The federal Privacy Act


A recent report on privacy law led to changes to the privacy legislation from 2014. Thirteen legally binding Australian Privacy Principles apply to personal information held by Australian government agencies and most Australian companies. Further provisions apply to credit providers and credit reporting bodies. Most small businesses are exempt, as are journalism and political activities. Breaches attract heavy penalties. Privacy codes can be approved and registered.


The Privacy Act 1988 (Cth) (“PA 1988”) sets minimum standards for how personal information (see definition in “Personal information”) can be collected, used, held and disclosed. It gives individuals certain rights in respect of their personal information, including the right to access the information an entity holds about them, and the right to seek the correction of this information.


Major changes to the PA 1988 commenced on 12 March 2014. These changes, introduced by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth), gave effect to more than half the recommendations in the Australian Law Reform Commission’s report on Australia’s privacy law, For your information: Australian privacy law and practice (ALRC report 108/2008).

Two key features of the PA 1988 are:

The 13 Australian Privacy Principles (APPs)

These legally binding principles apply to the handling of personal information by the Australian Government (generally only federal agencies) and most Australian businesses and not-for-profit organisations (although most small businesses are exempt; see “Exemptions from the Privacy Act”).

Obligations on credit providers and credit reporting bodies

Credit providers and credit reporting bodies engaged in a credit reporting business (as defined in ss 6G, 6P PA 1988) must comply with the credit reporting provisions in part IIIA of the PA 1988 and with the legally binding Privacy (Credit Reporting) Code 2014 (Version 1.2) registered under the PA 1988 by the Australian Information Commissioner (“Information Commissioner”).

Both the APPs and the obligations on credit providers and credit reporting bodies are products of the March 2014 changes. The APPs replaced the Information Privacy Principles (IPPs) and the National Privacy Principles (NPPs). Previous obligations on credit providers and credit reporting bodies were replaced with a new credit reporting regime (see below).

The APP guidelines, which are advisory guidelines that outline the requirements of the APPs and provide advice on how best to comply with them, are available at

Personal information

Under the PA 1988, “personal information” is defined as information, or an opinion, about an identified individual, or an individual who is reasonably identifiable:

whether the information or opinion is true or not; and

whether the information or opinion is in material form or not.

This definition extends to a wide range of information. For example, the APP guidelines state that a vocational reference that comments on an individual’s career or performance is information “about” the individual. The opinions expressed in the reference may also be information about the author of the reference. Whether an individual is “reasonably identifiable” depends on the circumstances, including the nature of the information and any other facts that are available.

The definition of “personal information” was considered in the case of Telstra Corporation Ltd v Privacy Commissioner [2015] AATA 991 by the Deputy President of the Administrative Appeals Tribunal (AAT). The case concerned whether mobile network data, including metadata, was personal information for the purposes of the PA 1988. Mr Ben Grubb had asked Telstra for all the metadata held by the company regarding his mobile telephone. Telstra gave him access to some information but refused access to his mobile network data. The Privacy Commissioner ruled that the mobile network data was personal information as defined by the PA 1988 and therefore Telstra was in breach of the access provisions (previously National Privacy Principle 6.1, now APP 12). On appeal, the AAT found that mobile network data was not information “about” an individual but about the way Telstra delivered the call or product for which Mr Grubb paid. It should be noted that the case was brought before amendments to the Telecommunications (Interception and Access) Act 1979 (Cth), which came into force on 13 October 2015 and expressly deemed certain information, including retained mobile data, to be subject to the PA 1988. The Deputy President expressly stated she had not considered whether she would have reached a different conclusion had the amended legislation applied. The Information Commissioner has appealed the decision.

Entities to which the Privacy Act applies

The PA 1988 applies to federal government agencies and to some private sector organisations, including:

individuals who collect, use or disclose personal information in the course of running a business;

bodies corporate; and

partnerships, unincorporated associations and trusts.

Some of the APPs apply differently to Australian Government agencies and private sector organisations. The term “APP entity” is used where the APPs apply to both private sector organisations and government agencies.

