Privacy & data protection
Privacy Act 1988 obligations including APPs, NDB scheme, the 2024 amendments (statutory tort, enhanced penalties, doxxing offence), the 10 December 2026 commencements (ADM transparency, Children's Online Privacy Code), and the proposed removal of the small-business exemption (a future reform tranche, not yet law).
26
Obligations
4
Regulators
20
Recent enforcement
Regulators
Obligations (26)
- criticalCWLTHcurrentNotifiable Data Breach (NDB) scheme
Under the NDB scheme, APP entities must notify the OAIC and affected individuals of an eligible data breach likely to cause serious harm — assessed within 30 days.
- criticalCWLTHupcomingAutomated Decision-Making transparency under Privacy Act (phased)
From a phased commencement, APP entities using ADM must disclose in Privacy Policy.
- criticalCWLTHcurrentAPP 3 collection of sensitive information
APP 3 bars collecting sensitive information — health, race, religion, sexual orientation and more — without consent. What counts as sensitive, the exceptions and penalties.
- highCWLTHcurrentComply with the Spam Act 2003 (consent, identify, unsubscribe)
All commercial electronic messages must have consent, identify the sender, and offer a working unsubscribe.
- highCWLTHcurrentProvide an APP 5 collection notice at or before collection
APP 5 requires notice of identity, purposes, recipients, consequences of not providing info, and where Privacy Policy lives.
- highCWLTHcurrentAPP 8 cross-border disclosure
Before disclosing personal information overseas, APP 8 requires reasonable steps so the recipient meets the APPs — unless an exception applies. Steps and exceptions.
- highCWLTHcurrentAPP 12 & APP 13 access and correction requests
Individuals can ask to access (APP 12) and correct (APP 13) the personal information you hold — the strict response times, allowable refusals and how to comply.
- highCWLTHcurrentComply with credit reporting obligations (Part IIIA Privacy Act)
Credit providers and CRBs must adhere to the CR Code on collection, use, disclosure, hardship and dispute resolution.
- highCWLTHcurrentConsumer Data Right (CDR) participant accreditation + compliance
Banking, energy and (soon) non-bank lending data sharing — accredited participants must comply with privacy safeguards.
- highCWLTHcurrentLodge Payment Times Reports (large business)
Large businesses (>$100M revenue) must report payment times to small business suppliers every 6 months.
- highCWLTHcurrentComply with doxxing criminal offence (Criminal Code s 474.17C)
From 11 December 2024, using a carriage service to dox personal data with menace is criminal.
- highNSWcurrentComply with Workplace Surveillance Act 2005 (NSW)
NSW employers conducting workplace surveillance must give notice + meet specific conditions.
- highACTcurrentComply with Workplace Privacy Act 2011 (ACT)
ACT employers must follow ACT workplace surveillance + privacy framework.
- highCWLTHcurrentSimplified Debt Restructuring (small business)
Small companies (<$1M liabilities) can use SDR to restructure without full external admin.
- highCWLTHcurrentPre-2025 ban on unsolicited credit limit increase invitations
Credit card limit increase offers cannot be sent without prior written consent.
- highCWLTHcurrentAPP 7 direct marketing
APP 7 restricts using or disclosing personal information for direct marketing and requires a simple opt-out — when it applies, the exceptions and penalties.
- highCWLTHupcomingPrepare for the proposed removal of the small business exemption
Removing the Privacy Act small business exemption (<$3M turnover) is proposed for a future reform tranche — agreed in principle, not yet law.
- highCWLTHupcomingPrivacy Act Reform — information controllers regime (proposed Tranche 2)
Tranche 2 reforms in scoping — information controllers + processors regime.
- highCWLTHcurrentPublish a Privacy Policy compliant with APP 1
Every APP entity needs a clearly-expressed Privacy Policy covering APP 1.4 requirements.
- highCWLTHupcomingAutomated Decision-Making transparency (Privacy Act 2024 reforms)
APP entities making decisions about individuals using ADM must disclose this in privacy policy from December 2026.
- highCWLTHcurrentPrivacy statutory tort (serious invasions of privacy)
From June 2025 — serious invasion of privacy actionable in tort.
- highCWLTHupcomingChildren's Online Privacy Code 2026
OAIC developing mandatory children's online privacy code (in force December 2026).
