Australian Data Protection Laws: An introduction

The Australian Federal Privacy Act 1988 (also known as the Privacy Act) and its Australian Privacy Principles (APPs) were introduced in an effort to guard the privacy of individuals and promote responsible handling of personally identifiable information (PII). The Privacy Act allows individuals to see how their PII is going to be used and who it will be disclosed to. It also gives individuals the right to ask for access to their PII, appeal for corrections to their information and even request to halt direct marketing.

Australian data protection resembles other compliance regimes in many ways, but there are a few key points to note. The Privacy Act has a broad definition of consent, which distinguishes it from other compliance laws such as the GDPR. The Privacy Act refers to two types of consent - “express” and “implied” consent. Moreover, the Privacy Act applies beyond businesses. Individuals, partnerships, unincorporated associations, non-profit organizations, and trusts may also be held accountable for abiding by the Act and its principles.

Furthermore, the Office of the Australian Information Commissioner (OAIC) can proactively investigate companies to check whether they are compliant, rather than waiting for complaints to guide action.

Most Australian states and territories also have their own data protection legislation applicable to them, including:

  • Information Privacy Act 2014 (Australian Capital Territory)
  • Information Act 2002 (Northern Territory)
  • Privacy and Personal Information Protection Act 1998 (New South Wales)
  • Information Privacy Act 2009 (Queensland)
  • Personal Information Protection Act 2004 (Tasmania), and
  • Privacy and Data Protection Act 2014 (Victoria)

Who is subject to Australian Data Protection Laws?

The Privacy Act and the APPs apply to private sector entities with an annual revenue of at least $3 million AUD, and to all Commonwealth Government and Australian Capital Territory Government agencies. They may also apply to small businesses (annual revenue under $3 million AUD) such as, but not limited to, private-sector health service providers, businesses that trade in PII, and credit reporting bodies.

Additionally, Australian data privacy laws apply to registered political parties and to state/territory authorities or instrumentalities. Generally, the Privacy Act applies to medium to large sized organizations carrying on business in Australia, which includes actively collecting personal information in Australia or from Australian residents, as well as entities that promote an offshore website to Australian residents.

New Australian Data Protection Law: Consumer Data Right (CDR)

The Australian Government is currently implementing the CDR, which came into force in February 2020. This recent law gives consumers the right to see what data has been collected about them and the right to securely share that data with trusted third parties.

The CDR is first being applied to the banking sector. Under the provisions of the CDR, the ‘big four’ Australian banks (Westpac Banking Corporation, Australia and New Zealand Banking Group Limited, National Australia Bank and The Commonwealth Bank of Australia) are obliged to share consumer data amongst themselves and possibly with third parties. Sharing of information is intended to promote data transparency and also to enhance competition and innovation among service providers.

The CDR is expected to eventually extend beyond the banking sector. It will be applied to the retail energy sector, followed by the telecommunications industry. More industries will be brought under the CDR over time, and small businesses are generally going to be exempt from many of the CDR requirements. In the event of a data breach, the CDR gives organizations 30 days to assess the gravity of the breach before reporting it.

Discover and Protect Australian Data with a PII tool

Compliance with Australian data protection laws begins with knowing where your personal and sensitive data resides. This requires an in-depth discovery process, typically by leveraging a data discovery solution. Once you have a full understanding of what personal and sensitive data your organization is storing, you can start taking steps to protect it and uphold customer trust. Ground Labs Enterprise Recon makes PII scanning efficient and simple by finding and remediating data regardless of where it is stored within your network.

Ready to take your first step in preparing your organization for Australian data protection laws? Discover Ground Labs’ PII tools and solutions by scheduling a demo with a data discovery expert today.