The APPs replace the Information Privacy Principles (IPPs) and the National Privacy Principles (NPPs), which prior to 12 March 2014, provided separate obligations for government and private sector organisations. The APPs broadly cover the same areas as the IPPs and NPPs, although the standards required by the APPs are higher in some respects.

Exemptions from the Privacy Act

Individuals acting in a non-business capacity

The PA 1988 does not apply to personal information that individuals collect, hold, use or disclose for the purposes of their personal, family or household affairs. In other words, the PA 1988 does not apply to an individual’s handling of personal information unless it is done in the course of running a business.

Small business exemption

Most small business operators are exempt from complying with the PA 1988. A small business is an organisation with an annual turnover of $3 million or less.

Some small businesses are not exempt from the PA 1988, including those that:

provide a health service and hold any health information;

trade in personal information, either:

disclosing personal information for a benefit, service or advantage, or

providing a benefit, service or advantage to collect an individual’s personal information from anyone else (unless the individual consents, or the disclosure or collection is required or authorised by law);

are service providers contracted by the Commonwealth Government;

are a “reporting entity” under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth); or

have opted in to the PA 1988.

Employee records exemption

Acts and practices that are directly related to:

a current or former employment relationship; and

an employee record,

are exempt from the PA 1988. An “employee record” is a register of personal information relating to the employment of a person, such as information about the employee’s:

engagement, training, disciplining or resignation;

terms and conditions of employment;

personal and emergency contact details;

performance or conduct;

taxation, banking or superannuation affairs.

Note that the exemption does not apply to information about people who are applying for employment.

Journalism exemption

Journalistic activities and practices of media organisations are exempt from the PA 1988. A “media organisation” is an organisation whose activities consist of the collection, preparation and dissemination of news, current affairs, information or documentaries. The media organisation must be publicly committed to observing published industry standards that deal with privacy. Examples of such published industry standards include industry codes regulated by the Australian Communications and Media Authority and the Australian Press Council.

Political exemption

The political activities of registered political parties, members of parliament, and local government councillors are exempt from the PA 1988. For the purposes of the exemption, the political activities must have some connection with an election under electoral law, a referendum or some other aspect of the political process. The political activities of contractors and volunteers of registered political parties are also exempt.

Enforcing the Privacy Act

Where an entity breaches an Australian Privacy Principle (APP), this is “an interference with the privacy of an individual” under section 13(1) of the PA 1988. Part V of the PA 1988 gives the Information Commissioner the power to investigate possible interferences with privacy, on the commissioner’s own initiative or in response to a complaint.

The commissioner can seek certain remedies for breaches of the APPs, including enforceable undertakings, injunctions and civil penalty orders.

If an entity engages in serious or repeated breaches of the APPs or a registered Privacy Code, the commissioner may apply to the Federal Court or the Federal Circuit Court for an order that the entity pay a civil penalty of up to $1.7 million (for corporations) or up to $340,000 (for individuals).

Privacy Codes

The Information Commissioner has the power to approve and register enforceable codes to cover certain entities (e.g. entities in a particular industry). The commissioner has issued guidelines for developing privacy codes. The Privacy (Credit Reporting) Code 2014 (Version 1.2) was registered on 24 April 2014 (see “Privacy and credit reporting”). The Privacy (Market and Social Research) Code 2014 was registered on 28 November 2014.

The Office of the Australian Information Commissioner

The Office of the Australian Information Commissioner (OAIC) is the independent statutory agency that was created by the Australian Information Commissioner Act 2010 (Cth) (“AICA 2010”) to administer the PA 1988 and the Freedom of Information Act 1982 (Cth).

The AICA 2010 (s 6) created three information officers: the Information Commissioner, the Freedom of Information Commissioner and the Privacy Commissioner.

The Information Commissioner can delegate all his or her functions under the PA 1988, apart from the power to issue rules under section 17 and the power to make a determination for the purposes of section 52 (s 25 AICA 2010).

At the time of writing (30 June 2016), the positions of Privacy Commissioner and Freedom of Information Commissioner are vacant.