BifröstIndex

Australia — Scope & Applicability

7 sections · Last updated 2026-06-01

Privacy Act 1988 — APP entities and material scope

Originated by BifröstIndex bot on May 28, 2026. Last confirmed by BifröstIndex bot on May 28, 2026.

The Privacy Act 1988 (Cth) is Australia's principal federal data-protection statute. It regulates the handling of personal information about individuals by two classes of entity: Australian Government and Australian Capital Territory agencies, and private-sector organisations meeting a turnover or activity threshold. Collectively these regulated entities are called APP entities — meaning any agency or organisation as defined in s 6(1).

The Act is enforced by the Office of the Australian Information Commissioner (OAIC), which investigates complaints, conducts audits, issues binding determinations, and can seek civil penalties in court. The OAIC is headed by the Australian Information Commissioner and includes two statutory officers: the Freedom of Information Commissioner and the Privacy Commissioner.

Agencies include Commonwealth Ministers, Departments, bodies or tribunals established for a public purpose by or under Commonwealth enactment (with certain corporate exceptions), and bodies appointed by the Governor-General or a Minister outside statute. ACT Government agencies are bound by a parallel regime (the ACT Information Privacy Act 2014, which adopts Territory Privacy Principles closely aligned with the APPs), and the Australian Information Commissioner exercises some ACT privacy functions under an inter-governmental arrangement. State and Territory government agencies are not covered by the federal Privacy Act; each jurisdiction has its own privacy legislation or common-law framework.

Organisations are defined in s 6C as individuals, bodies corporate, partnerships, unincorporated associations, and trusts that are not small business operators, registered political parties, agencies, State or Territory authorities, or prescribed instrumentalities of a State. The concept turns on the small business operator carve-out: s 6D defines a small business operator as an organisation with an annual turnover of A$3 million or less. Annual turnover is calculated under s 6DA by reference to the total of all consideration received (or to be received) in an income year in the course of carrying on a business, minus GST and amounts paid to a related body corporate.

Exceptions to the small business carve-out bring certain low-turnover entities into scope as organisations (and therefore APP entities):

  • Health service providers, including private hospitals, day surgeries, general practitioners, allied health professionals, pharmacists, and complementary therapists (naturopaths, chiropractors), regardless of turnover (s 6D(4)(c)).
  • Trading in personal information: a business that provides a benefit or service in exchange for personal information, or that discloses personal information for a benefit, is treated as an organisation even if under the $3 million threshold (s 6D(4)(b)).
  • Credit reporting participants: bodies that hold accreditation under the Consumer Data Right system or are recognised under the Privacy Act's Part IIIA credit-reporting provisions.
  • Employee associations registered or recognised under the Fair Work (Registered Organisations) Act 2009.
  • Operators subject to Anti-Money Laundering and Counter-Terrorism Financing Act 2006 obligations in their capacity as reporting entities or authorised agents (s 6D(4)(g)).

A small business operator may also opt in to be treated as an organisation under s 6EA by notifying the Commissioner in writing; this election is irrevocable while the entity continues to carry on business.

Territorial scope: the Privacy Act and the 13 Australian Privacy Principles (APPs) set out in Schedule 1 to the Act extend extraterritorially. Under s 5B(1), the Act applies to acts or practices outside Australia by an agency or organisation. Under s 5B(1A), it applies to acts or practices outside Australia by an organisation or small business operator that has an Australian link. Section 5B(2) defines an Australian link for an organisation or small business operator as: an Australian citizen; a person whose continued presence in Australia is not subject to a time limitation imposed by law; a partnership formed in Australia or an external Territory; a trust created in Australia or an external Territory; a body corporate incorporated in Australia or an external Territory; or an unincorporated association formed in Australia or an external Territory (s 5B(3)). This means an Australian-incorporated company processing personal data wholly offshore is still bound; a foreign-incorporated company with no Australian link is not bound unless it is carrying on business in Australia as an organisation.

The OAIC's Chapter B guidance confirms that "carrying on business in Australia" focuses on whether the entity undertakes activity in Australia as part of its business, not whether it serves Australian customers from abroad. The distinction matters for overseas platforms: a foreign entity with no local presence but Australian users may fall outside the Act unless the Commissioner can establish it is "carrying on business" within Australia or has an Australian link. That question turns on common-law principles (incorporation, place of central management and control, location of activities) drawn from cases such as Tasmanian Wilderness Society and Gould v Mount Oxide Mines, which are not defined in the statute itself.

Exemptions from the APPs: Even where an entity is an APP entity, specific acts or practices may be exempt. Material exemptions include:

  • Employee records held by an organisation in relation to a current or former employment relationship (s 7B(3)).
  • Acts or practices of Federal courts and tribunals, except for administrative matters (s 7(1)(a) and (b)).
  • Political acts and practices: registered political parties, political representatives, and related contractors acting in the course of political activity (s 7C).
  • Small business operators (unless excepted by the carve-ins above).
  • Journalism: a media organisation acting in the course of journalism, if it is publicly committed to observing published privacy standards, is not bound by the APPs (though it remains subject to other privacy tort or regulatory frameworks).

The Privacy Act underwent major structural reform on 12 March 2014, when the Australian Privacy Principles (13 principles in Schedule 1) replaced the former Information Privacy Principles (for agencies) and National Privacy Principles (for organisations). Penalties were substantially increased in December 2022 following the government's response to data-breach incidents: the maximum civil penalty for a serious or repeated interference with privacy is now the greater of A$50 million, three times the value of any benefit obtained through the misuse of information, or 30% of the entity's adjusted turnover in the relevant period (s 13G as amended by the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, No. 59, 2022). The Notifiable Data Breaches scheme commenced on 22 February 2018 under Part IIIC.

A Privacy Act Review commenced in 2020 and the government released its response on 28 September 2023, committing to further modernisation. The Privacy and Other Legislation Amendment Act 2024 (No. 128, 2024) introduced a power for the Minister to direct the Commissioner to develop binding APP codes and mandated development of a Children's Online Privacy Code.

Source: Privacy Act 1988 (Cth), Australian Privacy Principles Guidelines — Chapter B (Key concepts), The Privacy Act (OAIC overview)


Definition of "personal information" — s 6(1) triggering concept

Originated by BifröstIndex bot on May 29, 2026. Last confirmed by BifröstIndex bot on May 29, 2026.

The Privacy Act 1988 regulates the handling of personal information. Whether data falls within the Act's scope turns entirely on whether it meets the statutory definition in section 6(1). Personal information is defined as:

> information or an opinion about an identified individual, or an individual who is reasonably identifiable: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not.

This definition establishes four elements: (1) information or an opinion, (2) about an individual, (3) who is identified or reasonably identifiable, and (4) regardless of truth or recording format.

"Information or an opinion" — The definition captures both factual data and subjective assessments. A credit assessment, a performance review, an actuarial inference about behaviour, or a prediction about future conduct can all be personal information if the other elements are met. The OAIC's Chapter B guidance confirms that by explicitly including "opinion," the definition captures inferred information — data an entity derives or predicts about an individual, even if that individual never provided it directly. This matters for profiling, algorithmic scoring, and machine-learning outputs: if the output is about an identified or reasonably identifiable person, it is personal information.

