The Privacy Act 1988 (Cth) is the principal Australian Commonwealth statute governing the handling of personal information. It applies to Commonwealth government agencies, private-sector organisations with annual turnover above AU$3 million, and certain organisations regardless of turnover — including all health service providers, credit-reporting bodies, and organisations that trade in personal information.
The substantive obligations sit in the thirteen Australian Privacy Principles (APP 1 through APP 13), which cover collection, use, disclosure, data quality, security, access and correction. Additional schemes within the Act include the Notifiable Data Breaches scheme (NDB, in force February 2018) and the Consumer Data Right framework.
The Privacy Act is administered and enforced by the Office of the Australian Information Commissioner (OAIC). The Act has been under reform review since 2020; expected changes include narrowing or removing the small-business exemption, introducing a statutory tort for serious privacy invasions, and increasing penalties. Many organisations are now preparing on the basis that the current exemptions may not last.