    Publication: 27 January 2026 | Jamie Nuich, Legal Practitioner Director | 5 min read

    Privacy Act Compliance for Australian Businesses: APPs, Data Breaches and Penalties

    Summary

    The Privacy Act 1988 imposes obligations on Australian businesses regarding the collection, use, storage and disclosure of personal information. With the Notifiable Data Breaches scheme and increasing OAIC enforcement activity, compliance has never been more important.

    Key Takeaways

    • The Privacy Act 1988 (Cth) imposes obligations on organisations with annual turnover above $3 million (and on certain other entities regardless of turnover) through the 13 Australian Privacy Principles (APPs), covering collection, use, storage, disclosure and destruction of personal information.
    • The Notifiable Data Breaches (NDB) scheme requires organisations to notify affected individuals and the OAIC of eligible data breaches that are likely to result in serious harm, with strict assessment and notification timeframes.
    • Maximum civil penalties for serious or repeated interference with privacy are the greater of $50 million, three times the benefit obtained or 30% of adjusted turnover, following the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022.
    • The Australian Government has proposed removing the small business exemption, which would extend Privacy Act obligations to all businesses regardless of turnover.
    • Businesses must treat personal information as a regulated asset requiring active governance, including privacy impact assessments, data retention policies, breach response plans and staff training on APP obligations.
    In This Article
    1. Who Must Comply with the Privacy Act?
    2. The Australian Privacy Principles (APPs)
    3. The Notifiable Data Breaches Scheme
    4. Penalties for Non-Compliance
    5. Practical Compliance Steps
    6. Conclusion

    The Privacy Act 1988 (Cth) is the primary legislation governing how Australian businesses handle personal information. It establishes the Australian Privacy Principles (APPs), which regulate the collection, use, disclosure, storage and destruction of personal information. With the introduction of the Notifiable Data Breaches (NDB) scheme in 2018, increasing enforcement activity by the Office of the Australian Information Commissioner (OAIC) and proposed reforms that would further expand the scope of the Act, privacy compliance is now a core business obligation. At Astris Law, we advise businesses on Privacy Act compliance, data breach response and APP audit programs.

    Who Must Comply with the Privacy Act?

    The Privacy Act applies to "APP entities" which include:

    • Australian Government agencies
    • Organisations with annual turnover of more than $3 million
    • Private health service providers (regardless of turnover)
    • Organisations that trade in personal information (regardless of turnover)
    • Credit reporting bodies and credit providers
    • Organisations that have opted in to the Privacy Act
    • Certain small businesses that are related to larger entities

    Importantly, the proposed Privacy Act reforms may remove the $3 million turnover exemption entirely, which would bring all Australian businesses within scope. Businesses currently below the threshold should prepare for this change.

    The Australian Privacy Principles (APPs)

    The 13 APPs cover the full lifecycle of personal information. Key principles include:

    APP 1 - Open and Transparent Management

    Organisations must have a clearly expressed and up-to-date privacy policy that describes how personal information is managed, including the types of information collected, how it is held, the purposes of collection and how individuals can access or correct their information.

    APP 3 - Collection of Solicited Personal Information

    Personal information may only be collected where it is reasonably necessary for one or more of the organisation's functions or activities, and it must be collected by lawful and fair means. Sensitive information (including health, genetic, biometric and criminal record information) may generally only be collected with the individual's consent, and even then only where the collection is reasonably necessary for the organisation's functions or activities, subject to limited exceptions (for example, where collection is required or authorised by law).

    APP 6 - Use or Disclosure of Personal Information

    Personal information may only be used or disclosed for the primary purpose for which it was collected, or for a secondary purpose where the individual would reasonably expect such use or disclosure and it is related to the primary purpose (directly related, in the case of sensitive information). Other exceptions include where the individual has consented or where the use or disclosure is required or authorised by law.

