Complete Privacy Act Compliance Guide for Australian SMEs
The Privacy Act 1988 (Cth) applies to most Australian organisations that handle personal information. This guide explains the Australian Privacy Principles (APPs), breach notification requirements, privacy policies, Privacy Impact Assessments (PIAs), and how to prepare for OAIC investigations.
The Privacy Act 1988: Your Legal Obligations
If your organisation handles personal information — such as customer details, employee records, online identifiers, or health information — you may be required to comply with the Privacy Act 1988 (Cth). The OAIC (Office of the Australian Information Commissioner) enforces the Act and can investigate complaints or initiate audits. For a full breakdown of who must comply, see our Privacy Act obligations guide.
Consequences of non‑compliance include:
- Civil penalties up to $50 million for serious or repeated breaches
- Compensation claims from affected individuals
- Reputational damage and customer loss
- Mandatory breach notification and remediation costs
The 13 Australian Privacy Principles (APPs)
The APPs outline how personal information must be collected, used, disclosed, secured, accessed, and corrected. They form the core of your Privacy Act obligations. For a practical breakdown of each principle, see our Privacy Act compliance guide.
To streamline compliance, consider using privacy compliance software to automate gap assessments and policy generation.
- APP 1 — Open and transparent management of personal information
- APP 5 — Notification of collection of personal information
- APP 6 — Use and disclosure of personal information
- APP 11 — Security of personal information
- APP 13 — Correction of personal information
Creating Your Privacy Policy
Every organisation covered by the Privacy Act must maintain an up‑to‑date privacy policy that clearly explains how personal information is collected, used, disclosed, stored, and corrected. The policy must be easy for individuals to access. Learn more about your legal obligations in our Privacy Act obligations guide.
- Explain what personal information you collect and why
- Describe how information is stored and secured
- Detail how individuals can access or correct their information
- Include contact details for privacy enquiries
- Address overseas disclosure and direct marketing practices
To simplify this process, use our Privacy Policy Generator for Australia.
Privacy Act Shield includes an AI‑assisted privacy policy generator aligned to the APPs and OAIC guidance.
Notifiable Data Breach Scheme (NDB)
The NDB scheme requires organisations to notify affected individuals and the OAIC when a data breach is likely to result in serious harm. Notification must occur as soon as practicable. For a full explanation of breach obligations, see our Privacy Act obligations guide.
- Assess suspected breaches within 30 days
- Determine whether serious harm is likely
- Notify affected individuals promptly
- Submit an OAIC breach notification statement
- Maintain internal breach assessment records
Privacy Impact Assessments (PIAs)
A Privacy Impact Assessment evaluates how a new project, system, or data flow may affect personal information. PIAs are recommended by the OAIC and required in many government and enterprise contexts. Learn how PIAs fit into your broader compliance duties in our Privacy Act compliance guide.
- Identify privacy risks early
- Assess APP compliance impacts
- Document mitigation strategies
- Demonstrate due diligence to regulators and clients
Automate Your Privacy Act Compliance
Privacy Act Shield generates privacy policies, APP gap assessments, and NDB workflows. Try free for 14 days. You can also review your Privacy Act obligations before you begin.
Start for free