Last modified 11 March 2026

Data Protection in Australia

Security in Australia

Download PDF

Download current country

Change countries

Change country

Law

Data protection laws in Australia

Australia regulates data privacy and protection through a mix of Federal, State and Territory laws. The federal Privacy Act 1988 (Cth) ("Privacy Act") and the Australian Privacy Principles ("APPs") contained in the Privacy Act apply to private sector entities (including body corporates, partnerships, trusts and unincorporated associations) with an annual turnover of at least AUD $3 million, and all Commonwealth Government and Australian Capital Territory Government agencies.

Under the Privacy Act, the Information Commissioner, who leads the Office of the Australian Information Commissioner ("OAIC"), has authority to conduct investigations, including own motion investigations, to enforce the Privacy Act and seek civil penalties for breaches of the APPs where an entity has failed to implement remedial efforts.

The Privacy and Other Legislation Amendment Act 2024 (Cth) (the "Privacy Act Amendment Act"), which amends the Privacy Act, was passed in late 2024. The majority of the amendments to the Privacy Act introduced by the Privacy Act Amendment Act commenced in 2025, except the requirement to set out details regarding "substantially automated decision making" in privacy policies, which commences 10 December 2026. Key amendments in the Privacy Act Amendment Act are discussed under the relevant topics in this Guide.

Additional key amendments include the introduction of:

a statutory tort for serious invasions of privacy, applicable (amongst other criteria) where the conduct in question was intentional or reckless;
a framework for a Children's Online Privacy Code to be developed by the Information Commissioner; an
a criminal offence for doxing.

The Privacy Act Amendment Act was passed after the Attorney General’s Department released the Privacy Act Review Report 2022, setting out 116 proposed amendments to the Privacy Act. In the Government Response to the Privacy Act Review Report released in 2023, the Australian Government “agreed” to 38 of the 116 recommended changes, “agreed in principle” to another 68 and rejected 10. Notwithstanding the passing of the Privacy Act Amendment Act, many of the "agreed in principle" changes are still outstanding and the Australian Government has indicated that is likely that this further reform will be undertaken occur during 2026. These additional revisions are expected to result in more prescriptive and onerous requirements being imposed on organisations handling personal information of Australian residents.

The Privacy Commissioner and Freedom of Information Commissioner were each appointed in 2024. These roles were all previously performed by the Information Commissioner and the Information Commissioner retains overall responsibility for all matters within the OAIC's remit, notwithstanding these appointments.

Most States and Territories in Australia (except South Australia) have their own data protection legislation applicable to relevant State or Territory government agencies, and private businesses that interact with State and Territory government agencies.

These Acts include:

Information Privacy Act 2014 (Australian Capital Territory);
Information Act 2002 (Northern Territory);
Privacy and Personal Information Protection Act 1998 (New South Wales);
Information Privacy Act 2009 (Queensland);
Personal Information Protection Act 2004 (Tasmania);
Privacy and Data Protection Act 2014 (Victoria); and
Privacy and Responsible Information Sharing Act 2024 (Western Australia).

Additionally, there are other parts of State, Territory and federal legislation that relate to data protection. For example, the following all impact privacy and data protection for specific types of data or activities: the Telecommunications Act 1997 (Cth), the Criminal Code Act 1995 (Cth), the National Health Act 1953 (Cth), the Health Records and Information Privacy Act 2002 (NSW), the Health Records Act 2001 (Vic) and the Workplace Surveillance Act 2005 (NSW).

Specific regulators have also expressed an expectation that regulated entities should have specified data protection practices in place. For example, the Australian Prudential and Regulatory Authority ("APRA"), which regulates financial services institutions requires regulated entities to comply with Prudential Standards, including Prudential Standard CPS 230 Operational Risk Management ("CPS 230") and Prudential Standard CPS 234 Information Security ("CPS 234"), and the Australian Securities and Investment Commission regulates corporations more generally.

Other important privacy and data protection laws

Assistance and Access Act

The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) ("AA Act") provides law enforcement agencies with access to encrypted data for serious crime investigation and imposes obligations on "Designated Communications Providers". However, the AA Act may inadvertently have a much broader remit with limited judicial oversight, and has been the subject of much criticism from local and global technology firms which have stated the legislation has the potential to significantly impact security / encryption solutions in Australia.

The AA Act allows various agencies to do any of the following:

Issue a "technical assistance notice", which requires a communications provider to give assistance that is reasonable, proportionate, practicable and technically feasible;
Issue a "technical capability notice", which requires a communications provider to build new capabilities to assist the agency. The Attorney-General must consult with the communications provider prior to issuing the notice, and must be satisfied that the notice is reasonable, proportionate, practicable and technically feasible; and
Make "technical assistance requests", to give foreign and domestic communications providers and device manufacturers a legal basis to provide voluntary assistance to various Australian intelligence organisations and interception agencies relating to issues of national interest, national security and law enforcement.

