The Australian Parliament passed the Privacy Act 1988 at the end of 1988, and it commenced in 1989. It gave effect to Australia’s agreement to implement the Organisation for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, as well as to its obligations under Article 17 of the International Covenant on Civil and Political Rights. It set out 11 Information Privacy Principles for how Australian Government agencies must handle personal information.

Expanding coverage of the Privacy Act

1991 – Credit reporting

The Privacy Amendment Act 1990 came into effect on 24 September 1991 to regulate the handling of consumer credit reports by credit reporting bodies and credit providers (Part IIIA of the Privacy Act).

1994 – Australian Capital Territory

ACT Government agencies became bound by a version of the Privacy Act through the Australian Capital Territory Government Service (Consequential Provisions) Act 1994.

2000 – Office of the Privacy Commissioner

The Privacy Amendment (Office of the Privacy Commissioner) Act 2000 established the Office of the Privacy Commissioner and separated the Privacy Commissioner from the Human Rights and Equal Opportunity Commission on 1 July 2000.

2001 – Private sector

In December 2000, the Privacy Amendment (Private Sector) Act 2000 extended coverage of the Privacy Act to some private sector organisations. The amendments commenced on 21 December 2001. These amendments introduced 10 National Privacy Principles into the Privacy Act, which set standards for private sector organisations when they collect, use and disclose, hold secure, give access to, and correct personal information.

2010 – The Office of the Australian Information Commissioner

The Australian Information Commissioner Act 2010 established the Office of the Australian Information Commissioner (OAIC) on 1 November 2010. The former Office of the Privacy Commissioner was integrated into the OAIC on 1 November 2010. The OAIC is headed by the Australian Information Commissioner, who is supported by two other statutory officers: the Freedom of Information Commissioner and the Privacy Commissioner. For more information about the OAIC, see Our Executive.

2011 – Norfolk Island

On 1 January 2011, the Privacy Act was extended to Norfolk Island Government agencies by the Territories Law Reform Act 2010.

2014 – Major privacy reforms

The Privacy Amendment (Enhancing Privacy Protection) Act 2012, which commenced on 12 March 2014, introduced many significant changes to the Privacy Act, including:

  • the Australian Privacy Principles (APPs), which regulate the handling of personal information by Australian and Norfolk Island Government agencies and some private sector organisations (they replaced the Information Privacy Principles and National Privacy Principles)
  • a new Part IIIA of the Privacy Act, which allows for more comprehensive credit reporting
  • a new requirement for a credit provider to be a member of an external dispute resolution scheme (EDR scheme) recognised under the Privacy Act to be able to participate in the credit reporting system
  • new laws on codes of practice about information privacy (APP codes) and a code of practice for credit reporting (the CR code); and enabling the Information Commissioner to develop and register binding codes that are in the public interest
  • new enforcement powers for the Information Commissioner.

2014 – ACT privacy reforms

The Information Privacy Act 2014 (ACT), which commenced on 1 September 2014, introduced new privacy laws for Australian Capital Territory public sector agencies. The Information Privacy Act introduced the Territory Privacy Principles, which set out standards for handling personal information. They’re similar to the APPs. For more information about this change, see Privacy in the ACT.

2018 – The Notifiable Data Breaches scheme

The Privacy Amendment (Notifiable Data Breaches) Act 2017 established the Notifiable Data Breaches scheme for all organisations and agencies with existing personal information security obligations under the Privacy Act.

2022 – Targeted enforcement and other changes

The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, which commenced on 13 December 2022, introduced targeted measures to enhance the OAIC’s ability to regulate in line with community expectations and protect Australians’ privacy in the digital environment.

Other additions to our privacy functions

1990 – Spent convictions

The Privacy Commissioner was given compliance and advisory functions for spent conviction information when Part VIIC of the Crimes Act 1914 came into effect on 30 June 1990. Part VIIC deals with the collection, use and disclosure of old conviction information. For more information see Criminal Records.

1990 – Tax file number data matching

The Data-matching Program (Assistance and Tax) Act 1990, and guidelines made under that Act, gave the Privacy Commissioner oversight and compliance functions for how the Australian Taxation Office and certain other agencies use tax file numbers to compare personal information to detect incorrect payments. For more information see Government Data Matching.

1991 – Medicare and pharmaceutical benefits schemes

The Privacy Commissioner got additional functions under amendments to the National Health Act 1953 about guidelines to safeguard personal information given in the Medicare and Pharmaceutical Benefits schemes.

1997 – Telecommunications

The Privacy Commissioner was given monitoring, advisory and compliance functions for the privacy of personal information held by telecommunications carriers, carriage service providers and others following the introduction of the Telecommunications Act 1997 and amendments to the Telecommunications (Interception and Access) Act 1979. For more information see Telecommunications.

2006 – Anti-money laundering and counter terrorism

The introduction of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) required the Australian Transaction Reports and Analysis Centre (AUSTRAC), the agency responsible for ensuring compliance with the AML/CTF Act, to consult the Privacy Commissioner on matters relating to the privacy of individuals. For more information see Anti-Money Laundering.

2010 – Healthcare identifiers

The Privacy Commissioner was given oversight and compliance functions with the introduction of the Healthcare Identifiers Act 2010, including the investigation of complaints about the mishandling of healthcare identifiers.

2012 – Personal Property Securities Register

The Australian Information Commissioner was given a new compliance function by the Personal Property Securities Act 2009 for personal information in the Personal Property Securities Register (which commenced in 2012).

2012 – Electronic health records

A new function and, importantly, new powers were conferred on the Australian Information Commissioner by the Personally Controlled Electronic Health Records Act 2012. For more information see My Health Records.