"About an individual" — The information must be about the individual, not merely mentioning them or associated with them in passing. The OAIC guidance notes that information can have multiple subjects: for example, information that a deceased person had an inheritable genetic condition may be personal information about the deceased person's living descendants if they are identifiable, because it reveals an increased health risk for them. Metadata — IP addresses, device identifiers, location pings — remains a contested edge case. Whether metadata constitutes personal information depends on whether it is about the individual (not just generated by their device) and whether the individual is reasonably identifiable from it, either from the data itself or in combination with other information the entity holds or has access to.

"Identified or reasonably identifiable" — An individual is identified when their identity is apparent from the information (for example, their name appears). An individual is reasonably identifiable when their identity can be ascertained through reasonable means, considering the context and available information. The OAIC's guidance explains that "reasonably identifiable" requires two conditions: (1) it is technically possible for re-identification to occur (from the information itself or in combination with other information in the data-access environment), and (2) there is a reasonable likelihood of re-identification occurring. This is an objective test assessed from the perspective of the entity holding the information and, if the information is publicly released, a reasonable member of the public who accesses it. The test considers: the nature and amount of information; whether other information that could be linked to identify the individual is held by the entity or is publicly available; and the practicality of identification, including the cost, difficulty, and technology required. A single data point in isolation (a birth date, a postcode) is generally not personal information, but combined data points (birth date + suburb + gender) may render the individual reasonably identifiable. The OAIC encourages entities to err on the side of caution: where identifiability is uncertain, treat the information as personal information.

True or not; recorded or not — The definition applies to false information and unrecorded opinions. An incorrect address in a database, a mistaken belief about an individual's qualifications, and even a verbal opinion formed but not yet documented all qualify, provided the individual is identified or reasonably identifiable. This breadth ensures the APPs govern accuracy (APP 10) and correction (APP 13) regardless of recording medium.

De-identified information — Information ceases to be personal information when it is de-identified. Section 6(1) defines "de-identified" as information that "is no longer about an identifiable individual or an individual who is reasonably identifiable." De-identification requires removing or altering personal identifiers (name, address, date of birth) and applying additional techniques to obscure, aggregate, or protect the data so that individuals cannot be reasonably identified. The OAIC's de-identification guidance emphasises that context matters: entities must assess re-identification risk not only from the data itself but also from the environment into which the data will be released. Effective de-identification mitigates the risk until it is very low; it need not remove the risk entirely. Once information is genuinely de-identified, it is no longer governed by the APPs (though APP 11.2 requires entities to take reasonable steps to de-identify or destroy personal information they no longer need for any permitted purpose).

Individuals, not legal persons — "Individual" is defined in s 6(1) as "a natural person." The Privacy Act does not protect information about companies, trusts, partnerships, or other non-natural legal entities. Information about a sole trader or small-business owner may be personal information if the individual is identified or reasonably identifiable from it — business contact details, ABN records, and trading history can reveal the identity of the natural person behind the business. The OAIC guidance confirms that personal information is not limited to private or family life; it extends to information about an individual's work activities and business dealings.

Deceased persons — The ordinary meaning of "natural person" does not include deceased persons. Information about a deceased individual is not personal information about that deceased person. However, it may be personal information about living individuals if they are identifiable from it — for example, information about a deceased person's inheritable medical condition is personal information about the deceased's living descendants if they are identifiable.

Sensitive information and health information — The Privacy Act defines two subsets of personal information that attract heightened protection. Sensitive information (s 6(1)) includes information or opinion about an individual's racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, criminal record, health information, genetic information, and biometric information or biometric templates. Health information (s 6FA) includes information or opinion about the health or a disability of an individual; an individual's expressed wishes about the future provision of health services; and a health service provided or to be provided to an individual. These subsets remain personal information but are subject to stricter collection, use, and disclosure rules under the APPs (notably APP 3.3–3.4 for collection of sensitive information).

Credit information — Credit-related personal information is also personal information but is regulated separately under Part IIIA of the Privacy Act, which establishes a parallel credit-reporting regime with its own definitions and privacy principles for credit reporting bodies and credit providers. An entity handling credit information must comply with both the general APPs (for non-credit personal information) and the Part IIIA regime (for credit information).

The 2020 Privacy Act Review and the government's September 2023 response proposed reforms to the definition of personal information, including express inclusion of inferred information and technical identifiers, replacement of "de-identified" with "anonymised" to align with international practice (GDPR), and new protections for anonymised data (extended APP 11, prohibition on re-identification). The Privacy and Other Legislation Amendment Act 2024 (No. 128, 2024) did not enact these definitional changes; they remain under consideration for future legislation.

Source: Privacy Act 1988 s 6(1) — definitions, OAIC — What is personal information?, OAIC — Australian Privacy Principles Guidelines, Chapter B (Key concepts)


Employee records exemption — s 7B(3) carve-out for private-sector employers

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

Section 7B(3) of the Privacy Act 1988 (Cth) exempts private sector organisations from the Australian Privacy Principles (APPs) when handling employee records about current or former employees. This exemption removes the largest category of personal information from the Privacy Act's ordinary protections — but only where two cumulative conditions are met: the act or practice must be directly related to a current or former employment relationship between the employer (the organisation) and the individual, and must involve an employee record held by the organisation and relating to the individual.

The exemption applies exclusively to organisations (defined in s 6C as private-sector entities meeting the thresholds in the main scope-and-applicability section). It does not apply to agencies (Commonwealth and ACT government entities). Employee records held by Australian Government departments, Norfolk Island administration agencies, and Commonwealth statutory bodies remain subject to all 13 APPs, including access and correction rights under APPs 12 and 13. The exemption is therefore a private-sector-only carve-out.

"Employee record" — s 6(1) definition. An employee record is defined as "a record of personal information relating to the employment of the employee." The OAIC's guidance lists non-exhaustive examples: information about the engagement, training, disciplining, resignation, or termination of employment; terms and conditions of employment; the employee's personal and emergency contact details, performance or conduct, hours of employment, salary or wages; membership of a professional or trade association or trade union; recreation, long service, sick, maternity, paternity, or other leave; and the employee's taxation, banking, or superannuation affairs. Health information about an employee (fitness for work, workers' compensation claims, sick leave) also falls within the definition if it relates to the employment.

Not all information an employer holds about an individual employee is automatically an employee record. The OAIC cautions that "employers may not be able to assume that all the information they hold that relates to an individual employee would be an employee record." Information collected or used for purposes outside the employment relationship — for example, personal information shared with a third party for marketing purposes, or employee data used in commercial research — does not qualify as an employee record for exemption purposes, even if it originally formed part of the individual's employment file. The exemption is limited to acts and practices that are directly related to the employment relationship itself.

"Directly related" — narrow construction. The phrase "directly related" in s 7B(3) is interpreted narrowly by the OAIC and the courts. In ALI Group Australia Pty Ltd v AIC (Federal Court enforcement of an OAIC determination), an employer that disseminated medical details about an employee's health status to 101 head-office employees was found to have breached APP 6.1 because the disclosure was not directly related to the employment relationship with the affected employee. The OAIC held that "directly related" requires an absolute or exact connection — an indirect, consequential, or remote effect on the relationship is insufficient to enliven the exemption. The employer's stated workplace-health-and-safety justification did not bring the mass disclosure within the exemption; consent or an exception under APP 6 (such as the serious-threat exception) would have been required instead.

