Australia Privacy Act 1988 Guide

The Australia Privacy Act 1988 is a privacy law that was enacted to protect the personal information and privacy rights of Australians online. This law requires certain websites to have a Privacy Policy that makes specific disclosures and provides Australians with privacy rights that website operators must respect. In this guide, we will discuss the following as it relates to this Australian privacy law:

  • Who this privacy law applies to;
  • How it defines personal information;
  • The rights that this law provides to consumers;
  • What a Privacy Policy needs to include to be compliant; and
  • The penalties for non-compliance.

Who does the Australia Privacy Act 1988 apply to?

While most privacy laws are very broad in the sense that they apply to businesses outside of the state or country in which they were enacted, the Australia Privacy Act 1988 is definitely a notable exception to this rule. This privacy law applies to Australian organizations with an annual turnover of more than AUD $3,000,000. The law defines “organization” as:

  • An individual, including a sole trader (acting in a commercial capacity);
  • A body corporate;
  • A partnership;
  • Any other unincorporated association; or
  • A trust.

While this privacy law primarily applies to medium and large businesses due to the revenue requirement, it is important to note that there are a few exceptions which require small businesses to comply as well. The following small businesses need to comply with this privacy law even if their annual turnover is AUD $3,000,000 or less:

  • A private-sector health care provider – an organization that provides a health service and includes:
    • A traditional health care provider (hospital, medical practitioner, or pharmacy);
    • A complementary therapist, such as a naturopath or a chiropractor;
    • A gym or weight loss clinic;
    • A childcare center, a private school, or a tertiary educational institution.
  • A business that sells or purchases personal information;
  • A credit reporting body;
  • A contracted service provider for an Australian Government contract;
  • An employee association registered or recognized under the Fair Work (Registered Organisations) Act 2009;
  • A business that has opted in to the Privacy Act 1988;
  • A business that is related to a business that is covered by this privacy law;
  • A business prescribed by the Privacy Regulation 2013.

The Australia privacy law requires the above businesses to have a Privacy Policy on their website that makes very specific disclosures on how the business collects, uses and shares personal information.

How does this law define personal information?

The Australia Privacy Act 1988 states that the definition of personal information includes a broad range of information that could be used to identify someone. The law provides the following examples of personal information:

  • An individual’s name, signature, address, phone number or date of birth;
  • Sensitive information such as racial or ethnic origin, political opinions and associations, religious or philosophical beliefs or criminal record;
  • Credit information;
  • Employee record information;
  • Photographs;
  • Internet protocol (IP) addresses;
  • Voice print and facial recognition biometrics;
  • Location information from a mobile device.

If you are collecting any of the personal information stated above, and are an Australian company, you need to honor the privacy rights given to consumers under this law.

The consumer rights provided under the Australia Privacy Act 1988

Privacy laws often provide consumers with certain rights when it comes to the collection, use and disclosure of their personal information by businesses. This privacy law provides the following privacy rights to Australians:

  • Know why their personal information is being collected, how it will be used and who it will be disclosed to;
  • Have the option of not identifying themselves, or of using a pseudonym, in certain circumstances;
  • Ask for access to their personal information;
  • Stop receiving unwanted direct marketing;
  • Ask for their personal information that is incorrect to be corrected;
  • Make a complaint about an organization or agency the Privacy Act covers, if the consumer thinks that the organization or agency mishandled the consumer’s personal information.

To honor these rights, websites need to have a Privacy Policy that makes the disclosures required to support them.

Privacy Policy requirements

The Australia Privacy Act 1988 requires that an organization’s Privacy Policy include the following disclosures:

  • Your name and details;
  • What kinds of personal information you collect and store;
  • How you collect the personal information and where it is stored;
  • The reasons why you need to collect the personal information;
  • How you will use and disclose the personal information;
  • How a consumer can access their personal information or ask for a correction;
  • How to lodge a complaint if a consumer believes that their personal information has been mishandled and how you will handle that complaint;
  • If you are likely to disclose the consumer’s personal information outside of Australia and, if practical, which countries you are likely to disclose it to.

You also need to periodically review your Privacy Policy to ensure that it is accurate and update your Privacy Policy when your practices change.

Penalties for non-compliance

The Australia Privacy Act 1988 can impose penalties of up to AUD $2,100,000 for serious or repeated breaches of privacy.

The Australia Privacy Act 1988 protects the privacy rights of Australians by requiring certain websites to have Privacy Policies that make specific disclosures. Use Termageddon’s Privacy Policy generator to get your Australia privacy law-ready Privacy Policy today. Curious about what other privacy laws apply to your website? Check out our blog post on what laws require websites to have a Privacy Policy.