Skip to main content
Skip to secondary navigation
Australian Government - Office of the Australian Information Commissioner - Home

Australian Capital Territory Privacy

The Information Privacy Act 2014 (ACT) regulates how personal information is handled by ACT public sector agencies. This Act includes a set of Territory Privacy Principles, which cover the collection, use, storage and disclosure of personal information, and an individual’s access to and correction of that information.

The Information Privacy Act commenced on 1 September 2014 and replaces the Privacy Act 1998 (Cth) as in force on 1 July 1994 (and as modified by the Australian Capital Territory Government Service (Consequential Provisions) Act 1994 (Cth), which previously applied to ACT public sector agencies.  More information on the Information Privacy Principles that applied before 1 September 2014 can be found at Information Privacy Principles.

What is the role of the OAIC?

Under an arrangement between the ACT Government and the Australian Government, the Australian Information Commissioner is exercising some of the functions of the ACT Information Privacy Commissioner. These responsibilities include handling privacy complaints against, and receiving data breach notifications from, ACT public sector agencies, and conducting assessments of ACT public sector agencies’ compliance with the Information Privacy Act.

Back to Contents

Rights and responsibilities under the Information Privacy Act

Who has rights under the Information Privacy Act?

As an individual, the Information Privacy Act 2014 (ACT) gives you greater control over the way that your personal information is handled. Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable.

The Information Privacy Act allows individuals to:

  • know why your personal information is being collected, how it will be used and who it will be disclosed to
  • have the option of not identifying yourself, or of using a pseudonym, in certain circumstances
  • ask for access to your personal information
  • ask for your personal information that is incorrect to be corrected
  • make a complaint about an agency or contractor covered by the Information Privacy Act, if you consider that they have mishandled your personal information.

Who has responsibilities under the Information Privacy Act?

The Information Privacy Act applies to ACT public sector agencies. This includes:

  • Ministers (in their administrative capacities)
  • administrative units
  • statutory office-holders and their staff
  • territory authorities
  • territory instrumentalities
  • territory-owned corporations
  • ACT courts (in their administrative capacities)
  • any entity prescribed by regulation.

The Act also applies to some businesses who are contracted service providers (including subcontractors) for an ACT Government contract and are performing obligations under that contract.

What is not covered by the Information Privacy Act?

The Information Privacy Act does not cover:

Back to Contents

Territory Privacy Principles

The Information Privacy Act 2014 (ACT) includes a set of Territory Privacy Principles (TPPs). The TPPs set out standards, rights and obligations for the collection, use, disclosure, storage, accessing and correction of personal information (including sensitive information).

The TPPs are principles-based rather than prescriptive. Each ACT public sector agency needs to apply the principles to its own situation. The principles cover:

  • the open and transparent management of personal information including having a privacy policy (TPP 1)
  • an individual having the option of transacting anonymously or using a pseudonym where practicable (TPP 2)
  • the collection of solicited personal information and receipt of unsolicited personal information including giving notice about collection (TPPs 3, 4 and 5)
  • how personal information can be used and disclosed (including disclosure overseas) (TPPs 6 and 8)
  • maintaining the quality of personal information (TPP 10)
  • keeping personal information secure (TPP 11)
  • rights for individuals to access and correct their personal information (TPPs 12 and 13)

For more detail, see the full text of the TPPs or the TPPs quick reference tool.

TPPs and the Australian Privacy Principles

The TPPs are similar to the Australian Privacy Principles (APPs) in Schedule 1 of the Privacy Act 1988 (Cth) that apply to most Australian Government (and Norfolk Island Government) agencies and some private sector organisations.

Some of the APPs are not relevant to the handling of personal information by ACT public sector agencies and have not been included in the TPPs. For example, APP 7, which deals with the use and disclosure of personal information for the purpose of direct marketing, and APP 9, which regulates the adoption, use and disclosure of government related identifiers are not included.   

The TPPs also contain some minor textual differences to the APPs, but these do not change the meaning of the principle. For example, the phrase ‘the entity must take such steps (if any) as are reasonable in the circumstances’ is used in the APPs while a similar phrase, ‘the agency must take reasonable steps’, is used in the TPPs.[1] While expressed differently, both provisions could be satisfied by taking no steps if that is reasonable in the particular circumstances.

For more information about the APPs see the APP quick reference tool and the full text of the APPs. Additional information on complying with the APPs can be found in the APP guidelines.

Back to Contents

How to make a complaint

Individuals can make a complaint to the Office of the Australian Information Commissioner (OAIC) about the handling of their own personal information by ACT public sector agencies. Where an individual’s complaint is upheld, the OAIC is required to notify the individual that they can apply to a court for a remedy.

For more information about how you can make a privacy complaint to the OAIC, what you can complain about, who you can complain about, possible outcomes and what you should include with your complaint, see Making a complaint. You may also wish to review Privacy Fact sheet 43: Making a complaint against an ACT agency.

Health records held by ACT Government agencies (including public hospitals) are covered by the Health Records (Privacy and Access) Act 1997 (ACT). The ACT Human Rights Commission handles health record privacy complaints.

Back to Contents

Application of the Notifiable Data Breaches scheme to ACT public sector agencies

The Notifiable Data Breaches (NDB) scheme commenced on 22 February 2018, introducing a requirement to notify individuals likely to be at risk of serious harm from a data breach. The OAIC must also be notified.

The NDB scheme applies to entities with existing information security obligations under the Privacy Act 1988 (Cth). Relevantly, the scheme applies to file number recipients that hold tax file number (TFN) information.

ACT public sector agencies hold TFN information for a number of reasons, but most commonly, for their employment and payroll functions.

If an ACT public sector agency experiences an eligible data breach involving TFN information, it must notify affected individuals and the OAIC. However, ACT public sector agencies are not required to notify data breaches that affect other types of personal information they hold.

The OAIC has published a suite of resources about the NDB scheme at, including guidance about the application of the scheme to file number recipients.  

Back to Contents

ACT privacy resources

The ACT Justice and Community Safety Directorate has established a Privacy Clearinghouse. The Privacy Clearinghouse provides a first point of contact for ACT public sector agencies and staff to access privacy advice, resources and training. To contact the Privacy Clearinghouse email

If an ACT public sector agency has queries about the operation of the Information Privacy Act, those queries should be directed to the Privacy Clearinghouse first, rather than the OAIC. The Clearinghouse will forward questions to the OAIC where appropriate.

The OAIC has also developed a range of privacy resources for the general public and ACT public sector agencies in relation to the Information Privacy Act.

In addition, the OAIC has developed a range of privacy resources to provide information and advice to the general public, private sector organisations and Australian Government agencies in relation to the Australian Privacy Principles (APPs). The obligations for Australian Government agencies under the APPs are substantially similar to those of ACT public sector agencies under the TPPs and the materials may be usefully referred to.

Key resources for agencies

The resources should be read with reference to the full text of the TPPs and are not a substitute for legal advice.

Back to Contents


[1] These phrases can be found in both APPs and TPPs 5.1, 10.1, 10.2, 12.5, 13.1, 13.2. For a more detailed discussion of ‘reasonable steps’ see Chapter B: Key concepts of the OAIC’s APP guidelines.