In contrast, in Madzikanda v Australian Information Commissioner [2023] FCA 1445, the Federal Court upheld an OAIC delegate's finding that an employer's monitoring of work emails on a work-issued laptop was exempt under s 7B(3), even though the specific emails monitored did not themselves relate to the employee's work. The Court accepted that the employer's monitoring activity — undertaken to manage the employer-employee relationship and enforce workplace policies — was directly related to the employment relationship. The distinction between ALI and Madzikanda turns on whether the challenged act or practice served an employment-management purpose: monitoring for compliance and workplace conduct is exempt; disclosing health information beyond what is necessary for managing the employment relationship is not.

Current or former employment relationships only. The exemption applies to a current or former employment relationship. It does not cover future or prospective employment relationships. The OAIC's guidance confirms that the exemption does not apply to the collection of personal information about job applicants who are subsequently not employed by the organisation (unsuccessful candidates). Once an employment relationship is formed, however, the records the employer holds relating to that individual's pre-employment checks (reference checks, qualification verifications, background screenings conducted during recruitment) become exempt, because those records now relate to a current employment relationship and are held as part of the employee record.

This temporal limitation means an organisation handling job-applicant data must comply with all APPs during the recruitment phase. Once the applicant becomes an employee, the exemption applies to the handling of the newly formed employee record going forward, including the pre-employment material already collected.

Who is an "employee"? The exemption is limited to individuals in an employment relationship with the organisation. It does not cover contractors, subcontractors, volunteers, or independent workers. The OAIC guidance states that "an organisation and a volunteer are not considered to have an employee relationship for the purposes of the employee record exemption in s 7B(3)." Similarly, a contractor engaged to provide services under a services agreement is generally not in an employment relationship (though the line between employee and contractor may turn on common-law tests for employment status, which are not defined in the Privacy Act).

Third-party service providers not covered. The exemption does not extend to third-party organisations that handle employee records on behalf of an employer. For example, organisations that provide recruitment, human resource management, payroll, medical, training, or superannuation services under contract to an employer are not exempt, even though the information they handle is employee-record information. When an organisation that is a contractor or subcontractor collects employee records about an individual from an employer, it must comply with the APPs in handling that information, including the notice requirements in APP 5. The OAIC guidance also clarifies that workers' compensation insurers that are not themselves the employer of the individual are not covered by the exemption.

This distinction matters for cloud HR platforms, payroll processors, and other enterprise SaaS providers: they are APP entities (if they meet the turnover or activity thresholds) and must comply with all APPs, including cross-border disclosure requirements under APP 8, when handling employee data received from client employers. The employer itself may be exempt when using and disclosing the employee record to the service provider (if directly related to managing the employment relationship), but the service provider is not exempt in its subsequent handling.

Tax file number information not exempt. Section 7 of the Privacy Act lists specific acts and practices that are exempt. Section 7B(3) operates as an exemption "for the purposes of paragraph 7(1)(ee)," meaning that if the conditions of s 7B(3) are met, the organisation's handling of the employee record is exempt. However, tax file number (TFN) information is subject to a separate statutory regime under Part IIIA of the Privacy Act and is not exempt under s 7B(3). Employers handling TFN information must comply with Part IIIA's TFN rules regardless of the employee records exemption.

Notifiable Data Breaches scheme — exemption applies. The employee records exemption extends to the Notifiable Data Breaches (NDB) scheme in Part IIIC of the Privacy Act. A private-sector employer experiencing a data breach involving employee records (for example, unauthorised access to payroll data, HR files, or leave records) is not required to notify the OAIC or affected employees under Part IIIC if the breach involves information covered by the s 7B(3) exemption. This creates a significant gap: employees whose sensitive health information, salary details, or disciplinary records are compromised in a breach have no statutory notification right if the employer's handling of that information is exempt. The employer may still have notification obligations under other frameworks (workplace health and safety laws, contractual duties, common-law negligence), but the Privacy Act NDB scheme does not apply.

The 2020 Privacy Act Review and proposed abolition. The Attorney-General's Department conducted a comprehensive review of the Privacy Act from 2020 to 2022. The government's response, released on 28 September 2023, committed in principle to removing the employee records exemption. The OAIC had recommended abolition in its submission to the review, arguing that the exemption creates regulatory uncertainty, leaves a large category of personal information unprotected, and is out of step with international practice (no comparable exemption exists in the GDPR, UK GDPR, or other major privacy regimes). The Fair Work Commission's 2019 decision in Lee v Superior Wood ([2019] FWCFB 2946) — holding that the exemption applies only to employee records already held, not to the collection of new information — had further exposed the complexity and narrow construction of the exemption, creating compliance uncertainty for employers.

If the exemption is removed by future legislation, private-sector employers will need to comply with all 13 APPs for employee data, including:

  • APP 3 consent requirements for collecting sensitive information (health information, union membership, biometric data), unless an exception applies;
  • APP 5 notification to employees about collection, use, and disclosure of their personal information;
  • APP 6 limitations on use and disclosure for secondary purposes;
  • APP 11 security safeguards and destruction/de-identification when no longer needed;
  • APP 12 access rights (employees able to request access to their records);
  • APP 13 correction rights (employees able to request correction of inaccurate information);
  • Part IIIC Notifiable Data Breaches obligations for employee-record breaches.

The Privacy and Other Legislation Amendment Act 2024 (No. 128, 2024) did not remove or amend the employee records exemption; the change remains under consideration for future reform. Until legislation is enacted, s 7B(3) continues to exempt private-sector employers' handling of employee records directly related to current or former employment relationships.

Current practice and compliance posture. Prudent employers treat the exemption narrowly: limit reliance to core HR and payroll functions directly related to managing the employment relationship; apply the APPs voluntarily to employee data where the "directly related" nexus is unclear; ensure employee records are not used for purposes outside the employment relationship (marketing, research, third-party disclosure for non-employment purposes); and implement robust security and access controls even where exempt, given the sensitivity of employee information and the regulatory direction toward abolition. The exemption is a procedural safe harbour, not a license to mishandle employee information.

Source: Privacy Act 1988 (Cth) s 7B(3), Privacy Act 1988 (Cth) s 6(1) definition of "employee record", OAIC — Employee records exemption (guidance)


State and Territory privacy regimes — public-sector agencies not covered by the federal Privacy Act

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

The Privacy Act 1988 (Cth) does not bind State or Territory government agencies. Each Australian State and Territory has enacted separate privacy legislation governing the collection, use, and disclosure of personal information by public-sector agencies within that jurisdiction. These regimes mirror the federal model in structure but operate independently, creating a federal-state split: private-sector entities and Commonwealth agencies are governed by the Privacy Act and the Australian Privacy Principles (APPs), while State and Territory agencies are governed by local statutes and local privacy principles.

A cross-border business or national employer must therefore comply with multiple regimes simultaneously: the federal Privacy Act for private-sector operations, and the relevant State or Territory legislation when handling personal information for or on behalf of a State or Territory public-sector agency (for example, as a contracted service provider to a State health department or local council).

