Last review date: 31 December 2024

☒         omnibus – all personal data

☒         sector-specific

e.g., telecoms, healthcare sector, critical infrastructure

Last review date: 31 December 2024

Privacy (Commonwealth):

• Privacy Act 1988 (Cth) ("Privacy Act") (this contains the Australian Privacy Principles (APPs))
• Spam Act 2003 (Cth) ("Spam Act") (regulates sending of commercial electronic messages)
• Do Not Call Register Act 2006 (Cth) ("DNCR Act") (regulates telemarketing activities)

Privacy (State and Territory - public sector only):

• Information Privacy Act 2014 (ACT)
• Privacy and Personal Information Protection Act 1998 (NSW) ("PPIP Act")
• Information Act 2002 (NT)
• Information Privacy Act 2009 (Qld)
• Personal Information and Protection Act 2004 (Tas)
• Privacy and Data Protection Act 2014 (Vic)
• South Australia (SA) has public sector privacy policies/guidelines (e.g., the PC012 Information Privacy Principles ("IPPs") Instructions), although these do not have the force of law.
• Western Australia (WA) historically had some privacy principles related to the disclosure and amendment of personal information held by Western Australian State and local government agencies in its freedom of information legislation (see below). However, in 2024, WA passed the Privacy and Responsible Information Sharing Act 2024 (WA) and Information Commissioner Act 2024 (WA), most aspects of which are to commence on a date to be proclaimed.

Health sector-specific (Commonwealth):

• Healthcare Identifiers Act 2010 (Cth)
• My Health Records Act 2012 (Cth) ("MHR Act")

Health sector-specific (State / Territory):

• Health Records (Privacy and Access) Act 1997 (ACT)
• Health Records and Information Privacy Act 2002 (NSW)
• Health Records Act 2001 (Vic)

Note: The responses that follow focus primarily on the Privacy Act but also mention (where specifically relevant) State and Territory public sector privacy laws, health records laws, surveillance laws, telecommunications laws and critical infrastructure laws.

Last review date: 31 December 2024

In November 2024, Australia passed the Cyber Security Act 2024 (Cth) ("Cyber Security Act"), being the first broadly applicable cybersecurity-specific law.

The Cyber Security Act:

• Requires manufacturers and suppliers to comply with minimum security standards for smart devices acquired in Australia, with the standards to be specified in Ministerial rules
• Requires businesses that make themselves or have made for them a ransomware payment in relation to a cyber security incident to report the payment to the Commonwealth within 72 hours (of making or finding out the payment was made)
• Establishes a limited use obligation to restrict the sharing of information provided to the National Cyber Security Coordinator, to promote business confidence in sharing information following an incident, and
• Establishes a Cyber Incident Review Board to conduct reviews after some cyber security incidents

The main sector-specific cybersecurity-related law is the Security of Critical Infrastructure Act 2018 (Cth) ("SOCI Act"). This applies in relation to 22 critical infrastructure asset classes in 11 sectors, including: communications, financial services and markets, data storage or processing, the defense industry, higher education and research, energy, food and grocery, health care and medical, space technology, transport, and water and sewerage.

For the telecommunications sector, given existing security regulations, relevant requirements have historically been split between the SOCI Act and instruments issued pursuant to the Telecommunications Act 1997 (Cth) that apply to carriers and eligible carriage service providers. 2024 reforms will move key requirements relating to the security of critical telecommunications assets to the SOCI Act.

Additionally, the privacy laws and rules listed in the previous question also have implications for cybersecurity. For example, the Privacy Act contains APP 11, which requires APP entities to take reasonable steps to protect personal information that they hold from misuse, interference and loss and from unauthorized access, modification or disclosure. Given that most APP entities store personal information digitally, this effectively requires them to take at least reasonable cybersecurity measures to protect that personal information.

