Australia Privacy Laws

Breach Notification

Mandated Timeframe

As soon as practicable

Fines & Penalties

Violations

Fines up to $2.1 M

REGULATION LEVELS

Breach Reporting Consumer Notifications
Vendor Management Vendor Contract Required
LEVEL DESCRIPTION
Minimal Basic Comprehensive Extensive
LAWS RELATED TO PERSONAL INFORMATION
Regulated Breach Reporting

Breach Reporting Requirements

Consumer Notification Requirements

Vendor Notification of Breach

Vendor Requirements

Vendor Specific Obligations

Vendor Mandated Contracts

Privacy Program Requirements

Protection/Security

Employee Training

Vendor Protection/Security Program

Personal Information Protection

Data Disposal of Personal Information

Quick Facts

Australia Privacy Law Information

  • Privacy Program

    Vendors of governmental entities must be contracted. Organisations must have strict oversight of their Vendors located outside of Australia and the external Territories to ensure they comply with all requirements placed on businesses collecting and holding personal information of Australian residents. Organisations assume full liability for any violations of the privacy principles committed by Vendors located outside Australia and the external Territories.

  • Breach Reporting

    The Office of the Victorian Information Commissioner (OVIC) administers the Privacy and Data Protection Act 2014, which specifically regulates how government organisations, local councils and government-contracted service providers collect and handle personal information. Victoria’s OVIC strongly recommends that these entities report data breaches to them. Must have measures in place for the disposal or de-identification of records containing personal information. Must have procedures in place to respond within 30 days to individuals requesting access to their personal information.

  • Vendor/Third Parties

    Organisations and Vendors (who are Australian businesses subject to the Australian Privacy Act 1988) must comply with all regulations of the Australian Privacy Principles (“privacy principles”), including: having policies, procedures and secure information systems in place to demonstrate compliance with the privacy principles; having a clear and up-to-date privacy policy stating their management of personal information; having measures in place to offer individuals the option to identify anonymously or by pseudonym; ensuring any personal information collected, used and disclosed is necessary, accurate, up-to-date, complete and relevant; ensuring an individual gives consent before collecting sensitive personal information, such as, but not limited ...

  • Industry Specific Laws

    Australia’s My Health Record system operates under, and privacy regulations for the collection, use and disclosure of health information fall under, the My Health Records Act 2012.

  • Australian Capital Territory’s Information Privacy Act 2014

    This regulates the collection, storage, use, security, and access of personal information for public entities and contracted service providers for public entities.

  • New South Wales’ Privacy and Personal Information Protection Act 1998

    This regulates the collection and handling of personal information by New South Wales public sector agencies. New South Wales highly encourages all agencies to report all types of data breaches, which may involve personal information, to the Information and Privacy Commission NSW (IPC) and to affected individuals.

  • Northern Territory’s Information Act 2002

    This regulates public sector organisations’ collection and handling of personal information. The Office of the Information Commissioner for the Northern Territory oversees the Information Act.