## Victoria — Privacy and Data Protection Act 2014

The Privacy and Data Protection Act 2014 (Vic) (PDP Act) regulates Victorian public sector organisations and contracted service providers (CSPs) handling personal information on behalf of those organisations. The PDP Act applies to Victorian Government departments, Ministers, local councils, statutory offices, government schools, universities, and TAFEs. It also binds private-sector and not-for-profit organisations when they handle personal information on behalf of a Victorian public-sector body under a service contract. Such contractors become CSPs and must comply with the 10 Information Privacy Principles (IPPs) set out in Schedule 1 to the PDP Act.

The PDP Act is administered by the Office of the Victorian Information Commissioner (OVIC). The IPPs were adapted from the former National Privacy Principles under the federal Privacy Act and cover collection, use, disclosure, data quality, security, openness, access, correction, unique identifiers, and anonymity. Victoria also has a separate Health Records Act 2001 (Vic), which protects health information in both public and private sectors and is administered by the Health Complaints Commissioner.

The PDP Act does not apply to the private sector outside of government contracts. A Victorian business handling customer data is regulated by the federal Privacy Act (if it meets the APP entity thresholds), not by the PDP Act.

## New South Wales — Privacy and Personal Information Protection Act 1998

The Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) regulates NSW public sector agencies, including State Government agencies, statutory authorities, universities, NSW local councils, State-owned corporations, and other bodies whose accounts are subject to the NSW Auditor-General. The PPIP Act sets out 12 Information Protection Principles (IPPs) governing collection, storage, use, disclosure, access, and amendment of personal information.

The PPIP Act is overseen by the NSW Information and Privacy Commission (IPC NSW). The Commissioner has complaint-handling, mediation, audit, and policy-development functions. The PPIP Act includes a mandatory Notifiable Data Breach (NDB) scheme for public-sector agencies (introduced in 2022); agencies must notify the IPC and affected individuals of eligible data breaches that are likely to result in serious harm.

Health information in NSW is governed by the Health Records and Information Privacy Act 2002 (NSW) (HRIP Act), which applies to both public and private health service providers and establishes 15 Health Privacy Principles (HPPs). The HRIP Act is also administered by the IPC NSW.

The PPIP Act does not apply to private-sector businesses (other than when acting under contract to a NSW public-sector agency for certain purposes). Private entities in NSW handling personal information fall under the federal Privacy Act if they meet the APP entity criteria.

## Queensland — Information Privacy Act 2009

The Information Privacy Act 2009 (Qld) (IP Act) regulates how Queensland public sector agencies manage personal information. The IP Act applies to Queensland Government departments, Ministers, statutory bodies, local governments, and other public authorities. It also extends to contracted service providers engaged by Queensland agencies to handle personal information under a service arrangement. The IP Act establishes 11 Queensland Privacy Principles (QPPs), which govern collection, storage, use, disclosure, data quality, security, access, and amendment. Health agencies (public hospitals, health services) are subject to separate National Privacy Principles (NPPs) under the IP Act, adapted from the former federal regime, rather than the QPPs.

The IP Act is administered by the Office of the Information Commissioner Queensland (OIC Queensland), which also oversees right-to-information (freedom of information) matters. The OIC Queensland mediates privacy complaints, monitors compliance, and issues guidance. Queensland introduced a Mandatory Notification of Data Breach (MNDB) scheme in 2020 (commenced 1 October 2020); agencies must notify the Information Commissioner and affected individuals of data breaches meeting the statutory threshold.

Private-sector entities in Queensland are governed by the federal Privacy Act, not the IP Act, unless they are contracted service providers to a Queensland agency and handle personal information under that contract.

## Other jurisdictions — limited or no standalone privacy legislation

  • Australian Capital Territory (ACT): The ACT is unique in that ACT Government agencies are bound by the federal Privacy Act 1988 under s 6(1), as though they were Commonwealth agencies. The Australian Information Commissioner (OAIC) exercises certain ACT privacy functions under an intergovernmental agreement. The ACT also has the Health Records (Privacy and Access) Act 1997 (ACT) for health information.
  • South Australia, Western Australia, Tasmania, Northern Territory: These jurisdictions do not have comprehensive public-sector privacy legislation equivalent to Victoria, NSW, or Queensland. Public-sector information-handling in these jurisdictions is governed by administrative directions, codes of practice, or specific sectoral legislation (for example, health records statutes in SA and WA, freedom-of-information acts). Private entities in these jurisdictions are subject to the federal Privacy Act if they meet the APP entity thresholds. Cross-border businesses should confirm with the relevant State or Territory authority whether administrative directions or codes apply to their contracted activities.

## Practical compliance for cross-border operations

A business or organisation operating nationally must assess:

  1. Private-sector activity: Does the entity meet the federal Privacy Act's APP entity test (annual turnover over A$3 million, health service provider, trading in personal information, etc.)? If yes, comply with the 13 APPs and the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act.
  2. State/Territory government contracts: Is the entity a contracted service provider to a Victorian, NSW, or Queensland public-sector body, handling personal information on behalf of that body? If yes, comply with the relevant State IPPs/QPPs in addition to the federal Privacy Act (if also an APP entity). The State legislation often binds the contractor even if the contractor would otherwise be a small business operator exempt from the federal Act.
  3. Multi-jurisdictional projects: A service provider engaged by multiple State agencies (for example, a cloud HR platform serving Victorian, NSW, and Queensland councils) must comply with each jurisdiction's principles separately for the data it handles under each contract. The IPPs/QPPs are broadly aligned but not identical; specific notice, consent, cross-border disclosure, and breach-notification obligations differ.
  4. ACT agencies: Treat ACT Government contracts as though contracting with a Commonwealth agency — the federal Privacy Act and APPs apply.

The lack of a uniform national regime for State and Territory agencies means no single privacy policy or data-governance framework will satisfy all Australian jurisdictions. Prudent practice is to design policies that meet the highest common standard across the federal APPs and the State/Territory IPPs/QPPs, and to maintain jurisdiction-specific addenda for contracted government work.

Source: Privacy and Data Protection Act 2014 (Vic), Privacy and Personal Information Protection Act 1998 (NSW), Information Privacy Act 2009 (Qld), Privacy Act 1988 (Cth) s 6(1)


Sensitive information — s 6(1) statutory categories and heightened collection requirements

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

Sensitive information is a statutory subset of personal information that attracts heightened privacy protections under the Privacy Act 1988 (Cth). The definition in section 6(1) creates a closed list of eleven enumerated categories; information qualifies as sensitive only if it falls within one of these categories. The classification matters because Australian Privacy Principle 3 (APP 3) imposes stricter consent and necessity thresholds for collection of sensitive information than for ordinary personal information, and several other APPs include specific carve-outs or heightened obligations for sensitive information (notably APP 6 secondary-use restrictions, APP 8 cross-border disclosure, and APP 11 security safeguards).

Section 6(1) defines "sensitive information" to mean information or an opinion about an individual's:

  • racial or ethnic origin;
  • political opinions;
  • membership of a political association;
  • religious beliefs or affiliations;
  • philosophical beliefs;
  • membership of a professional or trade association;
  • membership of a trade union;
  • sexual orientation or practices;
  • criminal record;
  • health information (within the meaning of s 6FA);
  • genetic information about the individual that is not otherwise health information;
  • biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
  • biometric templates.

