Australia Privacy Act Compliance: Track the 13 APPs and the Staged 2024 Reforms Without Missing a Change
The Privacy Act 1988 and its 13 Australian Privacy Principles set the rules for APP entities, and the Privacy and Other Legislation Amendment Act 2024 begins a multi-tranche overhaul. RegSpace monitors the OAIC and the reform tranches, scores your policies against the law, and gives your counsel source-linked draft intelligence to act on.
What is the Australia Privacy Act?
The Privacy Act 1988 (Cth) is Australia's principal data protection law, regulating how Australian Government agencies and many private-sector organisations handle personal information. Its core is the 13 Australian Privacy Principles (APPs) in Schedule 1, which govern the collection, use, disclosure, quality, security and correction of personal information, along with individuals' rights of access. The Act is administered and enforced by the Office of the Australian Information Commissioner (OAIC), which also operates the Notifiable Data Breaches (NDB) scheme. The Privacy and Other Legislation Amendment Act 2024, passed by the Parliament in late 2024, delivers the first tranche of a wider reform program, introducing a statutory tort for serious invasions of privacy, a forthcoming Children's Online Privacy Code, new transparency requirements about automated decisions, enhanced OAIC enforcement powers and civil penalty tiers, and a criminal offence for doxxing. Further tranches of reform are expected.
Who does the Australia Privacy Act apply to?
The Privacy Act applies to APP entities, a category defined mainly by entity type and turnover rather than by sector alone. Some organisations are covered regardless of size because of the kind of personal information they handle.
- Australian Government agencies and most agencies of the Australian Capital Territory and Norfolk Island, which are bound by the APPs
- Private-sector organisations with an annual turnover of more than 3 million AUD (businesses, individuals, body corporates, partnerships and trusts, subject to the Act's definitions)
- Smaller businesses caught regardless of turnover, including health service providers that hold health information, and businesses that buy or sell personal information (trading in personal information)
- Credit reporting bodies, credit providers and other entities handling credit-related personal information under Part IIIA's credit reporting rules
- Organisations that opt in to be treated as APP entities, and certain contractors and operators linked to in-scope agencies or schemes
- Overseas organisations with an Australian link that collect or hold personal information, given the Act's extraterritorial reach in defined circumstances
Key Australia Privacy Act obligations
Comply with the 13 Australian Privacy Principles (APPs)
Meet the obligations across all 13 APPs in Schedule 1, covering open and transparent management of personal information (APP 1), anonymity and pseudonymity (APP 2), collection of solicited and unsolicited information (APPs 3 to 4), notice (APP 5), use and disclosure (APP 6), direct marketing (APP 7), cross-border disclosure (APP 8), government related identifiers (APP 9), data quality (APP 10), security (APP 11), and access and correction (APPs 12 to 13).
Maintain an up-to-date APP privacy policy (APP 1)
Manage personal information in an open and transparent way, including by having a clearly expressed and current privacy policy that sets out what personal information is collected and held, how it is collected and used, how individuals can access and correct it, and how they can complain, with the policy made available free of charge.
Notify eligible data breaches (NDB scheme)
Under the Notifiable Data Breaches scheme in Part IIIC, assess suspected eligible data breaches expeditiously (and generally within 30 days), then notify affected individuals and the OAIC where a breach is likely to result in serious harm and cannot be remediated in time.
Secure personal information and destroy or de-identify it (APP 11)
Take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure, and take reasonable steps to destroy or de-identify information that is no longer needed for a permitted purpose.
Control cross-border disclosures (APP 8)
Before disclosing personal information to an overseas recipient, take reasonable steps to ensure the recipient does not breach the APPs, noting that an APP entity can remain accountable for acts of the overseas recipient under the accountability provisions in section 16C unless an exception applies.
Provide access and correction (APPs 12 and 13)
Give individuals access to the personal information you hold about them on request, subject to the exceptions in the Act, and take reasonable steps to correct that information so it is accurate, up to date, complete, relevant and not misleading.
Prepare for the 2024 reforms (staged)
Get ready for the first-tranche reforms in the Privacy and Other Legislation Amendment Act 2024, including the statutory tort for serious invasions of privacy, a new transparency requirement to disclose in privacy policies where automated decisions significantly affect individuals, the Children's Online Privacy Code once the OAIC develops it, and the new criminal offence for doxxing.
Operate within the OAIC's enhanced enforcement regime
Account for the OAIC's strengthened enforcement powers and the new tiers of civil penalties introduced by the 2024 amendments, which sit alongside the existing penalty for serious or repeated interferences with privacy and increase the consequences of non-compliance.
Key dates
- 1 January 1989: The Privacy Act 1988 (Cth) commenced, originally applying to Australian Government agencies and credit reporting, before later extending to the private sector.
- 12 March 2014: The 13 Australian Privacy Principles (APPs) commenced, replacing the earlier separate Information Privacy Principles and National Privacy Principles.
- 22 February 2018: The Notifiable Data Breaches (NDB) scheme commenced, requiring notification of eligible data breaches likely to result in serious harm to the OAIC and affected individuals.
- Late 2024: The Parliament passed the Privacy and Other Legislation Amendment Act 2024, the first tranche of reforms, introducing the statutory tort, the doxxing offence, automated-decision transparency, the Children's Online Privacy Code framework, and enhanced OAIC enforcement and civil penalty tiers.
