Privacy and Personal Data in Western Australia
Reviewed by the Commoner Law Editorial Team. Sourced from Commonwealth Acts of Parliament, federal regulations, and official government guidance. State-level information reflects each state's own Acts and court decisions. Written in plain language for general understanding — this is educational content, not legal advice. Our editorial standards
What is this right?
The Privacy Act 1988 and the 13 Australian Privacy Principles (APPs) govern how organisations handle your personal information:
- Who it covers: Australian Government agencies, private sector organisations with annual turnover over $3 million, and all health service providers, regardless of size. Some small businesses are also covered if they trade in personal information or provide services under a Commonwealth contract.
- Right to know (APP 1 & 5): Organisations must tell you what information they collect, why, and who they share it with through a clear privacy policy.
- Right to access and correct (APP 12 & 13): You can request access to your personal information and ask for corrections if it is wrong.
- Data breach notification: Since February 2018, organisations must notify you and the Office of the Australian Information Commissioner (OAIC) about data breaches that are likely to result in serious harm.
- Penalties: Serious or repeated privacy breaches carry penalties of up to $50 million, three times the benefit obtained, or 30% of adjusted domestic turnover (whichever is greatest).
When does it apply?
- An organisation covered by the Privacy Act collects, uses, or discloses your personal information.
- You want to access or correct personal information an organisation holds about you.
- You believe an organisation has breached your privacy or failed to notify you of a data breach.
- Note: employee records held by a current or former employer are generally exempt from the APPs (except for government agencies).
What to Do If an Australian Organisation Has Misused or Breached Your Personal Data
- Check the organisation’s privacy policy to understand how they handle your data.
- To access or correct your data, make a written request to the organisation. They must respond within 30 days.
- If you believe your privacy has been breached, complain to the organisation first. If unresolved after 30 days, lodge a complaint with the OAIC at oaic.gov.au.
- If you receive a data breach notification, follow the recommended steps to protect yourself (change passwords, monitor accounts).
What should you NOT do?
- Don’t assume every business is covered — most small businesses (under $3 million turnover) are exempt unless they handle health information or meet other criteria.
- Don’t ignore data breach notifications — act quickly to protect your accounts and identity.
- Don’t confuse privacy with defamation — the Privacy Act protects your data, not your reputation.
How Western Australia differs from federal law
Privacy is primarily governed by the federal Privacy Act 1988 (Cth). WA does not have comprehensive state privacy legislation — it is one of the few states without a dedicated information privacy act.
- WA does not have a state equivalent of Victoria's Information Privacy Act or Queensland's Information Privacy Act. Instead, WA Government agencies handle personal information under administrative policies and guidelines rather than specific legislation.
- The Freedom of Information Act 1992 (WA) gives Western Australians the right to access documents held by WA Government agencies, with a right of review by the Information Commissioner WA.
- The Surveillance Devices Act 1998 (WA) regulates the use of listening devices, optical surveillance devices, and tracking devices in WA, providing some privacy protections.
- For private-sector privacy issues, the Office of the Australian Information Commissioner (OAIC) handles complaints under the federal Privacy Act.
- There have been ongoing calls for WA to enact comprehensive state privacy legislation, but no bill has been introduced as of 2025.
Additional Steps in Western Australia
For private-sector privacy complaints, contact the OAIC (oaic.gov.au or 1300 363 992). For WA Government FOI requests, apply to the relevant agency, with external review by the Information Commissioner WA (oic.wa.gov.au). For surveillance complaints, contact WA Police or seek legal advice.
Relevant Law: Privacy Act 1988 (Cth); Freedom of Information Act 1992 (WA); Surveillance Devices Act 1998 (WA)
Common Questions
When does privacy and personal data apply?
An organisation covered by the Privacy Act collects, uses, or discloses your personal information.You want to access or correct personal information an organisation holds about you.You believe an organisation has breached your privacy or failed to notify you of a data breach.Note: employee records held by a current or former employer are generally exempt from the APPs (except for government agencies).
What should I do if a company in Australia has mishandled my personal data or suffered a data breach?
Check the organisation’s privacy policy to understand how they handle your data.To access or correct your data, make a written request to the organisation. They must respond within 30 days.If you believe your privacy has been breached, complain to the organisation first. If unresolved after 30 days, lodge a complaint with the OAIC at oaic.gov.au.If you receive a data breach notification, follow the recommended steps to protect yourself (change passwords, monitor accounts).
What mistakes should I avoid with privacy and personal data?
Don’t assume every business is covered — most small businesses (under $3 million turnover) are exempt unless they handle health information or meet other criteria.Don’t ignore data breach notifications — act quickly to protect your accounts and identity.Don’t confuse privacy with defamation — the Privacy Act protects your data, not your reputation.
Privacy and Personal Data in other states
Same topic, different jurisdiction. Pick the one that applies to you.