Privacy & data protection in Victoria
Privacy Act 1988 obligations including APPs, NDB scheme, the 2024 amendments (statutory tort, enhanced penalties, doxxing offence), the 10 December 2026 commencements (ADM transparency, Children's Online Privacy Code), and the proposed removal of the small-business exemption (a future reform tranche, not yet law).
Vic-specific obligations: 0
Federal obligations: 24
Notify the OAIC and affected individuals of eligible data breaches
Eligible data breaches must be notified to OAIC and affected individuals 'as soon as practicable'.
Automated Decision-Making transparency under Privacy Act (phased)
Under a phased commencement, APP entities that use ADM must disclose this in their Privacy Policy.
APP 3 — collection of sensitive information requires consent
Health, religion, race, sexual orientation and similar 'sensitive' information require consent before collection.
Provide an APP 5 collection notice at or before collection
APP 5 requires notice of identity, purposes, recipients, consequences of not providing info, and where Privacy Policy lives.
APP 8 — cross-border disclosure of personal information
Before disclosing personal info overseas, take reasonable steps so the recipient won't breach the APPs (or meet an exception).
Handle APP 12 access and APP 13 correction requests
Individuals can request access to and correction of their personal info, with strict response times.
Comply with credit reporting obligations (Part IIIA Privacy Act)
Credit providers and CRBs must adhere to the CR Code on collection, use, disclosure, hardship and dispute resolution.
Consumer Data Right (CDR) participant accreditation + compliance
Banking, energy and (soon) non-bank lending data sharing — accredited participants must comply with privacy safeguards.
Lodge Payment Times Reports (large business)
Large businesses (>$100M revenue) must report payment times to small business suppliers every 6 months.
Comply with doxxing criminal offence (Criminal Code s 474.17C)
From 11 December 2024, using a carriage service to dox someone's personal data in a menacing way is a criminal offence.
CDR Energy sector — phased
Energy retailers and distributors must share data via the CDR.
Simplified Debt Restructuring (small business)
Small companies (<$1M liabilities) can use SDR to restructure without full external admin.
Pre-2025 ban on unsolicited credit limit increase invitations
Credit card limit increase offers cannot be sent without prior written consent.
Privacy Act Reform — information controllers regime (proposed Tranche 2)
Tranche 2 reforms, still at the scoping stage, would introduce an information controllers and processors regime.
Use of personal information for direct marketing (APP 7)
APP 7 restricts the use and disclosure of personal information for direct marketing.
Children's Online Privacy Code 2026
The OAIC is developing a mandatory children's online privacy code (in force December 2026).
Prepare for the proposed removal of the small business exemption
Removing the Privacy Act small business exemption (<$3M turnover) is proposed for a future reform tranche — agreed in principle, not yet law.
Comply with the Spam Act 2003 (consent, identify, unsubscribe)
All commercial electronic messages must have consent, identify the sender, and offer a working unsubscribe.
Automated Decision-Making transparency (Privacy Act 2024 reforms)
APP entities that make decisions about individuals using ADM must disclose this in their Privacy Policy from December 2026.
Privacy statutory tort (serious invasions of privacy)
From June 2025, a serious invasion of privacy is actionable in tort.
Publish a Privacy Policy compliant with APP 1
Every APP entity needs a clearly-expressed Privacy Policy covering APP 1.4 requirements.
APP 2 — anonymity and pseudonymity for individuals
Where reasonable, individuals must be able to deal with you anonymously or under a pseudonym.
Instant Asset Write-Off (annually re-set threshold)
The small business entity (SBE) instant asset write-off threshold is reset annually; it is $20,000 for FY25-26.
Data Availability and Transparency Act 2022
Commonwealth data sharing regime for accredited users and entities.