Privacy & data protection
Privacy Act 1988 obligations including APPs, NDB scheme, the 2024 amendments (statutory tort, enhanced penalties, doxxing offence), and the 10 December 2026 removal of the small-business exemption.
Obligations (26)
- [critical | CWLTH | current] APP 3 — collection of sensitive information requires consent
  Health, religion, race, sexual orientation + similar 'sensitive' info requires consent before collection.
- [critical | CWLTH | upcoming] Automated Decision-Making transparency under Privacy Act (phased)
  From a phased commencement, APP entities using ADM must disclose this in their Privacy Policy.
- [critical | CWLTH | current] Notify the OAIC and affected individuals of eligible data breaches
  Eligible data breaches must be notified to the OAIC and affected individuals 'as soon as practicable'.
- [critical | CWLTH | upcoming] Prepare for the removal of the small business exemption
  From 10 December 2026, businesses with <$3M turnover lose the Privacy Act exemption.
- [high | CWLTH | current] APP 8 — cross-border disclosure of personal information
  Before disclosing personal info overseas, take reasonable steps so the recipient won't breach the APPs (or meet an exception).
- [high | CWLTH | upcoming] Automated Decision-Making transparency (Privacy Act 2024 reforms)
  APP entities making decisions about individuals using ADM must disclose this in their privacy policy from December 2026.
- [high | CWLTH | current] CDR Energy sector — phased
  Energy retailers + distributors must share data via the CDR.
- [high | CWLTH | upcoming] Children's Online Privacy Code 2026
  The OAIC is developing a mandatory children's online privacy code (in force December 2026).
- [high | CWLTH | current] Comply with credit reporting obligations (Part IIIA Privacy Act)
  Credit providers and CRBs must adhere to the CR Code on collection, use, disclosure, hardship and dispute resolution.
- [high | CWLTH | current] Comply with doxxing criminal offence (Criminal Code s 474.17C)
  From 13 December 2024, using a carriage service to dox personal data with menace is a criminal offence.
- [high | CWLTH | current] Comply with the Spam Act 2003 (consent, identify, unsubscribe)
  All commercial electronic messages must have consent, identify the sender, and offer a working unsubscribe.
- [high | ACT | current] Comply with Workplace Privacy Act 2011 (ACT)
  ACT employers must follow the ACT workplace surveillance + privacy framework.
- [high | NSW | current] Comply with Workplace Surveillance Act 2005 (NSW)
  NSW employers conducting workplace surveillance must give notice + meet specific conditions.
- [high | CWLTH | current] Consumer Data Right (CDR) participant accreditation + compliance
  Banking, energy and (soon) non-bank lending data sharing — accredited participants must comply with the privacy safeguards.
- [high | CWLTH | current] Handle APP 12 access and APP 13 correction requests
  Individuals can request access to and correction of their personal info, with strict response times.
- [high | CWLTH | current] Lodge Payment Times Reports (large business)
  Large businesses (>$100M revenue) must report payment times to small business suppliers every 6 months.
- [high | CWLTH | current] Pre-2025 ban on unsolicited credit limit increase invitations
  Credit card limit increase offers cannot be sent without prior written consent.
- [high | CWLTH | upcoming] Privacy Act Reform — information controllers regime (proposed Tranche 2)
  Tranche 2 reforms in scoping — information controllers + processors regime.
- [high | CWLTH | current] Privacy statutory tort (serious invasions of privacy)
  From June 2025 — a serious invasion of privacy is actionable in tort.
- [high | CWLTH | current] Provide an APP 5 collection notice at or before collection
  APP 5 requires notice of identity, purposes, recipients, consequences of not providing info, and where the Privacy Policy lives.
- [high | CWLTH | current] Publish a Privacy Policy compliant with APP 1
  Every APP entity needs a clearly expressed Privacy Policy covering the APP 1.4 requirements.
- [high | CWLTH | current] Simplified Debt Restructuring (small business)
  Small companies (<$1M liabilities) can use SDR to restructure without full external administration.
- [high | CWLTH | current] Use of personal information for direct marketing (APP 7)
  APP 7 restricts use + disclosure of personal info for direct marketing.
- [medium | CWLTH | current] APP 2 — anonymity + pseudonymity for individuals
  Where reasonable, individuals must be able to deal with you anonymously or under a pseudonym.
- [medium | CWLTH | current] Data Availability and Transparency Act 2022
  Commonwealth data sharing regime — accredited users + entities.
- [medium | CWLTH | current] Instant Asset Write-Off (annually re-set threshold)
  SBE asset write-off threshold is reset annually; $20,000 for FY25-26.