The Australian Privacy Act (Privacy Act) is the principal law governing the handling of personal information about individuals.
First passed in 1988, the law initially covered only how Australian government agencies handled the data of their citizens during regular operations. From 2001, it began to cover private organizations as well, and has evolved in the past 20 years to add new controls and coverage throughout Australia. With RecordPoint, organizations can be confident in their compliance with this critical law.
The Australian Privacy Act was initially passed in 1988 to fulfill Australia's agreement to implement the Organization for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, as well as meet its obligations under Article 17 of the International Covenant on Civil and Political Rights.
The Privacy Act was passed to put guardrails around how government agencies and certain private sector companies manage the personal data of citizens of Australia and Norfolk Island. The Act is the principal piece of Australian legislation protecting the handling of personal information about individuals. This includes the collection, use, storage and disclosure of personal information in the federal public sector and in the private sector.
All Australian government agencies need to comply with the Act. Businesses generally need to comply with the Privacy Act if they have more than A$3 million in annual turnover. Healthcare providers, credit reporting agencies, and companies that trade in personal information need to comply with the Act regardless of annual turnover.
The Act has been revised several times over the years, with the most recent amendments made in November 2024. The Privacy and Other Legislation Amendment Act 2024 revised the Privacy Act in accordance with the review of the Privacy Report completed in 2023.
These reforms are meant to improve the control Australians have over their personal data, and also introduce a new criminal offense related to doxxing. This new offense strengthens the penalties for maliciously releasing personal information online.
The most significant action that businesses can take to comply with the Privacy Act is to follow the 13 Australian Privacy Principles. These principles, introduced in 2014, outline how Australian government agencies and covered organizations should protect the privacy of Australian citizens. These privacy principles include:
RecordPoint includes key features designed to assist with Australian Privacy Act compliance. These features include:
Proactively dispose of data you don’t need with custom retention policies that make minimization effortless.
Use AI to classify data instantly, so you know exactly where sensitive data lives and how to protect it.
Discover where all your data lives to get a comprehensive picture of your data estate, so you can better understand and protect it.
For serious or repeated privacy breaches under the Australian Privacy Act, individuals can face penalties of up to $2.5 million AUD, while companies can be fined up to $50 million AUD, three times the benefit obtained from the breach, or 30% of their adjusted turnover, whichever is greater.
The Australian Privacy Act covers all personal data, including:
All businesses that have annual turnover of more than $3 million AUD within Australia must comply with the Australian Privacy Act. Some organizations, such as healthcare providers and credit reporting agencies, must comply with the Australian Privacy Principles regardless of annual turnover.