Australian Privacy Act 1988

Australian Privacy Act 1988

If you plan on selling goods or services to Australians, you must abide by the terms of the Australian Privacy Act 1988, follow the principles set out in this Act and apply to them any business you conduct online.

To help you comply with your responsibilities, here's a summary of how the Privacy Act works and a look at the steps you can take to ensure compliance.

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy" on our website.
  2. Select the platforms where your Privacy Policy will be used and go to the next step.
  3. Privacy Policy Generator - Select platforms - Step 1

  4. Add information about your business: your website and/or app.
  5. Privacy Policy Generator - Add your business info - Step 2

  6. Select the country:
  7. Privacy Policy Generator - Add your business info - Step 2

  8. Answer the questions from our wizard relating to what type of information you collect from your users.
  9. Privacy Policy Generator - Answer questions from our wizard - Step 3

  10. Enter your email address where you'd like your Privacy Policy sent and click "Generate". Privacy Policy Generator - Enter your email address - Step 4

    And you're done! Now you can copy or link to your hosted Privacy Policy.

Introduction to the Australian Privacy Act 1988

The Privacy Act aims to give Australians some control over their personal data. Under the Act, "personal information" is defined in Part II, Division I as any data you can use to identify or form an opinion about a certain individual:

Australian Government Federal Register of Legislation: Privacy Act 1988 - Definition of personal information

Since the Privacy Act is broad in scope, there's a huge amount of data that could potentially count as personal information. If there's any chance you could identify someone from a piece of data, it's best to assume it's personal information and handle it accordingly.

We'll cover the details below, but in short:

  • The Privacy Act gives Australians various rights, including the right to prevent companies from using their data for marketing reasons.
  • There are 13 privacy "principles" you must abide by if the Privacy Act applies to your business.
  • You must comply with certain breach reporting requirements if there's a data breach in your company.

Now, let's consider which companies must comply with the Act.

Who Must Comply With the Privacy Act

The Privacy Act applies to any organization with an annual turnover of at least AUD $3M. However, small businesses with less turnover must also comply if they:

  • Operate in healthcare
  • Buy or sell personal data
  • Serve as a contracted service provider to the Australian Government
  • Are accredited by the Consumer Data Right System

Seek legal advice if you're unsure whether the Privacy Act applies to your business.

The 13 Principles of the Australian Privacy Act

The 13 Principles of the Australian Privacy Act

Complying with the Australian Privacy Act means understanding the Act's 13 privacy principles. Let's consider them in turn.

1. Open and Transparent Management of Personal Information

Under the Privacy Act, every Australian has the right to know:

  • What personal data you collect
  • Why you collect this data
  • How you use the information

You must inform people of their data privacy rights and, where appropriate, help them to exercise these rights.

The easiest way to comply with this principle is to draft a Privacy Policy and display it clearly on your website.

A Privacy Policy simply sets out the different ways your organization collects, uses, shares, and processes personal information. It explains what rights people have regarding their personal data, and your company's policies for helping them exercise these rights.

When you open Billabong's Privacy Policy, for example, it clearly sets out the purpose of the document and notes how the company complies with the Privacy Act:

Billabong AU Privacy Policy with Privacy Act 1988 section highlighted

It then sets out in some detail the different ways it collects, processes and stores information to help people understand their rights.

A comprehensive Privacy Policy complies with Privacy Principle 1 of the Privacy Act.

2. Anonymity and Pseudonymity

According to Schedule 1, Part 1 of the Privacy Act, Australians have the right to stay anonymous or use a pseudonym. The right doesn't apply if:

  • It's impractical for your business to allow this option e.g. you're a healthcare provider and you can't help someone who remains anonymous, or
  • You're obliged by law to only deal with individuals who provide their full name

Australian Government Federal Register of Legislation: Privacy Act 1988 - Principle 2 - Anonymity and Pseudonymity section

So, for example, if you run a social media or leisure app aimed at Australians, you may need to give users the option to stay anonymous, if they so wish.

