The Privacy Act 1988 and Australian Privacy Principles
The Privacy Act 1988 establishes the framework for protecting personal information in Australia. At its core are the thirteen Australian Privacy Principles (APPs), which govern how APP entities collect, use, disclose, store, provide access to and correct personal information. The APPs apply to Australian Government agencies, private sector organisations with annual turnover exceeding A$3 million, and certain other organisations regardless of turnover.
Key obligations under the APPs include open and transparent management of personal information (APP 1), anonymity and pseudonymity options for individuals (APP 2), requirements for collection of solicited information (APP 3), restrictions on use and disclosure (APP 6), data quality obligations (APP 10), and security requirements (APP 11). Privacy professionals must understand these principles deeply and implement practical compliance programmes across their organisations.
The Notifiable Data Breaches scheme
The Notifiable Data Breaches (NDB) scheme, which came into effect in February 2018, requires organisations covered by the Privacy Act to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals when a data breach is likely to result in serious harm. The scheme has had a significant impact on the privacy profession in Australia, creating demand for professionals who can manage breach detection, assessment, containment and notification processes.
Since its introduction, the NDB scheme has generated hundreds of notifications per half-year reporting period. The most commonly reported breach types are malicious or criminal attacks (including phishing, ransomware and compromised credentials), human error and system faults. This has driven investment in breach response capabilities and created new career opportunities in incident management and forensic investigation.
Privacy Act reform: what is changing
The Attorney-General's Department completed a comprehensive review of the Privacy Act, resulting in 116 proposals for reform. Key proposed changes include:
- Statutory tort for serious invasions of privacy: Creating a right of action for individuals whose privacy has been seriously invaded
- Children's privacy code: Specific protections for the personal information of children, similar to the UK's Age Appropriate Design Code
- Expanded individual rights: Including rights to erasure, de-identification and explanation of automated decision-making
- Removal of the small business exemption: Extending Privacy Act coverage to organisations with annual turnover below A$3 million
- Mandatory privacy impact assessments: Required for activities with a high privacy risk
- Enhanced OAIC enforcement powers: Including increased civil penalties, infringement notices and a tiered penalty regime
- Organisational accountability: Requirements for privacy management programmes, privacy-by-design and default, and record-keeping
Following the Optus and Medibank breaches, the government fast-tracked certain reforms, increasing the maximum penalties under the Privacy Act to the greater of A$50 million, three times the value of the benefit obtained from the breach, or 30% of adjusted turnover.
The Consumer Data Right (CDR)
The Consumer Data Right gives consumers greater control over their data by requiring designated sectors to share data with accredited recipients at the consumer's request. Initially applied to banking (Open Banking), the CDR has been extended to the energy sector and is being considered for telecommunications. CDR compliance requires specialised knowledge of the CDR Rules, data standards, accreditation requirements and security obligations, creating niche career opportunities.
Career opportunities in Australian data protection
| Role | Experience | Annual Salary (AUD) | Primary Focus |
|---|---|---|---|
| Privacy Analyst | 1-3 years | A$70,000 - A$95,000 | PIAs, APP compliance, policy drafting |
| Privacy Specialist | 3-5 years | A$95,000 - A$130,000 | Compliance programmes, breach response |
| Data Protection Officer | 5-8 years | A$130,000 - A$170,000 | Regulatory liaison, programme oversight |
| Senior Privacy Director | 8-12 years | A$170,000 - A$210,000 | Strategic privacy governance, board reporting |
| Chief Privacy Officer | 12+ years | A$210,000 - A$280,000+ | Enterprise privacy strategy, executive leadership |
Essential certifications for privacy professionals
- CIPP/ANZ: The regional privacy certification covering Australian and New Zealand privacy law, administered by the IAPP
- CIPM (Certified Information Privacy Manager): Focused on building and managing privacy programmes
- CIPT (Certified Information Privacy Technologist): For professionals implementing privacy by design in technology systems
- CIPP/E: Important for organisations with European operations subject to GDPR
- ISO 27701 Lead Implementer: For integrating privacy into information security management systems
The role of the OAIC
The Office of the Australian Information Commissioner (OAIC) is the independent regulator responsible for privacy and freedom of information. The OAIC investigates complaints, conducts Commissioner-initiated investigations, publishes guidance, monitors compliance and takes enforcement action. Privacy professionals regularly interact with the OAIC through complaint resolution, NDB notifications, privacy impact assessments and guidance consultations.
Under the reform proposals, the OAIC would gain significantly enhanced enforcement powers, making understanding OAIC processes and expectations even more important for privacy professionals.