Privacy law reform

2014 law reform

What’s changed?

  1. Australian Privacy Principles
  2. Enhanced powers for the OAIC
  3. Changes to credit reporting laws
  4. Recognising external dispute resolution schemes
  5. Privacy codes
  6. Resources

Current privacy reviews and inquiries

Previous privacy reviews and inquiries

2014 law reform

The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Privacy Amendment Act) made many significant changes to the Privacy Act 1988 (Privacy Act). These changes commenced on 12 March 2014.
The Privacy Regulation 2013, made under the Privacy Act, also commenced on 12 March 2014.

The Privacy Amendment Act is a part of a privacy law reform process that began in 2004. The ‘Previous Privacy Reviews’ section below, includes more information about that process.

What’s changed?

Australian Privacy Principles

The Privacy Act now includes a set of 13 new harmonised privacy principles that regulate the handling of personal information by Australian and Norfolk Island Government agencies and some private sector organisations. These principles are called the Australian Privacy Principles (APPs). They replace both the Information Privacy Principles (IPPs) that applied to Australian Government agencies and the National Privacy Principles (NPPs) that applied to some private sector organisations.

A number of the APPs are significantly different from the existing principles, including APP 7 on the use and disclosure of personal information for the purpose of direct marketing, and APP 8 on cross-border disclosure of personal information.

For more information on the APPs and the OAIC’s APP guidelines, see Australian Privacy Principles.

Australian Capital Territory public sector agencies continued to be covered by the Privacy Act, as in force on 1 July 1994 (and as modified by the Australian Capital Territory Government Service (Consequential Provisions) Act 1994 (Cth)), until 1 September 2014 when the Information Privacy Act 2014 (ACT) came into force. For more information on the ACT privacy reforms see Australian Capital Territory Privacy.

Back to top

Enhanced powers for the OAIC

The Privacy Act now includes enhanced powers for the OAIC which include:

  • conducting assessments of privacy compliance for both Australian Government agencies and some private sector organisations.
  • accepting enforceable undertakings
  • seeking civil penalties in the case of serious or repeated breaches of privacy

The OAIC is developing a policy and guide (covering existing and new powers) that outline and explain the OAIC’s approach to using its privacy regulatory action powers.

For more information, see Applying privacy law.

Back to top

Changes to credit reporting laws

The Privacy Act now includes new credit reporting provisions including:

  • the introduction of more comprehensive credit reporting, a simplified and enhanced correction and complaints process
  • the introduction of civil penalties for breaches of certain credit reporting provisions
  • a requirement for credit providers to be a member of an external dispute resolution scheme, recognised under the Privacy Act, to be able to participate in the credit reporting system.

See our Privacy fact sheet 25: Credit reporting in Australia — summary

For a more detailed explanation of the credit changes see:

The new mandatory Privacy (Credit Reporting) Code 2014 (CR code), developed by the Australian Retail Credit Association, can be found on the OAIC's Codes register.

For more information see Credit reporting.

Back to top

Recognising external dispute resolution schemes

The Privacy Act, now gives the OAIC the power to recognise external dispute resolution (EDR) schemes to handle privacy-related complaints.

The OAIC has issued guidelines to provide guidance to EDR schemes applying for recognition.

For more  information, including a list of EDR schemes that have been recognised, see Recognised EDR schemes.

Privacy codes

The Privacy Act includes  new provisions on codes of practice about information privacy (APP codes) and a code of practice for credit reporting (the CR code), including enabling the Information Commissioner to develop and register binding codes that are in the public interest.

The OAIC has released Code development guidelines to assist agencies and organisations considering developing a code under the Privacy Act.

For more information, including  Codes that have been registered , see Codes register.

Back to top


The following resources will assist entities and individuals understand the privacy law that applies from 12 March 2014:


The Australian Privacy Principles (APPs)

Other key documents to assist implementing the APPs

Credit reporting

External dispute resolution schemes


Health research

Missing persons


From 12 March 2014 many of the webpages on this website have been updated to reflect the amended Privacy Act.

