Australian Privacy Act, 1988 - An Analysis
Updated: Mar 16

The handling of personal information in Australia is governed by legislation at both a federal and state/territory level.
At a federal level, the Privacy Act 1988 (Cth) (Privacy Act) governs the way in which business entities and federal government agencies must handle personal information, largely through the 13 Australian Privacy Principles (APPs) set out within the Privacy Act.
‘Personal information’ is defined by the Privacy Act as:
information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether the information or opinion is recorded in a material form or not.
Most States and Territories in Australia (except Western Australia and South Australia) have their own data protection legislation applicable to relevant State or Territory government agencies, and private businesses that interact with State and Territory government agencies. These Acts include:
Information Privacy Act 2014 (Australian Capital Territory)
Information Act 2002 (Northern Territory)
Privacy and Personal Information Protection Act 1998 (New South Wales)
Information Privacy Act 2009 (Queensland)
Personal Information Protection Act 2004 (Tasmania), and
Privacy and Data Protection Act 2014 (Victoria)
Additionally, there are other parts of State, Territory and federal legislation that relate to data protection. For example, the following all impact privacy and data protection for specific types of data or activities: the Telecommunications Act 1997 (Cth), the Criminal Code Act 1995 (Cth), the National Health Act 1953 (Cth), the Health Records and Information Privacy Act 2002 (NSW), the Health Records Act 2001 (Vic) and the Workplace Surveillance Act 2005 (NSW).
Who must comply with the Privacy Act?
The Privacy Act imposes obligations on ‘APP entities’.
An APP entity is, generally speaking:
an agency (which largely refers to a federal government entity and/or office holder) or
an organisation (which includes an individual, body corporate, partnership, unincorporated association, or trust).
An APP entity does not include:
a ‘small business operator’ (subject to the exceptions below), which is an operator of a business with an annual turnover of less than $3 million
a registered political party or
a state or territory authority.
However, a small business operator will be deemed to be an APP entity, and therefore required to comply with the Privacy Act if they:
operate another business with a turnover of $3 million or more
provide a health service or otherwise hold health information (other than in an employee record)
disclose, or collect, personal information about another individual for a benefit, service or advantage
are a contracted service provider for a Commonwealth contract or
are a credit reporting body.
Obligations under the Privacy Act
The key features of the Privacy Act include:
the 13 APPs, the principles that govern the way in which personal information is to be collected, used, disclosed and stored. We have included a summary of the APPs in section 4 below. The full text of the APPs can be viewed on the Australian Information Commissioner’s website.
the credit reporting provisions of the Privacy Act (further explained in section 10 below), which govern the way in which credit-related personal information is to be collected, used, disclosed and stored. These provisions will be particularly relevant to entities that are credit providers (or agents of credit providers), credit reporting bodies, or that otherwise handle or deal in credit-related personal information and
the obligation to comply with an ‘APP code’, which is a written code of practice usually specific to a particular entity or industry. In particular, there is a Credit Reporting Code (CR Code) which imposes on entities handling credit information obligations additional to those set out in the credit reporting provisions of the Privacy Act.
Accordingly, APP entities must be aware of the full scope of the obligations imposed upon them according to the nature of their business activities.
The Australian Privacy Principles
APP 1: Open and transparent management of personal information
APP 2: Anonymity and pseudonymity
APP 3: Collection of solicited personal information
APP 4: Dealing with unsolicited personal information
APP 5: Notification of the collection of personal information
APP 6: Use or disclosure of personal information
APP 7: No direct marketing without consent
APP 8: Cross-border disclosure of personal information
APP 9: Adoption, use or disclosure of government related identifiers
APP 10: Quality of personal information
APP 11: Security of personal information
APP 12: Access to personal information
APP 13: Correction of personal information
Sensitive information
The Privacy Act affords a higher level of protection to ‘sensitive information’, because mishandling it is generally more detrimental to the individual concerned.