AuditXYZ

Privacy Act 1988 (Cth) (Australia)

Australia's Privacy Act 1988 (Cth) and its 13 Australian Privacy Principles (APPs) govern how Australian Government agencies and covered organizations collect, use, disclose, and store personal information. The Act includes the Notifiable Data Breaches (NDB) scheme and is the subject of significant reform proposals.

Issuing Body: Parliament of Australia / Office of the Australian Information Commissioner (OAIC)
First Published: 1988-12-14
Latest Version: 2022 (Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, effective December 2022)
Typical Cost: $8,000–$100,000
Typical Timeline: 3–9 months
Audit Required: No
Audit Frequency: No mandatory external audit. The OAIC may conduct assessments and investigations. Under the NDB scheme, a suspected eligible data breach must be assessed within 30 calendar days.
Geography: Australia

Australia Privacy Act 1988: The Complete Guide

Australia's Privacy Act 1988 is one of the Asia-Pacific region's longest-standing privacy laws. Substantially reformed in 2014 with the introduction of the 13 Australian Privacy Principles (APPs) and again in 2018 with the Notifiable Data Breaches scheme, the Act establishes a comprehensive framework for the handling of personal information by Australian Government agencies and private sector organizations.

What the Privacy Act Covers

The Privacy Act is built around 13 Australian Privacy Principles that cover the full lifecycle of personal information. APP 1 requires open and transparent management of personal information, including a published privacy policy. APP 2 gives individuals the option of dealing with an entity anonymously or under a pseudonym where practicable. APPs 3-5 govern collection: solicited personal information, unsolicited personal information, and notification of collection. APPs 6-9 address use and disclosure, direct marketing, cross-border disclosure, and the adoption and use of government related identifiers. APPs 10-13 cover data quality, security (including the obligation to destroy or de-identify information that is no longer needed), access, and correction.

Sensitive information is a defined subset of personal information that includes health, genetic and biometric information (biometric information used for automated verification or identification, and biometric templates), racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation, and criminal record. It generally may be collected only with the individual's consent, subject to limited exceptions, and is subject to stricter handling requirements, including a prohibition on use for direct marketing without consent.

The Notifiable Data Breaches scheme, in force since 22 February 2018, requires entities covered by the Act to notify the OAIC and affected individuals of an "eligible data breach": unauthorized access to, unauthorized disclosure of, or loss of personal information that is likely to result in serious harm to any individual, where remedial action has not prevented that harm. An entity that suspects a breach may be eligible must carry out a reasonable and expeditious assessment, completing it within 30 calendar days, and must notify as soon as practicable once it concludes that the breach is eligible.

Who Needs to Comply

The Privacy Act applies to Australian Government agencies, private sector organizations with annual turnover exceeding AUD 3 million, and certain entities regardless of turnover, including health service providers, businesses that trade in personal information, credit reporting bodies, and contracted service providers for Commonwealth contracts. Small businesses below the turnover threshold may opt in or may be brought within scope through regulations.

Organizations outside Australia that have an "Australian link", for example because they carry on business in Australia, are also subject to the Act under its extraterritorial provisions. Since the December 2022 amendments, a foreign organization no longer needs to have collected or held the personal information in Australia for the Act to apply.

Ongoing Reform

The Australian Government's Privacy Act Review (the Attorney-General's Department report released in February 2023, followed by the Government's response in September 2023) proposes significant reforms including a statutory tort for serious invasions of privacy, a children's privacy code, enhanced enforcement powers, and closer alignment with international standards. The December 2022 amendments had already raised the maximum penalty for serious or repeated interferences with privacy to the greater of AUD 50 million, three times the benefit obtained, or 30% of adjusted turnover in the relevant period. Organizations should monitor these developments closely.

Practical Compliance Steps

  1. APP compliance review — Assess current practices against all 13 Australian Privacy Principles and document the gaps
  2. Privacy policy — Publish a clear, current privacy policy meeting APP 1 requirements
  3. Collection notices — Provide APP 5 collection notices at or before the time of collection, or as soon as practicable afterwards
  4. Security safeguards and retention — Take reasonable steps under APP 11 to protect personal information from misuse, interference, loss, and unauthorized access, modification, or disclosure, and destroy or de-identify it once it is no longer needed
  5. NDB response plan — Establish breach identification, assessment, and notification procedures that can complete the assessment within the 30-day window
  6. Cross-border disclosures — Assess overseas recipients and ensure APP 8 accountability before personal information leaves Australia
  7. Access and correction — Implement processes for individuals to access and correct their information under APPs 12 and 13