Organisations to which the AA Act applies will need to ensure customer terms and conditions and any commitments made to customers generally are consistent with the AA Act.

Security of Critical Infrastructure Act

The Security of Critical Infrastructure Act 2018 (Cth) ("SOCI Act") applies to organisations that own or operate (or hold a direct interest in) assets in a range of sectors including communications, energy, defence, financial services, transport, data processing or storage, supermarket / grocery supply chains, health and medical, education and space.

Amongst other obligations, organisations to which the SOCI Act applies must:

Provide “operational” and ownership information to the Cyber Infrastructure Security Centre for inclusion on the Register of Critical Infrastructure Assets, in accordance with the requirements in Part 2 of the SOCI Act;
Notify the Australian Signals Directorate of actual or imminent cyber security incidents with an actual or likely relevant impact within 72 hours of the organisation becoming aware, in accordance with the requirements set out in Part 2B of the SOCI Act; and
Implement and comply with a "risk management program", in accordance with the requirements in Part 2A of the SOCI Act and the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023.

Generally, organisations to whom the SOCI Act applies or those that provide services to relevant organisations should ensure that any terms and conditions deal with compliance with the obligations under the SOCI Act.

Consumer Data Right

The Commonwealth Government implemented the Consumer Data Right ("CDR") in 2019 via an amendment to the Competition and Consumer Act 2010 (Cth).

The CDR allows consumers to obtain certain data held about them by a third party, and to require data to be given to accredited third parties for certain purposes. By requiring businesses to provide public access to information on specified products they have on offer, the intent of the CDR regime was to improve consumers' ability to compare and switch between products and services, in order to drive better prices for customers and more innovative products and services. In this way, the CDR provides a mechanism for accessing a broader range of information within designated sectors than is provided for by APP 12 in the Privacy Act, given it applies not only to data about individual consumers but also to business consumers and related products.

The CDR rules have been implemented in respect of the banking and energy sector in Australia. The non-bank lending sector is to be added to the CDR from 2026, with the energy and telecoms sectors to follow. Other sectors across the economy will be added to the CDR over time.

As the CDR regime addresses competition, consumer, privacy and confidentiality issues it is regulated by the Australian Competition and Consumer Commission as well as the OAIC.

Cyber Security Act

The Cyber Security Act 2024 (Cth) ("Cyber Security Act") establishes:

a mandatory reporting requirement for ransomware payments – see Breach Notification;
a framework for the introduction of mandatory security standards for smart devices;
a Cyber Review Board, which will conduct no-fault, post incident reviews of significant cyber security incidents; and
a limited use exception, which prevents information which is voluntarily provided to certain Government departments from being used for enforcement purposes, and is designed to encourage enhanced cooperation between industry and Government during cyber incidents.

Related resources

Definitions

Definitions in Australia

Definition of personal data

Personal data (referred to as "personal information" in Australia) means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in material form or not.

The Privacy Act currently contains an exemption for “employee records”, such that certain records containing personal information which an employer makes in connection with a current or former employment relationship are exempt from the Privacy Act. However there are some further carve outs to this (for example, the exemption does not apply to contractors or unsuccessful applicants), and it is widely anticipated that the employee records exemption will be removed from the Privacy Act as a result of the ongoing review of the Privacy Act.

Definition of sensitive personal data

Sensitive personal data (referred to as "sensitive information" in Australia) means information or an opinion about:

Racial or ethnic origin;
Political opinions;
Membership of a political association;
Religious beliefs or affiliations;
Philosophical beliefs;
Membership of a professional or trade association;
Membership of a trade union;
Sexual orientation or practices;
Criminal record that is also personal information;
Health information about an individual;
Genetic information about an individual that is not otherwise health information;
Biometric information that is to be used for the purpose of automated biometric identification or verification; and / or
Biometric templates.

Related resources

Authority

National data protection authority in Australia

The Privacy Commissioner, under the OAIC, is the national data protection regulator responsible for Privacy Act oversight.

175 Pitt Street
Sydney NSW 2000
GPO Box 5288
Sydney NSW 2001

T 1300 363 992
F +61 2 9284 9666

Related resources

Registration

Registration in Australia

There is no registration requirement in Australia for data controllers or data processing activities. Under the Privacy Act, organisations are not required to notify the Information Commissioner of any processing of personal information.

