92 the recipient will be obliged to maintain the confidentiality of information received in such circumstances. Section 91 ensures that the operation of other principles or rules of the common law or equity relevant to the obligation of confidence are not affected or restricted by Part VIII. Accordingly, the defence of innocent receipt remains unchanged.

Additional confidentiality obligations arise in certain circumstances pursuant to the Telecommunications (Interception and Access) Act 1979 (Cth), the Competition and Consumer Act 2010 (Cth) (in relation to the Consumer Data Right, being a form of data portability in certain industry sectors) and State and Territory health records legislation.

9. What rights does the data subject have in relation to personal data?

Pursuant to APP 12, an individual has a right to access their personal information held by an entity, subject to specified exceptions.

Pursuant to APP 13, if an individual requests correction of information and the entity is reasonably satisfied that the information is inaccurate, out of date, incomplete, irrelevant or misleading, the entity must take reasonable steps to correct the information, again subject to certain qualifications.

Access can be refused by a private sector entity in a range of circumstances, including where the entity reasonably believes that giving access would pose a serious threat to the life, health or safety of any individual, where giving access would have an unreasonable impact on the privacy of other individuals, or where the request for access is frivolous or vexatious. A public sector entity can refuse access if entitled to do so under any Commonwealth law.

If access is refused, the entity must provide the individual with a written explanation and must, at the request of the individual, attach a statement to the information which sets out the basis of the individual’s objections.

The Privacy Act does not contain an express right of erasure or right of objection. The Privacy Commissioner has expressed the view, however, that such rights are indirectly exercisable through the interpretation and application of the APPs.  The December 2024 Amendments foreshadowed the introduction of automated decision regulation in 24 months, that is, in December 2026, although again the Privacy Commissioner considers that automated decision making is adequately regulated by the existing APPs.

The Privacy Act does not contain a right of data portability. Nevertheless, the Competition and Consumer Act 2010 (Cth) gives effect to a Consumer Data Right (CDR), being a mechanism for enabling individual and business consumers to access information about themselves and about their service providers’ products, and to direct their existing service providers to share that information with other service providers. The right, which extends beyond personal information, is confined to designated industry sectors, currently banking and energy.

10. What rules regulate the sending of commercial or direct marketing communications?

The use of personal information for direct marketing purposes is governed by APP 7. The key elements are as follows:

  • Personal information may not be used for direct marketing (APP 7.1) unless one of the exceptions set out in APP 7.2, 7.3 or 7.4 applies.
  • APP 7.2 permits the use of personal information (other than sensitive information) for direct marketing if the information was collected direct from the individual and the individual “would reasonably expect the organisation to use or disclose the information for that purpose”. A simple opt-out mechanism must be provided by the organisation.
  • Regardless of the restriction in APP 7.2, APP 7.3 permits the use of that information for direct marketing if the individual has provided consent or if it is “impracticable” to obtain that consent.
  • By virtue of APP 7.8, the Spam Act and the Do Not Call Register Act 2006 (Cth) displace the APPs where personal information is used for the purposes of electronic or telephonic direct marketing. Faxes are excluded, and remain subject to the APPs and the Do Not Call Register Act.

The Spam Act regulates “unsolicited commercial electronic messages”, that is, unsolicited commercial emails or text messages. Its scope is not limited to personal information, and it is regulated by the Australian Communications and Media Authority (ACMA) rather than the Office of the Australian Information Commissioner.

Under the Spam Act, the three basic rules for commercial electronic messages with an Australian link are:

Schedule 2 elaborates on the meaning of “consent”. Consent can be given expressly, or it can be reasonably inferred from the conduct, business and other relationships of the recipient of the message. 

Telemarketing is addressed by the Do Not Call Register Act. This act, which is also administered by ACMA, prohibits making unsolicited telemarketing calls or sending unsolicited marketing faxes to numbers on the Do Not Call Register.

11. What rules and requirements regulate the transfer of personal data outside your jurisdiction?

Cross-border disclosure of personal information is permitted under APP 8.1 so long as the disclosing entity has taken reasonable steps in the circumstances to ensure that the overseas recipient does not breach the APPs when handling the information. The legislation does not stipulate what constitutes “reasonable steps” in these circumstances but a suitably comprehensive contractual commitment by the recipient is capable of meeting this requirement.

When personal information is disclosed overseas in reliance upon APP 8.1, and does not fall within APP 8.2, then the disclosing entity will remain liable by virtue of section 16C of the Privacy Act in the event that the overseas recipient fails to handle information in accordance with the APPs. 

