*The information in this article about Australia's Privacy Act 1988 (Privacy Act) is not and should not be considered legal advice. Please consult your legal counsel to determine its affect on your company, your data privacy and security policies, and your email program.
Australia's Privacy Act was approved by Australia's Parliament in 1988 and the effective date for enforcement was in 1989.
- Privacy Act text:
- Date the law was originally enforced:
- Penalties for non-compliance:
- Maximum penalties for repeated privacy breaches:
- $2.5 million AUD for an individual
- $50 million AUD for a business
- 3 times the value of any benefit obtained through the misuse of information
- 30% of a company's adjusted turnover in the relevant period
- Maximum penalties for repeated privacy breaches:
- Changes to the Privacy Act:
- The Privacy Act was last amended in December, 2022 to increase enforcement power and penalties for non-compliance.
- Amendments to the Privacy Act may occur. Be sure to consult your legal counsel for details about any amendments to the law.
What is the Privacy Act?
The Privacy Act is a law intended to ensure protection of individual privacy and balance those protections with the interests of companies carrying out normal business functions and activities. It is governed by a set of privacy principles summarized below.
Consideration of personal information privacy
- Open and transparent management of personal information: Manage personal information in an open and transparent way.
- Anonymity and pseudonymity: Individuals have the option of being anonymous or use an alias when dealing with your company unless required by law or if it is impossible to carry out an activity with identification.
Collection of personal information
- Collection of solicited personal information: Must not collect personal information unless necessary and directly related to a function or activity and an individual gives consent for the information to be collected.
- Dealing with unsolicited personal information: Destroy or de-identify unsolicited personal information.
- Notification of the collection of personal information: Notify an individual that personal information was collected from another entity or if an individual was unaware personal information was collected.
Dealing with personal information
- Use or disclosure of personal information: Only use the personal information for its intended purpose and not another purpose without the individual's consent.
- Direct marketing: Sensitive personal information cannot be used in direct marketing. Non-sensitive personal information can be used with consent.
- Cross-border disclosure of personal information: Australian companies must ensure that disclosing personal information to any overseas entities does not breach the Privacy Principles.
- Adoption, use or disclosure of government related identifiers: Australian companies must not use government identifiers as their own identifier unless required or authorized by law.
Integrity of personal information
- Quality of personal information: Ensure the personal information collected is accurate, up-to-date, and complete.
- Security of personal information: Ensure personal information is secure from unauthorized access and use.
Access to, and correction of, personal information
- Access to personal information: Give an individual access to their personal information upon request.
- Correction of personal information: Correct personal information upon an individual's request or if the data is known to be inaccurate or incomplete.
How does it affect me?
The Privacy Act may apply to you if you are a business within Australia with annual revenue over $3 million AUD. Some small businesses with less than annual revenue of $3 million AUD may have to comply with the law. For additional detail about what kind of businesses must comply, please read:
The Privacy Act may apply to foreign organizations if they have customers in Australia or otherwise have an "Australian Link" as outlined in the law. Should you or your company meet the requirement for compliance, you must take action.
You may be required to:
- Record an individual's consent to collect personal information.
- Collect personal information only by lawful and fair means and collect it directly from the individual.
- Implement a function and activity to deal with unsolicited personal information.
- Obtain consent from an individual if using their personal information for other purposes outside of the original intent.
- Identify and understand what is defined as sensitive personal information (e.g. health information) as outlined in the law.
- Ensure any overseas recipient of personal information does not breach the Privacy Principles.
- Ensure personal identifiers are not government identifiers unless authorized or required by law.
- Implement functions and activities to handle inquiries and complaints from individuals.
- Implement functions and activities to allow the access and correction of an individual's personal information.
- Implement security protocols and protections to ensure personal information is safe from unauthorized access and use.
- Implement a process to notify the Australian government of an eligible data breach.
There are exceptions to some of the requirements depending on special circumstances such as those required or authorized under Australian law. Please review the Privacy Act to see if your company qualifies for any exceptions.
While the Privacy Act is the primary law to govern data privacy in Australia, there may be other state and territorial laws related to privacy and consumer protections that may affect you, especially for businesses residing in Australia.