Data Protection and Privacy (AU) glossary
Data protection in Australia is driven by the Privacy Act 1988 (Cth), the thirteen Australian Privacy Principles, the Notifiable Data Breaches scheme, and the SOCI Act for critical infrastructure. Reform is under way following the 2023 Privacy Act Review. This glossary covers 40 terms current as at mid-2026, including post-reform changes where relevant.
The 40 terms below are those used in Australian privacy, data protection, and cyber law practice. Each definition cites the controlling provision of the Privacy Act 1988 (Cth) or related authority.
Definitions
APP 1 (Open management)
The APP requiring entities to manage personal information in an open and transparent way, including a clearly expressed privacy policy.
APP 11 (Security)
The APP requiring reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure.
APP 6 (Use and disclosure)
The APP limiting use and disclosure of personal information to the primary purpose of collection, subject to exceptions.
APP 8 (Cross-border disclosure)
The APP requiring entities to take reasonable steps before disclosing personal information to overseas recipients, with accountability for breaches.
APP entity
An organisation (generally one with annual turnover above $3m, or one otherwise specified) or an agency bound by the APPs.
APPs (Australian Privacy Principles)
The thirteen principles in Schedule 1 of the Privacy Act governing the handling of personal information by APP entities.
Collection
The act of obtaining personal information for inclusion in a record. APP 3 limits collection to what is reasonably necessary.
Consent
Express or implied agreement to a use, disclosure, or practice. Must be voluntary, informed, specific, current, and with capacity.
Consumer Data Right (CDR)
The economy-wide data portability regime allowing consumers to direct sharing of their data with accredited recipients.
Controller
A proposed term in post-reform Australian privacy law analogous to the GDPR controller — the entity determining purposes and means of processing.
Credit reporting
The Part IIIA regime regulating the handling of credit reporting information — separate from the APPs.
Cross-border disclosure
The disclosure of personal information to an overseas recipient. Triggers APP 8 accountability.
Data breach
Unauthorised access to, unauthorised disclosure of, or loss of personal information. May trigger the NDB scheme if likely to result in serious harm.
De-identification
The process of removing or altering information that identifies an individual, so they can no longer be reasonably identifiable.
Direct marketing
Communications promoting goods or services. APP 7 limits direct marketing by APP entities and requires opt-out.
Eligible data breach
A data breach likely to result in serious harm, triggering mandatory notification to the OAIC and affected individuals.
Fair and reasonable test
A proposed post-reform overlay requiring collection, use, and disclosure to be fair and reasonable in the circumstances, irrespective of consent.
Health information
Sensitive information about an individual's health, genetic information, or related services. Extra APP protections apply.
Identifier
A number, letter, or symbol used to uniquely identify an individual. APP 9 restricts use of government identifiers.
Mandatory Notifiable Data Breach (NDB)
The scheme requiring notification of eligible data breaches to the OAIC and affected individuals.
My Health Records Act
The Act governing the national digital health record system, with its own privacy regime.
OAIC
The Office of the Australian Information Commissioner — the privacy regulator and FOI complaints body.
Overseas recipient
A recipient located outside Australia. Under APP 8, the disclosing APP entity may be held accountable for the recipient's acts and practices in some circumstances.
Personal information
Information or an opinion about an identified or reasonably identifiable individual — whether or not recorded.
Privacy Act
The Privacy Act 1988 (Cth) — the principal federal privacy statute. Subject to ongoing reform following the 2022 Review Report.
Privacy by design
An APP 1 expectation that privacy is considered at the design stage of systems, practices, and products.
Privacy Impact Assessment (PIA)
A systematic assessment of privacy risk for a project or system. Mandatory for high-risk Commonwealth projects.
Processor
A proposed post-reform term for an entity processing personal information on behalf of a controller — GDPR-aligned.
Reasonable steps
The context-specific standard applied across APPs — considering nature of data, risk, and technical options.
Record
A document or electronic record holding personal information. APP obligations attach to records.
Research exemption
An exemption allowing use or disclosure for specified research in the public interest, subject to guidelines.
Right to erasure (proposed)
A proposed individual right to request deletion of personal information in specified circumstances.
Sensitive information
A subset of personal information (e.g. health, race, sexual orientation) attracting higher APP protections.
Serious harm
The threshold for a data breach to be notifiable — considered by reference to the kind, sensitivity, and likelihood of harm.
Small business exemption
An exemption from the APPs for organisations with annual turnover of $3m or less, subject to exceptions (e.g. health providers).
SOCI Act
The Security of Critical Infrastructure Act 2018 (Cth) — cyber and security obligations for responsible entities of critical infrastructure.
Spam Act
The Spam Act 2003 (Cth), which regulates commercial electronic messages and imposes consent and unsubscribe obligations.
Statutory tort (proposed)
A proposed statutory cause of action for serious invasion of privacy — under active legislative consideration.
Telecommunications data
Metadata and content data under the Telecommunications Act, with its own access and disclosure rules.
Unique identifier
An identifier assigned by an organisation to uniquely identify an individual. APP 9 restricts adoption of government identifiers.
Research these terms in context
Quillio is built for Australian privacy and technology lawyers. Use it to map obligations under the APPs, draft NDB assessments, and advise on Privacy Act reform with live citations to the Act, OAIC guidelines, and determinations. See /practice-areas/technology-lawyers or start a free trial.
These definitions are general explanations for educational purposes — not legal advice. Privacy law in Australia is undergoing significant reform. Always verify against current Privacy Act provisions and OAIC guidance.