October 30, 2023

Guide to data protection laws and compliance in Australia

Guide to data protection laws and compliance in Australia

The first known Australian data privacy law dates back to 1988 and was called the Federal Privacy Act of 1988. Since then, several states and territories within Australia have developed data protection legislation for their areas. Such legislation includes the Information Privacy Act 2014 (Australian Capital Territory), Privacy and Data Protection Act 2014 (Victoria), Information Privacy Act 2009 (Queensland), etc. 

In November 2022, the Australian Government announced the Privacy Legislation Amendment Act of 2022. Among other things, it sought to increase the penalties for serious offenses, increase the enforcement powers of the Australian Information Commissioner, and provide greater information-sharing powers to relevant agencies.

This article will review Australia’s data protection laws and compliance requirements, as captured in the Privacy Legislation Amendment 2022. 

Data residency requirements in Australia

Data sovereignty and residency regulations in Australia differ based on the nature of the data involved. Regardless of residency, It’s important to adhere to the Australian Privacy Principles (APPs) whenever data is transferred abroad or accessed by individuals overseas. 

In the case of health data, stringent data sovereignty and residency requirements are in place in Australia. Specifically, data related to Health Records and all associated information, including backups, must never be processed, stored, transmitted, or managed outside the country. This ensures the highest level of data protection and privacy for sensitive health information.

Finally, there are extra conditions to meet before a credit provider can share credit eligibility information with offshore recipients who have no operations in Australia. These conditions are fully provided in the policy.

Other data residency requirements by country are reviewed here extensively.

Who needs to comply with personal data protection laws in Australia?

It is essential for organizations and individuals to understand who is required to comply with these data protection laws. Compliance is essential not only to protect individuals’ privacy but also to avoid potential legal consequences. This section will review the individuals and organizations obligated to comply with these laws. They are as follows: 

  • Government agencies

All levels of government in Australia, from federal to local, are subject to data protection laws. They must comply with both the Privacy Act and the Australian Privacy Principles (APPs), which set out standards for handling personal information. 

  • Private organizations

All private organizations with an annual turnover of over $3 million are expected to fully comply with this policy. This, however, does not exempt private organizations with a smaller turnover from being penalized if they defy the laws.

  • Private health organizations

Health service providers, such as hospitals, medical clinics, health insurance providers, and individual healthcare practitioners, have specific obligations under the Privacy Act. They must protect patients’ health information and maintain strict confidentiality. This includes not only medical records but also any personal data collected during the provision of healthcare services.

  • Data processing organizations

Private Organizations that purchase or sell personal information to organizations to use in making business decisions are also required to comply with the provisions of this law.

  • Private contractors 

Private entities that carry out contractual obligations for the government of Australia, including the delivery of services to the citizens of Australia, are also mandated to adhere to these provisions.

  • Residential tenancy database operators

These are companies that provide tenant background check services for property owners. They also maintain a database of tenant information and their rental histories. They must also comply with this data protection law in Australia due to the nature of their business. 

  • Credit providers and credit reporting bodies

Credit reporting bodies play a crucial role in maintaining financial data. These entities collect and provide credit information to credit providers, which significantly impacts an individual’s financial standing. Credit reporting bodies and providers are also regulated by the Privacy Act and are required to manage personal data responsibly.

What Australian data privacy laws do you need to know?

Below are some Australian personal data protection laws you should be aware of:

The Privacy Act 1988

In Australia, data privacy regulation primarily revolves around the Privacy Act of 1988, which underwent significant amendments in 2022. This legislation serves as the foundation of data collection and management policies across the country. Notably, the Privacy Act’s purview extends to various entities, including most government agencies and private sector organizations.

This comprehensive framework establishes crucial standards for safeguarding individuals’ personal data, promoting transparency, and ensuring accountability across a broad spectrum of entities in the country. Its provisions apply to most Australian government agencies, private sector organizations with an annual turnover of over $3 million, and certain small businesses.

