
The Privacy Act: Understanding Penalties and Remedies for Non-Compliance

Both government and non-government organizations collect, store and use individuals’ personal information. Such personal information is sensitive, and its misuse can have disastrous consequences. The Privacy Act is a piece of federal legislation in Australia that aims to protect individuals’ personal information by regulating how organizations handle it. This article will delve into the Privacy Act, its key provisions and penalties for non-compliance, as well as the remedies available in case of breaches of privacy.

A Brief Overview of the Privacy Act

The Privacy Act 1988 was passed to regulate the handling of individuals’ personal information. The Act applies to all entities that store, use, collect or disclose personal information in the course of their business or service provision. The Act has 13 Australian Privacy Principles (APPs) outlining the obligations that entities must follow while handling personal information.

Personal information is defined as any information or opinion that identifies an individual or can be used to identify an individual. This includes a person’s name, address, email address, phone number, date of birth, financial information, and medical records.

The Purpose of the Privacy Act

The Privacy Act aims to maintain the privacy of individuals’ personal information by regulating its handling by organizations. It facilitates transparency and accountability by governing how such information is collected, stored, used, and disclosed and securing people’s right to access their information. The Privacy Act also encourages organizations to adopt best practices in managing personal information by requiring them to have a privacy policy that outlines how they manage personal information. This policy must be easily accessible and available to individuals upon request.

Key Provisions of the Privacy Act

One of the key principles of the Privacy Act is the requirement to obtain individuals’ consent to collect and use their information. This means that organizations must inform individuals of the purpose for which their information is being collected and obtain their consent before collecting it. Organizations must also only collect information that is necessary for the purpose for which it is being collected.

The Privacy Act also places an obligation on organizations to ensure the security and confidentiality of personal information. This means that organizations must take reasonable steps to protect personal information from misuse, interference, loss, unauthorized access, modification, or disclosure.

Individuals also have the right to access their personal information held by an organization. This means that organizations must provide individuals with access to their information upon request and correct any inaccurate information upon request.

Who is Subject to the Privacy Act?

The Privacy Act applies to all Australian government agencies and organizations that have an annual turnover of over AUD 3 million. The Act also applies to some organizations with an annual turnover of less than AUD 3 million, such as health service providers, credit reporting bodies, and entities that trade in personal information.

It is important for organizations to understand their obligations under the Privacy Act and to take steps to ensure that they are complying with the APPs. Failure to comply with the Privacy Act can result in significant penalties, including fines and damages claims.

Penalties for Non-Compliance

The Privacy Act is a critical piece of legislation that safeguards the privacy of individuals and aims to promote transparency in the handling of personal information. The Office of the Australian Information Commissioner (OAIC) enforces the Privacy Act and ensures that entities comply with the privacy provisions.

Civil Penalties

Entities that breach the privacy provisions can face several penalties. The OAIC can issue civil penalties of up to AUD 2.1 million. This amount depends on the seriousness and extent of the breach of privacy. The entity may also be required to pay compensation to affected individuals.

It is essential to note that the OAIC takes a risk-based approach to compliance and enforcement. This approach considers the nature and extent of the personal information held by the entity, the harm that could result from a breach, and the entity’s compliance history.

Criminal Penalties

In cases of reckless or intentional breaches of privacy, criminal charges can be filed against the responsible employee or director of the organization. The penalty for criminal privacy breaches can be up to AUD 420,000 or two years in prison. It is crucial for entities to understand that they have a legal obligation to protect personal information and that failure to do so can result in severe consequences. It is not enough to plead ignorance or claim that the breach was unintentional. Entities must take proactive steps to ensure that they comply with the privacy provisions.

Administrative Penalties

The OAIC also has the authority to issue enforceable undertakings to entities violating privacy provisions. An enforceable undertaking is a legally binding agreement between the entity and the OAIC. It outlines the steps that the entity will take to ensure they remain compliant with the privacy laws. Failure to comply with the enforceable undertaking can result in fines or civil penalties. Entities must take enforceable undertakings seriously and ensure that they comply with the agreed-upon steps. Failure to do so can result in further legal action and reputational damage.

