The following law(s) specifically govern personal data / information:
Australia’s privacy regime consists of both Federal (Australia-wide) and individual State-based laws and regulations.
As a starting position, Australia’s Federal Privacy Act 1988 (Cth) (Privacy Act) generally applies to all businesses with a turnover of at least AUD$3 million, as well as all private sector “health service providers” located anywhere in Australia (regardless of AUD turnover).
These Federal laws do not apply to State and Territory public sector health service providers, such as public hospitals.
In certain States / Territories, private sector health service providers must also comply with the individual State- and Territory-based privacy laws when handling health information, as well as government-imposed regulation (in the public hospital setting).
In addition to these core Federal and State-based laws, many businesses must also broadly comply with:
- the Spam Act 2003 (Cth) – regulating the sending of “commercial messages”;
- the Privacy (Credit Reporting) Code - regulating the sharing of consumer credit information;
- the Notifiable Data Breaches scheme – requiring certain mandatory actions upon eligible data breach incidents occurring; and
- the Consumer Data Right - for limited data sharing arrangements currently in relation to the banking sector, but to be expanded to further sectors in future (eg, utilities).
Given the multi-layered approach to the Australian privacy regime, the information provided on this webpage address the general requirements for businesses in the private sector, for standard or common types of personal information. It is strongly recommended that readers bear in mind the additional legislative regimes which are not set out in full on this webpage, and seek specific advice as to their specific business type, data collection types and data handling practices.
The key data protection principles in this jurisdiction are:
The thirteen Australian Privacy Principles (APPs) are the key principles that apply to data protection for the private sector in Australia.
They are contained in the Privacy Act, and pertain to:
- APP 1 - Open and transparent management of personal information
- APP 2 - Anonymity and pseudonymity
- APP 3 - Collection of solicited personal information
- APP 4 - Dealing with unsolicited personal information
- APP 5 - Notification of the collection of personal information
- APP 6 - Use or disclosure of personal information
- APP 7 - Direct marketing
- APP 8 - Cross-border disclosure of personal information
- APP 9 - Adoption, use or disclosure of government related identifiers
- APP 10 - Quality of personal information
- APP 11 - Security of personal information
- APP 12 - Access to personal information
- APP 13 - Correction of personal information
In addition to the APPs, there are various State- based privacy principles under specific State-based legislative regimes.
For example, in the State of Victoria, there are:
- the Information Privacy Principles which set out the minimum standard for how Victorian public sector bodies should manage personal information in Victoria; and
- the Health Privacy Principles that apply to health information collected and handled in Victoria by the Victorian public sector and private sector health service providers (note that the definition of “health service provider” is broad).
The supervisory authority / regulator in charge of data protection is:
The Office of the Australian Information Commissioner (OAIC) (https://www.oaic.gov.au/) is primarily responsible for enforcing the Privacy Act and the APPs.
- the Health Services Commissioners in the various States and Territories of Australia are the regulatory authority for the management of Health Information;
- there are Government regulators in the various States and Territories, such as the Office of the Victorian Information Commissioner;
- the Australian Competition & Consumer Commission for the regulation of the Consumer Data Right; and
- the Australian Communications and Media Authority for the regulation of commercial messages and “spam”.
Is there a requirement to register with a supervisory authority / regulator?
There is no requirement for registration with the OAIC or the various State and Territory regulators.
Is it possible to register with / notify the supervisory authority / regulator online?
No – generally there is no requirement to notify the supervisory authority / regulator.
However, as examples:
- under the Federal privacy regime, an APP entity must take reasonable steps to notify the individual about certain matters (APP 5); and
- under the Victorian health information privacy regime, the health service provider must also make certain mandatory disclosures (IPP 1.3).
The above examples are not exhaustive.
Is there a requirement to notify the supervisory authority / regulator?
The key data subject rights under the data protection laws of this jurisdiction are:
Under the APPs, data subjects have the right to:
- Remain anonymous or pseudonymous, unless an exception applies (APP 2);
- Have their personal data protected from misuse, interference and loss, and unauthorised access/modification/disclosure (APP 11);
- Access the personal information held about them (APP 12); and
- Request a correction of the personal information held about them (APP 13).
Some similar rights are also replicated under the various State-based regimes.
The Privacy Act also provides for a consumer data right, which is a data-portability right giving consumers greater control over their own data and access to better services. They can direct the sharing of their data with accredited third parties (eg. from one bank to another), which encourages competition.
There is also a current legislative proposal (which has not yet passed) to introduce a ‘right of deletion’ of personal data.
Is there a requirement to appoint a data protection officer (or equivalent)?
No, there is no specific requirement under Australia’s privacy regime to appoint a data protection officer) However, it is strongly recommended as good practice.
Do data protection impact assessments need to be carried out in certain circumstances?
The OAIC has published guidance on how businesses can undertake a privacy impact assessment(PIA).
A privacy impact assessment is a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact.
APP 1 requires entities to take “reasonable steps
” to implement practices, procedures and systems that support compliance with the APPs.
Conducting a PIA helps entities to ensure privacy compliance and identify better practice.
Not every project will need a PIA. Generally, if personal information is involved in the project, some form of PIA may be necessary.
Additionally, the OAIC can direct Australian government agencies to undertake a PIA.
Does this jurisdiction have any specific data breach notification requirements?
Yes - under the Notifiable Data Breaches scheme, any organisation or agency covered by the Privacy Act must follow the data breach notification requirements.
When to notify?
A mandatory notification is required when the data compromising incident (whether access to, loss of, or disclosure of the personal information) ‘would be likely… to result in serious harm to any of the individuals whom the information relates’.