Public sector agencies are also subject to security requirements as a matter of government policy (e.g., see the Protective Security Policy Framework (PSPF)), which does not have the force of law but with which Australian Commonwealth government entities are expected to comply. The PSPF is complemented by the Information Security Manual (ISM) issued by the Australian Cyber Security Centre. The ISM outlines a cybersecurity framework that organizations can apply to protect their systems and data from cyber threats. Compliance with the ISM is not mandatory unless legislation or a lawful direction specifically requires it.

Many of Australia's privacy laws have cybersecurity implications, while various other laws deal with aspects of national security in Australia, which may have implications for data security and computer-related offenses, including:

• Australian Security Intelligence Organisation Act 1979 (Cth)
• Crimes Act 1914 (Cth) (e.g., section 3, "terrorism offences")
• Criminal Code Act 1995 (Cth) (e.g., Divisions 82, 91, 92 and 122 - sabotage, espionage, foreign interference and secrecy of information)
• State and territory criminal laws on computer offences (e.g., Part 6 of the Crimes Act 1990 (NSW))
• Foreign Influence Transparency Scheme Act 2018 (Cth)
• Intelligence Services Act 2001 (Cth)
• Office of National Intelligence Act 2018 (Cth)

Last review date: 31 December 2024

Commonwealth public sector data:

• Data Availability and Transparency Act 2022 (Cth) ("DATA Act")

Telecommunications-specific:

• Telecommunications Act 1997 (Cth) ("Telecommunications Act") (particularly, Part 13 - Protection of Communications, Part 14 - National Interest Matters and Part 15 - Industry Assistance)
• Telecommunications (Interception and Access) Act 1979 (Cth)

Surveillance (including workplace surveillance):

• Listening Devices Act 1992 (ACT)
• Workplace Privacy Act 2011 (ACT)
• Surveillance Devices Act 2007 (NSW)
• Workplace Surveillance Act 2005 (NSW)
• Surveillance Devices Act 2007 (NT)
• Invasion of Privacy Act 1971 (QLD)
• Surveillance Devices Act 2016 (SA)
• Listening Devices Act 1991 (Tas)
• Surveillance Devices Act 1999 (Vic)
• Surveillance Devices Act 1998 (WA)

Freedom of information (FOI) laws:

• Freedom of Information Act 1982 (Cth) (FOI Act)
• Freedom of Information Act 2016 (ACT)
• Government Information (Public Access) Act 2009 (NSW)
• Information Act 2002 (NT)
• Right to Information Act 2009 (QLD)
• Freedom of Information Act 1991 (SA)
• Right to Information Act 2009 (Tas)
• Freedom of Information Act 1982 (Vic)
• Freedom of Information Act 1992 (WA)

Other:

• Part IVD of the Competition and Consumer Act 2010 (Cth) which regulates the Consumer Data Right (CDR) scheme
• Data-matching Program (Assistance and Tax) Act 1990 (Cth)
• Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and the Anti-Money Laundering and Counter-Terrorism Financing Rules include requirements for "reporting entities" relating to 'know your customer' and customer due diligence. Banks also have a common law duty of secrecy to their customers. Prudential standards and guidelines also provide for a range of requirements relating to data, privacy and security for prudentially-regulated organizations, e.g., CPS 234 and CPG 234 Information Security and CPG 235 Managing Data Risk.
• The Identity Verification Services Act 2023 (Cth) and the Identity Verification Services (Consequential Amendments) Act 2023 (Cth) together regulate Commonwealth-provided automated identity verification services, establishing important safeguards, oversight and transparency arrangements for these services. The legislative regime includes transparency requirements, privacy and security requirements and penalties for non-compliance (among other things).
• The Digital ID Act 2024 (Cth) provides for the accreditation of entities in relation to digital IDs and establishes the Australian Government Digital ID System. It requires entities participating in the system to comply with certain privacy safeguards in addition to those in the Privacy Act and also provides for the making of Digital ID Data Standards and rules.
• The Online Safety Amendment (Social Media Minimum Age) Act 2024 (Cth) introduces a ban on access to age-restricted social media platform by children under 16. It contains additional privacy restrictions relating to data collected for age verification purposes.

