Compliance | March 30, 2026 | 7 min read

Australia Privacy Act & APPs Compliance

The Privacy Act 1988 and Australian Privacy Principles govern how organizations handle personal information. Learn how zero-knowledge architecture aligns with APP requirements.

Comply with Australian privacy law using our UUID Generator. Client-side processing means no APP obligations for tool usage.

The Privacy Act Evolution

Australia's Privacy Act 1988 has evolved significantly over three decades. Originally focused on credit reporting, it was transformed by the Privacy Amendment (Enhancing Privacy Protection) Act 2012, which introduced the Australian Privacy Principles (APPs). The Notifiable Data Breaches (NDB) scheme was added in 2018, requiring organizations to report serious data breaches.

The Act applies to Australian Government agencies and private sector organizations with an annual turnover exceeding $3 million AUD. Small businesses under this threshold are generally exempt, unless they trade in personal information, provide health services, or are related to larger entities.

In 2023, the Privacy Legislation Amendment (Enforcement and Other Measures) Act increased penalties and gave the OAIC stronger enforcement powers, bringing Australian privacy law closer to GDPR standards.

The 13 Australian Privacy Principles

Schedule 1 of the Privacy Act sets out 13 APPs that regulate the handling of personal information:

  • APP 1 - Open and Transparent Management: Document privacy practices and make them available
  • APP 2 - Anonymity and Pseudonymity: Give individuals the option of not identifying themselves
  • APP 3 - Collection of Solicited Personal Information: Collect only necessary information by lawful and fair means
  • APP 4 - Dealing with Unsolicited Personal Information: Destroy or de-identify unsolicited information you cannot collect
  • APP 5 - Notification of Collection: Notify individuals about collection at or before the time of collection
  • APP 6 - Use or Disclosure: Use or disclose personal information only for the primary purpose or permitted secondary purposes
  • APP 7 - Direct Marketing: Special rules for using personal information for direct marketing
  • APP 8 - Cross-border Disclosure: Ensure overseas recipients do not breach APPs
  • APP 9 - Adoption, Use or Disclosure of Government Identifiers: Restrictions on using government identifiers
  • APP 10 - Quality of Personal Information: Ensure personal information is accurate, up-to-date, and complete
  • APP 11 - Security of Personal Information: Protect personal information from misuse, interference, loss, and unauthorized access
  • APP 12 - Access: Give individuals access to their personal information on request
  • APP 13 - Correction: Correct personal information to ensure quality

APP 3: The Collection Limitation

APP 3 is particularly relevant for zero-knowledge architecture. It states that an APP entity must not collect personal information unless:

  • Necessary: The information is reasonably necessary for one or more of the entity's functions or activities
  • Lawful and Fair: The information is collected by lawful and fair means
  • Consensual: For sensitive information, the individual must consent

When the tools you provide are zero-knowledge, you eliminate APP 3 obligations for that processing because:

  • No Collection Occurs: Data never enters your systems, so you are not 'collecting' personal information
  • User Processing: The user processes their own data locally; you merely provide the tool
  • APP 2 Compliance: Users can use the tools without identifying themselves, satisfying the anonymity principle

The Notifiable Data Breaches (NDB) Scheme

Since February 22, 2018, organizations subject to the Privacy Act must notify affected individuals and the OAIC when a data breach is likely to result in serious harm. This is the Notifiable Data Breaches (NDB) scheme.

Key NDB requirements:

  • Serious Harm Threshold: Breaches must be assessed for likelihood of serious harm to affected individuals
  • Types of Serious Harm: Includes physical, psychological, emotional, financial, or reputational harm
  • Notification Timing: As soon as practicable after becoming aware of the breach
  • Content Requirements: Notifications must include identity, description, information involved, and steps taken

Zero-knowledge tools eliminate NDB obligations for tool processing. With no personal information stored, there is no data to breach. This removes both the compliance burden and the reputational damage of breach notifications.

OAIC Enforcement Powers

The Office of the Australian Information Commissioner has significant enforcement powers under the Privacy Act:

  • Investigations: The OAIC can investigate complaints and conduct own-motion investigations
  • Determinations: Following investigation, the OAIC can make determinations requiring specific actions
  • Acceptable Undertakings: Organizations can offer enforceable undertakings to address compliance issues
  • Civil Penalties: Since 2023, serious or repeated interferences with privacy can result in penalties up to $50 million AUD or 30% of turnover during the breach period
  • Injunctions: Courts can issue injunctions to stop privacy breaches

The 2023 penalty increases brought Australian privacy enforcement closer to GDPR levels. Organizations now face meaningful financial consequences for privacy failures. Zero-knowledge architecture provides a proactive defense by eliminating the data that could be breached.

Frequently Asked Questions

Does the Privacy Act apply to my organization?

The Privacy Act applies to Australian Government agencies and most private sector organizations with an annual turnover exceeding $3 million AUD. Small businesses under this threshold are generally exempt unless they: trade in personal information, provide health services, are related to larger entities, or are contracted service providers to government. If you use ZeyroVault's client-side tools, your APP obligations for those tools are minimized because no personal information collection occurs.

I am a small business under $3M turnover. Do I need to worry about privacy law?

Small businesses under the $3 million threshold are generally exempt from the Privacy Act, but there are important exceptions. You are covered if you: trade in personal information (buying or selling personal information lists), provide health services (which includes many wellness and fitness businesses), are related to a larger entity that is covered, or are a contracted service provider to the Australian Government. Additionally, all businesses must comply with the Spam Act 2003 and the Do Not Call Register Act 2006. Zero-knowledge tools help by ensuring you do not inadvertently collect personal information that would bring you under the Act.

What is the timeline for NDB reporting?

The NDB scheme requires notification 'as soon as practicable' after you become aware of an eligible data breach. The OAIC expects this to be within 30 days in most cases. You must assess whether a breach is likely to result in serious harm, and if so, notify affected individuals and the OAIC. The notification must include: your organization's identity, description of the breach, types of information involved, steps taken in response, and how individuals can protect themselves. Zero-knowledge tools eliminate this concern by ensuring there is no personal information to breach.

Do I need a privacy policy under Australian law?

APP 1 requires APP entities to have a clearly expressed and up-to-date privacy policy. The policy must cover: the kinds of personal information you collect, how you collect it, purposes of collection, how individuals can access and correct their information, how they can complain, and whether you are likely to disclose information overseas. Even if you are not legally required to have a privacy policy (e.g., small business exemption), having one builds trust with customers. If you use zero-knowledge tools, your privacy policy should highlight that these tools process data client-side and do not collect personal information.