Related resources

Data protection officers

Data protection officers in Australia

Organisations are not required to appoint a data protection officer. However, the OAIC has issued guidance recommending that organisations appoint a data protection officer as good practice.

Related resources

Collection and processing

Collection and processing in Australia

Organisations may not collect personal information unless the information is reasonably necessary for one or more of its business functions or activities.

Under the Privacy Act, organisations must take reasonable steps to ensure that personal information collected is accurate, up-to-date, complete and relevant.

At or before the time organisations collect personal information, or as soon as practicable afterwards, they must take reasonable steps to provide individuals with notice of:

The organisation’s identity and contact information;
Why it is collecting (or how it will use the) information about the individual;
The entities or types of entities to which it might give the personal information;
Any law requiring the collection of personal information;
The main consequences (if any) for the individual if all or part of the information is not provided;
The fact that the organisation’s privacy policy contains information about how the individual may access and seek correction of their personal information, how they may make a complaint about a breach of the APPs and how the organisation will deal with such complaint; and
Whether the organisation is likely to disclose their personal information to overseas recipients and, if so, the countries in which such recipients are likely to be located (if it is practicable to specify those countries in the notification or to otherwise make the individual aware of them).

Organisations should comply with these notification requirements by preparing a “collection statement” or “privacy notice” for each significant collection of personal information, and providing this to individuals prior to collecting their personal information.

This notification requirement applies in addition to the requirement for organisations to maintain a broader privacy policy, which details the general personal information handling processes of the organisation. APP 1 lists the information which is required to be included in a privacy policy.

In practice, a major Privacy Act compliance issue often arises because organisations fail to recognise that the mandatory notice requirements outlined above also apply to any personal information collected from a third party. Organisations must provide individuals with required notice on receipt of personal information from a third party, even though they did not collect personal information directly from the individual. Unlike Europe, Australian privacy law does not distinguish between "data processors" and "data controllers".

Organisations must not use or disclose personal information about an individual unless an appropriate legal basis applies, which includes where:

The personal information was collected for that purpose (the primary purpose) or a different (secondary) purpose which is related to (and, in the case of sensitive information, directly related to) the primary purpose of collection, and the individual would reasonably expect the organisation to use or disclose the information for that secondary purpose;
The individual consents;
A "permitted general situation" or "permitted health situation" exists; for example, the entity has reason to suspect that unlawful activity relating to the entity's functions has been engaged in, or there is a serious threat to the health and safety of an individual or the public; or
It is required or authorised by law or on behalf of an enforcement agency.

In the case of use and disclosure for the purpose of direct marketing, organisations are required to ensure that:

The information used is not sensitive information;
Either the individual has consented or would reasonably expect the organisation to use or disclose the information for direct marketing, or it is impracticable to seek the individual’s consent, and (among other things) the individual is told that they can opt out of receiving marketing from the organisation;
Each direct marketing communication includes a simple means by which the individual can opt out; and
The individual has not previously requested to opt out of receiving direct marketing communications.

The above direct marketing requirements apply to direct marketing other than electronic marketing (which includes marketing content delivered via email and SMS). The requirements for commercial electronic messaging are outlined in Electronic Marketing.

If an organisation plans to use personal information in wholly or substantially automated decision making that could reasonably be expected to significantly affect the rights or interests of an individual, from 10 December 2026 onwards, the organisation must include details of the use of automated decision making in its privacy policy.

The Privacy Act affords additional protections when processing involves sensitive information. Organisations are prohibited from collecting sensitive information from an individual unless certain limited requirements are met, including one or more of the following:

The individual has consented to the collection, and the collection of the sensitive information is reasonably necessary for one or more of the entity's functions or activities;
Collection is required or authorised by Australian law or a court / tribunal order;
A "permitted general situation" or "permitted health situation" exists; for example, the entity has reason to suspect that unlawful activity relating to the entity's functions has been engaged in, or there is a serious threat to the health and safety of an individual or the public;
The entity is an enforcement body and the collection is reasonably necessary for that entity's functions or activities; and
The entity is a nonprofit organisation and the information relates to the activities of the organisation and solely to the members of the organisation (or to individuals who have regular contact with the organisation relating to its activities).

Organisations must provide individuals with access to their personal information held by the organisation upon an individual’s request. Additionally, individuals have a right to correct inaccurate, out-of-date, and irrelevant personal information held by an organisation.

Organisations may refuse to comply with access or correction request from individuals in certain prescribed circumstances, which differ depending upon the type of request in question.

Further, organisations must provide individuals with the option to not identify themselves, or use a pseudonym, when dealing with the organisation, unless it is impractical to do so or the organisation is required or authorised by law to deal with identified individuals.