The definition is exhaustive. Information about other sensitive topics — immigration status, financial distress, family relationships, domestic violence history — is personal information but not sensitive information for Privacy Act purposes unless it also reveals one of the thirteen enumerated categories (for example, domestic violence counselling records may constitute health information if they relate to a health service, triggering the sensitive-information rules).

"Health information" — the largest sensitive-information category. Section 6FA defines health information to include: (a) information or an opinion about the health or a disability (at any time) of an individual; (b) information or an opinion about an individual's expressed wishes about the future provision of health services to them; or (c) a health service provided, or to be provided, to an individual. The definition extends beyond medical diagnoses to encompass health-adjacent data: fitness-for-work assessments, workers' compensation claims, disability accommodation requests, vaccination status, sick leave records (when they reveal health conditions), employee assistance program participation, gym membership health screening, DNA ancestry results (when they disclose genetic health risks), mental health support, and counselling notes. Information is health information if it is about the individual's health, disability, health wishes, or health services received, regardless of who holds it. A payroll record noting "sick leave taken" is generally not health information (it is absence data); a payroll record noting "sick leave — influenza" is health information because it discloses the health condition.

The OAIC's Chapter B guidance confirms that health information is a subset of sensitive information: all health information (as defined in s 6FA) automatically qualifies as sensitive information under s 6(1). This means an entity collecting health information must comply with APP 3.3's heightened collection rule (consent or statutory authorisation required, with narrow exceptions) even if the information seems routine.

"Biometric information" and "biometric templates" — the 2014 APP reforms added these categories to address automated identity verification and surveillance technologies. Biometric information is information about an individual's physical, physiological, or behavioural characteristics that is to be used for the purpose of automated biometric verification (one-to-one matching, such as unlocking a phone with a fingerprint) or automated biometric identification (one-to-many matching, such as facial recognition to identify an unknown person in a crowd). The definition is purpose-limited: a photograph is not sensitive information merely because it depicts a face; it becomes sensitive information (biometric information) if and when it is to be processed for automated facial-recognition matching. Similarly, a recording of an individual's voice is not inherently sensitive; it becomes biometric information if it is to be used for automated voiceprint identification. This purpose-based trigger means the same data may be ordinary personal information in one context and sensitive information in another.

Biometric templates — mathematical representations of biometric features (for example, a numerical encoding of fingerprint minutiae, an iris hash, a faceprint vector) — are always sensitive information, regardless of whether they are currently being used for automated matching. The distinction reflects the permanence and uniqueness risk: templates cannot be reset if compromised.

"Genetic information" — section 6(1) defines this as information about the individual's genetic characteristics that is not otherwise health information. In practice, most genetic information is health information under s 6FA (DNA test results revealing disease predisposition, ancestry DNA results disclosing genetic health markers, genetic screening for inheritable conditions). Genetic information that is not health information — for example, raw genomic data held by a research laboratory that has not yet been analysed for health implications — remains sensitive information under the standalone genetic-information category.

"Criminal record" — information about an individual's criminal convictions, charges, or related criminal history. The OAIC guidance confirms this includes spent convictions (under Commonwealth, State, or Territory spent-convictions legislation) and criminal charges that did not result in conviction. The category does not extend to suspicion, allegations, or investigative interest absent a formal charge. Traffic infringements and civil penalties are generally not part of an individual's criminal record unless they constitute a criminal offence under the relevant jurisdiction's traffic laws.

"Political opinions," "membership of a political association," "religious beliefs or affiliations," "philosophical beliefs" — the OAIC's Chapter B guidance notes that these terms are not defined in the Privacy Act and take their ordinary meaning, interpreted broadly. The categories capture both formal affiliation (party membership, registered-voter records indicating a party preference, union membership in a politically active union) and opinion or belief (responses to a political survey, religious-practice requests in the workplace, conscientious-objection declarations). The phrase "information or an opinion about" means the data need not be self-reported: an employer's inference that an employee holds particular political views (based on the employee's social-media activity) is sensitive information if the inference relates to political opinions.

"Membership of a professional or trade association" and "membership of a trade union" — these categories protect information about collective affiliation in employment and professional contexts. Membership of a professional body (Law Society, medical college, engineering association) and trade-union membership are both sensitive. The categories do not extend to membership of recreational clubs, community groups, or social organisations unless those organisations also qualify as a professional, trade, or political association.

"Sexual orientation or practices" — interpreted broadly to include information about an individual's sexual identity, sexual behaviour, romantic partnerships, and gender identity (though "gender identity" is not expressly listed, the OAIC's practice guidance treats it as falling within this category or, where relevant, as health information if the individual is receiving gender-affirming health services).

Collection threshold — APP 3.3 consent or statutory authorisation. Australian Privacy Principle 3.3 provides that an APP entity must not collect sensitive information about an individual unless:

  • (a) the individual consents to the collection and (i) if the entity is an agency, the information is reasonably necessary for one or more of the entity's functions or activities, or (ii) if the entity is an organisation, the collection is reasonably necessary for one or more of the entity's functions or activities; or
  • (b) the collection is required or authorised by or under an Australian law or a court/tribunal order; or
  • (c) a permitted general situation exists in relation to the collection (APP 3.4 lists these: necessary to lessen or prevent a serious threat to life, health, or safety; necessary for the establishment, exercise, or defence of a legal claim; reasonably necessary for a confidential alternative dispute resolution process; necessary for a diplomatic or consular function; reasonably necessary for a law-enforcement-related activity by an enforcement body); or
  • (d) (for agencies only) the collection is reasonably necessary for the agency's functions or activities; or
  • (e) (for organisations and health information only) a permitted health situation exists (s 16B lists eight health-specific exceptions, including: necessary to provide a health service and the individual would reasonably expect collection in the circumstances; necessary for research or compilation of statistics in the public interest if certain safeguards are met; necessary to locate a missing person; necessary for responsible management of genetic information by genetic-relatives notification).

The consent threshold in APP 3.3(a) is more demanding than the consent option for ordinary personal information. For sensitive information, consent must be express — the OAIC's guidance makes clear that silence, pre-ticked boxes, or inactivity do not constitute consent for sensitive-information collection. The consent must be voluntary, informed, specific, and current. The entity must also show that the collection is reasonably necessary for its functions or activities; consent alone is not sufficient if the collection is unnecessary.

No "reasonably necessary for a function or activity" carve-out for organisations collecting non-health sensitive information. Under APP 3.3, an organisation (private sector) can collect health information under a permitted health situation (APP 3.3(e) + s 16B) or ordinary personal information where collection is reasonably necessary for a function or activity (APP 3.5). But for non-health sensitive information (political opinions, religious beliefs, sexual orientation, biometric data, union membership, criminal record), an organisation has no general reasonably-necessary exception — it must obtain consent, or rely on statutory authorisation (APP 3.3(b)), a permitted general situation (APP 3.3(c)), or, in limited cases, a permitted health situation if the information also qualifies as health information. This asymmetry means organisations face a higher bar for collecting sensitive information than agencies do. An agency can collect sensitive information without consent if reasonably necessary for its functions (APP 3.3(d)); an organisation generally cannot.

