Data Protection Overview

The Privacy Act covers both public and private sectors. The Australian Privacy Principles, which are part of the Privacy Act, apply to businesses with an annual turnover of more than $Aus 3,000,000 in a financial year. The Act does not apply to small businesses, with an annual turnover of less than $3,000,000 provided they do not trade in personal information or sensitive information such as health information. The Act aims, inter alia, to promote the protection of the privacy of individuals, the responsible and transparent handling of personal information by entities, and the facilitation of the free flow of information across national borders while ensuring that the privacy of individuals is respected.


The Privacy Amendment (Enhancing Privacy Protection) Act 2012 came into effect on 12 March 2014, introducing the significant changes in respect of a number of areas including direct marketing, privacy collection statements and privacy policies, collection of unsolicited personal information, disclosure of personal information outside Australia and credit reporting. Substantial penalties can now be imposed for “serious” or “repeated” interferences with the privacy of individuals. The Privacy Amendment (Notifiable Data Breaches) Act 2017 came into effect on 22 February 2018.


A number of Australian States and Territories have also enacted privacy legislation. In particular, New South Wales, the Australian Capital Territory, the Northern Territory, Queensland, Tasmania and Victoria all have specific privacy laws. In addition, the Australian States and Territories have enacted a range of other legislation which provides privacy rights. This  legislation addresses issues such as surveillance, use of criminal record information and use of health information.