Privacy Act (Australia)

Australia's primary federal privacy legislation, regulating how organisations and government agencies collect, use, store, and disclose personal information, including employee data, through 13 Australian Privacy Principles (APPs).

What Is the Privacy Act?

Key Takeaways

  • The Privacy Act 1988 (Cth) is Australia's primary federal privacy law. It governs how organisations and government agencies handle personal information, including employee records.
  • The Act contains 13 Australian Privacy Principles (APPs) that set out standards for collecting, using, disclosing, storing, and destroying personal information.
  • A critical exception for HR teams: the employee records exemption (section 7B(3)) takes acts and practices of a private-sector organisation that are directly related to an employee record of its own current or former employees outside the APPs. It does not cover job applicants, contractors, or data once it is in the hands of a third party, and it does not apply to government agencies at all.
  • The 2022 amendments dramatically increased maximum penalties to $50 million, three times the benefit obtained, or 30% of adjusted turnover in the relevant period, whichever is greatest.
  • The Office of the Australian Information Commissioner (OAIC) is the federal privacy regulator. It investigates complaints, conducts assessments, and can seek civil penalties for serious breaches.

The Privacy Act tells organisations what they can and can't do with people's personal information. For HR teams, this creates a dual reality. On one hand, the employee records exemption means most of what an employer does with its own employees' data falls outside the APPs. On the other hand, the exemption has significant gaps that catch many HR teams off guard.

The exemption only applies to information in an "employee record" held by the employer, and only to acts and practices directly related to the employment relationship. It doesn't cover:

  • job applicants (their resumes, interview notes, and reference checks are fully subject to the APPs),
  • contractors (who aren't employees),
  • health surveillance data collected under WHS obligations (which may fall outside the employee record definition), and
  • any data transferred to a third party (such as a cloud-based HRIS provider).

The 2022 Optus and Medibank data breaches prompted the government to significantly increase penalties. For a serious or repeated interference with privacy, a body corporate now faces a maximum civil penalty of $50 million, three times the value of the benefit obtained, or 30% of adjusted turnover for the relevant period, whichever is greatest. This changed the risk calculation for every organisation.

A major government review completed in 2023 recommended abolishing the employee records exemption, which would bring all employee data under the APPs. If enacted, this would be the most significant change to HR data management in Australia since the Act was introduced.

13: Australian Privacy Principles (APPs) that regulate handling of personal information
$50M: Maximum civil penalty for serious or repeated privacy breaches by a body corporate (Privacy Act Amendment, 2022)
$3M: Annual turnover threshold below which small businesses are generally exempt from the Privacy Act
1,111: Notifiable Data Breaches reported to the OAIC in the first half of 2024 (OAIC, 2024)

The 13 Australian Privacy Principles (APPs)

The APPs apply to organisations with annual turnover above $3 million, government agencies, and certain other entities regardless of size.

APP | Name | Key requirement
1 | Open and transparent management | Have a clearly expressed, up-to-date privacy policy describing how you handle personal information
2 | Anonymity and pseudonymity | Give individuals the option of not identifying themselves, or of using a pseudonym, where practicable
3 | Collection of solicited personal information | Only collect personal information that is reasonably necessary for your functions; collect sensitive information only with consent (unless an exception applies)
4 | Dealing with unsolicited personal information | If you receive information you didn't ask for, determine whether you could have collected it under APP 3; if not, destroy or de-identify it
5 | Notification of collection | Tell individuals what information you're collecting, why, who it will be shared with, and how they can access, correct, or complain
6 | Use or disclosure | Only use or disclose information for the primary purpose of collection, or a related secondary purpose the individual would reasonably expect
7 | Direct marketing | Don't use personal information for direct marketing unless the individual would reasonably expect it or has consented
8 | Cross-border disclosure | Before disclosing personal information to an overseas recipient, take reasonable steps to ensure the recipient does not breach the APPs
9 | Adoption, use, or disclosure of government identifiers | Don't adopt government-related identifiers (such as Tax File Numbers) as your own identifier
10 | Quality of personal information | Take reasonable steps to ensure personal information is accurate, up-to-date, complete, and relevant
11 | Security of personal information | Protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure; destroy or de-identify it when no longer needed
12 | Access to personal information | Give individuals access to their personal information on request
13 | Correction of personal information | Correct personal information that is inaccurate, out-of-date, incomplete, irrelevant, or misleading

The Employee Records Exemption

This exemption is the most important Privacy Act provision for HR teams, and the most misunderstood.

What the exemption covers

Section 7B(3) exempts a private-sector organisation from the APPs in relation to an act or practice that is directly related to a current or former employment relationship and to an "employee record" about that employee. Government agencies do not get this exemption. Under the Act's definition, employee records include information about: the employee's terms and conditions of employment, their engagement, training, disciplining, resignation or termination, performance or conduct, hours of employment, salary or wages, personal and emergency contact details, health information relating to fitness for work, trade union or professional association membership, leave records, and taxation, banking and superannuation affairs (including the bank details used for salary payments).

What the exemption doesn't cover

The exemption doesn't apply to: job applicants (they're not employees), contractors and volunteers (they're not employees), health surveillance data collected under WHS obligations (may fall outside the employment relationship nexus), information shared with third parties (once data leaves the employer's hands, the exemption may not follow), and information used for a purpose unrelated to the employment relationship. If you use employee data for marketing purposes, the exemption doesn't apply to that use. If you share employee data with a cloud HRIS provider, the cross-border disclosure requirements (APP 8) may apply if the provider stores data overseas.

Proposed abolition

The Attorney-General's Department Privacy Act Review Report (2023) recommended that private-sector employees receive enhanced privacy protections, which would remove or substantially narrow the employee records exemption. If implemented, employee data would be subject to the full APPs, including consent requirements for collecting sensitive information, access and correction rights, and the Notifiable Data Breaches scheme. The government has agreed "in principle" to this recommendation, subject to further consultation, but hasn't set a timeline. HR teams should prepare by treating employee data as if the exemption didn't exist, which many privacy advisors already recommend.

Notifiable Data Breaches Scheme

Since February 2018, organisations must report eligible data breaches to the OAIC and affected individuals.

When notification is required

An eligible data breach occurs when there is unauthorised access to, unauthorised disclosure of, or loss of personal information; a reasonable person would conclude that this is likely to result in serious harm to any of the individuals concerned; and the organisation has not been able to prevent the likely risk of serious harm through remedial action. Serious harm includes identity theft, financial loss, physical harm, serious psychological harm, and damage to reputation. If the organisation only suspects that an eligible breach has occurred, it must carry out a reasonable and expeditious assessment and complete it within 30 days. Once it becomes aware (or ought reasonably to have become aware) of an eligible breach, it must prepare a statement and give it to the OAIC as soon as practicable, then notify affected individuals of the statement's contents.

HR-specific breach scenarios

Common data breach scenarios in HR include: payroll data sent to the wrong recipient via email, an HRIS compromised by cyberattack exposing employee records, physical personnel files lost or stolen, a terminated employee's access to HR systems not promptly revoked, and employee health records accessed by unauthorised staff. Even where the employee records exemption technically takes the incident outside the NDB scheme, best practice, and in some cases contractual or state-law obligations, still favour notifying affected people. And if the breach involves applicant data, contractor data, or data held by a third-party provider, the NDB scheme applies in full.

Privacy Compliance for HR Teams

Practical steps to meet Privacy Act obligations in an HR context.

  • Draft a clear employee privacy notice separate from your general privacy policy. It should explain what personal information you collect, why, who it's shared with (including cloud providers and their locations), and how employees can access or correct their records.
  • Conduct a data mapping exercise to identify what personal information your HR function collects, where it's stored, who has access, and whether it's transferred overseas (including through cloud HRIS, payroll, or benefits platforms).
  • Review HRIS and payroll vendor contracts for APP 8 compliance. If data is stored or processed overseas, ensure contractual protections requiring the vendor to handle data consistently with the APPs.
  • Implement access controls so only personnel who need employee data can access it. Audit access logs regularly. A common breach cause is overly broad access to HR systems.
  • Establish a data retention and destruction schedule. Don't keep personal information longer than needed. Tax records: 5 years. Employment records: 7 years. Unsuccessful applicant records: 6-12 months unless the applicant consents to longer retention.
  • Train HR staff on privacy obligations at least annually. Cover common breach scenarios, the difference between employee records (exempt) and applicant/contractor data (not exempt), and the NDB scheme requirements.
  • Develop a data breach response plan specific to HR data. Include who to notify, how to assess harm, communication templates, and OAIC notification procedures.
  • Obtain informed consent before collecting sensitive information (health, race, religious beliefs, criminal records) from applicants. The employee records exemption may cover this for existing employees, but consent is best practice regardless.
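Two of the breach scenarios listed under the NDB scheme above (a terminated employee whose access was never revoked, and health records read by staff outside their role) are exactly what the "audit access logs regularly" step is meant to catch. The following is an added example, not code from the original page or from any HRIS vendor. It assumes a hypothetical CSV export of HR-system access events, a hypothetical roster with termination dates, and a hypothetical role-to-record-type policy; all data in it is constructed.

```python
"""Audit HR-system access events against the roster and a role-based policy.

Added example (not from the page). It flags three conditions:
  * access_after_termination: the account belongs to someone whose employment
    ended before the event (access not revoked),
  * outside_role: the record type is not permitted for the user's role
    (e.g. a line manager opening a health record),
  * unknown_account: the account is not on the roster at all.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Hypothetical role policy: which record types each role may read.
POLICY = {
    "hr_admin": {"personnel", "payroll", "health"},
    "payroll_officer": {"payroll"},
    "line_manager": {"personnel"},
    "whs_officer": {"health"},
}


@dataclass(frozen=True)
class Worker:
    user: str
    role: str
    end_date: Optional[date]  # None means still employed


# Constructed roster; names and dates are invented for the example.
ROSTER = {
    "alice": Worker("alice", "hr_admin", None),
    "bob": Worker("bob", "payroll_officer", date(2024, 5, 31)),  # terminated
    "carol": Worker("carol", "line_manager", None),
    "dave": Worker("dave", "whs_officer", None),
}

# Constructed log extract: time,user,action,record_type,subject_employee_id.
SAMPLE_LOG = """\
2024-06-03T09:12:00,alice,read,health,emp-1042
2024-06-03T09:15:00,bob,read,payroll,emp-1042
2024-06-03T10:01:00,carol,read,health,emp-2210
2024-06-03T10:05:00,carol,read,personnel,emp-2210
2024-06-03T11:30:00,dave,read,health,emp-1042
2024-06-03T11:31:00,mallory,read,personnel,emp-3001
"""


def parse_log(text):
    """Parse the CSV export into event dicts with a real datetime."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        ts, user, action, record_type, subject = row
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "record_type": record_type,
            "subject": subject,
        })
    return events


def audit(events, roster, policy):
    """Return one finding per event that violates the roster or the policy."""
    findings = []
    for ev in events:
        worker = roster.get(ev["user"])
        if worker is None:
            findings.append({**ev, "issue": "unknown_account"})
            continue
        if worker.end_date is not None and ev["time"].date() > worker.end_date:
            findings.append({
                **ev,
                "issue": "access_after_termination",
                "days_after": (ev["time"].date() - worker.end_date).days,
            })
            continue
        if ev["record_type"] not in policy.get(worker.role, set()):
            findings.append({**ev, "issue": "outside_role", "role": worker.role})
    return findings


if __name__ == "__main__":
    for f in audit(parse_log(SAMPLE_LOG), ROSTER, POLICY):
        print(f["time"].isoformat(), f["user"], f["record_type"], f["issue"])
```

Run against the constructed log this reports bob reading payroll three days after his termination date, carol opening a health record her line-manager role is not entitled to, and an account (mallory) that is not on the roster. In practice the roster would be pulled from the HRIS and the log from the system's audit export; the point is that the check is mechanical once termination dates and a role policy exist, which is why the list above asks for both.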

Privacy Act Penalties and Enforcement

The 2022 amendments dramatically increased the consequences for privacy breaches.

Enforcement actions

The OAIC can: investigate complaints and conduct own-motion investigations, make determinations requiring organisations to take specific actions (compensation, apology, policy changes), accept enforceable undertakings, seek civil penalties in the Federal Court for serious or repeated interferences with privacy, and issue infringement notices for specific administrative breaches. The OAIC also publishes investigation outcomes, which means reputational damage accompanies formal enforcement action.

Entity type | Maximum penalty per serious or repeated breach | Alternative calculations
Body corporate | $50,000,000 | 3x the value of the benefit obtained, or 30% of adjusted turnover during the breach period (whichever is greatest)
Individual (non-body corporate) | $2,500,000 | Not applicable

Upcoming Privacy Act Reforms

The government's response to the 2023 Privacy Act Review signals major changes ahead.

Agreed reforms affecting HR

The government has agreed in principle to:

  • removing or narrowing the employee records exemption,
  • introducing a statutory tort for serious invasions of privacy (allowing individuals to sue),
  • strengthening consent requirements and introducing a "fair and reasonable" test for handling personal information,
  • requiring privacy impact assessments for high-risk activities,
  • introducing a children's privacy code, and
  • creating a right to erasure (similar to the GDPR's "right to be forgotten").

These reforms are being introduced in stages. The first tranche, the Privacy and Other Legislation Amendment Act 2024, has already legislated the statutory tort and required the OAIC to develop a Children's Online Privacy Code; the employee records exemption and the "fair and reasonable" test remain for a later tranche. HR teams should monitor developments and start building compliance frameworks now rather than waiting for the legislation.

Implications if the employee records exemption is removed

If the exemption is abolished, employers will need to: provide APP 5 collection notices to all employees, obtain consent for collecting sensitive information (health data, criminal record checks, diversity data), allow employees to access and correct all personal information held about them, report data breaches involving employee records to the OAIC, and apply all 13 APPs to every piece of employee data. This would be a massive operational shift for HR teams currently relying on the exemption, particularly for health and medical records, background checks, and disciplinary information.

Australian Data Breach Statistics [2024]

Key figures on data breaches and privacy enforcement in Australia.

1,111: Notifiable data breaches reported to the OAIC in H1 2024 (OAIC, 2024)
67%: Breaches caused by malicious or criminal attacks, versus human error (OAIC NDB Report, 2024)
$50M: Maximum penalty per serious or repeated privacy breach for corporations (Privacy Act Amendment, 2022)
Health: Sector reporting the most data breaches, followed by finance and government (OAIC, 2024)

Frequently Asked Questions

Does the Privacy Act apply to small businesses?

Generally, no. Organisations with annual turnover of $3 million or less are exempt from most Privacy Act obligations. However, there are important exceptions. Small businesses that provide health services, trade in personal information, are contracted by the government, or are a credit reporting body are covered regardless of turnover. The 2023 review recommended removing the small business exemption entirely, which would bring every employer under the APPs. Even exempt small businesses should follow good privacy practices because state legislation, employment law obligations, and contractual requirements may impose similar duties.

Can employees see their personnel file?

Under APP 12, individuals have the right to access their personal information on request. Because of the employee records exemption, this APP right doesn't technically apply to employee records held by a private-sector employer. However, the Fair Work Regulations 2009 (regulation 3.42) separately require an employer to make an employee's records available for inspection and copying on request by the employee or former employee, and many enterprise agreements, employment contracts, and workplace policies grant access rights as well. Best practice is to allow employees reasonable access to their personnel files. Refusing access creates suspicion and can damage the employment relationship even where it is lawful.

Can we store employee data in overseas cloud systems?

Yes, but APP 8 requires you to take reasonable steps to ensure the overseas recipient does not breach the APPs, and under section 16C you remain accountable for the recipient's handling of the data as if you had done it yourself. If the employee records exemption applies, APP 8 doesn't technically bind you for that data. However, once data is in the hands of an overseas provider, there is a real risk it falls outside the exemption's scope. The safest approach is to include contractual clauses in your vendor agreements requiring APP-equivalent data handling, verify the provider's security certifications (SOC 2, ISO 27001), and assess the privacy laws of the country where the data will be stored.

Do we need consent to collect health information from employees?

Health information is "sensitive information" under the Privacy Act. APP 3 requires consent for collecting sensitive information. The employee records exemption may cover health information collected as part of the employment relationship (fitness-for-duty assessments, workers' compensation medical reports). But it won't cover health information collected from applicants before they become employees. Best practice: always obtain informed, specific consent before collecting health information, regardless of the exemption. This protects you if the exemption is narrowed or abolished.

What's the difference between the Privacy Act and state surveillance laws?

The Privacy Act governs personal information generally. State workplace surveillance legislation (such as NSW's Workplace Surveillance Act 2005 and the ACT's Workplace Privacy Act 2011) governs specific monitoring activities: email and internet monitoring, CCTV, GPS tracking, and computer surveillance. These laws operate alongside (not under) the Privacy Act and impose additional requirements such as advance notice before surveillance begins. An employer who monitors employee emails must comply with both the Privacy Act requirements for handling the data it collects and the state surveillance law requirements for conducting the monitoring itself.
Written by Adithyan RK. Fact-checked by Surya N.
Published on: 25 Mar 2026