    APP 8 - Cross-Border Disclosure

    Before disclosing personal information to an overseas recipient, the disclosing entity must take reasonable steps to ensure the recipient does not breach the APPs in relation to that information, unless an exception applies (for example, where the recipient is bound by a law or binding scheme substantially similar to the APPs that the individual can enforce, or where the individual consents after being expressly informed that the reasonable-steps obligation will not apply). Where the obligation applies and the overseas recipient does an act that would breach the APPs, the disclosing entity is taken to have breached the APPs itself. Storing data with an offshore cloud provider, or giving an offshore processor access to it, will commonly be a disclosure for this purpose.

    APP 11 - Security of Personal Information

    Organisations must take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. What is "reasonable" depends on factors such as the sensitivity and volume of the information and the harm that would follow from a breach, so the same controls will not be adequate for every data set. Information that is no longer needed for any purpose permitted under the APPs (and that is not required to be retained by law) must be destroyed or de-identified.

    The Notifiable Data Breaches Scheme

    Since February 2018, the NDB scheme has required APP entities to notify affected individuals and the OAIC of an "eligible data breach". An eligible data breach occurs when:

    • There is unauthorised access to, unauthorised disclosure of, or loss of personal information held by the entity
    • A reasonable person would conclude that the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates
    • The entity has not been able to prevent the likely risk of serious harm through remedial action taken before the harm occurs

    Where an entity has reasonable grounds to suspect that an eligible data breach may have occurred, it must carry out a reasonable and expeditious assessment, and must complete that assessment within 30 days of becoming aware of those grounds. If the entity concludes (or has reasonable grounds to believe) that there has been an eligible data breach, it must prepare a statement for the OAIC and notify affected or at-risk individuals as soon as practicable. The statement must set out the entity's identity and contact details, a description of the breach, the kinds of information involved and the steps the entity recommends individuals take in response. The 30-day period is an outer limit, not a target: an entity that takes the full 30 days when a shorter assessment was practicable may fall short of the "expeditious" requirement.

    Penalties for Non-Compliance

    The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 significantly increased penalties for serious or repeated interferences with privacy:

    • For bodies corporate: the greater of $50 million, three times the value of any benefit obtained from the contravention or, if that value cannot be determined, 30% of the entity's adjusted turnover during the relevant period
    • For individuals: up to $2.5 million

    These penalties place privacy compliance on a comparable enforcement footing to competition law and financial services regulation. The OAIC also has powers to accept enforceable undertakings, make determinations requiring compensation and seek Federal Court injunctions.

    Practical Compliance Steps

    • Privacy policy: Review and update your privacy policy to ensure it accurately describes your information handling practices and meets APP 1 requirements
    • Data mapping: Understand what personal information your business collects, where it is stored, who can access it, whether it is disclosed overseas and when it is destroyed
    • Consent mechanisms: Review how you collect consent, particularly for sensitive information, direct marketing and cross-border disclosures
    • Data breach response plan: Develop and test a data breach response plan that enables your business to detect, contain and assess a suspected breach and, where required, notify the OAIC and affected individuals within the statutory timeframe; the plan should identify who decides whether a breach is notifiable and how the assessment is documented
    • Third-party contracts: Ensure contracts with service providers (including cloud providers and offshore processors) include appropriate privacy protections and data breach notification obligations, so that a breach at a provider can be assessed within your own 30-day window
    • Staff training: Train employees on privacy obligations, data handling procedures and breach reporting protocols

    Conclusion

    Privacy compliance in Australia is no longer a back-office issue. With penalties now reaching $50 million and the OAIC stepping up enforcement, businesses must treat personal information as a regulated asset requiring active management. The proposed removal of the small business exemption will further expand the reach of the Privacy Act. Astris Law's IP, technology and data practice advises businesses on Privacy Act compliance, APP audits, data breach response and the design of privacy governance frameworks.

    Written by Jamie Nuich, Legal Practitioner Director of Astris Law

    This article is for general information purposes only and does not constitute legal advice. You should seek professional advice tailored to your specific circumstances before acting on any information in this article. Liability limited by a scheme approved under Professional Standards Legislation.