
Data Protection

Does your organisation follow all data protection regulations? You may face hefty penalties if you do not. Discover how you can protect data and avoid these fines.

Data protection is a crucial function for organisations. Companies that protect data safeguard their operations, their reputation, and their clients' personal information. They also avoid sanctions, such as the fine of up to AUD 2.1 million that the OAIC/Privacy Commissioner can ask the court to impose.

Keeping up with data protection laws can be a challenge. There are many laws, and legislators amend them frequently in response to new concerns.

Do you know the data protection laws? How can you ensure compliance?

Organisations often ask Steadfast Solutions how they can comply with data protection requirements. Steadfast Solutions provides IT services in Melbourne, Brisbane, and throughout Australia. This article covers the essential data protection regulations and how we can help you comply with them.

Data Protection Laws in Australia

The primary legislation governing data protection in Australia is the Privacy Act 1988 (Cth) (Privacy Act). Parliament introduced this law to protect and promote the privacy of individuals. It also regulates how most Australian Government agencies, and organisations with an annual turnover of more than AUD 3 million, must handle personal information.

Are There Sector-Specific Laws Affecting Data Protection?

Several industry-specific laws also affect data protection. These laws apply alongside the Privacy Act, not instead of it.

  1. Telecommunications sector: Laws are in the Telecommunications Act 1997 (Cth) and the Telecommunications (Interception and Access) Act 1979 (Cth).
  2. Healthcare: Laws are in the My Health Records Act 2012 (Cth) and the Healthcare Identifiers Act 2010 (Cth). Various state laws exist to protect healthcare data.
  3. Financial services and gambling: Organisations must comply with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and the Anti-Money Laundering and Counter-Terrorism Financing Rules made under it.

Organisations must also comply with the newly legislated Part IVD of the Competition and Consumer Act 2010 (Cth), which sets out the framework for the Consumer Data Right (CDR). The CDR is being rolled out sector by sector. Implementation started with the banking sector in July 2020, and the energy and telecommunications industries will follow.

Which Authorities Oversee Data Protection?

Institutions that ensure organisations comply with data protection laws include:

  • The Office of the Australian Information Commissioner (OAIC) — the primary institution
  • The Australian Competition and Consumer Commission
  • The Australian Communications and Media Authority
  • The Commonwealth Attorney General’s Department
  • The National Health and Medical Research Council
  • The Australian Transaction Reports and Analysis Centre
  • Various territory and state authorities including the ACT Information Privacy Commissioner and the Office of the Information Commissioner for the Northern Territory

Which Institutions and Processing Activities Do the Data Protection Laws Apply To?

The Privacy Act and its regulations apply to federal government agencies and to all private organisations (together, APP entities) other than:

  1. Registered political parties.
  2. Organisations (including all their related corporate bodies) with an annual turnover of less than AUD 3 million, unless they disclose or use personal information for a benefit, or collect and use health information.
  3. Territory or state authorities or instrumentalities, although the Notifiable Data Breaches (NDB) scheme still applies to eligible data breaches involving tax file numbers (TFNs).

The Privacy Act and the Australian Privacy Principles (APPs) cover all institutions (except those above) that carry on business in Australia, which includes collecting personal information in Australia and offshore entities that market to Australian residents.

The Privacy Act/APPs cover all processing (collection, use, and disclosure) of personal information by APP entities. They do not cover the processing of anonymous or de-identified information.

APP entities must notify individuals at or before the time they collect their personal information. They must also notify the OAIC and the affected individuals of eligible data breaches. The law recommends that institutions appoint a privacy officer to manage data protection.

Institutions dealing with TFNs must also comply with:

  • The TFN Rules
  • The NDB provisions relevant to data breaches affecting TFNs or TFN information

Some activities are exempt from the Privacy Act/APPs. They include:

  • Purely domestic or personal processing of information (people acting in a non-business capacity)
  • Small business data processing, by organisations that do not meet the AUD 3 million turnover threshold and are not otherwise subject to the regulations, for example by being engaged under a Commonwealth contract
  • Processing by media organisations in the course of journalism
  • Employee records held by an employer in connection with a current or former employment relationship
  • Political acts and practices

What Are the Key Principles Applicable to the Processing of Personal Information?

The principles for processing personal information include:

  1. Transparency: APP entities must manage personal information openly and transparently. They must have clear and accessible privacy policies, practices and systems that enable them to comply with the APPs, and a framework for handling complaints.
  2. Lawful Basis for Processing: The consent of the individual is the primary legal basis for processing personal information. Other sources, such as Commonwealth contracts, may also supply a basis.
  3. Purpose Limitation: Personal information may only be processed for the purpose to which the individual consented. Some situations are exempt from this principle, such as court orders and certain health situations.
  4. Data Minimisation: APP entities hold personal information only for as long as it serves the consented purpose. Once the purpose is fulfilled, they must destroy or de-identify it.
  5. Proportionality: APP entities may only collect information that is reasonably necessary for their functions or activities.
  6. Retention: APP entities must destroy or de-identify personal information they no longer need for the specified purpose. Information held in a Commonwealth record, or that the law requires them to retain, is exempt from this principle.
  7. Collection of Unsolicited Personal Information: If an APP entity receives personal information it did not request, it must determine whether it could lawfully have collected that information. If not, it must destroy or de-identify it.
  8. Cross-Border Disclosure: Foreign bodies that receive the personal information of Australian residents must comply with the relevant Australian data protection laws.
  9. Government-Related Identifiers: Private organisations must not adopt, use, or disclose government-related identifiers except in prescribed cases.
  10. Quality of Personal Information: APP entities must take reasonable steps to ensure the personal information they hold and use is accurate, up to date, and complete.
  11. Security: APP entities must take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification, or disclosure.

What Sanctions Can Regulators Impose on Organisations That Do Not Comply With Data Protection Laws?

The OAIC/Privacy Commissioner can apply to the courts for a civil penalty of up to AUD 2.1 million against organisations, and up to AUD 420,000 against individuals, that breach the APPs.

The government has announced that new laws will come into effect next year and will increase the penalties under the Privacy Act. Serious or repeated interferences with privacy will attract a penalty of up to AUD 10 million or three times the benefit obtained from the breach, whichever is greater.

The Privacy Commissioner can also award compensation, accept enforceable undertakings, and publish decisions or the findings of investigations into breaches.

How Steadfast Solutions Can Help You Comply With Data Protection Laws

Steadfast Solutions knows the data protection laws and regulations that affect various industries. We can help you develop compliant policies, streamline your processes, secure your networks, and train your employees to ensure compliance with data protection regulations.

Our experts will help you comply with the relevant statutes and provide the cybersecurity solutions you need to protect your data, leaving you free to concentrate on your core functions.

Steadfast Solutions provides IT services and support in Melbourne, Brisbane, Perth, and across Australia. We offer expert, customised, and reliable IT solutions, including cloud computing, managed IT services, and cybersecurity.

Schedule A Free Consultation With Steadfast Solutions

Contact us today to discover more about how we can help you comply with data protection regulations.

Ready to speak with us? Contact us by phone on 1300 739 335 or by email to discover more about how we can help you achieve compliant data protection.