
In an increasingly data-driven economy, privacy compliance has gradually become a central legal and operational priority for businesses.

Organisations routinely collect, use, store and disclose personal information (relating to customers, employees or third parties) in the course of their activities, and are subject to a growing and increasingly complex body of legal obligations designed to protect that information. In light of Privacy Awareness Week (4–10 May) earlier this month, and upcoming legislative developments in Australian and Western Australian privacy law, we take this opportunity to:

  • remind businesses of their key privacy obligations pursuant to the Privacy Act 1988 (Privacy Act);
  • outline upcoming reforms to the Privacy Act by the Privacy and Other Legislation Amendment Act 2024 (Cth) (Privacy Amendment Act), with key changes expected to commence on 10 December 2026; and
  • highlight changes to privacy obligations for Western Australian public sector agencies arising from the Privacy and Responsible Information Sharing Act 2024 (WA) (PRIS Act), with substantive provisions expected to commence on 1 July 2026.

As a result of these upcoming legislative changes, and the increasing use of artificial intelligence (AI) across business systems (and by business employees and contractors), there is a heightened risk of non-compliance with privacy obligations.

While the detailed implications of AI fall beyond the scope of this introductory review of privacy law, this article should serve as a timely reminder for organisations to review their privacy policies and procedures to ensure compliance with applicable privacy laws.

If you require assistance with reviewing your privacy framework or compliance approach, Lavan would be pleased to assist.

Privacy Act

The Privacy Act is the primary legislative framework governing the collection, use, disclosure and management of personal information in Australia. It regulates how organisations handle personal information through a set of enforceable standards known as the Australian Privacy Principles (APPs).

Under the Privacy Act:

  • “Personal information” means any information or opinion about an identified individual, or an individual who is reasonably identifiable, and includes information such as a person’s name, address, date of birth, and phone number; and
  • “Sensitive information” is a subset of personal information that is given a higher level of protection, and includes details such as a person’s health, race or ethnicity, political opinions, religious beliefs, sexual orientation, or biometric data.

The Privacy Act applies to “APP Entities”, which include businesses or organisations that:

  • have an annual turnover greater than $3 million; or
  • fall within special categories,1 including (but not limited to) health service providers, entities that trade in personal information, and operators of residential tenancy databases.

The Australian Privacy Principles

The APPs set out the core obligations governing the collection, use, disclosure and management of personal information by APP Entities.

APP entities are required to comply with all 13 APPs. Set out below is an overview of the APPs most commonly engaged in practice:

APP 1 – Open and transparent management of personal information

APP 1 requires that businesses are open and transparent in their management of personal information. In practice, compliance with this APP is most commonly achieved by a business having a public-facing privacy policy setting out its practices, procedures and systems for dealing with personal information.

APP 3 – Collection of solicited personal information

APP 3 governs the collection of solicited personal information and provides that an APP entity may only collect such information where it is reasonably necessary for one or more of its legitimate functions or activities.

Where sensitive information is involved, there is an additional step required: an entity must obtain the individual’s consent prior to collection. We note, however, that there are exceptions to this requirement, for example where collection is authorised or required by law.

APP 4 – Dealing with unsolicited personal information

APP 4 requires an APP Entity to assess whether unsolicited personal information could have been collected under APP 3. If so, the information may be retained and managed in accordance with the 13 APPs. If not, the entity must, as soon as practicable, destroy or de-identify the information (provided it is lawful and reasonable to do so).

Organisations should ensure processes are in place to promptly identify and appropriately handle unsolicited personal information to minimise compliance risks.

APP 5 – Notification of the collection of personal information

APP 5 requires an APP Entity to, at or before the time of collection of personal information, take reasonable steps to notify individuals of key matters including the purpose of collection, any usual disclosures, and how to access further information in the entity’s Privacy Policy.

APP 6 – Use or disclosure of personal information

APP 6 provides that personal information may only be used or disclosed for the primary purpose for which it was collected, unless an exception applies (such as consent, a related purpose reasonably expected by the individual, or where required or authorised by law).

