Publication date: 2 September 2021

The Office of the Australian Information Commissioner and state and territory privacy commissioners and ombudsmen have produced the following universal privacy principles to support a nationally consistent approach to solutions and initiatives designed to address the ongoing risks related to the COVID-19 pandemic.

These high-level principles provide a framework to guide a best practice approach to the handling of personal information during the pandemic by government and business.

Policymakers enacting laws or rules or developing technological solutions that involve the handling of personal information should have regard to these principles to ensure that a privacy-by-design approach is built into the COVID-19 response to help maintain public trust.

Data minimisation

The collection of personal information, including sensitive information such as health information, should always be limited to the minimum information reasonably necessary to achieve a legitimate purpose. This includes considering alternative solutions which achieve the same purpose and do not require personal information to be collected into a record.

Purpose limitation

Information that is required to be collected for a specific purpose related to mitigating the risks of COVID-19 should generally not be used for other purposes. This is particularly important to ensure that Australians can have trust and confidence that their personal information is protected so they can continue to support the public health response to COVID-19.


Reasonable steps must be taken to protect Australians’ personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. In line with community expectations, personal information should be stored in Australia.


Personal information should be destroyed once it is no longer needed for the purpose for which it was collected. The Australian community expects that the information they provide to support the COVID-19 public health response will not be retained indefinitely and should be deleted as soon as it is no longer needed.

Regulation under privacy law

Australians’ personal information should be protected by an enforceable privacy law to ensure that individuals have redress if their information is mishandled, either the Privacy Act 1988 (Cth)[1] or a state or territory privacy law. This extends rights and protections to all Australians where their information is being shared for public health purposes.


Angelene Falk
Australian Information Commissioner and Privacy Commissioner

Samantha Gavel
Privacy Commissioner, New South Wales

Sven Bluemmel
Information Commissioner, Victoria

Rachael Rangihaeata
Information Commissioner, Queensland

Philip Green
Privacy Commissioner, Queensland

Simon Froude
Director, State Records, Privacy Committee of South Australia

Richard Connock
Ombudsman, Tasmania

Peter Shoyer
Information Commissioner, Northern Territory


[1] Businesses that are not covered by the Privacy Act can opt in to coverage (s6EA). States which do not have enforceable privacy laws may choose to opt in to coverage of the Privacy Act (s6F) by requesting to be prescribed by the Regulations. This would extend rights and protections to residents of other states and territories where their information is being shared with a state which does not have standalone privacy laws in place. If a business opts in to coverage of the Privacy Act, that business may revoke such a choice under subsection 33(3) of the Acts Interpretation Act 1901. Similarly, if a state authority has been prescribed under section 6F, that state authority may be unprescribed under subsection 33(3) of the Acts Interpretation Act. Information on how to opt in to coverage of the Privacy Act can be found on the OAIC website.