Back to top

Current privacy reviews and inquiries

There are no current reviews or inquiries.

Back to top

Previous privacy reviews and inquiries


2013-14: The protection of privacy in the digital era

On 12 June 2013, the Australian Law Reform Commission (ALRC) was given Terms of Reference for an inquiry into the protection of privacy in the digital era. The inquiry addresses both prevention and remedies for serious invasions of privacy.

The OAIC made the following submission to the inquiry:

  •  Submission to the Australian Law Reform Commission — Serious Invasions of Privacy in the Digital Era (December 2013)

    2010–11: Exposure Drafts of Australian Privacy Amendment Legislation

    In June 2010, the Australian Government released Exposure Drafts of Australian Privacy Amendment Legislation (Exposure Draft Legislation) which reflected its response to the ALRC report. The Exposure Draft Legislation included draft APPs and credit reporting provisions. On 24 June 2010 the Senate referred the Exposure Draft Legislation to the Senate Finance and Public Administration Committee (Senate Finance Committee) for inquiry and report.
    The OPC (and later the OAIC) made the following submissions on the Exposure Draft Legislation:

    The Exposure Draft Legislation, the Senate Finance Committee reports and other information can be found on the Senate Finance Committee inquiry webpage.
    On 23 September 2011, the Australian Government released an issues paper on the right to sue for serious invasion of personal privacy, A Commonwealth statutory cause of action for serious invasion of privacy.
    The paper invited comments to inform the Australian Government’s response to the ALRC Report which recommended the introduction of a statutory cause of action (a right to sue created by law) for serious invasions of privacy of natural persons.
    In November 2011, the OAIC made a submission on the issues paper:

    On 23 May 2012, the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Reform Bill) was introduced into the Australian Parliament. The Reform Bill reflected elements of the Government’s first stage response to the ALRC Report.
    The Reform Bill was referred to both the House Standing Committee on Social Policy and Legal Affairs (House Committee) and the Senate Legal and Constitutional Affairs Legislation Committee (Senate Committee) for inquiry and report.
    The OAIC made the following submissions to the House Committee:

    The Reform Bill passed through the Parliament with amendments on 29 November 2012 and received royal assent on 12 December 2012.
    In October 2012, the Attorney-General's Department released Discussion Paper: Australian Privacy Breach Notification. The discussion paper was released in response to one of the ALRC’s recommendations that a mandatory data breach notification scheme be introduced.
    The OAIC made a submission on the discussion paper:

    2009: Australian Government response 'Enhancing National Privacy Protection'

    On 14 October 2009, the Australian Government released Enhancing National Privacy Protection, the first stage of its response to the ALRC Report on 14 October 2009.
    Given the large number of recommendations, the Government announced that it would respond to the ALRC Report in two stages. The Government’s first stage response addressed 197 of the ALRC’s 295 recommendations. Stage two of the Government’s response will consider the remaining 98 recommendations in the ALRC Report.

    Back to top

    2006-08: The ALRC privacy inquiry

    On 31 January 2006, the ALRC received Terms of Reference from the Australian Attorney-General for an inquiry into the extent to which the Privacy Act and related laws continue to provide an effective framework for the protection of privacy in Australia. This had been the primary recommendation of the OPC's review into the private sector provisions completed in 2005.
    The ALRC Final Report, For Your Information - Australian Privacy Law and Practice (ALRC Report) was provided to the Australian Attorney-General on 30 May 2008 and was made publicly available on 11 August 2008.
    The following submissions were made by the OPC in relation to the ALRC Inquiry:

    Back to top

    2004-05: OPC review of private sector provisions

    On 13 August 2004 the Australian Attorney-General requested the Privacy Commissioner to undertake a review of the private sector provisions of the Privacy Act 1988. The report of that review, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988was submitted to the Attorney-General on 31 March 2005.



    Share this page

    Protecting information rights — advancing information policy