Related resources

Transfer of personal data

Transfer of personal data in Australia

Unless certain limited exemptions under the Privacy Act apply, personal information may only be disclosed to an organisation outside of Australia where the entity has taken reasonable steps to ensure that the overseas recipient does not breach the APPs (other than APP 1) in relation to the personal information. The disclosing / transferring entity will generally remain liable for any act(s) done or omissions by that overseas recipient that would, if done by the disclosing organisation in Australia, constitute a breach of the APPs. However, this provision will not apply where any of the following apply:

The organisation reasonably believes that the recipient of the information is subject to a law or binding scheme which effectively provides for a level of protection that is at least substantially similar to the Privacy Act, including as to access to mechanisms by the individual to take action to enforce the protections of that law or binding scheme;
The individual consents to the transfer. However, under the Privacy Act the organisation must, prior to receiving consent, expressly inform the individual that if he or she consents to the overseas disclosure of the information the organisation will not be required to take reasonable steps to ensure the overseas recipient does not breach the APPs;
A "permitted general situation" applies;
The disclosure is required or authorised by Australian law or a court / tribunal order; or
A declaration of equivalency has been made by the Governor-General permitting the overseas transfer of personal information to a recipient in a country which has laws substantially similar to the Privacy Act. No declarations of equivalency have been made as yet by the Governor-General.

Related resources

Security

Security in Australia

An organisation must have appropriate security measures in place (i.e. take reasonable steps) to protect any personal information it holds from misuse and loss and from unauthorised access, modification or disclosure. The reasonable steps required to be taken include both technical and organisational measures.

The OAIC has issued detailed guidance on what it considers to be reasonable steps in the context of security of personal information, which we recommend are reviewed and implemented. Depending on the organisation, and how and by which government agency it is regulated, additional information security requirements or expectations may also apply, as noted above, and with which organisations should be familiar.

Subject to any legal obligations to retain personal information, an organisation must also take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for the purpose(s) for which it was collected.

Related resources

Breach notification

Breach notification in Australia

Eligible data breaches

Entities that are subject to the Privacy Act must comply with the mandatory data breach notification regime under the Privacy Act.

The mandatory data breach notification regime includes data breaches that relate to:

Personal information;
Credit reporting information;
Credit eligibility information; and
Tax file numbers.

In summary, the regime requires organisations to notify the OAIC and affected individuals of "eligible data breaches" (in accordance with the required contents of a notice). Where it is not practicable to notify the affected individuals individually, an organisation that has suffered an eligible data breach must make a public statement on its website containing certain information as required under the Privacy Act, and take reasonable steps to publicise the contents of the statement.

An "eligible data breach" occurs when all of the following conditions are satisfied in relation to personal information, credit reporting information, credit eligibility information or tax file information:

There is unauthorised access to, or unauthorised disclosure of, or loss of the information in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur;
A reasonable person would conclude that the access or disclosure, or loss would be likely to result in serious harm to any of the individuals to which the information relates; and
Prevention of the risk of serious harm through remedial action has not been successful.

While "serious" harm is not defined in the Privacy Act, the legislation does identify key criteria which must be considered. These include the kinds of information, its sensitivity, any security measures protecting the information, the nature of the harm (i.e. physical, psychological, emotional, financial or reputational harm) and the kind(s) of person(s) who may obtain the information. The OAIC has also released guidance on how serious harm should be interpreted and assessed by organisations.

The regime also imposes obligations on organisations to assess, within 30 calendar days, whether an eligible data breach has occurred where the organisation suspects (on reasonable grounds) that an eligible data breach has occurred, but that suspicion does not amount to reasonable grounds to believe that an eligible data breach has occurred.

There are various exceptions to the requirement to notify affected individuals and / or the OAIC of an eligible data breach, including in instances where law enforcement related activities are being carried out or where there is a written declaration by the Information Commissioner.

In the event of an eligible data breach, the Australian Attorney-General may make an eligible data breach declaration to allow the sharing of personal information following a notifiable data breach for the purpose of preventing or reducing the risk of harm to individuals. This would allow, for example, details of individuals impacted by an eligible data breach to be shared with banks so that the necessary protective measures could be applied to their accounts.

Other notification obligations

Further, organisations may have additional obligations to notify other regulators of data breaches in certain circumstances. This includes under APRA's Prudential Standard CPS 234 Information Security ("CPS 234") which aims to strengthen APRA-regulated entities' resilience against information security incidents (including cyberattacks), and their ability to respond swiftly and effectively in the event of a breach. CPS 234 applies to all APRA-regulated entities who, among other things, are required to notify APRA within 72 hours after becoming aware of an information security incident, and within no later than 10 business days after becoming aware of "a material information security control weakness which the entity expects it will not be able to remediate in a timely manner".