Key provisions of the Privacy Act include:

  1. The Australian Privacy Principles (APPs): These are a set of 13 principles that outline the rights and responsibilities of individuals and organizations concerning handling personal information.
  2. Notification of Data Breaches: Under the Notifiable Data Breaches scheme, organizations must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in case of a data breach that is likely to result in serious harm.
  3. Cross-border Data Transfers: Organizations must take reasonable steps to protect personal information when it is transferred to overseas entities.

Other important aspects of the Privacy Act (APPs) should be noted:

  • Data processing notice

The law requires organizations to notify individuals before or at the point of collecting their personal information that their personal data will be collected and what purposes they will be used for. 

  • Data transfers

This policy requires organizations to take reasonable steps to ensure that personal information transferred overseas is protected in a way that is consistent with the Australian Privacy Principles (APPs).

  • Data protection impact assessment

This is an assessment to identify any potential risks to individual data that is being stored or processed by an organization. The Australian data protection law does not mandate all data processing entities to conduct impact assessments; it simply recommends this. However, it is mostly mandatory for government agencies.

  • Data protection officer

Although the policy does not mandate this, it is recommended by the Privacy Commissioner in Australia. This has led many large data processing organizations to hire data privacy officers to ensure privacy compliance.

  • Data breach notification

The policy requires the organization to inform the privacy commissioner and all affected individuals when a data breach occurs.

  • Data retention

Furthermore, this law stipulates that organizations handling personal information must delete it or make it anonymous when they are no longer legally required to store it in its original form. 

  • Data controller and processor rights and responsibilities

The policy makes no distinction between data controllers and data processors. They both have the same main duties and jobs under the Australian Privacy Act. Because there’s no separation between them, there are no specific rules or requirements for agreements between data controllers and data processors in Australia. 

Consequently, it is advised to put things in writing when you work with a third-party service provider, especially if they’re located outside Australia. This written agreement should detail your reasons for sharing these data to ensure they follow the Privacy Act.

Please note that a data controller determines why and how personal data is collected and why the data processor controls the data on behalf of the controller. 

  • Data subject rights

The rights of those whose data is being collected, processed, and stored in Australia are as follows:

  • Right to be informed of the purpose of the data being collected and the type of data collected.
  • Right to access their data anytime.
  • Right to rectify their data anytime.
  • Right to request their personal data to be deleted anytime.
  • Right to object to the use of your data in any way that is unacceptable.
  • Right to data portability.
  • Right not to be subject to automated decision-making, etc.

 These provisions are similar to what is offered by the German data privacy laws

My Health Record Act

Australia has a unique digital health initiative called My Health Record. While it offers various benefits, including easier access to medical information, it raises concerns about data privacy. The My Health Records Act 2012 governs the collection, use, and sharing of health data. Under this act, individuals have control over who can access their health records, and it outlines strict regulations to protect the privacy of healthcare information.

Consumer Data Right (CDR)

The Australian Consumer Data Right (CDR) is a framework designed to enhance consumers’ control over their data and promote competition in various industries, including banking and finance. It allows consumers to securely share their data with trusted service providers, enabling them to access better products and services. The CDR framework includes the following key elements:

  • Data Sharing: Consumers have the right to share their data with accredited service providers, making it easier to switch between different service providers and access personalized services.
  • Accreditation: Service providers must be accredited by the Australian Competition and Consumer Commission (ACCC) to participate in CDR data sharing.
  • Consent: Data sharing can only occur with the explicit consent of the consumer. Consumers have control over what data is shared and for how long.
  • Privacy and Security: Stringent privacy and security standards are in place to protect consumer data and ensure its safe handling.
  • Industry Application: While it initially applied to the banking sector, the CDR framework was planned to expand to other industries, such as energy and telecommunications. 

Defence and Strategic Goods List (DGSL)

The DGSL regulates banking activity and requires each credit provider with an Australian link to be responsible for its breach of credit reporting provisions of Australian privacy laws. Original data and copies of it would be subject to the exact requirements.

Objects listed in the DGSL may not be exported, delivered, published, or brokered from Australia unless either a permit has been given by the Minister for Defence or a legislative exemption applies to the export, supply, publication, or brokering activity.

Spam Act 2003

The Spam Act 2003 addresses unsolicited commercial electronic messages, such as email and SMS marketing. It sets rules for obtaining consent and includes provisions for an “unsubscribe” mechanism in all marketing communications.