The effect of APP 8.2 is that in some circumstances the disclosing entity in Australia will be relieved from liability to the individual if the information is mishandled by the overseas recipient. Specifically:

  • If the laws of an overseas jurisdiction have “the effect of protecting the information in a way that, overall, is at least substantially similar in the way in which the Australian Privacy Principles protect the information”, then APP 8.2(a) permits the transfer of that information, and the transferring entity will not be liable in the event of an overseas breach. Pursuant to the December 2024 Amendments, a new “whitelist” of jurisdictions approved for the purposes of APP 8.2(a) may be published by the Minister.
  • APP 8.2(b) authorises overseas disclosure if the disclosing entity has expressly informed the individual not only of the fact that the information may be disclosed overseas, but also of the fact that in the event of a breach by the overseas recipient, the disclosing entity will not be liable.

The APPs do not adopt formal transfer mechanisms – such as data transfer agreements or binding corporate rules – to legitimate an overseas transfer, nor is there any requirement for approval by the regulator.

12. What are the investigatory and enforcement powers of the regulator?

The Office of the Australian Information Commissioner (OAIC) has a range of investigatory powers, set out in Part V, Division 1 of the Privacy Act.

The Commissioner may, pursuant to section 40(1), investigate an alleged privacy breach in the event of a complaint about an act or practice.

The Commissioner also has the power to conduct an investigation on his or her own initiative pursuant to section 40(2). 

Under the December 2024 Amendments, the Commissioner’s powers were expanded in accordance with the Regulatory Powers (Standard Provisions) Act 2014 (Cth) with respect to obtaining information regarding eligible data breaches, assessing compliance with the notifiable data breaches scheme and the investigation of alleged breaches. 

An interested party may request that, prior to the Commissioner making a determination arising out of an investigation, the Commissioner hold a hearing: section 43A(1). The Commissioner has the power to compel the production of documents relevant to an investigation and to require the attendance of any individual at a time and place specified in written notice from the Commissioner to answer questions relevant to the investigation: section 44.

The complainant, respondent and any other person of relevance may be required by the Commissioner to attend a compulsory conference presided over by the Commissioner: section 46(1).

Where the Commissioner has investigated a complaint pursuant to Part V, Division 1, and the complaint is not dismissed by the Commissioner, the Commissioner may make one of a number of declarations as set out in section 52(1) and 52(1A). The options open to the Commissioner include a declaration, a direction that the respondent take specified remedial steps, or a requirement for the respondent to publish a statement about their conduct.

The Commissioner can also determine that the complainant is entitled to a specified amount by way of compensation for any loss or damage suffered.

A determination by the Commissioner under section 52(1) or (1A) is not, however, binding or conclusive between the parties: section 52(1B). For the determination to be enforced, it is necessary for the Commissioner to commence proceedings in the Federal Court or the Federal Circuit and Family Court (Federal Circuit Court) for an appropriate order: section 55A. 

The Commissioner has the power to apply to the Federal Court or Federal Circuit Court for an injunction restraining a person from engaging in actual or proposed conduct which constitutes or would constitute a contravention of the Act: section 98(1).

In addition, the Commissioner has the power to apply to the Federal Court or Federal Circuit Court for a civil penalty order for the payment to the Commonwealth of a pecuniary penalty where it is considered that a civil penalty provision has been breached.

13. What are the sanctions and remedies for non-compliance with data protection laws?

The Commissioner may determine under section 52(1)(b)(iii) of the Privacy Act that a complainant is entitled to a specified amount by way of compensation for any loss or damage suffered by reason of the act or practice the subject of the complaint.

This power to award compensation for loss or damage specifically extends to compensation relevant to “injury to the feelings of the complainant or individual” and “humiliation suffered by the complainant or individual”: section 52(1AB).

The power to award damages under section 52 includes the power to award aggravated damages in addition to general damages.

The amount of the penalty must not exceed, in the case of a body corporate, five times the amount of the pecuniary penalty specified for the civil penalty provision or, in the case of an individual, the amount of the pecuniary penalty specified for the civil penalty provision: section 80W.

Civil penalty provisions in the Privacy Act include a “serious” interference with privacy under section 13G, infringement of compliance notices and a range of provisions set out in Part IIIA dealing with credit reporting. On 28 November 2022, the maximum penalty for serious privacy breaches pursuant to section 13G was increased to whatever is the greater of: AUD 50 million; three times the value of any benefit obtained through the misuse of information; or 30 per cent of a company’s adjusted turnover in the relevant period. The December 2024 Amendments further introduced a graded civil penalty system into section 13, with a distinction being drawn between “serious” and non-serious privacy interferences.

The Privacy Act also creates a limited number of criminal offences. Use or disclosure of false or misleading credit reporting information, credit information or credit eligibility information is an offence which attracts a maximum penalty of AUD 62,600, whilst a corporation which engages in a “system of conduct” or a “pattern of behaviour” resulting in two or more failures or refusals to provide information, answer questions or produce documents or records required under the Act is subject to a penalty of AUD 3,900.
