Per-Jurisdiction Rights Guide
Your Data Rights in Australia Under the Privacy Act
A calm, factual look at what the Privacy Act 1988 and the Australian Privacy Principles let you ask of the organisations that hold your personal information — and where the OAIC fits in.
In short
In Australia, the Privacy Act 1988 and the Australian Privacy Principles give you the right to access the personal information an organisation holds about you and to ask for it to be corrected. The Office of the Australian Information Commissioner (OAIC) oversees these rights and handles complaints when an organisation does not respond properly.
The law that protects your information
Australia's main privacy law is the Privacy Act 1988 (Cth). At its heart sit thirteen Australian Privacy Principles, usually shortened to the APPs. These principles set out how many organisations must collect, store, use and disclose personal information, and they give you specific rights to see and correct what is held about you.
The Privacy Act does not cover everyone. It generally applies to Australian Government agencies and to private-sector organisations with an annual turnover above a set threshold, along with certain other bodies such as health service providers. Some small businesses are outside its scope, and several state and territory laws cover their own public sectors separately. It is worth checking whether the organisation you are dealing with falls under the Act before you frame a request.
This article is general information, not legal advice. If your situation is complicated or a lot is at stake, consider speaking with a qualified Australian privacy practitioner or contacting the regulator directly.
The rights you can use
Two everyday rights sit at the centre of the APPs for most people. APP 12 gives you the right to access the personal information an organisation holds about you. APP 13 gives you the right to ask for that information to be corrected if it is inaccurate, out of date, incomplete, irrelevant or misleading.
When you ask for access, the organisation must generally respond within a reasonable period and, for most private-sector requests, within about 30 days. It may charge a reasonable cost for giving access, though the charge should not be excessive, and there are limited situations where access can be refused — for example, where giving it would unreasonably affect another person's privacy.
Australia does not have a broad, standalone right to erasure in the way some other regimes do. Instead, the APPs require organisations to take reasonable steps to destroy or de-identify personal information once it is no longer needed for a permitted purpose. So while you cannot always demand deletion outright, you can ask about retention and raise it where information is being kept without a clear reason.
- APP 12 — access: see the personal information an organisation holds about you.
- APP 13 — correction: ask for inaccurate or outdated information to be fixed.
- Retention under APP 11 — organisations must take reasonable steps to destroy or de-identify information they no longer need.
- Anonymity and pseudonymity under APP 2 — in some dealings you can choose not to identify yourself.
If an organisation does not respond properly
Your first step is usually to raise the matter directly with the organisation. Under the APPs, an organisation that handles personal information must have a clear privacy policy and a way to make a complaint, so ask to use its internal process and keep a record of what you sent and when.
If you are not satisfied with the response, or you do not hear back within a reasonable time, you can complain to the Office of the Australian Information Commissioner (OAIC). The OAIC is the independent regulator for the Privacy Act. It can investigate, try to resolve the matter through conciliation, and in some cases make determinations.
OSINTA is a self-only tool: it helps you understand your own digital footprint and prepare your own requests under your own name. It does not act for you, contact organisations on your behalf, or guarantee any outcome. The decisions, and the requests, stay yours.
Frequently asked questions
Does the Privacy Act let me delete my data?
Not as a broad standalone right. The Australian Privacy Principles require organisations to take reasonable steps to destroy or de-identify personal information once it is no longer needed for a permitted purpose, but there is no general on-demand erasure right like in some other regimes. You can still query retention and ask for correction under APP 13.
Who is the privacy regulator in Australia?
The Office of the Australian Information Commissioner, known as the OAIC. It is the independent body that oversees the Privacy Act 1988, handles privacy complaints, and can investigate and conciliate disputes when an organisation has not responded properly to a request.
How long does an organisation have to give me access?
For most private-sector requests under APP 12, an organisation should respond within a reasonable period, generally taken to be about 30 days. A reasonable charge may apply for giving access, but it should not be excessive, and there are only limited grounds for refusing.
Does the Privacy Act cover every business?
No. It generally applies to government agencies and to private-sector organisations above a turnover threshold, plus certain bodies such as health providers. Some small businesses fall outside it, and separate state and territory laws cover their own public sectors. Check whether the Act applies before framing a request.
This is general information, not legal advice. For guidance on your own situation, consider speaking with a qualified professional.
Reviewed by OSINTA's founding lawyer — 2026-06-27.
Understand your footprint, then ask in your own words
See what a clear, calm access or correction request looks like — and keep every decision in your own hands.