- Staged commencement (confirm each measure): Different parts of the 2024 amendments commence on different dates, with some measures (for example the statutory tort and the doxxing offence) commencing earlier and others (such as the Children's Online Privacy Code and certain transparency duties) taking effect after a transition or once the OAIC develops the code. Confirm the specific commencement date for each measure against the OAIC and the legislation.
- Expected further tranches (not yet law): The Government has signalled additional tranches of Privacy Act reform beyond the 2024 amendments. These are not yet law, so the obligations above remain the current framework until any further reforms are passed and commence.
How RegSpace helps with the Australia Privacy Act
Draft, source-linked intelligence for your team to review. Not legal advice.
Monitors, weekly, the Australian regulators and legislative trackers that touch you, including the OAIC, and drafts a source-linked digest of changes, so that as the 2024 reform tranches commence, the Children's Online Privacy Code is developed, or OAIC guidance lands, you see it with the citation attached. Where a change hits a policy you have published, Watcher prepares DOCX track-changes redlines for your counsel to review.
Scores your uploaded APP privacy policy, data handling procedures and related documents against the law and corpus, showing where each obligation is missing, partial or covered with a gap score, so you can see where your documentation falls short of the 13 APPs and the new transparency duties before the OAIC does.
Gives you the registers an Australian privacy program leans on in one place: a record of processing-style register, a risk register with a 5x5 matrix, a controls library, an incidents log to support your NDB assessment workflow, plus DPIA-style assessments, cookies, assets and vendors, with a review and approval workflow, tickets and dashboards to evidence accountability.
Scores vendor and third-party risk and reconciles your published privacy notice against what your registers actually record, supporting the cross-border disclosure (APP 8) and accountability work the Act expects when personal information is shared with service providers and overseas recipients.
Builds your compliance profile by crawling your website and classifying your published policies, giving your counsel an editable starting point so the APP-relevant policies on file are mapped before assessment and monitoring begin.
Australia Privacy Act FAQ
Who does the Australian Privacy Act apply to?
The Privacy Act 1988 applies to APP entities. These include Australian Government agencies and private-sector organisations with an annual turnover of more than 3 million AUD. Some organisations are covered regardless of turnover, such as health service providers, businesses that trade in personal information, and entities involved in credit reporting. Overseas organisations with an Australian link can also be caught in defined circumstances.
What are the Australian Privacy Principles?
The Australian Privacy Principles (APPs) are the 13 principles in Schedule 1 of the Privacy Act that govern how APP entities handle personal information. They cover open and transparent management and a privacy policy (APP 1), anonymity (APP 2), collection (APPs 3 to 4), notice (APP 5), use and disclosure (APP 6), direct marketing (APP 7), cross-border disclosure (APP 8), identifiers (APP 9), quality (APP 10), security (APP 11), and access and correction (APPs 12 to 13).
Who regulates the Privacy Act and the NDB scheme?
The Office of the Australian Information Commissioner (OAIC) administers and enforces the Privacy Act 1988, including the 13 APPs and the Notifiable Data Breaches scheme. The OAIC handles privacy complaints, conducts investigations, issues guidance, and exercises the enforcement powers set out in the Act, which were strengthened by the 2024 amendments.
What did the Privacy and Other Legislation Amendment Act 2024 change?
The 2024 Act delivers the first tranche of Privacy Act reform. It introduces a statutory tort for serious invasions of privacy, a new criminal offence for doxxing, a transparency requirement to disclose where automated decisions significantly affect individuals, a framework for a Children's Online Privacy Code to be developed by the OAIC, and enhanced OAIC enforcement powers with new civil penalty tiers. Different measures commence on different dates, and further reform tranches are expected.
When do the 2024 Privacy Act reforms take effect?
The Privacy and Other Legislation Amendment Act 2024 was passed in late 2024 and its provisions commence in stages. Some measures, such as the statutory tort and the doxxing offence, commence earlier, while others, such as the Children's Online Privacy Code and certain transparency duties, take effect after a transition period or once the OAIC develops the relevant code. Confirm the exact commencement date for each measure against the OAIC and the legislation, because they differ.
What is the Notifiable Data Breaches scheme?
The NDB scheme, in Part IIIC of the Privacy Act, requires APP entities to notify the OAIC and affected individuals of an eligible data breach. A breach is eligible where there is unauthorised access or disclosure of, or loss of, personal information that is likely to result in serious harm and cannot be remediated in time. Entities must assess suspected breaches expeditiously, generally within 30 days, and notify where the threshold is met.
Does RegSpace make my organisation compliant with the Privacy Act?
No. RegSpace produces draft regulatory intelligence, gap analysis and register tooling for your qualified counsel to review. Every monitoring item is source-linked so your experts can verify it. RegSpace does not provide legal advice, does not form a lawyer-client relationship, does not lodge or file anything with the OAIC or any regulator, and does not guarantee compliance or replace your legal team.
Stay ahead of Australia Privacy Act changes, automatically.
RegSpace monitors the regulators that touch you, scores your policies against the law, and drafts the redlines. Every claim cited, every output lawyer-reviewed.