Who to notify?
Under the Privacy Act, the entity in breach / likely breach must notify:
- all affected individual/s; and
- the OAIC.
How to notify?
- Notifying the individual/s – if the entity typically communicates with the individual using a particular method, the notification to the individual may use this method, so long as it includes a statement to the individual notifying them of the breach / likely breach and includes recommendations about the steps they should take in response to the data breach.
- Notifying the OAIC – when notifying the OAIC, notification is only required in relation to ‘notifiable data breach’. This can be done by using the OAIC’s ‘Notifiable Data Breach form’, available on the OAIC’s website.
The entity in breach / likely breach must also prepare a statement about the eligible data breach and give a copy to the OAIC and the individual/s.
The Federal privacy regime is the only privacy regime that mandates a reporting mechanism, however there are (for example) government guidelines that strongly encourage reporting.
The following restrictions apply to the international transfer of personal data / information:
Whether the cross-border disclosure of information is permitted will depend on whether it complies with the relevant Federal or State-based privacy regimes.
APP 8 Cross-Border Disclosure of Personal Information governs the disclosure of personal information by an Australian APP entity to an overseas recipient and requires that before an entity discloses personal information to an overseas recipient, it must take reasonable steps to ensure that the overseas entity does not breach the APPs. If the overseas entity commits any breaches against the APPs in connection to the personal information, the Australian entity will be held accountable.
Australia is a member of the Organisation for Economic Co-Operation and Development (OECD). The OECD has Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The APPs reflect these guidelines.
Further, the Asia-Pacific Economic Cooperation (APEC) has a “Privacy Framework”, which aims at promoting electronic commerce throughout the Asia Pacific region, and is consistent with the OECD Guidelines. From our experience, this Framework is not widely relied upon in practice by Australian entities.
It imposes requirements that must be met (eg. actions taken by the overseas entity), for the disclosure to be compliant with Australia’s privacy laws.
However, there are no specific transfer tools/mechanisms provided by the OAIC, in order to make the transfer ‘lawful’.
The various State and Territory regimes also restrict the transfer of personal information outside of that State and Territory, with some exceptions applying to enable for such transfers to take place.
Often, obtaining the individual’s consent to the cross-border disclosure of their personal information will permit the cross-jurisdictional transfer to occur (with ‘consent’ required to be explicit and informed).
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
Yes. The Privacy Act extends to acts done, or practices engaged in, outside of Australia by entities that have an “Australian link”. This includes where the entity:
- Carries on business in Australia; and
- Collects or holds personal information in Australia.
Each of these are questions of fact, however, the factors to be considered for establishing an “Australian link” include:
- Whether the entity has a place of business in Australia;
- Whether the entity has appointed an agent in Australia;
- Whether the entity’s website offers goods or services to Australians (including Australia being a country in a drop-down menu, or advertising AUD$ pricing); and
- Whether the entity has registered trade marks in Australia.
Personal information will be ‘collected’ in Australia if it is collected from an individual who is physically located in Australia, regardless of the geographical location of the collecting entity.
The following rules specifically deal with marketing:
At the Federal level, APP 7 provides that APP entities must not use or disclose the personal information they hold for a purpose of direct marketing unless an exception applies.
Direct marketing involves the use or disclosure of personal information to communicate directly with an individual to promote goods and services.
Marketing Emails / Messages
Additionally, the Spam Act 2003 (Spam Act) details rules regarding marketing which occurs via email and text messages etc.
Do different rules apply to business-to-business and business-to-consumer marketing?
No – the Spam Act and the Privacy Act do not impose different rules for business-to-business verses business-to-consumer marketing.
The following rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc):
The Spam Act sets out the rules which individuals and businesses need to comply with when sending out marketing emails or messages.
The following rules specifically deal with cookies:
The Privacy Act is written in ‘technology neutral’ language, and there are no specific legislative provisions dealing with cookies. Rather, the applicability of the privacy regime to cookies requires the ‘usual’ assessment of whether that information is information that can be used to identify an individual.
The consequences of non compliance with data protections laws (including marketing laws) are:
A breach of the Privacy Act relating to an ‘interference with privacy’ can attract penalties including:
- jail terms (eg, up to 2 years);
- compensation orders;
- fines of up to AUD$444,000 per contravention for individuals; and
- fines of up to AUD$2.22 million per contravention for companies.
Additionally, for the sectors subject to the Consumer Data Right, the penalties can range up to:
- for individuals:up to AUD$500,000; and
- for entities:the greater of:
- AUD$10 million;
- 3 x the value of any ‘benefit’ obtained through the misuse of the personal information; or
- 10% of the entity’s turnover.
In broad terms, multinational organisations should be aware of the following key factors if they process personal data / information from individuals within this jurisdiction, without being located there:
It is important for multinational companies to consider that each country has its own specific privacy compliance requirements, and that a “one-size-fits-all” approach will not achieve proper privacy compliance.
Further, whilst the European General Data Protection Regulation (GDPR) is widely considered to be the “gold standard” of data protection, it is not replicated like-for-like in Australia - even if a business is fully compliant with the GDPR, there are some Australian-specific requirements that will still need to be addressed.
Multinational organisations should be aware of the following upcoming data protection developments:
The Australian Government has proposed the further strengthening of privacy protections and regulatory tools, including:
- increased penalties for serious or repeated breaches;
- new infringement notice powers and other options to address breaches;
- a requirement for social media and online platforms to stop using or disclosing an individual’s personal information upon request; and
- rules to protect Australian’s privacy online including vulnerable groups such as children / minors.