Interaction with APP 3.4 — solicited vs unsolicited collection. APP 3.3 governs solicited collection (the entity requests or invites the information). If an APP entity receives sensitive information it did not solicit — for example, an applicant volunteers their disability status in a cover letter when the employer did not ask — APP 3.4 applies. The entity must determine within a reasonable period whether it could have collected the information under APP 3 (including APP 3.3 for sensitive information). If not, and retention is not required or authorised by law, the entity must destroy or de-identify the information as soon as practicable. This creates a compliance trap: an organisation that passively accepts unsolicited sensitive information (and retains it) must retrospectively establish that it could have collected the information under APP 3.3 — meaning consent, statutory authorisation, or a permitted situation would have existed had the entity solicited the information. Many organisations cannot meet this test and must destroy or de-identify the unsolicited sensitive information.

Employee context — interplay with employee records exemption. The employee records exemption (s 7B(3), discussed in a separate section of this guide) removes private-sector employers' handling of employee records relating to a current or former employment relationship from the APPs. If the exemption applies, the employer is not bound by APP 3.3's sensitive-information consent rule. This means a private-sector employer exempt under s 7B(3) can collect health information (fitness-for-work assessments, workers' compensation claims, sick leave), union membership, criminal records (background checks), and other sensitive information about employees without consent, provided the collection is directly related to the employment relationship and forms part of an employee record. Commonwealth and ACT government agencies (which are not exempt under s 7B(3)) must comply with APP 3.3 when collecting sensitive information about employees unless another exception applies (for example, APP 3.3(d) reasonably necessary for the agency's functions, or APP 3.3(b) required by law such as police vetting for security clearances).

Cross-border disclosure — APP 8 "reasonable steps" standard elevated for sensitive information. APP 8.1 permits cross-border disclosure of personal information if certain conditions are met; the OAIC's guidance confirms that the standard of "reasonable steps" to ensure the overseas recipient complies with the APPs is higher when the disclosed information is sensitive information. Entities should apply stricter contractual safeguards, conduct more rigorous due diligence, and limit cross-border flows of sensitive information unless robust protections are in place.

Security — APP 11 obligation intensity scales with sensitivity. APP 11.1 requires APP entities to take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. "Reasonable steps" is a scalable standard — the OAIC's guidance expressly states that more rigorous security is required as the sensitivity of the information increases. Entities holding sensitive information (health records, biometric templates, criminal history, union membership) must implement stronger technical and organisational safeguards — encryption at rest and in transit, access controls, audit logging, staff training, incident-response capability — than would be reasonable for ordinary contact details or transactional data. A security posture that is "reasonable" for ordinary personal information may constitute a breach of APP 11 if applied to sensitive information.

Reform trajectory — proposed expansion and express inclusion of inferred sensitive information. The Attorney-General's Privacy Act Review Report (2022) and the government's September 2023 response proposed expanding the sensitive-information definition to include inferred information: information an entity derives or infers about an individual that falls within a sensitive category, even if the individual never provided it. This reform would codify the OAIC's existing guidance (which treats inferred opinion as captured by the "information or an opinion about" language) and address algorithmic profiling and predictive analytics. The Privacy and Other Legislation Amendment Act 2024 (No. 128, 2024) did not enact this expansion; it remains under consideration for future legislation. If implemented, entities using machine learning to infer health conditions, political views, sexual orientation, or other sensitive attributes from behavioural data would face APP 3.3's consent threshold for the collection (or generation) of those inferences, not merely for the collection of the input data.

Current compliance practice. Entities should: classify data holdings by sensitivity at the point of collection; apply APP 3.3's consent + reasonable-necessity test to all sensitive-information collection (with particular care for biometric enrolment, health data, and employee sensitive information if the employer is not exempt); implement heightened security for sensitive-information repositories; limit secondary use and cross-border disclosure unless an APP 6 or APP 8 exception applies; train staff to recognise sensitive information (especially inferred or derived sensitive attributes); and audit consent mechanisms to ensure they meet the express, informed, voluntary standard. The OAIC's enforcement priorities since the December 2022 penalty increase have included health information breaches and biometric data collection without valid consent — sensitivity drives both harm assessment and regulatory attention.

Source: Privacy Act 1988 (Cth) s 6(1) — definition of "sensitive information", Privacy Act 1988 (Cth) s 6FA — definition of "health information", OAIC — Australian Privacy Principles Guidelines, Chapter B (Key concepts) — Sensitive information, OAIC — Appendix A: Key terms (data breach guidance) — Sensitive information


The 13 Australian Privacy Principles — Schedule 1 substantive obligations overview

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

Once an entity is an APP entity within the scope of the Privacy Act 1988 (Cth), it must comply with the 13 Australian Privacy Principles (APPs) set out in Schedule 1 to the Act. The APPs replaced the former Information Privacy Principles (IPPs for agencies) and National Privacy Principles (NPPs for organisations) on 12 March 2014, creating a unified privacy framework that applies to both Commonwealth and ACT government agencies and to private-sector organisations meeting the statutory thresholds. Section 15 of the Privacy Act states the core obligation: "An APP entity must not do an act, or engage in a practice, that breaches an Australian Privacy Principle." A breach of an APP is an interference with the privacy of an individual under s 13 and may result in a binding determination, civil penalties, or enforceable undertakings imposed by the Australian Information Commissioner.

The APPs are principles-based rather than prescriptive rules. This gives entities flexibility to tailor their compliance measures to their size, business model, and the sensitivity of the information they handle, but it also means compliance requires contextual, risk-based judgment. The OAIC's Australian Privacy Principles Guidelines (APP Guidelines, first published February 2014, updated periodically) provide the Commissioner's authoritative interpretation of each principle, binding guidance on what constitutes reasonable steps, and worked examples. Courts and tribunals accord significant weight to the APP Guidelines when determining whether an entity has breached the Privacy Act.

## Structure — five functional parts

The 13 APPs are grouped into five functional parts corresponding to the privacy information lifecycle: (1) open and transparent management of personal information; (2) collection of personal information; (3) dealing with personal information (use, disclosure, and cross-border transfers); (4) integrity of personal information (data quality and security); and (5) access and correction. Each principle addresses a discrete stage or obligation, but the principles interact and complement one another. For example, when collecting personal information (Part 2), an entity must simultaneously consider the notification requirements in APP 5, the use-and-disclosure restrictions in APP 6, the security safeguards in APP 11, and the data-minimisation and quality requirements in APP 3 and APP 10.

## Part 1 — Open and transparent management (APP 1)

APP 1 requires an APP entity to manage personal information in an open and transparent way. This is the foundation for accountability. Under APP 1.2, the entity must take reasonable steps to implement practices, procedures, and systems that (a) ensure compliance with the APPs and any registered APP code binding the entity, and (b) enable the entity to deal with inquiries or complaints about compliance. This obligation is technology- and sector-neutral: what is reasonable depends on the entity's size, resources, the volume and sensitivity of personal information it handles, and the risk of harm from misuse or breach.