- highCWLTHcurrentCDR Energy sector — phased
Energy retailers + distributors must share data via CDR.
- mediumCWLTHcurrentAPP 2 — anonymity + pseudonymity for individuals
Where reasonable, individuals must be able to deal with you anonymously or under a pseudonym.
- mediumCWLTHcurrentData Availability and Transparency Act 2022
Commonwealth data sharing regime — accredited users + entities.
- mediumCWLTHcurrentInstant Asset Write-Off (annually re-set threshold)
SBE asset write-off threshold reset annually; $20,000 for FY25-26.
Recent enforcement
- accccivil penalty2025ACCC CDR enforcement progressing 2024-2025
ACCC + OAIC CDR enforcement progressed in 2024-2025 — first civil penalty proceedings + significant infringement notices.
- oaiccivil penalty2025OAIC investigation — Optus 2022 data breach
September 2022 Optus breach exposed ~10M customer records. OAIC alleges APP 11 failures + delayed notification.
- oaicinvestigation2024OAIC enforcement — multiple SMB breach investigations 2024
OAIC investigated multiple SMB-scale breaches in 2024 — including in legal, retail, healthcare. Most resolved without penalty but documented APP 11 reasonable-steps + NDB notification expectations.
- oaicdetermination2024OAIC + AFP Medibank determination 2024-2025
Class action + OAIC determination on Medibank Oct 2022 data breach affecting ~9.7M customers + their families.
- oaicclass action2024Optus class action — 2022 data breach
Class action by ~9.8M Optus customers affected by September 2022 data breach.
- oaicdetermination2024OAIC determinations on Bunnings and Kmart facial recognition
Both retailers operated in-store facial recognition systems for loss-prevention. OAIC found inadequate notification and unjustified breach of APP 3.3 (sensitive information).
- oaicdetermination2024OAIC determination — Bunnings facial recognition + biometric
Bunnings operated facial recognition in stores for loss prevention without proper notice + consent for sensitive (biometric) information.
- oaicdetermination2024OAIC determination — Kmart facial recognition
Kmart operated facial recognition for loss prevention; same proceedings as Bunnings determination 2024.
- ipc-nswreview2024IPC NSW privacy investigations — government breaches
Multiple NSW government agency privacy reviews including data breaches + PPIPA failures.
- oaiccivil penalty2024OAIC investigation into Australian Clinical Labs (Medlab)
Following the February 2022 Medlab Pathology breach, OAIC alleges ACL failed to take reasonable steps to protect personal information and failed to properly notify the breach.
- acccreview2024ACCC CDR Banking compliance reviews 2024
Periodic ACCC + OAIC compliance reviews of CDR Banking data holders + accredited recipients.
- oaicinvestigation2024OAIC investigation — Latitude Financial 2023 breach
March 2023 Latitude breach exposed personal info of ~14M customers including 7.9M driver licences.
- oaicfollow up2024OAIC follow-up enforcement — Clearview AI compliance
Follow-up compliance from 2021 determination + ongoing biometric processing detected.
- acmainfringement$412K2024ACMA infringement notice — Uber Australia Pty Ltd (Spam Act)
Uber sent more than 2 million commercial electronic messages without consent or proper unsubscribe facility.
- oaiccivil penalty2024OAIC v Medibank Private Limited
The October 2022 Medibank breach exposed personal information of approximately 9.7 million current and former customers. OAIC alleges Medibank failed to take reasonable steps to protect personal information.
- oaicdetermination2023OAIC determination — Health Engine
Health Engine forwarded patient data to insurance brokers without proper consent.
- acmainfringement$2.5M2023ACMA enforcement — Pizza Hut Australia (Spam Act)
Pizza Hut sent over 10 million marketing messages without consent or proper unsubscribe over 2-year period.
- accccivil penalty$60.0M2022ACCC v Google LLC (location data)
Google misled Android users about the personal location data it collected, retained, and used by representing that the Location History setting controlled all location collection when other settings also collected data.
- oaicdetermination2021Commissioner-initiated investigation into Clearview AI Inc
Clearview AI scraped publicly available images from the web and used them to build a facial-recognition tool that was offered to Australian police agencies.
- oaicdetermination2021Commissioner-initiated investigation into 7-Eleven Stores Pty Ltd
7-Eleven collected facial images and faceprints from customers via in-store tablets as part of a customer feedback program. Consent processes were inadequate.