Privacy protections in Australia are generally based in legislation and focus on personal information privacy. This means ensuring that individuals have enough control, choice, access to and understanding of how governments and businesses handle their personal information. The common law does not generally recognise a right to privacy, although it does provide some incidental privacy protection, for example through defamation and trespass laws (see: Chapters 24*2 Defamation, and 10*2 Neighbours and Noise). Some protection or relief may also be gained through obligations arising from the duty of confidence (see: Chapter 19*1 Health Law).

Some cases in Australia have expressly recognised a common law right of action for a breach of an individual's right to privacy (see: Grosse v Purvis [2003] QDC 151 and Jane Doe v Australian Broadcasting Corporation [2007] VCC 281, noting that other judicial commentary leans in the opposite direction; see: Kalaba v Commonwealth of Australia [2004] FCAFC 326 and Giller v Procopets [2004] VSC 113). Courts in the UK and elsewhere often look to duties of confidence when considering privacy issues; see: Wainwright v Home Office [2003] UKHL 53; and Hosking v Runting [2005] 1 NZLR 1. However, see also Mosley v News Group Newspapers Limited [2008] EWHC 1777 (QB), which recognised privacy rights in the UK under the European Convention on Human Rights and Fundamental Freedoms.

Note that the general right to personal privacy is not guaranteed by legislation, with very limited exceptions; for example the Human Rights (Sexual Conduct) Act 1994 (Cth). (Also see: Charter of Human Rights and Responsibilities Act 2006 (Vic) and the Human Rights Act 2004 (ACT)). In 2009, the NSW Law Reform Commission released a report entitled Invasion of Privacy. It recommended that the Civil Liability Act 2002 (NSW) be amended to provide a statutory cause of action for invasion of privacy. This report is available at www.lawlink.nsw.gov.au/lrc. In 2008, the Australian Law Reform Commission (ALRC) also recommended a statutory cause of action be developed for serious invasions of privacy (see: "Privacy law reform", below).

The most comprehensive information privacy legislation in Australia is the Privacy Act 1988 (Cth) ("PA 1988"). This sets minimum standards for the handling of "personal information" (in brief, information or an opinion about an individual whose identity is apparent, or can reasonably be determined, from the information or opinion: see definition in s.6 of the PA 1988). The first set of standards apply to Australian and ACT Government agencies (see: "Information Privacy Principles (IPPs)", below). Similar but separate standards apply to many private sector organisations (see: "National Privacy Principles (NPPs)", below).

Since 21 December 2001, the coverage of the PA 1988 has extended to the private sector following the Privacy Amendment (Private Sector) Act 2000 (Cth). The amended PA 1988 established a co-regulatory regime based on the 10 National Privacy Principles that many private sector "organisations" must comply with. This regime also allows the development of privacy codes that the Australian Information Commissioner can approve (formerly approved by the Privacy Commissioner). While only a handful of codes are in place, an approved privacy code operates in place of the National Privacy Principles and is legally binding on the organisations that have agreed to apply it.

From 1 November 2010 the Australian Information Commissioner also has responsibility for administering other privacy-related protections that were formerly performed by the Privacy Commissioner (as head of the OPC). These limit the collection, use and disclosure of information relating to old criminal convictions under the Crimes Act 1914 (Cth) ("Crimes Act (Cth)"), tax file numbers and some Medicare and pharmaceutical claims data under the National Health Act 1953 (Cth).