What Your Business Should Know About “Australian Privacy Act 1988”?

Australian Privacy Act, 1988 is getting updated.  Does your business know enough about the amendments to the Act and how they affect your business?

Q: Do you know that Privacy Act, 1988 will be updated in 2014?

The updates to existing Privacy Act, 1988 (Cth) will come into effect on 12 March, 2014.

Amendments to the the Australian Privacy Act 1988 (Cth) do away with the existing National Privacy Principles (NPP), which currently apply to the private sector in Australia, and the Information Privacy Principles (IPP), that currently apply to the public sector in Australia. Instead a set of uniform principles called the Australian Privacy Principles (“APPs“) shall apply to both public sector and private sector entities in Australia.

Q: Do you know if your business is covered by the Privacy Act, 1988 (Cth)?

The Australian Privacy Act, 1988 applies to organisations  in Australia with a turnover of $3 million or more. The Privacy Act, 1988 in the case of organisations, which have a turnover of less than $3 million applies to certain types of small businesses  only, for example where the small business:

  • provides personal information in exchange for any benefit, service or advantage
  • is related to a business that has an annual turnover of greater than $3 million;
  • provides someone else with a benefit, service or advantage to collect personal information;
  • provides health services and holds health information other than employee records; or
  • is a contracted service provider for a Commonwealth contract.

Note: Small businesses in Australia that aren’t covered by the  Privacy Act, 1988(Cth), can choose to “opt-in” if they so wish.

Q: Do you know that as per changes in the Privacy Act, 1988 (Cth)   your business could face fines for breaching personal information privacy?

Businesses  could face fines of up to $1.7 million & Individuals  could face fines for up to $340,000 under the new Privacy Act for serious and repeated interferences with privacy on confirmation of incidents of data breach.

Q: Do you know that your business has obligations for protecting personal information under the Australian Privacy Act, 1988?

A business must protect the identity of any person whose information they hold.

According to Australian Information Commissioner (OAIC) publication ‘Data breach notification — A guide to handling personal information security breaches, April 2012’ referred to as ‘OAIC guide’:

“Agencies and organisations have obligations under the Privacy Act 1988 (Cth) to put in place reasonable security safeguards and to take reasonable steps to protect the personal information that they hold from loss and from unauthorised access, use, modification or disclosure, or other misuse”.

Q: Are these DEFINITIONS related to the Privacy Act,1988(Cth)  understood by your business?

Personal Information

According OAIC website, personal information means “information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion”.

Personally Identifiable Information

According to Wikipedia definitionPersonal Information may be further qualified as “Personally identifiable information” (PII) i.e. the information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.

Data Breach

Data breach means when personal information held by an agency or organisation is lost or subjected to unauthorised access, use, modification, disclosure, or other misuse (OAIC Guide).

Contrary to the general belief, data breach is not breach of data held by an agency, but is the breach of personal information the entity holds. Privacy is the intrusion on someone’s seclusion or infringement of their right to anonymity.

Q: Does your business hold personal information that may be covered by the Australian Privacy Act, 1988?

All such data below may be classified as personal information of a person and covered by the Privacy Act, 1988. Does your business hold any of this data for consumers, employees, third party, suppliers, customers, etc?

  • name or address
  • bank account details and credit card information
  • photos, images, videos or audio footage
  • tax file no.
  • information about likes/dislikes
  • racial or ethnic origin
  • health or medical information
  • political opinions
  • places of work
  • memberships
  • beliefs (including religious or philosophical)
  • sexual preferences or practices
  • criminal record
  • biometric or genetic information

Q: How does a data breach occur that may be seen as a breach of Australian Privacy Act, 1988?

According to OAIC guide, Data breaches can occur through a number of ways. Some examples include:

  • lost or stolen laptops, removable storage devices or paper records containing personal information.
  • hard disk drives and other digital storage media (integrated in other devices, for example, multifunction printers, or otherwise) being disposed of or returned to equipment lessors without the contents first being erased.
  • databases containing personal information being ‘hacked’ into or otherwise illegally accessed by individuals outside of the agency or organisation.
  • employees accessing or disclosing personal information outside the requirements or authorisation of their employment.
  • paper records stolen/found from insecure recycling or garbage bins.
  • an agency or organisation mistakenly providing personal information to the wrong person, for example by sending details out to the wrong address.
  • an individual deceiving an agency or organisation into improperly releasing the personal information of another person.



The information provided is general advice only and does not take account of your personal circumstances or needs. Please refer to our financial services guide which contains details of our services and how we are remunerated.


A cyber attack can cripple a business of any size. By planning in advance and purchasing a cyber liability insurance/data breach insurance policy, businesses can minimize their risks, costs, and the impact of a cyber attack on their reputation and brand.

To learn how a Cyber/Data Breach Insurance policy can help you be prepared for a cyber attack, network security, or data breach event, please complete the box below. Or  call Cyber Data -Risk Managers Pty Ltd 03 8640 0962.

Organisation/ Business Name
Captcha Field
Captcha Field

Share your thoughts


+ seven = 8