Privacy Complaints FAQ
Privacy in Australia is primarily governed by the Privacy Act 1988 (Cth), which establishes the Australian Privacy Principles (APPs) regulating how organisations and government agencies collect, use, store, and disclose personal information. The Office of the Australian Information Commissioner (OAIC) administers the Act, investigates complaints, and enforces compliance. Significant reforms were proposed following the 2022 Attorney-General's Department review.
This FAQ covers 20 of the most common questions about privacy complaints in Australia — the Australian Privacy Principles, notifiable data breaches, OAIC complaints and investigations, compensation for privacy breaches, and enforcement powers.
Common questions
What law governs privacy in Australia?
The Privacy Act 1988 (Cth) is the primary federal legislation. It contains 13 Australian Privacy Principles (APPs) that regulate the handling of personal information by Australian Government agencies and organisations with an annual turnover of more than $3 million (and some smaller organisations). State and territory legislation also applies to state government agencies.
What are the Australian Privacy Principles?
The 13 APPs cover: open and transparent management of personal information (APP 1), anonymity and pseudonymity (APP 2), collection of solicited personal information (APP 3), dealing with unsolicited personal information (APP 4), notification of collection (APP 5), use and disclosure (APP 6), direct marketing (APP 7), cross-border disclosure (APP 8), adoption, use and disclosure of government-related identifiers (APP 9), quality (APP 10), security (APP 11), access (APP 12), and correction (APP 13).
What is personal information?
Information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information is true or not and whether recorded in a material form or not. It includes names, addresses, dates of birth, financial information, health information, and online identifiers.
What is sensitive information?
A subset of personal information that receives higher protection. It includes health information, genetic information, biometric data, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, trade union membership, and criminal records. Collection of sensitive information generally requires consent.
How do I make a privacy complaint?
First, complain directly to the organisation or agency. They must have a complaints process and respond within 30 days. If unsatisfied, complain to the OAIC using the online complaint form. The OAIC may investigate, conciliate, or make a determination. Complaints must generally be made within 12 months of the act or practice.
What can the OAIC do about my complaint?
The OAIC can investigate the complaint, attempt conciliation between the parties, and make a determination. Determinations can include declarations, orders to compensate for loss or damage (including non-economic loss), orders to perform specified acts, and orders to refrain from specified acts.
Can I get compensation for a privacy breach?
Yes. The OAIC can order compensation for loss or damage suffered as a result of an interference with privacy. This includes economic loss (financial damage from identity theft, costs of remediation) and non-economic loss (distress, anxiety, embarrassment). Courts can also award compensation in civil penalty proceedings.
What is the Notifiable Data Breaches scheme?
Since February 2018, organisations subject to the Privacy Act must notify the OAIC and affected individuals when a data breach is likely to result in serious harm. Notification must occur as soon as practicable, and no later than 30 days after the organisation becomes aware of the breach.
What is an eligible data breach?
A data breach is eligible for notification when there is unauthorised access to, unauthorised disclosure of, or loss of personal information held by the organisation, and a reasonable person would conclude the breach is likely to result in serious harm to the affected individuals.
What must a data breach notification contain?
The notification must include the identity and contact details of the organisation, a description of the breach, the kinds of information involved, and recommendations for steps individuals should take in response. The OAIC notification must also include the number of individuals affected.
What are the penalties for serious privacy breaches?
Following the 2022 amendments, maximum civil penalties increased to the greater of: $50 million, three times the value of the benefit obtained from the breach, or 30% of the organisation's adjusted turnover during the breach period. These penalties apply to serious or repeated interferences with privacy.
What is a Commissioner-initiated investigation?
The OAIC can initiate an investigation without a complaint if it believes there may have been an interference with privacy. This power is often used for large-scale data breaches or systemic privacy issues. The OAIC can compel production of documents and require attendance at hearings.
What is an enforceable undertaking?
The Commissioner can accept an enforceable undertaking from an organisation to take specific actions to address a privacy concern. Breach of an enforceable undertaking can result in court enforcement proceedings. This is often used as an alternative to civil penalty proceedings for cooperative organisations.
Does the Privacy Act apply to small businesses?
Generally no. Organisations with annual turnover of $3 million or less are exempt, unless they trade in personal information, are a health service provider, are a childcare provider, report under the NDB scheme, are a credit reporting body, or have opted in. Proposed reforms may remove the small business exemption.
What are employee records?
The Privacy Act contains an exemption for employee records held by a current or former employer in relation to the employment relationship. This means the APPs do not apply to an employer's handling of its own employee records. However, state surveillance and workplace monitoring legislation may apply.
What rights do I have to access my personal information?
Under APP 12, you have the right to request access to personal information an organisation holds about you. The organisation must respond within 30 days. Access can be refused in limited circumstances (for example, if it would reveal commercially sensitive decision-making processes or prejudice enforcement activities).
Can I request correction of my personal information?
Yes. Under APP 13, you can request correction of inaccurate, out-of-date, incomplete, irrelevant, or misleading personal information. The organisation must correct the information within 30 days or provide reasons for refusal. If refused, you can request a statement of the correction be associated with the information.
What are the proposed Privacy Act reforms?
The Attorney-General's Department review proposed significant reforms including a statutory tort for serious invasions of privacy, removal of the small business exemption, a right to erasure, strengthened consent requirements, a children's online privacy code, and a direct right of action for individuals. Implementation is ongoing.
Can I take court action for a privacy breach?
Currently, there is no standalone statutory tort for invasion of privacy (though one is proposed). You can enforce OAIC determinations in the Federal Court or Federal Circuit Court. Courts can also hear civil penalty proceedings brought by the Commissioner. Some individuals have also pursued equitable claims for breach of confidence.
What about cross-border data transfers?
APP 8 restricts disclosure of personal information to overseas recipients. Before disclosing, the organisation must take reasonable steps to ensure the overseas recipient complies with the APPs, or obtain consent after informing the individual that APP 8 will not apply. The disclosing organisation remains liable for the overseas recipient's handling of the information.
These FAQs are general explanations for educational purposes — not legal advice. Australian privacy law is undergoing significant reform; always verify against the current Privacy Act 1988 (Cth) and OAIC guidance before acting.