Reputational Damage

Besides legal penalties, entities that breach the Privacy Act can also suffer significant reputational damage. Privacy breaches can lead to the loss of customers and a tarnished reputation, which could have severe consequences on the entity’s bottom line.

Entities must understand that protecting personal information is not only a legal obligation but also a crucial aspect of maintaining customer trust and loyalty. It is essential to have robust privacy policies and procedures in place and to ensure that all employees are aware of their responsibilities when handling personal information.

Remedies for Non-Compliance

Privacy breaches can have serious consequences. The Office of the Australian Information Commissioner (OAIC) enforces privacy provisions and ensures that entities comply with the law. When an entity is found to be in violation of privacy provisions, there are several remedies that the OAIC may pursue.

Corrective Measures

Corrective measures are steps that an entity must take to rectify a privacy breach. The OAIC may issue directions to the entity, which could include public apologies, modifying privacy policies and processes, and implementing procedures to prevent future breaches. These measures are intended to ensure that the entity takes responsibility for the breach and takes steps to prevent it from happening again.

For example, if an entity experiences a data breach that results in the exposure of personal information, it may be required to notify affected individuals and provide them with information on how to protect themselves from identity theft or fraud. The entity may also need to implement new security measures to prevent future breaches.

Compensation for Affected Individuals

Individuals whose privacy has been breached may be entitled to compensation for damages incurred as a result. This can include financial losses, emotional distress, or damage to reputation. The entity responsible for the breach may be required to compensate the affected individuals.

For example, if an entity releases medical records without the patient’s consent, the patient may experience emotional distress or damage to their reputation. Consequently, the entity may be required to compensate the patient for these damages.

Injunctions and Enforcement Actions

If an entity continues to violate privacy provisions despite corrective measures, the OAIC can request the court to issue an injunction against the entity or take enforcement action against them. An injunction is a court order directing the entity to cease certain activities. An enforcement action is a penalty or fine imposed by the court.

For example, if an entity repeatedly fails to secure personal information, despite being warned by the OAIC, the court may issue an injunction requiring the entity to improve its security measures. If the entity still fails to comply, the court may impose fines or other penalties.

Privacy Training and Education

Entities that have suffered privacy breaches should provide privacy training and awareness to their employees. By educating their teams, they can prevent future breaches and improve privacy compliance overall.

For example, an entity that experienced a data breach due to an employee’s mistake may provide additional training on data security and handling procedures to prevent similar mistakes in the future.

Overall, the remedies for non-compliance with privacy provisions are intended to hold entities accountable for their actions and prevent future breaches. By taking corrective measures, compensating affected individuals, and enforcing compliance, the OAIC can help ensure that personal information is protected and privacy is respected.

Steps to Ensure Compliance

Developing a Privacy Policy

In order to be compliant with the Privacy Act, organizations must have a privacy policy that outlines how they handle and protect personal information. The policy should be accessible to all stakeholders and clearly state what personal information the organization holds, how it is used and for what purposes, and the security measures in place to ensure its confidentiality.

Implementing Privacy Controls

Organizations must implement privacy controls and measures to ensure that personal information is protected from unauthorized access, misuse, and loss. These measures can include protecting digital data with encryption, password protection or multi-factor authentication, as well as access controls, data backup, and secure disposal of data.

Regular Privacy Audits

Organizations should conduct regular privacy audits to identify and address any weaknesses or lapses in their privacy control measures. This can help prevent breaches and ensure that the entity remains compliant.

Employee Training and Awareness

All employees should receive regular privacy training to ensure that they understand their obligations under the Privacy Act. Ensuring that employees are aware of how they handle personal information and that they are following the correct protocols and procedures can prevent breaches and protect the entity from non-compliance penalties.


The Privacy Act is a critical piece of federal legislation that outlines how entities must handle personal information. Failure to comply with its provisions can result in hefty penalties, reputational damage, and loss of customer trust. Organizations must take steps to ensure compliance with privacy legislation, including developing a privacy policy, implementing privacy controls, and conducting regular privacy audits. The mission of PPGS ™ is to help companies communicate their privacy policies effectively and transparently. Our letter grading system can provide a clear and objective assessment of your privacy policies and security measures to ensure that you are in compliance with industry standards and federal legislation. Contact the team at PPGS ™ today for more information.