3. Collection of Solicited Personal Information

You should only collect as much information as you need to complete your reasonable business activities. Unless you can justify why you need a piece of data, you shouldn't collect it.

What's more, you shouldn't collect any sensitive information unless:

  • The individual gives express consent, and
  • You need the information to perform a core activity or function

Sensitive information includes data such as religion or sexual orientation., an Australian dental care provider, sets out the information it needs and why it collects this data. So, in other words, there's clear justification for why certain information is collected:

Smile AU Privacy Policy: Personal Information clause

4. Dealing With Unsolicited Personal Information

If you receive information from a person which you did not collect intentionally, then it's considered "unsolicited" information. Although you didn't ask for it, you must treat this data responsibly.

First, you must consider if you could have collected this data by soliciting it from the person. In other words, consider whether it's appropriate for you to have the information even if you didn't collect it from them.

  • If it's "appropriate" for you to have this data, you can probably keep it.
  • If you shouldn't have any access to this data, you should destroy it or anonymize the information so the person can't be identified.

It might be appropriate for you to hold data you could've found in public records e.g. census information. However, delete data if you're in any doubt as to whether you should have it.

5. Notification of Collection of Personal Information

If you collect personal data, notify individuals either:

  • At the point of data collection, or
  • As soon as reasonably possible after collection

Make it easy for people to contact you regarding your privacy rules by placing your company name and contact details in your Privacy Policy.

Here's an example from Wesfarmers:

Wesfarmers Privacy Policy: Contact clause

Finally, if your data collection policies change, highlight this by sending email updates or using pop-up banners on your website.

6. Use of or Disclosure of Personal Information

If you have someone's personal data for one purpose (e.g. processing an order) you can't use it for another purpose (e.g. sending marketing emails) unless you have the person's consent.

This rule doesn't apply if there's a reasonable expectation that you would share their data in this way, or if you're legally required to share it with another organization.

To comply with this Privacy Principle, explain in your Privacy Policy how you use personal data. Explain why you disclose personal data, and who you share it with.

Here's an example of how Goodlife Health Clubs uses member information:

Good Life Health Clubs Privacy Policy: Using and Disclosing Your Personal Information clause

7. Direct Marketing

Under the Privacy Act, you can't use someone's data for direct marketing purposes unless you:

  • Get their informed and express consent, and
  • Give them the chance to opt out

You can describe your opt-out procedure in your Privacy Policy.

Billabong, for example, sets out its opt-out procedure in the "How Do We Use the Information Collected" section of its Privacy Policy:

Billabong AU Privacy Policy: Marketing and loyalty program clause

8. Cross-border Disclosure of Personal Information

If you're disclosing Australian personal data overseas, you must still comply with the Australian Privacy Act, even if other laws, like the GDPR, apply.

  • If you plan on sharing data overseas, disclose this in your Privacy Policy.
  • You must take reasonable steps to ensure your chosen partner company won't breach the Australian Privacy Principles.

Australian Government Federal Register of Legislation: Privacy Act 1988 - Principle 8 - Cross-border disclosure of personal information section

9. Adoption, Use or Disclosure of Government Identifiers

You can't use or disclose someone's Australian Government identifiers e.g. any usernames assigned to someone by a state authority.

It's highly unlikely you'll ever come across this issue in practice, but you should be aware of the Privacy Principle anyway.

10. Quality of Personal Information

The personal data you have on file should be accurate, so far as possible.

  • It's generally the individual's responsibility to notify you of any changes.
  • If someone notifies you regarding out-of-date information, you're obliged to update your records.

Inform users they can update their personal information by inserting a clause into your Privacy Policy.

Here's an example from Atlassian:

Atlassian Privacy Policy: Access and update your information clause

If someone submits changes to their personal data and you fail to update it and continue using outdated, inaccurate information, you may be found liable for damages caused by failing to update your records, and be violating the Privacy Act.