State and Territory Privacy Laws

In addition to federal privacy laws, some Australian states and territories have their own privacy laws. For example, Victoria, New South Wales, and the Australian Capital Territory have their regulations. These state and territory laws may apply to a broader range of entities and industries. Therefore, it is essential to consider both federal and local legislation.

Australia data protection law vs GDPR

The data protection law in Australia and the European General Data Protection laws share similarities in almost every aspect, with a few differences. Let’s explore these areas in a comparative table:


AspectAustralia’s Data Protection LawGDPR
ScopeApplies primarily to Australia, its external territories, organizations with a presence in Australia, and external organizations with an Australian link.Applies to all entities processing data of EU residents, regardless of their location.
ConsentRequires organizations to obtain informed consent for data processing. Consent can be withdrawn.Imposes consent requirements also, including the need for explicit consent. Consent can also be withdrawn at any time.
Data subject rightsGrants data subjects have the right to access and correct their personal data.Provides a more extensive set of rights, including data portability, erasure (the right to be forgotten), and the right to object.
Data breach notificationMandates data breach notifications to affected individuals and the Office of the Australian Information Commissioner (OAIC)Requires organizations to report data breaches to both affected individuals and the relevant data protection authority within 72 hours.
Data transfer outside the jurisdictionGenerally allows data transfers abroad under the APPs, subject to certain conditions.Permits data transfers only to countries that provide an adequate level of data protection or with the use of approved safeguards, such as Standard Contractual Clauses (SCCs).
Age of consent for childrenNo specific age for children’s consent; organizations must consider the child’s capacity.Sets the age of consent for data processing at 16, but member states may lower this to a minimum of 13.
Data protection officersDo not mandate the appointment of DPOs. But it’s advisedMandate the appointment of DPOs for certain types of data processing activities.
Penalties for non-compliancePenalties for non-compliance can include fines of up to AUD 10 million or 2% of the entity’s annual turnover, among other remedies.Enforces more significant penalties, with fines of up to 20 million euros or 4% of the global annual turnover, whichever is higher.

Areas of similarities between the GDPR and the Data privacy laws in Australia include data subjects’ rights, consent, objectives, and principles.

Australia’s cross-border data transfer requirements

The following conditions must be met before personal data can be transferred outside the Australian border:

  • The individual or data owners have agreed to the transfer.
  • The transfer is required under law, and it is authorized.
  • The agency is satisfied on reasonable grounds that the transfer is necessary to lessen or prevent a serious threat to the life, health, safety, or welfare of any individual or to public health, safety, and welfare.

You may also want to review InCountry for Salesforce Cross-Border to see how to integrate and utilize this productivity tool across borders in your business.

How to comply with data protection laws in Australia — InCountry’s approach

Understanding the intricacies of Australian data protection regulations is essential for businesses looking to operate in this region. InCountry’s Data Residency-as-a-Service streamlines this procedure, ensuring that you can securely store your data while maintaining compliance.

By adopting InCountry’s approach to data protection compliance, businesses can navigate the legal landscape with confidence, mitigate risks, and build trust with their customers by safeguarding sensitive information in accordance with local laws.

When you choose InCountry’s Data Residency-as-a-Service, you gain access to a host of benefits:

  • Global compliance: Our platform aligns with multiple data residency laws, including not only those in Australia but also internationally recognized regulations like GDPR, CCPA, and PIPL. Learn more about data localization by InCountry here. 
  • Robust data protection: We prioritize the security of your data through encryption, access control, and physical security measures, ensuring that your information remains protected at all times.
  • High performance and availability: Our platform is designed to deliver exceptional performance and availability, even when dealing with extensive data loads, ensuring that your operations run smoothly.
  • Scalability: As your organization’s data needs grow, our platform can easily scale to accommodate those changes, so you never have to worry about outgrowing your solution.

With InCountry’s Data Residency-as-a-Service, complying with data protection laws in Australia becomes a straightforward process, enabling your organization to focus on its core mission while we take care of the intricacies of data residency compliance. 

Get in touch already; let’s discuss your needs and show you how much value we can contribute to your organization.