Data privacy and security
7. Are there any data privacy and/or data security laws that would apply?

Yes. The handling of personal information by private sector entities in Australia is regulated at a federal level by the Privacy Act 1988 (Cth) ("Privacy Act"). The key requirements for handling personal information are set out in the Australian Privacy Principles in Schedule 1 of the Privacy Act. Other notable features of the Privacy Act are the mandatory data breach notification obligations under Part IIIC, and special requirements for handling certain types of data (e.g., Part IIIA of the Privacy Act and the Credit Reporting Code regulate the handling of credit-related personal information; the Privacy (Tax File Number) Rule 2015 regulates the handling of tax file numbers). These requirements apply irrespective of whether personal information is held or processed in cloud services, or otherwise, and are not specific to financial institutions.

The Privacy Act has recently been reviewed, and the government is considering a range of modernizations to Australian privacy law in response. This may ultimately lead to extensive changes to the Privacy Act and to how personal information is regulated in Australia.

Additional requirements apply in respect of data that forms part of the Consumer Data Right scheme.

Furthermore, the Security of Critical Infrastructure Act (Cth) ("SCIA") includes the following features:

  • It applies to a range of sectors including communications, data storage and processing, and financial services.
  • It contains positive security obligations (including incident notification obligations) for owners and operators of critical infrastructure assets in these sectors, subject to a ministerial determination being made.
  • It includes enhanced cybersecurity obligations for designated "systems of national significance."
  • It provides the government with powers to direct owners and operators of critical infrastructure to provide information and to take specified actions in response to cybersecurity incidents, and to intervene in certain circumstances.

This could have indirect impacts for customers of cloud service providers that fall within the SCIA's regime (e.g., a cloud service provider could be subject to government investigations or interventions in response to cybersecurity incidents, and this may affect the systems or data used to support its cloud services customers).