


Law: Privacy Act 1988 (No. 119, 1988) (as amended) ('the Privacy Act')

Regulator: The Office of the Australian Information Commissioner ('OAIC')

Summary: The Privacy Act and the OAIC operate on the federal (commonwealth) level and are applicable across the Australian states and territories. For further information, please see the Australia – Federal jurisdiction dashboard below. In addition, there are various other pieces of privacy legislation and authorities within the states and territories, further information on which is available through the jurisdiction dashboard links below.


Two major Australian retailers are being investigated by the Office of the Australian Information Commissioner ('OAIC') for using facial recognition technology ('FRT') without getting informed consent from patrons. In Australia, retailers are not permitted to use biometric information for profiling and surveillance purposes without the person's knowledge. Katherine Sainty and Aisling Hamilton, from Sainty Law, discuss what FRT is, how it is used, and what businesses should consider for its use.

The American Data Privacy and Protection Act ('ADPPA'), whilst still under review, has many similarities with existing privacy legislation, including Australia's Privacy Act 1988 (Cth) ('the Privacy Act'). Katherine Sainty and Aisling Hamilton, from Sainty Law, provide an introduction to some of the main features of the ADPPA, as well as a glance into how the ADPPA compares with the Privacy Act.

A data subject access request ('DSAR') is a request made by an individual to an organisation or agency, asking for access to any personal information collected or stored regarding the individual. Katherine Sainty, Director at Sainty Law, considers how, under Australian law, organisations should handle DSARs involving employees and prospective employees, also discussing situations where personal information is stored on employees' own devices used during the course of their work.

On 1 April 2022, the Parliament of Australia announced that, following a number of debates and amendments, it had passed the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 ('the Act'), which was assented to on the same day, and entered into effect on 2 April 2022. The Act was proposed by the Australian Department of Home Affairs ('the Government') in December 2021, with the intention of enhancing the resilience of Australia's critical infrastructure to security risks, including cyber-attacks. OneTrust DataGuidance discusses the Act and gives an overview of the key areas of its contents.

China has implemented data protection legislation that impacts how companies operate in, or transact with, businesses or individuals in China. The Personal Information Protection Law ('PIPL') applies to organisations and individuals who process 'personally identifiable information' in China. Companies that process, analyse, or access personal data relating to individuals based in China, for example to provide a product or service or analyse their behaviour, will be required to comply with the PIPL. Katherine Sainty and Aisling Hamilton, from Sainty Law, share insight into the impact of the PIPL on Australian businesses and look at what affected businesses should consider in order to stay compliant with Chinese legislation.

On 6 December 2021, the Australian Department of Home Affairs ('DHA') commenced consultations on the reform of Australia's electronic surveillance framework, publishing a Discussion Paper on the same, with submissions being accepted until 11 February 2022. In particular, the DHA highlighted that this followed a recommendation from the National Intelligence Community that the DHA repeal and replace the Telecommunications (Interception and Access) Act 1979 ('the Telecommunications Act'), the Surveillance Devices Act 2004 ('the Surveillance Devices Act'), and parts of the Australian Security Intelligence Organisation Act 1979 ('the Security Intelligence Organisation Act'). OneTrust DataGuidance provides background to the reform and discusses the key points put forward in the Discussion Paper.

Countries across the APAC region have been introducing comprehensive data protection laws and/or updating existing legislation to ensure personal data is protected in the digital era. OneTrust DataGuidance provides an overview of the status of current privacy/data protection bills in Australia, Brunei Darussalam, India, Malaysia, Mongolia, Myanmar, Pakistan, Sri Lanka, Thailand, and Vietnam.

The processing of children's personal data, from collection to destruction, generally carries with it special considerations. Indeed, the level of protection afforded to children is often higher, due in part to their capacity to understand the consequences of providing their information and the potential risks associated with its use or misuse. In part one of this series, OneTrust DataGuidance considers the rules in the APAC region which govern children's personal data, featuring perspectives from Australia, China, India, and Japan.

For insight into handling children's personal data in New Zealand, the Philippines, and Singapore, please see part two here.

In the aftermath of lengthy lockdowns across Australia, Australia's states and territories, including New South Wales and Victoria, are progressively re-opening for business, with governments counselling that we must 'learn to live with COVID-19'. In that context, many businesses are considering whether they may lawfully collect vaccination data from employees, customers, and other visitors to their premises and how they may use and disclose the data they collect. Angela Flannery and Clare Giugni, from Holding Redlich, provide answers to questions in the context of COVID-19 vaccination data, its collection, disclosure, and storage.

More than two years after the outbreak of the global COVID-19 pandemic, challenges and rapidly changing requirements in terms of privacy, data protection, and disclosure of employees' vaccination status in the context of employment are at the forefront. This Insight series looks across a variety of countries with regards to which information employers can collect, outlining the local requirements in Australia, New Zealand, and Singapore in part one and in China, Japan, India, and Russia in part two.

The Online Safety Act 2021 ('the Act') commenced on 23 January 2022, replacing a patchwork of online safety legislation to create a more consistent and clearer regulatory framework. The Act gives new powers to the eSafety Commissioner, Julie Inman Grant, and aims to protect Australians from online harm and bullying. Katherine Sainty, Director of Sainty Law, provides an overview of how the Act works and what it aims to achieve.

In October 2021, the Australian Government introduced the draft Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 ('the Online Privacy Bill'), aimed at amending the Privacy Act 1988 (No. 119, 1988) (as amended) ('the Privacy Act'). Katherine Sainty, Director at Sainty Law, provides an overview of the Online Privacy Bill, as well as the framework the Online Privacy Bill creates in order to implement and enforce a new Online Privacy Code ('the Code').