Western Australia Privacy and Personal Data Laws (2026)

Source: Privacy Act 1988 (Cth) — Australian Privacy Principles (APPs); Privacy Amendment (Notifiable Data Breaches) Act 2017

About this article

Sourced from Commonwealth Acts of Parliament, federal regulations, and official government guidance. State-level information reflects each state's own Acts and court decisions. Written in plain language for general understanding. This is educational content, not legal advice.

Australian Federal Law

What is this right?

The Privacy Act 1988 and its 13 Australian Privacy Principles (APPs) govern how organisations handle personal information in Australia. The Act has been around for decades but the enforcement teeth — penalties up to $50 million — are largely a 2022 addition driven by the Optus and Medibank breaches.

  • Who it covers: Commonwealth agencies, private organisations with annual turnover over $3 million, and all health service providers regardless of size. Some smaller businesses are also caught if they trade in personal information or operate under a Commonwealth contract.
  • Right to know (APPs 1 & 5): organisations must tell you what they collect, why, and who they share it with — usually through a privacy policy.
  • Right to access and correct (APPs 12 & 13): you can request access to your information and ask for corrections.
  • Data breach notification: since February 2018, organisations must notify you and the OAIC about breaches likely to cause serious harm.
  • Penalties: serious or repeated breaches attract up to $50 million, three times the benefit obtained, or 30% of adjusted domestic turnover (whichever is greatest).
  • Statutory tort for serious invasions of privacy (in force 10 June 2025): the Privacy and Other Legislation Amendment Act 2024 (assent 10 Dec 2024) added a new statutory tort for serious invasions of privacy. You can sue for damages, injunctions, and apology orders, including against non-APP-entity actors (private individuals, small businesses) who wouldn't otherwise be covered by the APPs. The invasion must be intentional or reckless and serious; careless handling of data is not enough, and the court weighs your privacy interest against any countervailing public interest. This is a major shift: until now Australia had no general privacy tort, only the Privacy Act regulator route.

When does it apply?

  • An organisation covered by the Privacy Act collects, uses, or discloses your personal information.
  • You want to access or correct personal information an organisation holds about you.
  • You believe an organisation has breached your privacy or failed to notify you of a data breach.
  • Note: employee records held by a current or former employer are generally exempt from the APPs (except for government agencies).

What to Do If an Australian Organisation Has Misused or Breached Your Personal Data

  • Check the organisation’s privacy policy to understand how they handle your data.
  • To access or correct your data, make a written request to the organisation. Commonwealth agencies must respond within 30 days; private organisations must respond within a reasonable period, which the OAIC treats as 30 days as a rule of thumb.
  • If you believe your privacy has been breached, complain to the organisation first. If unresolved after 30 days, lodge a complaint with the OAIC at oaic.gov.au. Do this within 12 months of becoming aware of the problem, as the OAIC can decline older complaints.
  • If you receive a data breach notification, follow the recommended steps to protect yourself (change passwords, monitor accounts).

What should you NOT do?

  • Don’t assume every business is covered — most small businesses (under $3 million turnover) are exempt unless they handle health information or meet other criteria.
  • Don’t ignore data breach notifications — act quickly to protect your accounts and identity.
  • Don’t confuse privacy with defamation — the Privacy Act protects your data, not your reputation.

Western Australia Law

How Western Australia differs from federal law

Western Australia does not have a comprehensive state privacy act. WA residents rely on the federal Privacy Act 1988 (Cth) to protect their personal information held by private-sector organisations and Commonwealth agencies.

  • WA Government agencies are not covered by the federal Privacy Act. They operate under administrative policies rather than binding privacy legislation. If you want to see what a WA agency holds about you, use the Freedom of Information Act 1992 (WA) to request access to documents; the Information Commissioner WA (oic.wa.gov.au) handles complaints about FOI decisions and delays. If a WA agency has mishandled your personal information, complain to the agency itself first and then to Ombudsman WA, which investigates administrative conduct of state public authorities.
  • The Surveillance Devices Act 1998 (WA) prohibits the installation or use of listening devices, optical surveillance devices, and tracking devices without consent. If you believe you have been illegally surveilled, you can report this to WA Police.
  • For private-sector organisations mishandling your personal data, lodge a complaint with the Office of the Australian Information Commissioner (OAIC) (oaic.gov.au or 1300 363 992) under the federal Privacy Act.
  • WA Parliament passed the Privacy and Responsible Information Sharing Act 2024 (WA) in late 2024, which will impose binding privacy principles on WA public entities, but its privacy provisions commence in stages by proclamation and were not yet operating as of 2025. Until then, federal remedies under the Privacy Act are your primary avenue for private-sector complaints, and WA agencies remain outside any binding privacy regime.

Additional Steps in Western Australia

For private-sector privacy complaints, contact the OAIC (oaic.gov.au or 1300 363 992). For WA Government agency complaints, submit an FOI request or complain to the Information Commissioner WA (oic.wa.gov.au). For suspected illegal surveillance, report to WA Police.

Relevant Law: Privacy Act 1988 (Cth); Freedom of Information Act 1992 (WA); Surveillance Devices Act 1998 (WA)