Recent decisions highlight the importance of adhering strictly to this requirement. In ALI and ALJ (Privacy),2 for example, an employer circulated an email containing an employee’s health information to approximately 110 staff members. The Australian Privacy Commissioner found that the employee records exemption did not apply and that the disclosure breached APP 6.1, as the information had been collected for welfare and work health and safety purposes, not to update other staff.

APP 11 – Security of personal information

APP 11 requires an APP Entity to take reasonable steps to protect personal information from misuse, interference and loss, as well as unauthorised access, modification or disclosure. It also requires entities to take reasonable steps to destroy or de-identify personal information once it is no longer needed for a permitted purpose.

Organisations should ensure that:

  • appropriate technical and organisational safeguards are in place, particularly where personal information is stored off-site, hosted on external servers (whether locally or overseas), or handled by third parties or subcontractors; and
  • retention and disposal practices are regularly reviewed to maintain compliance.

The increasing use and integration of AI across business systems, and by employees and contractors, heightens the risk of non-compliance with the APPs. Organisations should regularly review their systems and processes, and ensure appropriate employee training is in place, to support ongoing compliance.

Privacy Amendment Act

The Privacy Amendment Act strengthens and modernises the Privacy Act by introducing enhanced protections for personal information, expanding regulatory powers, and improving individuals’ privacy rights. Key changes expected to take effect from 10 December 2026 include:

  • amendments to several APPs;
  • additional obligations requiring APP entities to include specific information in their privacy policies where personal information is used by computer programs to make decisions that may significantly affect individuals’ rights or interests;
  • the introduction of anti-doxxing measures;
  • the creation of a statutory tort for serious invasions of privacy (not limited to APP entities); and
  • a requirement for the Information Commissioner to develop a Children’s Online Privacy Code.

For more on the above proposed changes as a result of the Privacy Amendment Act, please see our previous articles titled:

  • Reforms to Australian privacy law: What Australian businesses need to know;
  • A new privacy tort, doxxing offence and more – What to expect from the Privacy and Other Legislation Amendment Bill 2024; and
  • Doxxing and privacy reform, the establishment of a new statutory tort.

PRIS Act

The PRIS Act establishes a comprehensive framework for the responsible handling and sharing of personal information by Western Australian public sector agencies.

Its key purposes are to:

  • promote the safe, transparent and accountable management of personal information;
  • facilitate appropriate information sharing between agencies to improve service delivery and policy outcomes; and
  • strengthen privacy protections through the introduction of enforceable Information Privacy Principles (IPPs) and associated oversight mechanisms.

The IPPs are broadly comparable to the Privacy Act APPs, and are intended to regulate:

  • the handling of personal information that IPP entities must abide by;
  • the requirement to undertake mandatory privacy impact assessments for activities involving high privacy risks; and
  • the establishment of a compulsory notifiable information breach scheme, under which entities must notify the WA Information Commissioner and affected individuals of eligible data breaches (expected to commence on 1 January 2027).

With the exception of the above-mentioned notifiable information breach scheme, the operative provisions of the PRIS Act will commence on 1 July 2026.

Lavan comment

In the current environment, characterised by legislative changes to Australian privacy law and the increasing integration of AI across business operations, it is essential that organisations take a proactive approach to reviewing their privacy obligations and privacy law compliance frameworks.

If you require assistance in navigating the evolving privacy landscape, whether as an APP entity or a Western Australian public sector agency, Lavan is well placed to provide tailored advice on privacy law compliance, including the preparation or review of privacy policies, delivery of employee training, and guidance on applicable legal obligations.

Please do not hesitate to contact Iain Freeman for any Australian privacy law guidance or advice.

Disclaimer

The information contained in this publication does not constitute legal advice and should not be relied upon as such. You should seek legal advice in relation to any particular matter you may have before relying or acting on this information. The Lavan team are here to assist.

Footnotes

  1. Privacy Act s 6D(4).
  2. [2024] AICmr 131.
