First published on Wednesday, June 11, 2025
Last updated on Wednesday, June 11, 2025
The Privacy Act 1988 is a critical piece of legislation for Australian business. It was introduced to promote and protect the privacy of individuals, and to regulate how Australian Government agencies and organisations with an annual turnover of more than $3 million, and some other organisations, handle personal information.
The Act took effect in 1989 and has undergone several amendments since its creation to remain relevant to the modern digital landscape.
Compliance is essential to protect employees' privacy and avoid potential penalties.
Who does the Privacy Act apply to?
Some of the businesses covered by the Privacy Act include:
- Any business that has an annual turnover of more than $3 million
- Contractors that provide services under a Commonwealth contract
- Any operator of a residential tenancy database
- Any business that collects or discloses the personal information of individuals to a third party for a benefit, service or advantage. (A business is not trading in personal information if it collects or discloses personal information with the explicit consent of the individuals concerned, or is required by law to collect the data.)
What are the key requirements of the Privacy Act?
The Act requires employers to handle personal information responsibly, including collecting, storing, using, and disclosing it in accordance with the 13 Australian Privacy Principles (APPs).
The APPs govern standards, rights and obligations around:
- the collection, use and disclosure of personal information
- an organisation or agency’s governance and accountability
- integrity and correction of personal information
- the rights of individuals to access their personal information
What are the 13 Australian Privacy Principles?
While the Privacy Act is the primary legislation, the Australian Privacy Principles (APPs) make up the foundations of the Act itself. These 13 principles set the standard for how organisations need to handle and protect personal information and data. The APPs also act as a guide for individuals, helping the general public understand what their privacy rights are.
Here’s a complete list of all 13 APPs:
1. Open and transparent management of personal information
2. Anonymity and pseudonymity
3. Collection of solicited personal information
4. Dealing with unsolicited personal information
5. Notification of the collection of personal information
6. Use or disclosure of personal information
7. Direct marketing
8. Cross-border disclosure of personal information
9. Adoption, use or disclosure of government-related identifiers
10. Quality of personal information
11. Security of personal information
12. Access to personal information
13. Correction of personal information
The Australian Privacy Principles are principles-based law. This gives an organisation or agency flexibility to tailor their personal information handling practices to their business models and the diverse needs of individuals. They are also technology neutral, which allows them to adapt to changing technologies.
What are the consequences of non-compliance?
A breach of an Australian Privacy Principle is an ‘interference with the privacy of an individual’ and can lead to regulatory action and penalties.
Organisations must notify individuals and the Office of the Australian Information Commissioner (OAIC) about all eligible data breaches as soon as possible.
Eligible data breaches include:
- Unauthorised access to, disclosure of, or loss of personal information that is held by an APP entity.
- Anything a reasonable person would believe might cause serious harm to any individual whose data was compromised.
Penalties for violating the Australian Privacy Act 1988 can be severe. They can reach $2.5 million for individuals and up to $50 million for companies, or 30% of the total sales accumulated while violating the law. Repeat offences lead to higher fines, as do severe violations involving large amounts of data. The first significant fine the OAIC filed was a penalty of AUD 1.9 million ($1.22 million) against Facebook (owned by Meta) for violating aspects of the Privacy Act. The case is still ongoing but demonstrates the extraterritorial scope of the law.
How the Privacy Act impacts Australian businesses
Data Protection Obligations
Businesses must protect personal information from theft, misuse, interference, loss, unauthorised access, modification, and disclosure.
Transparency and Consent
Businesses need to be open and transparent about how they handle personal information, including how it will be collected, used, and disclosed. They must also obtain informed consent from individuals before collecting or using their information for purposes beyond the original purpose.
Data Security
Businesses must implement reasonable security measures to prevent unauthorised access to personal information.
Access and Correction
Individuals have the right to access their personal information held by a business and request correction if it is inaccurate.
Notifiable Data Breaches
Businesses must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of any data breach that is likely to cause serious harm.
Civil Penalties
Serious or repeated breaches of the Privacy Act can result in substantial civil penalties, including fines of up to $50 million for bodies corporate.
Trading in Personal Information
Businesses that buy or sell personal information are subject to the Act, and they need to obtain consent from individuals before doing so.
Statutory Tort
Individuals may be able to sue businesses for damages if their privacy rights are violated, even if the business's annual turnover is below $3 million.
State-by-state Privacy in Australia
While the Privacy Act 1988 applies federally, each state and territory has its own legislation relating to surveillance, monitoring, and recording:
- NSW: Surveillance Devices Act 2007
- VIC: Surveillance Devices Act 1999
- QLD: Invasion of Privacy Act 1971
- WA: Surveillance Devices Act 1988
- SA: Surveillance Devices Act 2016
- ACT: Workplace Privacy Act 2011
- TAS: Listening Devices Act 1991
- NT: Surveillance Devices Act 2007
How can BrightHR help you stay on top of employment law
Keeping up with evolving laws takes time and resources. For small and medium-sized businesses, this time and effort can be hard to come by. That's where BrightHR's end-to-end employment relations support system can help.
Our HR software stores your documentation securely with a library of expertly written HR documents, including employment contracts and employee handbooks.
However, legal obligations go beyond accurate documentation. That's why BrightHR also offers you a confidential 24/7 employment relations phone line.
Book a free product demo today.