Last review date: 31 December 2025

Privacy (Commonwealth):

• Privacy Act 1988 (Cth) ("Privacy Act") (this contains the Australian Privacy Principles (APPs))
• Spam Act 2003 (Cth) ("Spam Act") (regulates sending of commercial electronic messages)
• Do Not Call Register Act 2006 (Cth) ("DNCR Act") (regulates telemarketing activities)

Privacy (State and Territory - public sector only):

• Information Privacy Act 2014 (ACT)
• Privacy and Personal Information Protection Act 1998 (NSW) ("PPIP Act")
• Information Act 2002 (NT)
• Information Privacy Act 2009 (Qld)
• Personal Information and Protection Act 2004 (Tas)
• Privacy and Data Protection Act 2014 (Vic)
• South Australia (SA) has public sector privacy policies/guidelines (e.g., the PC012 Information Privacy Principles ("IPPs") Instructions), although these do not have the force of law.
• Western Australia (WA) Privacy and Responsible Information Sharing Act 2024 (WA) (commences 1 July 2026, with breach reporting required from 1 July 2027) and Information Commissioner Act 2024 (WA).

Health sector-specific (Commonwealth):

• Healthcare Identifiers Act 2010 (Cth)
• My Health Records Act 2012 (Cth) ("MHR Act")

Health sector-specific (State / Territory):

• Health Records (Privacy and Access) Act 1997 (ACT)
• Health Records and Information Privacy Act 2002 (NSW)
• Health Records Act 2001 (Vic)

Note: The responses that follow focus primarily on the Privacy Act but also mention (where specifically relevant) State and Territory public sector privacy laws, health records laws, surveillance laws, telecommunications laws and critical infrastructure laws.

Last review date: 31 December 2025

In November 2024, Australia passed the Cyber Security Act 2024 (Cth) ("Cyber Security Act"), being the first broadly applicable cybersecurity-specific law.

The Cyber Security Act:

• Requires manufacturers and suppliers to comply with minimum security standards for smart devices acquired in Australia, with the standards to be specified in Ministerial rules
• Requires businesses that make themselves or have made for them a ransomware payment in relation to a cybersecurity incident to report the payment to the Commonwealth within 72 hours (of making or finding out the payment was made)
• Establishes a limited use obligation to restrict the sharing of information provided to the National Cyber Security Coordinator, to promote business confidence in sharing information following an incident, and
• Establishes a Cyber Incident Review Board to conduct reviews after some cyber security incidents

The main sector-specific cybersecurity-related law is the Security of Critical Infrastructure Act 2018 (Cth) ("SOCI Act"). This applies in relation to 22 critical infrastructure asset classes in 11 sectors, including: communications, financial services and markets, data storage or processing, the defense industry, higher education and research, energy, food and grocery, health care and medical, space technology, transport, and water and sewerage.

For the telecommunications sector, given existing security regulations, relevant requirements have historically been split between the SOCI Act and instruments issued pursuant to the Telecommunications Act 1997 (Cth) that apply to carriers and eligible carriage service providers. 2024 reforms uplifted, enhanced and clarified security and related obligations for critical telecommunications assets and moved them into the SOCI Act.

Additionally, the privacy laws and rules listed in the previous question also have implications for cybersecurity. For example, the Privacy Act contains APP 11, which requires APP entities to take reasonable steps to protect personal information that they hold from misuse, interference and loss and from unauthorized access, modification or disclosure. Given that most APP entities store personal information digitally, this effectively requires them to take at least reasonable cybersecurity measures to protect that personal information.

Public sector agencies are also subject to security requirements as a matter of government policy (e.g., see the Protective Security Policy Framework (PSPF)), which does not have the force of law but with which Australian Commonwealth government entities are expected to comply. The PSPF is complemented by the Information Security Manual (ISM) issued by the Australian Cyber Security Centre. The ISM outlines a cybersecurity framework that organizations can apply to protect their systems and data from cyber threats. Compliance with the ISM is not mandatory unless legislation or a lawful direction specifically requires it.

Many of Australia's privacy laws have cybersecurity implications, while various other laws deal with aspects of national security in Australia, which may have implications for data security and computer-related offenses, including:

• Australian Security Intelligence Organisation Act 1979 (Cth)
• Crimes Act 1914 (Cth) (e.g., Section 3, "terrorism offences")
• Criminal Code Act 1995 (Cth) (e.g., Divisions 82, 91, 92 and 122 - sabotage, espionage, foreign interference and secrecy of information)
• State and territory criminal laws on computer offences (e.g., Part 6 of the Crimes Act 1990 (NSW))
• Foreign Influence Transparency Scheme Act 2018 (Cth)
• Intelligence Services Act 2001 (Cth)
• Office of National Intelligence Act 2018 (Cth)

Last review date: 31 December 2025

Commonwealth public sector data:

• Data Availability and Transparency Act 2022 (Cth) ("DATA Act")

Telecommunications-specific:

• Telecommunications Act 1997 (Cth) ("Telecommunications Act") (particularly, Part 13 - Protection of Communications, Part 14 - National Interest Matters and Part 15 - Industry Assistance)
• Telecommunications (Interception and Access) Act 1979 (Cth)

Surveillance (including workplace surveillance):

• Listening Devices Act 1992 (ACT)
• Workplace Privacy Act 2011 (ACT)
• Surveillance Devices Act 2007 (NSW)
• Workplace Surveillance Act 2005 (NSW)
• Surveillance Devices Act 2007 (NT)
• Invasion of Privacy Act 1971 (QLD)
• Surveillance Devices Act 2016 (SA)
• Listening Devices Act 1991 (Tas)
• Surveillance Devices Act 1999 (Vic)
• Surveillance Devices Act 1998 (WA)

Freedom of information (FOI) laws:

• Freedom of Information Act 1982 (Cth) (FOI Act)
• Freedom of Information Act 2016 (ACT)
• Government Information (Public Access) Act 2009 (NSW)
• Information Act 2002 (NT)
• Right to Information Act 2009 (QLD)
• Freedom of Information Act 1991 (SA)
• Right to Information Act 2009 (Tas)
• Freedom of Information Act 1982 (Vic)
• Freedom of Information Act 1992 (WA)

Other:

• Part IVD of the Competition and Consumer Act 2010 (Cth) which regulates the Consumer Data Right (CDR) scheme
• Data-matching Program (Assistance and Tax) Act 1990 (Cth)
• Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and the Anti-Money Laundering and Counter-Terrorism Financing Rules include requirements for "reporting entities" relating to 'know your customer' and customer due diligence. Banks also have a common law duty of secrecy to their customers. Prudential standards and guidelines also provide for a range of requirements relating to data, privacy and security for prudentially-regulated organizations, e.g., CPS 234 and CPG 234 Information Security and CPG 235 Managing Data Risk.
• The Identity Verification Services Act 2023 (Cth) and the Identity Verification Services (Consequential Amendments) Act 2023 (Cth) together regulate Commonwealth-provided automated identity verification services, establishing important safeguards, oversight and transparency arrangements for these services. The legislative regime includes transparency requirements, privacy and security requirements and penalties for non-compliance (among other things).
• The Digital ID Act 2024 (Cth) provides for the accreditation of entities in relation to digital IDs and establishes the Australian Government Digital ID System. It requires entities participating in the system to comply with certain privacy safeguards in addition to those in the Privacy Act and also provides for the making of Digital ID Data Standards and rules.
• The Online Safety Amendment (Social Media Minimum Age) Act 2024 (Cth) introduced a ban on providing access to age-restricted social media platforms to children under 16. It contains additional privacy restrictions relating to data collected for age verification purposes.