Security + privacy regulations in Australia
Australia's Privacy Act 1988 is the foundational privacy law, setting out 13 Australian Privacy Principles (APPs) that govern the collection, use, disclosure, and management of personal information. The Act applies to APP entities — primarily private-sector organizations with annual turnover above AU$3M, plus specific sectoral categories (health-service providers, contracted federal service providers, etc.) regardless of size.

The 2022 Optus + Medibank breaches triggered a major reform package in 2023-2024. Penalties were substantially increased (the maximum is now AU$50M or 30% of annual turnover for serious or repeated interferences). The Notifiable Data Breaches scheme — part of the Privacy Act — requires notification to the OAIC and affected individuals for eligible data breaches that are likely to cause serious harm.

Further reform is expected through 2025-2026. The Attorney-General's Department has proposed a comprehensive review including a direct right of action, removal of the small-business exemption, and tighter rules on targeted advertising.

IRAP (Information Security Registered Assessors Program) is Australia's federal security certification, required for vendors providing services to Australian federal agencies at PROTECTED level and above. It is a heavier lift than SOC 2 and is worth pursuing only if you have a committed federal pipeline.
Key laws + frameworks
- Privacy Act 1988 + APPs: 13 Australian Privacy Principles governing personal information.
- Notifiable Data Breaches: part of the Privacy Act; the mandatory breach-notification regime.
- IRAP: Information Security Registered Assessors Program; required for Australian federal contracts at PROTECTED level and above.
- SOCI Act: Security of Critical Infrastructure Act; applies to critical-infrastructure operators.
- Privacy Act Review reforms (2024+): major reform package raising penalties and expanding obligations.
Regulators
- Office of the Australian Information Commissioner (OAIC)
- Australian Cyber Security Centre (ACSC)
Breach notification
Within 30 days of becoming aware of an eligible data breach (one likely to cause serious harm), notify the OAIC and affected individuals. The statement of an eligible data breach must include the specific content prescribed by the OAIC.
Cross-border disclosure
APP 8 requires reasonable steps to ensure that an overseas recipient handles personal information in a manner consistent with the APPs. Binding corporate rules, contractual safeguards, or consent are the typical mechanisms.
Priority stack for Australia-facing SaaS: (1) a Privacy Policy compliant with the APPs + a Privacy Collection Notice on signup flows; (2) a documented Notifiable Data Breaches response plan; (3) the OAIC listed as a regulator in your incident-response runbook. Pursue IRAP only if you are pursuing federal contracts; otherwise it is disproportionate.