The Australian Privacy Act (Privacy Act) is the principle law governing the handling of personal information about individuals.
First passed in 1988, the law initially covered only how Australian government agencies handled the data of their citizens during regular operations. From 2001, it began to cover private organizations as well, and has evolved in the past 20 years to add new controls and coverage throughout Australia. With RecordPoint, organizations can be confident in their compliance with this critical law.
.png)
The Australian Privacy Act was initially passed in 1988 to fulfill Australia's agreement to implement the Organization for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, as well as meet its obligations under Article 17 of the International Covenant on Civil and Political Rights.
The Privacy Act was passed to put in guardrails around how government agencies and certain private sector companies should manage the personal data of Australia and Norfolk Island citizens. The Act is the principal piece of Australian legislation protecting the handling of personal information about individuals. This includes the collection, use, storage and disclosure of personal information in the federal public sector and in the private sector.
All Australian government agencies need to comply with the act. In terms of businesses, they need to comply with the Privacy Act in general if they have more than A$3 million in annual turnover. Healthcare providers, credit reporting agencies, or companies who trade in personal information need to comply with the Act regardless of annual turnover.
The Act has been revised several times over the years, with the most recent amendments made in November 2024. The Privacy and Other Legislation Amendment Act 2024 revised the Privacy Act in accordance with the review of the Privacy Report completed in 2023.
These reforms are meant to improve the control Australians have over their personal data, and also include a new criminal offense related to doxxing. This new criminal charge makes the penalties stronger for maliciously releasing personal information online.
The most significant action that business can take to comply with the Privacy Act is to follow the 13 Australian Privacy Principles. These principles, introduced in 2014, outline how the Australian government or covered organization should protect the privacy of Australian citizens. These privacy principles include:
Ensure organizations manage personal information in an open and transparent way, and includes creating a privacy policy. When collecting personal information, you need to be clear with how you're managing and using it.
Ensure individuals have the ability to be anonymous and not identify themselves when working with your organization, or they have the ability to use a pseudonym. There are exceptions under this principle.
This principle outlines when an organization can collect personal information, with higher standards applied to sensitive information such as criminal records or health data.
This principle describes how to deal with personal information that a covered entity did not ask for. Unsolicited personal data can sometimes be retained if it would have been collected under APP 3.
Describes when a covered entity has to inform individuals about the collection of personal information and the purpose of the collection. Reasonable steps must be taken to communicate at or before the time of collection.
Compliance with this principle means ensuring you disclose how you intend to use collected personal information. According to the Privacy Act, companies are only able to use personal data for one primary purpose. Ensure that this remains the case.
In general, personal information can't be used for direct marketing, except where there's a reasonable expectation that this is the intended purpose. Organizations also need to provide a way to opt out of receiving marketing communications.
Prior to sending personal information overseas, the covered entity needs to take reasonable steps to protect it. This includes ensuring that the overseas recipient doesn't violate the Australian Privacy Principles.
This principle restricts the adoption, use, and disclosure of government related identifiers by organizations. Ensure that any data collected doesn't use government identifiers unless it's approved to do so.
.png)
Covered entities need to take reasonable steps to ensure that the personal information it uses and discloses is accurate, up to date, and complete. It also needs to be relevant data to the intended purpose.
To comply with this principle, you need to take reasonable steps to ensure that personal information is kept secure. This includes adding data protection, implementing role-based access controls, and generally defending personal data against compromise, misuse, and unauthorized access.
Individuals need to be provided access to their personal information on request. This can include offering up the ability to know what data the organization has on an Australian citizen via a web request or email form.
Individuals need to be provided access to their personal information on request. This can include offering up the ability to know what data the organization has on an Australian citizen via a web request or email form.
Organizations need to ensure there is a process in place to correct any out-of-date personal information. Part of the inherent rule is that all collected personal data needs to be kept up to date. This principle governs the development of those processes.
RecordPoint is designed with key features designed to assist with Australian Privacy Act compliance. These features include:
Proactively dispose of data you don’t need with custom retention policies that make minimization effortless.
Use AI to classify data instantly, so you know exactly where sensitive data lives and how to protect it.
Discover where all your data lives to get a comprehensive picture of your data estate, so you can better understand and protect it.
For serious or repeated privacy breaches under the Australian Privacy Act, individuals can face penalties of up to $2.5 million AUD, while companies can be fined up to $50 million AUD, three times the benefit obtained from the breach, or 30% of their adjusted turnover, whichever is greater.
Have another question? Looking for more details? Reach out to our friendly team who will be happy to help.
