Australian Government - Office of the Australian Information Commissioner

Privacy Act

The Privacy Act 1988 (Privacy Act) regulates how personal information is handled. The Privacy Act defines personal information as:

…information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable.

Common examples are an individual’s name, signature, address, telephone number, date of birth, medical records, bank account details and commentary or opinion about a person.

The Privacy Act includes thirteen Australian Privacy Principles (APPs), which apply to some private sector organisations, as well as most Australian and Norfolk Island Government agencies. These are collectively referred to as ‘APP entities’. The Privacy Act also regulates the privacy component of the consumer credit reporting system, tax file numbers, and health and medical research.

Australian Privacy Principles

The Australian Privacy Principles (APPs), which are contained in schedule 1 of the Privacy Act 1988 (Privacy Act), outline how most Australian and Norfolk Island Government agencies, all private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses (collectively called ‘APP entities’) must handle, use and manage personal information.

Credit Reporting

Part IIIA of the Privacy Act 1988 (Privacy Act) regulates consumer credit reporting in Australia. Part IIIA is supported by the Privacy Regulation 2013 and the Privacy (Credit Reporting) Code 2014 (CR code).

Tax file numbers

Under the Privacy Act 1988, the Australian Information Commissioner has a number of monitoring, advice and assessment related functions regarding the handling of tax file numbers (TFNs).

Health information and medical research

Health information is regarded as one of the most sensitive types of personal information. For this reason, the Privacy Act 1988 (Privacy Act) provides extra protections around its handling. For example, an organisation generally needs an individual's consent before it can collect that individual's health information. In addition, all organisations that provide a health service and hold health information (other than in an employee record) are covered by the Privacy Act, whether or not they are a small business.

Privacy Regulations

The Governor-General may issue regulations under s 100 of the Privacy Act 1988 (Privacy Act).