State and territory privacy law

The Office of the Australian Information Commissioner (OAIC) mainly deals with issues that are covered by the Privacy Act 1988. That Act regulates the handling of personal information by Australian Government agencies (and the Norfolk Island Administration), and some private sector organisations. For more information: About privacy.

For information on privacy regulation in the states and territories, please refer to the appropriate links below. You may contact the OAIC Enquiries line if you have further questions about what aspects of privacy are dealt with by the OAIC.

Australian Capital Territory

The Information Privacy Act 2014 (ACT) (which commenced on 1 September 2014) regulates the handling of personal information by ACT public sector agencies.

The Office of the Australian Information Commissioner is exercising some of the functions of the ACT Information Privacy Commissioner. These responsibilities include handling privacy complaints against, and receiving data breach notifications from, ACT public sector agencies, and conducting assessments of ACT public sector agencies’ compliance with the Information Privacy Act. For more detailed information see Australian Capital Territory Privacy.

Health records held by ACT Government agencies (including public hospitals) are covered by the Health Records (Privacy and Access) Act 1997 (ACT). The ACT Human Rights Commission handles health record privacy complaints.

New South Wales

The NSW Information and Privacy Commission undertakes the privacy functions conferred by the Privacy and Personal Information Protection Act 1998 (NSW) and Health Records and Information Privacy Act 2002 (NSW).

Northern Territory

The Office of the Information Commissioner for the Northern Territory is the independent statutory body responsible for overseeing the privacy provisions of the Information Act (NT).


The Queensland Office of the Information Commissioner receives privacy complaints under the Information Privacy Act 2009 (Qld) which covers the Queensland public sector.

South Australia

South Australia has issued an administrative instruction requiring its government agencies to generally comply with a set of Information Privacy Principles and has established a South Australian privacy committee to handle privacy complaints.


The Tasmanian Ombudsman may receive and investigate complaints in relation to the Personal Information and Protection Act 2004 (Tas). This legislation covers the Tasmanian public sector including the University of Tasmania.


The Victorian Commissioner for Privacy and Data Protection is an independent statutory officer established by the Privacy and Data Protection Act 2014 (Vic) (which commenced on 17 September 2014). This legislation covers the handling of all personal information, other than health information, as well as covering protective data security, in the public sector in Victoria.

Health information in the Victorian public sector is covered by the Health Records Act 2001 (Vic) and complaints about the handling of health information can be made to the Victorian Health Services Commissioner.

Western Australia

The state public sector in Western Australia does not currently have a legislative privacy regime. Various confidentiality provisions cover government agencies and some of the privacy principles are provided for in the Freedom of Information Act 1992 (WA) overseen by the Office of the Information Commissioner (WA).

Share this page

Protecting information rights — advancing information policy