Rights and responsibilities

Last updated: 22 July 2019

On this page

  • What rights an individual has under the Privacy Act
  • The organisations and agencies the Privacy Act covers and those it doesn’t
  • What privacy laws apply to Australian Capital Territory public sector agencies

Who has rights under the Privacy Act?

The Privacy Act regulates the way individuals’ personal information is handled.

As an individual, the Privacy Act gives you greater control over the way that your personal information is handled. The Privacy Act allows you to:

Who has responsibilities under the Privacy Act?

Australian Government agencies (and the Norfolk Island administration) and organisations with an annual turnover of more than $3 million have responsibilities under the Privacy Act, subject to some exceptions.

What is an organisation?

The Privacy Act defines an ‘organisation’ as:

  • an individual, including a sole trader (though generally, the Privacy Act doesn’t apply to an individual acting in a personal capacity)
  • a body corporate
  • a partnership
  • any other unincorporated association, or
  • a trust

unless they’re a small business operator, registered political party, state or territory authority or a prescribed instrumentality of a state.

What small businesses are covered?

The Privacy Act covers some small business operators (organisations with an annual turnover of $3 million or less), including:

  • a private sector health service provider — an organisation that provides a health service includes:
    • a traditional health service provider, such as a private hospital, a day surgery, a medical practitioner, a pharmacist and an allied health professional
    • a complementary therapist, such as a naturopath and a chiropractor
    • a gym or weight loss clinic
    • a child care centre, a private school and a private tertiary educational institution
  • a business that sells or purchases personal information
  • a credit reporting body
  • a contracted service provider for an Australian Government contract
  • an employee association registered or recognised under the Fair Work (Registered Organisations) Act 2009
  • a business that has opted-in to the Privacy Act
  • a business that is related to a business that is covered by the Privacy Act
  • a business prescribed by the Privacy Regulation 2013

Which acts and practices are covered by the Privacy Act?

Particular acts and practices of some other small business operators are covered by the Privacy Act including:

The Privacy Act also covers specified persons handling your:

Who doesn’t have responsibilities under the Privacy Act?

The Privacy Act does not cover:

  • state or territory government agencies, including a state and territory public hospital or health care facility (which is covered under state and territory legislation) except:
    • certain acts and practices related to My Health Records and individual healthcare identifiers
    • an entity prescribed by the Privacy Regulation 2013
  • an individual acting in their own capacity, including your neighbours
  • a university, other than a private university and the Australian National University
  • a public school
  • in some situations, the handling of employee records by an organisation in relation to current and former employment relationships
  • a small business operator, unless an exception applies (see above)
  • a media organisation acting in the course of journalism if the organisation is publicly committed to observing published privacy standards
  • registered political parties and political representatives

Privacy laws applying to ACT public sector agencies

The Information Privacy Act 2014 (ACT) applies to Australian Capital Territory (ACT) public sector agencies.

The Information Privacy Act includes a set of Territory Privacy Principles (TPPs) that cover the collection, use, disclosure, storage, access to, and correction of, personal information. The TPPs are similar to the Australian Privacy Principles.

The Australian Privacy Commissioner is exercising some of the ACT Information Privacy Commissioner’s functions. These responsibilities include investigating privacy complaints about ACT public sector agencies, and receiving data breach notifications from ACT public sector agencies.

For more information about the privacy laws that apply to ACT public sector agencies, see Privacy in the ACT.
