Privacy and Personal Data in New South Wales

Source: Privacy Act 1988 (Cth) — Australian Privacy Principles (APPs); Privacy Amendment (Notifiable Data Breaches) Act 2017

Reviewed by the Commoner Law Editorial Team. Sourced from Commonwealth Acts of Parliament, federal regulations, and official government guidance. State-level information reflects each state's own Acts and court decisions. Written in plain language for general understanding — this is educational content, not legal advice. Our editorial standards

Australian Federal Law

What is this right?

The Privacy Act 1988 and the 13 Australian Privacy Principles (APPs) govern how organisations handle your personal information:

  • Who it covers: Australian Government agencies, private sector organisations with annual turnover over $3 million, and all health service providers, regardless of size. Some small businesses are also covered if they trade in personal information or provide services under a Commonwealth contract.
  • Right to know (APP 1 & 5): Organisations must tell you what information they collect, why, and who they share it with through a clear privacy policy.
  • Right to access and correct (APP 12 & 13): You can request access to your personal information and ask for corrections if it is wrong.
  • Data breach notification: Since February 2018, organisations must notify you and the Office of the Australian Information Commissioner (OAIC) about data breaches that are likely to result in serious harm.
  • Penalties: Serious or repeated privacy breaches carry penalties of up to $50 million, three times the benefit obtained, or 30% of adjusted domestic turnover (whichever is greatest).

When does it apply?

  • An organisation covered by the Privacy Act collects, uses, or discloses your personal information.
  • You want to access or correct personal information an organisation holds about you.
  • You believe an organisation has breached your privacy or failed to notify you of a data breach.
  • Note: employee records held by a current or former employer are generally exempt from the APPs (except for government agencies).

What to Do If an Australian Organisation Has Misused or Breached Your Personal Data

  • Check the organisation’s privacy policy to understand how they handle your data.
  • To access or correct your data, make a written request to the organisation. They must respond within 30 days.
  • If you believe your privacy has been breached, complain to the organisation first. If unresolved after 30 days, lodge a complaint with the OAIC at oaic.gov.au.
  • If you receive a data breach notification, follow the recommended steps to protect yourself (change passwords, monitor accounts).

What should you NOT do?

  • Don’t assume every business is covered — most small businesses (under $3 million turnover) are exempt unless they handle health information or meet other criteria.
  • Don’t ignore data breach notifications — act quickly to protect your accounts and identity.
  • Don’t confuse privacy with defamation — the Privacy Act protects your data, not your reputation.
New South Wales Law

How New South Wales differs from federal law

Privacy protection in NSW involves both the federal Privacy Act 1988 (Cth) (which covers private-sector organisations) and the Privacy and Personal Information Protection Act 1998 (NSW) (PPIPA), which covers NSW Government agencies.

  • PPIPA regulates how NSW Government agencies (including NSW Police, NSW Health, Transport for NSW, and local councils) collect, use, store, and disclose personal information.
  • The Health Records and Information Privacy Act 2002 (NSW) (HRIPA) provides additional protections for health information held by both NSW Government and private health service providers in NSW.
  • The NSW Privacy Commissioner (part of the Information and Privacy Commission NSW) oversees compliance with PPIPA and HRIPA. Individuals can make complaints to the Commissioner about breaches by NSW Government agencies.
  • For private-sector organisations with annual turnover exceeding $3 million, the federal Privacy Act's Australian Privacy Principles (APPs) apply. Complaints go to the Office of the Australian Information Commissioner (OAIC).
  • NSW has a mandatory data breach notification scheme for NSW Government agencies under PPIPA (since 2023), in addition to the federal Notifiable Data Breaches scheme for private organisations.

Additional Steps in New South Wales

For complaints about NSW Government agencies, contact the Information and Privacy Commission NSW (ipc.nsw.gov.au or 1800 472 679). For private-sector privacy complaints, contact the OAIC (oaic.gov.au). For health information complaints, contact the IPC under HRIPA.

Relevant Law: Privacy and Personal Information Protection Act 1998 (NSW); Health Records and Information Privacy Act 2002 (NSW); Privacy Act 1988 (Cth); Government Information (Public Access) Act 2009 (NSW)

Common Questions

When does privacy and personal data apply?

An organisation covered by the Privacy Act collects, uses, or discloses your personal information.You want to access or correct personal information an organisation holds about you.You believe an organisation has breached your privacy or failed to notify you of a data breach.Note: employee records held by a current or former employer are generally exempt from the APPs (except for government agencies).

What should I do if a company in Australia has mishandled my personal data or suffered a data breach?

Check the organisation’s privacy policy to understand how they handle your data.To access or correct your data, make a written request to the organisation. They must respond within 30 days.If you believe your privacy has been breached, complain to the organisation first. If unresolved after 30 days, lodge a complaint with the OAIC at oaic.gov.au.If you receive a data breach notification, follow the recommended steps to protect yourself (change passwords, monitor accounts).

What mistakes should I avoid with privacy and personal data?

Don’t assume every business is covered — most small businesses (under $3 million turnover) are exempt unless they handle health information or meet other criteria.Don’t ignore data breach notifications — act quickly to protect your accounts and identity.Don’t confuse privacy with defamation — the Privacy Act protects your data, not your reputation.

More in Consumer Rights

Consumer Guarantees (in New South Wales)Every product sold in Australia comes with automatic consumer guarantees under the Australian Consumer Law (ACL). These ...Read more →Right to Refund, Repair, or Replacement (in New South Wales)When a product fails to meet a consumer guarantee, you have the right to a remedy. The remedy you can demand depends on ...Read more →Unfair Contract Terms (in New South Wales)The ACL protects you from unfair terms in standard form contracts — the kind of “take it or leave it” agreements you sig...Read more →

Related Topics

Workers' RightsNotice of Termination and Redundancy Pay (in New South Wales)Tax RightsTax Offsets (Rebates) (in New South Wales)
← Browse all Consumer Rights

Legal Resources

We may earn a commission if you use these services — at no extra cost to you. This supports our mission to make legal information free for everyone.

LawDepotSend a formal demand letter to a business or creditor. State-specific financial and consumer documents ready in minutes.Create a Demand LetterCredit KarmaFree credit monitoring, dispute tools, and alerts. Know when your credit report changes.Check Your Credit FreeIdentityGuardIdentity theft protection and monitoring. Get notified if your personal information is misused.Protect Your Identity

You came here to know your rights — help someone else know theirs.

Support This Mission