PrivacyCache
Enacted · AU · Effective December 14, 1988

Privacy Act 1988 (Privacy Act)

Complete compliance guide for companies with <200 employees. Everything you need to know about Privacy Act requirements, deadlines, and penalties.

DSAR Deadline: 30 calendar days (+ 30 days extension)

Max Penalty: AUD 50,000,000/violation

The maximum penalty is the greater of: AUD $50 million, three times the benefit obtained from the contravention, or 30% of the entity's adjusted turnover during the relevant period. It was significantly increased by the Privacy Legislation Amendment Act 2022.

Threshold: No threshold, or $3,000,000 revenue

Est. Cost: $6,000 – $25,000 (6-16 weeks)

Mid-Market Compliance Guide

The Privacy Act applies to organizations with annual turnover above AUD $3 million, plus some smaller organizations (health services, trading in personal information). The 2022 amendments drastically increased penalties. A major review is underway that may introduce a right to erasure and a tort for serious privacy invasion.

Key Requirements

  • Comply with 13 Australian Privacy Principles (APPs)
  • Notifiable Data Breach scheme — report eligible breaches to OAIC
  • Privacy Impact Assessment for high-risk activities
  • Implement reasonable security safeguards (APP 11)
  • Cross-border disclosure requirements (APP 8)
  • Collection limited to what is reasonably necessary (APP 3)

Enforced by: Office of the Australian Information Commissioner (OAIC)

Consumer Rights

Right of Access (APP 12)
Right to Correction (APP 13)
Right to Anonymity/Pseudonymity (APP 2)
Right to Complain to OAIC
Right to Know Collection Purpose (APP 5)

Business Obligations

Exemptions

  • Small businesses with annual turnover under AUD $3 million (with exceptions)
  • Employee records for current/former employment relationship
  • Journalism by media organizations committed to privacy standards
  • Political parties and representatives

Disclaimer: This is general information, not legal advice. Consult a qualified attorney for your specific situation. Laws and regulations may change. Last reviewed: 3/27/2026.