Privacy Act Obligations
for Australian Businesses
The Privacy Act 1988 (Cth) imposes ongoing legal obligations on most Australian businesses. Understanding these obligations — and maintaining evidence that you meet them — is critical to avoiding OAIC enforcement action.
Need help meeting your Privacy Act obligations?
A Privacy Advisor can map your current practices to each obligation and build the evidence you need to demonstrate compliance.
Talk to a Privacy Advisor
Who has Privacy Act obligations?
The Privacy Act applies broadly. The following categories of organisation have Privacy Act obligations:
- Businesses with annual turnover over $3 million
- Health service providers (regardless of turnover)
- Credit providers and credit reporting bodies
- Businesses that trade in personal information
- Businesses related to a body corporate that is already covered
- Federal government agencies
- Contracted service providers to the Australian Government
Even if your business is not legally required to comply, OAIC guidance recommends voluntary compliance as good business practice. Many contracts, tenders, and enterprise clients require Privacy Act compliance regardless of turnover.
Core Privacy Act obligations
Your obligations under the Privacy Act are structured around the 13 Australian Privacy Principles (APPs). The following are the key ongoing obligations most businesses must manage:
Maintain an open and transparent privacy policy
Your privacy policy must be freely available, current, and describe how you manage personal information. It must be aligned to the APPs and include complaint procedures.
Limit collection to what is reasonably necessary
Only collect personal information that is reasonably necessary for your functions. Have processes for handling unsolicited personal information that does not meet this test.
Notify individuals at the point of collection
Provide a collection notice (or make it readily available) at or before the time of collection, covering: who you are, why you are collecting, who you share it with, and how individuals can access it.
Use and disclose for the primary purpose
Use personal information only for the primary purpose of collection, or for a related secondary purpose the individual would reasonably expect. Direct marketing has additional consent requirements under APP 7.
Manage cross-border disclosures
Before sharing personal information with overseas recipients, take reasonable steps to ensure APP-equivalent protection. You remain accountable for how overseas recipients handle the data.
Secure personal information
Take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure. Destroy or de-identify when no longer needed.
Respond to access and correction requests
Individuals have the right to access their personal information and request corrections. Have documented procedures and respond within required timeframes.
Notify eligible data breaches promptly
Assess any suspected breach within 30 days of becoming aware of it. If the breach is likely to result in serious harm to any affected individual, notify the OAIC and those individuals as soon as practicable. Failure to notify is itself an interference with privacy under the Act.
Notifiable Data Breaches (NDB) obligations
The NDB scheme creates a specific set of time-sensitive obligations when a data breach occurs. These obligations apply independently of the other APPs.
Take immediate steps to contain the breach, then assess whether it is an "eligible data breach": one likely to result in serious harm to any affected individual that remedial action has not prevented. The assessment must be completed within 30 days of becoming aware of the suspected breach.
If the breach is eligible, prepare a statement for the OAIC and notify affected individuals as soon as practicable. The 30-day limit applies to the assessment; there is no separate 30-day notification window once you have concluded the breach is eligible.
The statement must give your identity and contact details, describe the breach and the kinds of information involved, and recommend steps individuals should take in response.
Maintain a complete breach record including the assessment, notification, and remediation steps. This is evidence of your compliance with the NDB scheme.
Privacy Impact Assessment obligations
Privacy Impact Assessments (PIAs) are mandatory for Australian Government agencies for all high privacy risk projects under the Australian Government Agencies Privacy Code. For other businesses, PIAs are best practice and increasingly expected by enterprise clients and regulators.
OAIC guidance recommends conducting a PIA when your business:
- Introduces a new system, application, or digital product that handles personal information
- Adopts new data sharing arrangements with third parties
- Significantly changes an existing process that involves personal data
- Implements new surveillance, tracking, or profiling capabilities
- Moves personal information to a new cloud service or overseas provider
Evidencing your Privacy Act obligations
Compliance is not just about having the right policies — it is about being able to demonstrate that you meet your obligations. The OAIC expects businesses to maintain records showing:
- When and how privacy policies were updated
- What APP gap assessments found and how gaps were remediated
- How cross-border disclosure decisions were made and documented
- The complete timeline and handling of any data breach incidents
- Human sign-off on key compliance decisions
Privacy Act Shield's Evidence Vault maintains a structured audit trail of every compliance decision, sign-off, and change — ready for OAIC review.
Frequently asked questions
What are my Privacy Act obligations as an Australian business?
Your core obligations include: maintaining an accessible privacy policy, notifying individuals of data collection, limiting collection to necessary information, securing personal data, providing individuals access to their records, and notifying the OAIC of eligible data breaches.
What is the NDB notification obligation?
Under the NDB scheme, you must assess a suspected breach within 30 days of becoming aware of it and, if it is likely to result in serious harm, notify the OAIC and affected individuals as soon as practicable. Failing to notify is itself an interference with privacy under the Privacy Act.
When must I conduct a Privacy Impact Assessment?
PIAs are mandatory for Australian Government agencies for high privacy risk projects. For private businesses, OAIC guidance recommends PIAs before introducing new systems, data types, or third-party integrations that handle personal information.
What are the cross-border disclosure obligations under APP 8?
Before disclosing personal information to an overseas recipient, you must take reasonable steps to ensure APP-equivalent protection. You remain accountable if the overseas recipient mishandles the data.
Meet your Privacy Act obligations with confidence
A Privacy Advisor will map your obligations and build the evidence you need to demonstrate compliance.
Talk to a Privacy Advisor
Privacy Act Shield prepares structured compliance evidence aligned to the APPs. It is not legal advice.