OAIC

Health, religion, race, sexual orientation + similar 'sensitive' info requires consent before collection.

From a phased commencement, APP entities using ADM must disclose in Privacy Policy.

CDR Action Initiation lets accredited recipients initiate payments + actions on consumer behalf.

Eligible data breaches must be notified to OAIC and affected individuals 'as soon as practicable'.

From 10 December 2026, businesses with <$3M turnover lose the Privacy Act exemption.

Before disclosing personal info overseas, take reasonable steps so the recipient won't breach the APPs (or meet an exception).

APP entities making decisions about individuals using ADM must disclose this in privacy policy from December 2026.

Energy retailers + distributors must share data via CDR.

OAIC developing mandatory children's online privacy code (in force December 2026).

Banking data holders must share consumer data with accredited recipients on consumer consent.

Credit providers and CRBs must adhere to the CR Code on collection, use, disclosure, hardship and dispute resolution.

Banking, energy and (soon) non-bank lending data sharing — accredited participants must comply with privacy safeguards.

Individuals can request access to and correction of their personal info, with strict response times.

Tranche 2 reforms in scoping — information controllers + processors regime.

From June 2025 — serious invasion of privacy actionable in tort.

APP 5 requires notice of identity, purposes, recipients, consequences of not providing info, and where Privacy Policy lives.

Every APP entity needs a clearly-expressed Privacy Policy covering APP 1.4 requirements.

FOI Act 1982 — Commonwealth agencies + ministers must respond to access requests within 30 days.

APP 7 restricts use + disclosure of personal info for direct marketing.

Where reasonable, individuals must be able to deal with you anonymously or under a pseudonym.

September 2022 Optus breach exposed ~10M customer records. OAIC alleges APP 11 failures + delayed notification.

OAIC investigated multiple SMB-scale breaches in 2024 — including in legal, retail, healthcare. Most resolved without penalty but documented APP 11 reasonable-steps + NDB notification expectations.

Class action + OAIC determination on Medibank Oct 2022 data breach affecting ~9.7M customers + their families.

Class action by ~9.8M Optus customers affected by September 2022 data breach.

Both retailers operated in-store facial recognition systems for loss-prevention. OAIC found inadequate notification and unjustified breach of APP 3.3 (sensitive information).

Bunnings operated facial recognition in stores for loss prevention without proper notice + consent for sensitive (biometric) information.

Kmart operated facial recognition for loss prevention; same proceedings as Bunnings determination 2024.

Following the February 2022 Medlab Pathology breach, OAIC alleges ACL failed to take reasonable steps to protect personal information and failed to properly notify the breach.

March 2023 Latitude breach exposed personal info of ~14M customers including 7.9M driver licences.

Follow-up compliance from 2021 determination + ongoing biometric processing detected.

The October 2022 Medibank breach exposed personal information of approximately 9.7 million current and former customers. OAIC alleges Medibank failed to take reasonable steps to protect personal information.

Health Engine forwarded patient data to insurance brokers without proper consent.