Last review date: 31 December 2024

☒  Yes

The Australian Attorney-General's department conducted a review of the Privacy Act through 2020 and 2022, culminating in the release of a report containing extensive reform proposals in February 2023. The government's response to the review report, published in September 2023, indicated agreement with 38 of the report's proposals, and agreement in principle with a further 68 proposals.

In 2024, the government introduced legislation reflecting the first tranche of these proposed reforms, which passed and mostly became effective from 11 December 2024 (“Tranche 1 Reforms”). These changes include:

• A new tort for serious invasion of privacy
• Offenses for "doxxing" (the deliberate release of personal data, e.g., names, photographs, contact details, in a manner that may be menacing or harassing) added to the Criminal Code Act 1995 (Cth)
• Requirements to include in privacy policies information about using personal information for automated decision making, which will take effect from 10 December 2026
• A framework for developing a Children's Online Privacy Code to apply to online services likely to be accessed by children, to be developed within 24 months following 11 December 2024
• Introducing new civil penalty and enforcement provisions to allow for targeted regulatory responses, alongside enhanced enforcement powers for the privacy regulator and the courts.

  A number of highly anticipated reforms outlined in the Review and Response (approximately 50) are yet to be addressed and have been deferred to Tranche 2. These include the "agreed" proposals to:

• Impose thresholds on individuals seeking to rely on the "journalism exemption," by requiring that such individuals be subject to privacy standards overseen by a recognized oversight body (the ACMA, APC or IMC), or other standards that adequately deal with privacy, and
• Introduce a legislative provision that permits broad consent for purposes of research

A number of "agreed in principle" reforms that would have broader impact on the privacy framework in Australia have not been included in the Tranche 1 reforms. These include the introduction of an overarching "fair and reasonable" requirement for collection, use and disclosure of personal information, the introduction of a 72-hour period to notify an eligible data breach, the removal of the small business exemption, the amendment of the employee record exemption and the introduction of a controller and processor distinction. These proposals are expected to be addressed in Tranche 2 legislation, and the 2024 Federal election is a key factor that may affect the timing of these future reforms.

Ransomware attacks have become increasingly prevalent across Australia, resulting in a series of high-profile attacks on large Australian companies. This has given rise to calls for law reform to combat ransomware, with some arguing for a ban on ransom payments to make Australian businesses less attractive to would-be attackers. In November 2023, the Australian Government released its cybersecurity strategy for 2023 - 2030 and associated action plan focused around six "cyber shields": strong businesses and citizens; safe technology; world-class threat sharing and blocking; protected critical infrastructure; sovereign capabilities; resilient region and global leadership. For each "cyber shield" in the Strategy and Action Plan, the government outlines its desired outcomes and the initiatives it will take in order to reach these. In total, there are 60 actions the government is proposing to take across the initiatives under each of the shields. Some of these changes have already been passed via a Cyber Security Legislative Package, including:

• A mandatory no fault, no liability obligation for businesses to report ransomware payments
• Aligning security regulations for telecommunication providers with those applied to other critical infrastructure entities through expansion of various SOCI Act requirements
• Clarifying the regulation of managed service providers under the SOCI Act and delegated legislation
• Minimum cyber security standards for internet of things devices

At a State and Territory level, in Queensland, legislation was passed in late November 2023 to, among other things, amend Queensland's information privacy framework to better protect personal information and provide appropriate responses and remedies for data breaches and misuse of personal information by agencies. A key aspect of the amendments is the introduction of a mandatory notification of data breaches (MNDB) scheme for state public sector agencies similar to a scheme that came into effect in NSW in late November 2023. The information privacy reforms are currently expected to begin on 1 July 2025, with the MNDB scheme not expected to apply to local governments until 1 July 2026.

Western Australia also passed the Privacy and Responsible Information Sharing Act 2024 (WA) and an associated Information Commissioner Act 2024 (WA) in December 2024. Among other things, the former establishes a mandatory information breach notification scheme for the public sector. This and other aspects of the legislation are awaiting commencement, on a date to be proclaimed.