⚠ Disclaimer: General information only — not legal advice. Consult a qualified lawyer or the relevant government body for advice about your specific situation.

Your Privacy Rights in Australia: What the Privacy Act Covers

Last updated: June 2026

What Is the Privacy Act?

The Privacy Act 1988 (Cth) regulates how Australian government agencies and private organisations handle personal information. It is administered by the Office of the Australian Information Commissioner (OAIC).

The Act contains 13 Australian Privacy Principles (APPs) that govern the collection, use, disclosure, and storage of personal information.

Who Does It Apply To?

The Privacy Act applies to:

  • Australian Government agencies
  • Private sector organisations with an annual turnover of more than $3 million
  • Health service providers (regardless of size)
  • Credit reporting bodies and credit providers

Most small businesses are exempt, but this threshold is under review and may change.

Your Rights Under the APPs

APP 12. Access to your information: You can request access to personal information an organisation holds about you. They must respond within 30 days.

APP 13. Correction: If information is inaccurate, out of date, or misleading, you can request a correction.

APP 6. Use and disclosure: Organisations generally cannot use or disclose your personal information for purposes other than the primary purpose it was collected for, without your consent.

APP 1. Transparency: Organisations must have a clearly expressed privacy policy and tell you what information they collect and why.

Data Breaches: The Notifiable Data Breaches Scheme

If an organisation covered by the Privacy Act suffers an eligible data breach, meaning unauthorised access that is likely to result in serious harm to you, it must:

  1. Notify the OAIC
  2. Notify you directly (if practicable)

You can then take steps to protect yourself, such as changing passwords or alerting your bank.

How to Make a Privacy Complaint

  1. Complain to the organisation first: most covered entities have an internal privacy complaints process
  2. If the complaint is unresolved after 30 days, complain to the OAIC (oaic.gov.au); the process is free and confidential
  3. The OAIC can investigate, conciliate, and make determinations
  4. If a determination is not followed, the matter can be referred to the Federal Court

Health Information

Health information has additional protections. Any health service provider, including small GP practices, must comply with the Privacy Act in relation to your health records.