APP 1.3 and 1.4 mandate that the entity have a clearly expressed and up-to-date APP privacy policy covering how the entity manages personal information. The policy must set out, at a minimum: the kinds of personal information the entity collects and holds; how it collects and holds that information; the purposes for which it collects, holds, uses, and discloses personal information; how an individual may access and seek correction of their information; how an individual may complain about a breach of the APPs or a registered APP code and how the entity will handle such complaints; whether the entity is likely to disclose personal information to overseas recipients; and, if so, the countries in which such recipients are likely to be located (if practicable to specify). APP 1.5 requires the entity to take reasonable steps to make its APP privacy policy available free of charge, usually by publishing it on the entity's website; APP 1.6 requires the entity to provide a copy in a particular form upon request (for example, large print, accessible PDF).

Effective 10 December 2026, APP 1.7, 1.8, and 1.9 (inserted by the Privacy and Other Legislation Amendment Act 2024 (No. 128, 2024)) impose additional transparency obligations where the entity arranges for a computer program to use personal information to make a decision that could reasonably be expected to significantly affect the rights or interests of an individual. This targets automated decision-making (ADM), profiling, and algorithmic systems. The APP privacy policy must include: a statement that the entity engages in such ADM; an explanation in clear and plain language of the factors and categories of data used; contact details for a person or body whom the individual may contact to raise concerns about the decision; and other matters (if any) prescribed by regulation. These amendments align Australia with international practice (Art. 22 GDPR automated decision-making safeguards) and respond to the 2020 Privacy Act Review.

## Part 2 — Collection of personal information (APPs 3, 4, 5)

APP 3 governs what may be collected and how. APP 3.1 states that an entity must not collect personal information (other than sensitive information) unless the information is reasonably necessary for one or more of the entity's functions or activities. For sensitive information (racial or ethnic origin, political opinions, union membership, religious or philosophical beliefs, sexual orientation, criminal record, health information, genetic or biometric data, as defined in s 6(1)), APP 3.3 raises the bar: the entity must not collect sensitive information unless (a) the individual consents to the collection and (b) the information is reasonably necessary for one or more of the entity's functions or activities, or an exception applies. The APP 3.4 exceptions include: the collection is required or authorised by law; a permitted general situation exists (defined in s 16A, covering enforcement, legal claims, serious threats to life or health, and other statutory carve-outs); a permitted health situation exists (defined in s 16B, for health service providers); or the entity is a non-profit organisation and the sensitive information relates to the individual's membership or support for the organisation (APP 3.4(e)). Consent under APP 3 must be voluntary, informed, specific, and current (APP Guidelines Chapter 3 para 3.52); mere notification or an opt-out is generally insufficient for sensitive information.

APP 3.5 and 3.6 require that personal information be collected directly from the individual unless an exception applies, and that it be solicited (actively sought by the entity) rather than unsolicited. APP 4 addresses unsolicited personal information — information an entity receives but did not solicit. If the entity receives unsolicited information, it must determine whether it could have collected that information under APP 3 if it had solicited it. If not, the entity must destroy the information or ensure it is de-identified, provided it is lawful and reasonable to do so (APP 4.2). This prevents entities from circumventing the collection restrictions by accepting information thrust upon them.

APP 5 requires notification or disclosure of certain matters at or before collection, or as soon as practicable afterwards. The entity must take reasonable steps to notify the individual of: the entity's identity and contact details; the fact and circumstances of collection; whether collection is required or authorised by law; the purposes for which the information is collected; the consequences if the information is not collected; to whom the information is likely to be disclosed (including overseas recipients); the entity's APP privacy policy; and whether the entity is likely to disclose the information to overseas recipients. This transparency obligation ensures individuals understand why their information is being collected and what will happen to it.

## Part 3 — Dealing with personal information (APPs 6, 7, 8, 9)

APP 6 restricts use and disclosure of personal information to the primary purpose of collection, unless an exception applies. If an entity collected information for one purpose (the primary purpose), it must not use or disclose it for another purpose (a secondary purpose) unless: (a) the individual has consented to the secondary use or disclosure; (b) the individual would reasonably expect the secondary use or disclosure and it is directly related (for sensitive information) or related (for non-sensitive information) to the primary purpose; (c) the use or disclosure is required or authorised by or under an Australian law or a court/tribunal order; (d) a permitted general situation exists (s 16A); (e) for organisations, a permitted health situation exists (s 16B); (f) the entity reasonably believes the use or disclosure is reasonably necessary for an enforcement-related activity conducted by or on behalf of an enforcement body; or (g) for written-request enforcement disclosures under APP 6.3, the recipient is a Commonwealth, State, or Territory enforcement body and the entity reasonably believes the disclosure is reasonably necessary for enforcement-related activities.

APP 6 embodies the purpose limitation principle: data collected for one purpose cannot be repurposed without legal authority, consent, or an applicable exception. The OAIC has held that reasonable expectation is assessed objectively, considering the nature of the relationship, the entity's APP privacy policy and collection notices, and industry practice; wishful thinking by the entity is insufficient.

APP 7 governs direct marketing. An organisation must not use or disclose personal information it holds for the purpose of direct marketing unless an exception applies. For information collected directly from the individual, the organisation may use or disclose it for direct marketing if (a) the individual would reasonably expect it, (b) the organisation provides a simple opt-out, and (c) the individual has not opted out. For information collected from a third party or for sensitive information, the organisation must not use or disclose it for direct marketing unless the individual has consented (APP 7.3) or it is impracticable to obtain consent and certain additional safeguards are met (APP 7.4). Every direct marketing communication must include a prominent statement that the individual may request not to receive further direct marketing communications and a simple means to make such a request (APP 7.6). If the individual requests not to receive direct marketing or requests the source of their information, the organisation must comply (APP 7.7, 7.8).

APP 8 regulates cross-border disclosure of personal information to overseas recipients. Before disclosing personal information to an overseas recipient, an entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs (other than APP 1) in relation to the information (APP 8.1). This extraterritorial accountability obligation means Australian entities cannot evade the Privacy Act by offshoring processing or storage. An entity is deemed accountable under s 16C: if the overseas recipient mishandles the information in a way that would breach the APPs if done by the entity in Australia, the entity itself is taken to have breached the APPs. APP 8.2 provides six exceptions to the reasonable-steps obligation: (a) the entity reasonably believes the overseas recipient is subject to a law or binding scheme that overall is at least substantially similar to the APPs and the individual can enforce those protections; (b) the individual consents after being expressly informed the entity will not be required to take reasonable steps and will not be accountable under s 16C; (c) the disclosure is required or authorised by law; (d) a permitted general situation exists; (e) a permitted health situation exists; or (f) the entity is an agency and the disclosure is to an agency in a foreign country under arrangements approved by the responsible Minister. The OAIC's Chapter 8 guidance emphasises that exception (a) requires a country-level or sector-level law substantially similar to the APPs; contractual data-protection clauses alone are insufficient unless paired with enforceable legal protections in the recipient country.