The Cyber Security Act introduces a mandatory reporting requirement where a ransomware payment (or other benefit) is paid to an extorting entity. The aim is to give the Australian Government greater visibility over the extent of the threat which ransomware poses to organisations.

Organisations which exceed the turnover threshold must report to the designated Commonwealth body within 72 hours if:

a cyber security incident has occurred, is occurring or is imminent and has had, is having or could reasonably be expected to have, a direct or indirect impact on a reporting business entity; and
the reporting business entity or a related entity has provided a payment to the extorting entity that is directly related to a demand made by the extorting entity.

Related resources

Enforcement

Enforcement in Australia

The Information Commissioner is responsible for the enforcement of the Privacy Act and may investigate an act or practice which may be an interference with the privacy of an individual where a complaint has been made. Under the Australian Information Commissioner Act 2010 (Cth), all of the privacy functions under the Privacy Act, such as determining complaints and initiating investigations, may be performed by either the Information Commissioner or the Privacy Commissioner. Importantly, where the Information Commissioner undertakes an investigation of a complaint which is not settled, it is required to ensure that the results of that investigation are publicly available. Currently, this is undertaken by disclosure of the entire investigation report on the OAIC website.

The Information Commissioner may also investigate any "interferences with the privacy of an individual" (i.e. any breaches of the APPs) on its own initiative (i.e. where no complaint has been made) and the same remedies as below are available.

Historically, the Information Commissioner preferred mediated outcomes between complainants and relevant organisations over high-profile enforcement actions. However, following a number of large-scale data breaches in Australia and in light of the flexible enforcement powers introduced under the Privacy Act Amendment Act, the Information Commissioner appears to be adopting a more proactive approach to investigation and enforcement action.

After investigating a complaint, the Information Commissioner may dismiss the complaint or find the complaint substantiated and make declarations that the organisation rectify its conduct or that the organisation redress any loss or damage suffered by the complainant (which can include non-pecuniary loss such as awards for stress and / or humiliation). The maximum penalties that may be sought by the Information Commissioner and imposed by the Courts for serious interferences with the privacy of individuals are the greater of (i) AUD $50 million, (ii) three times the benefit of a contravention, or (iii) (where the benefit cannot be determined) 30% of domestic turnover. As a result of the Privacy Act Amendment Act, a lower civil penalty of up to AUD $3.3 million (using current penalty units) applies for "non-serious" interferences with privacy.

The Privacy Act Amendment Act also allows the Information Commissioner to issue infringement notices, which result in payment of civil penalties, for specific breaches of the APPs. These are breaches which are considers to be administrative in nature, and include non-compliant privacy policies, failure to provide appropriate opt-out mechanisms for direct marketing and failure to deal with correction requests.

Related resources

Electronic marketing

Electronic marketing in Australia

The sending of electronic marketing (referred to as "commercial electronic messages" in Australia) is regulated under the Spam Act 2003 (Cth) ("Spam Act") and enforced by the Australian Communications and Media Authority ("ACMA").

Under the Spam Act, a commercial electronic message (which includes emails and SMS's sent for marketing purposes) must not be sent without the prior opt-in consent of the recipient. In a Statement of Expectations released on 1 July 2024, ACMA recommends obtaining express consent based on clear terms and conditions which are accessible to recipients at the time of seeking consent, such as via filling in a form, ticking a box on a website, over the phone or face to face.

In addition, each electronic message (which the recipient has consented to receive) must identify the sender and contain a functional unsubscribe facility to enable the recipient to opt out of receiving all future electronic marketing. The facility should not require customers to log into accounts or charge customers a fee to unsubscribe. Requests to unsubscribe must be processed within 5 business days.

A failure to comply with the Spam Act (including unsubscribing a recipient that uses the unsubscribe facility) may have costly consequences, with repeat offenders facing penalties of up to AUD $3.3 million per day (using current penalty units).

Related resources

Online privacy

Online privacy in Australia

There are no laws or regulations in Australia specifically relating to online privacy, beyond the application of the Privacy Act, the Spam Act and State and Territory privacy laws, and other specific laws regarding the collection of location and traffic data. Specifically, the are no express legal requirements regarding the use of cookies (or any similar technologies). If the cookies or other similar technologies collect personal information of a user, the organisation must comply with the Privacy Act in respect of collection, use, disclosure and storage of such personal information. App developers must also ensure that the collection of customers' personal information complies with the Privacy Act and the Information Commissioner has released detailed guidance on this.