Your Rights Under the Privacy Act 1988 (Cth) — Australia

Source: Privacy Act 1988 (Cth); Australian Privacy Principles (APPs); OAIC; Notifiable Data Breaches scheme (Part IIIC, in force February 2018).

Sourced from Commonwealth Acts of Parliament, federal regulations, and official government guidance. State-level information reflects each state's own Acts and court decisions. Written in plain language for general understanding; this is educational content, not legal advice.

Australian Federal Law

What is this right?

Australia's data-protection framework is the Privacy Act 1988 (Cth) together with the 13 Australian Privacy Principles (APPs) in Schedule 1 of the Act. The principles most relevant to individuals are APP 12 (access to your personal information), APP 13 (correction), APP 11 (security, including destroying or de-identifying information that is no longer needed), APP 8 (cross-border disclosure), APP 7 (direct marketing) and APP 6 (use or disclosure). The regulator is the Office of the Australian Information Commissioner (OAIC). The Notifiable Data Breaches scheme (Part IIIC) has required notification of eligible data breaches since February 2018. Since the December 2022 enforcement reforms, the maximum civil penalty for a serious or repeated interference with privacy is the greater of AUD 50 million, three times the benefit obtained from the conduct, or 30% of adjusted turnover during the breach turnover period.

When does it apply?

  • An APP entity refuses to give you access to your personal information (APP 12) or to correct it (APP 13). Note that the APPs give no general right to have information deleted; the closest obligation is APP 11.2, which requires an entity to destroy or de-identify personal information it no longer needs for a permitted purpose.
  • An eligible data breach has occurred and notification is required (or was not made when it should have been).
  • Personal information is disclosed to an overseas recipient without the protections APP 8 requires.
  • Direct marketing is sent without a simple means to opt out (APP 7).

Using Your Rights Under the Privacy Act

  1. Send a written access request under APP 12 (or a correction request under APP 13) to the APP entity that holds your information. An agency must respond within 30 days; an organisation must respond within a reasonable period, and the OAIC treats 30 days as the benchmark.
  2. If unsatisfied, complain to the OAIC at oaic.gov.au. Complaints are free. The OAIC generally expects you to have complained to the entity first, and it can conciliate or make a formal determination.
  3. For compensation, an OAIC determination under s 52 can include an award of damages for loss or injury, including injury to feelings. Civil litigation may also be possible.

What should you NOT do?

  • Don't skip the entity's internal complaint channel; the OAIC will usually decline to investigate until you have raised the matter with the entity and given it a reasonable time (about 30 days) to respond.
  • Don't provide more identifying information than is needed to locate your record. An entity may ask you to verify your identity, but it should not collect extra personal information as the price of exercising a right.

Common Questions

Does the Privacy Act apply to small business?

The Privacy Act 1988 (Cth) exempts most small businesses, meaning organisations with annual turnover of AUD 3 million or less (the small-business exemption). Some categories are covered regardless of size: health-service providers, businesses that trade in personal information, contracted service providers under Commonwealth contracts, and a few others. The Privacy Act reform agenda has been considering removing the small-business exemption.

What is the small-business exemption status?

The small-business exemption has been controversial and is under active review. The Privacy Act Review Report (released February 2023) recommended removing it, but the first tranche of reforms enacted in late 2024 left it in place. A statutory tort for serious invasions of privacy was enacted in the Privacy and Other Legislation Amendment Act 2024, passed in late 2024, with the tort itself commencing in mid-2025. Confirm the current state of play with the OAIC before relying on the exemption.

What's the data-breach notification timeline?

Under Part IIIC, an entity that suspects an eligible data breach has up to 30 days to carry out a reasonable and expeditious assessment. Once it has reasonable grounds to believe an eligible data breach has occurred, it must prepare a statement for the OAIC and notify affected individuals as soon as practicable; the 30-day limit applies to the assessment, not as a grace period for notification. An eligible data breach is unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm to any individual, where remedial action has not removed that likelihood of harm.