11. Security of Personal Information

It's your duty to take steps to keep the data provided to you safe from cyberattacks or data breaches.

The exact processes you use vary depending on the size and complexity of your business and the sensitivity of the data entrusted to you. However, steps you might take include:

  • Multi-factor authentication
  • Data encryption
  • Secure cloud storage
  • Physically restricted access

You must also have secure procedures for destroying data you no longer need.

12. Access to Personal Information

Under this principle, you must give people access to their personal data if they request it:

Australian Government Federal Register of Legislation: Privacy Act 1988 - Principle 12 - Access to personal information section

The only exception is if you're legally entitled to withhold the information e.g. it might cause the individual distress, or it could compromise legal proceedings between you and the individual.

In most cases, the exceptions won't apply to small businesses, so assume you must provide access unless you're advised otherwise.

13. Correction of Personal Information

Finally, you must have a clear procedure for correcting or updating personal information if you're asked to do so by a person, or if you discover you're using inaccurate data.

  • Set out clearly on your website how users can inform you of inaccurate information.
  • Put together a clear in-house process for correcting information as quickly as possible.

For example, here's a simple but effective clause from Aje, an Australian clothing brand:

Aje Privacy Policy: How to access or update information clause

In addition to the 13 principles, there are a few other key pieces of information you need to know regarding the Privacy Act.

How to Handle Data Breaches

How to Handle Data Breaches

If there's a data breach and it's likely to cause serious harm to the individuals affected, then you must:

  • Inform the OAIC, and
  • Tell affected users about the breach, and what steps they can take to minimize the damage

This is the rule under the Notifiable Data Breaches (NDB) scheme, and it applies to any business bound to comply with the Australian Privacy Act.

Confusingly, there's no clear definition as to what constitutes "serious harm", but it does include physical, financial, emotional, or reputational harm.

You might consider, for example:

  • Who stole the data (this could determine how likely they are to misuse the data or cause harm to affected persons)
  • The type of information stolen e.g. credit card details, email addresses, account details, or medical records
  • Whether the data is protected by other security features e.g. if the files are encrypted, hackers may be unable to read them even if they steal them

You should consider if, from your perspective, it's reasonable to assume that someone could be seriously harmed due to this data breach. Seek legal advice if you're unsure, and always report the data breach if:

  • You have identified a data breach,
  • Objectively, it's likely that people could be seriously harmed by the breach, and
  • You couldn't remedy the breach quickly enough to prevent this harm from taking place

You can report a data breach directly to the OAIC here.

Penalties for Breaching the Australian Privacy Act

Penalties for Breaching the Australian Privacy Act

If you don't comply with the Australian Privacy Act, affected individuals might be able to seek compensation from you for any damage caused. You may also face reputation damage, business losses, and financial penalties, depending on how badly you breached the Act and how many people were affected.

The financial penalties are set out in Section 4AA of the Crimes Act 1944. For now, you could be fined up to $2.1 million AUD for serious or repeat offenses, although this amount is set to rise to $10 million AUD or 10% of your annual domestic turnover.


The Australian Privacy Act 1988 (APA) is Australia's most significant privacy law. It regulates how certain companies use personal data, and gives Australians more control over their personally identifiable information.

There's no Australian law specifically dedicated to the online collection or processing of personal data, so the Privacy Act applies whenever you want to collect someone's personal data online.

To comply with the Australian Privacy Act, you must satisfy the 13 Privacy Principles. In short, you must:

  • Be transparent about whether you collect personal data
  • Explain how you use personal information processed by your website
  • Allow people to reject the use of their data for direct marketing purposes
  • Correct incorrect information, if requested
  • Help people understand their privacy rights
  • Facilitate the exercise of these rights

Drafting a legally compliant Privacy Policy is a simple way to meet your responsibilities here and keep your customers' rights upheld.