Cyber security is important to all businesses. When done correctly, it can mount effective defences to the theft of valuable data, which in turn can protect a business and its people against negative financial, reputational and emotional effects.
But cyber security is increasingly transitioning from being an important but unregulated space, to being a legally mandated requirement. This article is designed to give an overview of how privacy and data security are governed in Australia and some of the expected upcoming changes, so you can understand what your obligations are and where the law is developing.
In Australia, data privacy is primarily governed by the Privacy Act 1988, which regulates the handling of personal information by organisations and individuals.
The date in the title of the Act shows that the first version of it pre-dated basically all widespread digital communication and data storage. But amendments have been made through the years in an attempt to make the legislation and its principles more relevant to today’s environment.
The Privacy Act applies to all businesses with revenues over $3 million and all Commonwealth government agencies, and covers a wide range of activities including the collection, use, storage and disclosure of personal information.
The Privacy Act includes 13 National Privacy Principles (NPPs) that set out specific obligations for organisations (including businesses) handling personal information. The NPPs cover issues such as the collection of personal information, the use and disclosure of personal information, data security, and the ability of individuals to access and correct their personal information.
Just as the Australian Taxation Office is responsible for administering the Tax Acts, the Office of the Australian Information Commissioner (OAIC) is responsible for enforcing the Privacy Act and providing guidance to users on their obligations under the Privacy Act. The OAIC is also responsible for investigating complaints of breaches of the Privacy Act. It also has the power to take enforcement action, including imposing fines, against organisations that breach the principles of the Privacy Act.
The law typically moves much more slowly than technology. So despite the widespread use of digital databases and the strong adoption of ecommerce in Australia over the last two decades, it was only in 2018 that a significant change in the law occurred.
In February 2018, the Privacy Act was amended by the Privacy Amendment (Notifiable Data Breaches) Act 2017, which introduced the Notifiable Data Breaches (NDB) scheme. The NDB scheme requires entities covered by the Privacy Act to notify affected individuals and the OAIC of eligible data breaches. This amendment has increased the importance of data privacy and security for businesses in Australia by imposing a ‘positive obligation to disclose’ on organisations.
A further change occurred in 2022. Data breach fines were increased to:
• $50 million (for a business, increased from $2.2 million)
• 30% of adjusted quarterly turnover of the company that failed to protect the data, or
• a penalty based on ‘data monetisation’ by the organisation, equal to three times the value of the benefit obtained by the misuse of the information.
If you’d like to understand your obligations as a business owner under the Privacy Act and other Australian regulations, or want to be proactive and have your cyber security audited to begin the new year, CyberUnlocked has the experience to help you get the answers you need.