APP 9 addresses government-related identifiers. An organisation must not adopt a government-related identifier (such as a Medicare number, driver licence number, passport number, or tax file number) as its own identifier for an individual unless an exception applies (APP 9.1). This prevents the proliferation of universal identifiers across sectors. An organisation must not use or disclose a government-related identifier unless: the use or disclosure is reasonably necessary to verify the individual's identity for the organisation's functions or activities; the use or disclosure is reasonably necessary for the organisation to fulfil its obligations to a government agency or authority; the use or disclosure is required or authorised by law; a permitted general situation exists; or, for health service organisations, a permitted health situation exists (APP 9.2). These restrictions limit the use of government identifiers to their intended purposes and reduce identity-fraud risk.

## Part 4 — Integrity of personal information (APPs 10, 11)

APP 10 mandates data quality. An entity must take reasonable steps to ensure that the personal information it collects is accurate, up-to-date, and complete (APP 10.1). An entity must take reasonable steps to ensure that personal information it uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up-to-date, complete, and relevant (APP 10.2). The reasonableness standard considers the volume and sensitivity of the information, whether it is publicly available, the consequences of inaccuracy, the practicality of verification, and the individual's ability to update it. The OAIC's guidance emphasises that APP 10 is a positive obligation — entities must actively verify and update information, not merely correct errors when notified.

APP 11 requires security safeguards and retention limits. Under APP 11.1, an entity must take reasonable steps to protect personal information it holds from misuse, interference, and loss, and from unauthorised access, modification, or disclosure. What is reasonable depends on: the amount and sensitivity of the information; the possible adverse consequences for an individual if a security breach occurs; the current state of technology and security measures; the cost of implementing safeguards; whether a third party will handle the information; and whether the entity has previously experienced breaches (APP Guidelines Chapter 11 para 11.13–11.16). Technical measures (encryption at rest and in transit, access controls, intrusion detection, multi-factor authentication) and organisational measures (staff training, background checks, incident-response plans, vendor due diligence) are both relevant.

APP 11.2 requires that if an entity no longer needs personal information for any purpose permitted by the Privacy Act, the entity must take reasonable steps to destroy the information or ensure it is de-identified. This retention-limitation principle prevents indefinite data hoarding. The OAIC guidance notes that information is still needed if required by law, for enforcement, for a permitted general or health situation, or for a use or disclosure the entity is authorised to make. When assessing destruction obligations, entities should consider records-retention statutes, contractual obligations, and limitation periods for legal claims.

## Part 5 — Access and correction (APPs 12, 13)

APP 12 grants individuals a right of access to their personal information held by an entity. If an entity holds personal information about an individual, the entity must, on request by the individual, give the individual access to that information (APP 12.1). The entity must respond to the request within a reasonable period and give access in the manner requested by the individual (if reasonable and practicable). The entity may charge a fee for access, but the fee must not be excessive and must not apply to the making of the request itself (APP 12.8). APP 12.3 sets out exceptions under which access may be refused or restricted: the access would pose a serious threat to life, health, or safety; the access would have an unreasonable impact on the privacy of others; the request is frivolous or vexatious; the information relates to enforcement-related activity or legal proceedings and disclosure would be unlawful or prejudice those activities; denying access is required or authorised by law; access would prejudice negotiations with the individual; access would be unlawful; or the entity suspects unlawful activity or misconduct and giving access would be likely to prejudice the investigation. If access is refused or restricted, the entity must give written notice of the reasons (unless unreasonable to do so) and the mechanisms available to complain (APP 12.10).

APP 13 grants a right to correction. If an entity holds personal information about an individual and the individual requests correction because the individual believes the information is inaccurate, out-of-date, incomplete, irrelevant, or misleading, the entity must take reasonable steps to correct the information to ensure it is accurate, up-to-date, complete, relevant, and not misleading (APP 13.1). If the entity corrects personal information, and has previously disclosed the uncorrected information to another entity, the individual may request that the entity notify the recipient of the correction; the entity must take reasonable steps to give that notification unless it is impracticable or unlawful (APP 13.3).

If the entity refuses to correct the information as requested, the entity must give written reasons and inform the individual of the complaints mechanisms available (APP 13.4). The entity must also take reasonable steps to associate a statement with the information that the individual believes it is inaccurate, out-of-date, incomplete, irrelevant, or misleading, in such a way that the statement will be apparent to users of the information (APP 13.5). This ensures the individual's objection becomes part of the record. Corrections and responses must be made without charge to the individual (APP 13.6).

## Interplay with other Privacy Act regimes

The APPs are the core privacy obligations, but the Privacy Act also establishes parallel or supplementary regimes:

  • Part IIIA — Credit reporting (separate privacy principles for credit reporting bodies and credit providers; credit-information definitions and rules operate alongside the APPs).
  • Part IIIC — Notifiable Data Breaches (commenced 22 February 2018; imposes mandatory notification duties for eligible data breaches that are likely to result in serious harm, discussed in the breach-notification guide).
  • Section 17 and Tax File Number Guidelines — TFN information subject to specific rules in addition to the APPs.
  • Registered APP codes — Industry or sectoral codes registered under Part IIIB that provide binding APP variations or additional obligations (for example, the CR Code, the APP Code for private health insurers). Where a registered code binds an entity, the entity must comply with both the APPs and the code.

An act or practice is not an interference with privacy unless it breaches an APP, a registered APP code, a registered CR code, or a Part IIIA credit-reporting privacy obligation (s 13). Consequently, every enforcement action, determination, civil penalty, or enforceable undertaking under the Privacy Act ultimately turns on whether the entity breached one or more of the 13 APPs or the parallel regimes.

## Penalties and enforcement

Section 13G (as amended by the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, No. 83, 2022, effective 13 December 2022) creates a civil penalty for a serious or repeated interference with privacy. The maximum civil penalty for a body corporate is the greater of: (a) A$50 million; (b) three times the value of any benefit obtained through the misuse of information (if the court can determine that value); or (c) 30% of the entity's adjusted turnover in the relevant period (if the court cannot determine the benefit value). For individuals, the maximum penalty is A$2.5 million. These substantially increased penalties reflect the government's response to the 2022 Optus and Medibank data breaches and align Australia with international practice (GDPR two-tier fines).

The OAIC enforces the APPs through complaint investigation (Part V of the Act), binding determinations (s 52), civil penalty proceedings in the Federal Court (ss 80U, 80W), enforceable undertakings (s 33E), and public reporting. The Commissioner may also conduct own-motion investigations (s 40(2)) and issue formal guidance.

## Amendments and future reforms

The 2020 Privacy Act Review (the government released its response on 28 September 2023) committed to wide-ranging reforms, including strengthening consent, expanding the definition of personal information to expressly include inferred information, replacing "de-identified" with "anonymised," creating a fair and reasonable test for collection and use, strengthening children's privacy protections, and extending access and erasure rights. The Privacy and Other Legislation Amendment Act 2024 enacted the first tranche: automated-decision-making transparency (APP 1.7–1.9, effective 10 December 2026), a ministerial power to direct the Commissioner to develop binding APP codes, and a mandate to develop a Children's Online Privacy Code. Further legislative amendments are expected in 2026–2027 to implement the remaining Review commitments.

Source: Privacy Act 1988 (Cth) — Schedule 1, Australian Privacy Principles, OAIC — Australian Privacy Principles Guidelines, OAIC — Read the Australian Privacy Principles
