Guides compliance with Australia's Privacy Act 1988 and 2024 reforms. Covers Australian Privacy Principles (APPs), automated decision-making transparency, children's privacy code, individual rights, and enforcement.
Australia's Privacy Act 1988 (Cth) is the primary federal data protection legislation, administered and enforced by the Office of the Australian Information Commissioner (OAIC). The Privacy Act applies to Australian Government agencies, private sector organisations with an annual turnover of more than AUD 3 million, and certain other organisations regardless of turnover (health service providers, organisations trading in personal information, credit reporting bodies).
The Privacy and Other Legislation Amendment Act 2024 (Cth), which received Royal Assent on 10 December 2024, is the first tranche of reforms following the Attorney-General's Department's Privacy Act Review Report (February 2023) and the Government's response of September 2023. This tranche introduced a statutory tort for serious invasions of privacy, transparency obligations for automated decision-making, a Children's Online Privacy Code, a clarified security standard under APP 11, a mechanism for prescribing trusted overseas jurisdictions under APP 8, and strengthened enforcement powers. Enhanced individual rights (such as erasure and an explanation of automated decisions) were agreed in principle but left for later legislation, so the tables below distinguish enacted obligations from proposals still to be legislated.

| APP | Subject | Key Requirement |
|---|---|---|
| APP 1 | Open and transparent management | Maintain a clear privacy policy; take reasonable steps to implement practices that ensure compliance |
| APP 2 | Anonymity and pseudonymity | Give individuals the option of dealing anonymously or under a pseudonym where practicable |
| APP 3 | Collection of solicited personal information | Collect only information reasonably necessary for functions/activities; collect sensitive information only with consent |
| APP 4 | Dealing with unsolicited personal information | If unsolicited information could not have been collected under APP 3, destroy or de-identify it |
| APP 5 | Notification of collection | Notify individuals of: identity, purpose, third-party disclosures, overseas disclosures, access/correction rights, complaint mechanism |
| APP 6 | Use or disclosure | Use or disclose only for the primary purpose of collection, or for a secondary purpose the individual would reasonably expect that is related to the primary purpose (directly related, for sensitive information), unless the individual consents or another exception applies |
| APP 7 | Direct marketing | May use for direct marketing if individual would reasonably expect it and opt-out is provided; sensitive information requires consent |
| APP 8 | Cross-border disclosure | Before disclosing overseas, take reasonable steps to ensure the overseas recipient does not breach the APPs, and remain accountable for the recipient's handling of the information; the 2024 Act adds a mechanism to prescribe countries and binding schemes whose laws provide substantially similar protection |
| APP 9 | Adoption, use, or disclosure of government identifiers | Must not adopt a government identifier as own identifier; limited use and disclosure |
| APP 10 | Quality of personal information | Take reasonable steps to ensure information is accurate, up-to-date, complete, and relevant |
| APP 11 | Security of personal information | Take reasonable steps, which the 2024 Act clarifies include technical and organisational measures, to protect against misuse, interference, loss and unauthorised access, modification or disclosure; destroy or de-identify when no longer needed |
| APP 12 | Access to personal information | On request, give individuals access to their personal information |
| APP 13 | Correction of personal information | Take reasonable steps to correct if inaccurate, out-of-date, incomplete, irrelevant, or misleading |

| Automated decision-making element | Detail |
|---|---|
| Scope (APP 1.7, enacted) | An APP entity that uses a computer program to make, or to do something substantially and directly related to making, a decision that could reasonably be expected to significantly affect an individual's rights or interests, where personal information about the individual is used in the program's operation |
| Transparency obligation (APP 1.7, enacted) | The entity's privacy policy must state the kinds of personal information used in the program's operation, the kinds of decisions made solely by the program, and the kinds of decisions for which the program does something substantially and directly related to making the decision; commences 10 December 2026, 24 months after Royal Assent |
| Right to human review and explanation | Agreed in principle in the Government's September 2023 response; not in the 2024 Act and awaiting later legislation |
| Impact assessment | A privacy impact assessment requirement for high-risk activities was agreed in principle; not in the 2024 Act. Assessing an ADM system before deployment is OAIC-recommended practice and supports APP 1.2 compliance |
| Record-keeping | Not a standalone obligation; keeping records of ADM systems, their logic and data inputs is what allows the APP 1.7 policy disclosure to be kept accurate |

| Children's Online Privacy Code element | Detail |
|---|---|
| Scope | Social media services, relevant electronic services and designated internet services (as those terms are used in the Online Safety Act 2021) that are likely to be accessed by children; the Commissioner may extend the code to other APP entities |
| Definition of child | An individual under 18 years |
| Best interests principle | Anticipated code content: the best interests of the child as a primary consideration in handling children's personal information. The Act requires the code to set out how the APPs apply to children but does not prescribe this rule itself |
| Age assurance | Anticipated code content; the Act does not prescribe particular age assurance mechanisms |
| Restrictions | Anticipated code content, modelled on overseas children's codes: limits on targeted advertising and profiling of children and child-specific data minimisation; not prescribed by the Act |
| Code development | The OAIC must develop and register the code within 24 months of the amending Act's commencement, with public consultation on a draft before registration |

| Right | Status | Detail |
|---|---|---|
| Right of access | Existing (APP 12); unchanged by the 2024 Act | Access within a reasonable period (OAIC guidance: 30 days) and in the manner requested where reasonable, subject to the APP 12.3 refusal grounds; reasons must be given for a refusal |
| Right to correction | Existing (APP 13); unchanged by the 2024 Act | Take reasonable steps to correct on request; notify third parties the information was previously disclosed to where requested; give reasons for a refusal |
| Right to erasure | Proposed; agreed in principle, not legislated | Right to request deletion of personal information where it is no longer necessary for the purpose of collection, consent is withdrawn, or the information was unlawfully collected |
| Right to de-identification | Proposed; agreed in principle, not legislated | Alternative to erasure where deletion is impracticable |
| Right to object to direct marketing | Existing (APP 7) | Opt-out must be provided and honoured; the 5 business day deadline for actioning an unsubscribe comes from the Spam Act 2003 and applies to commercial electronic messages |
| Right to request explanation | Proposed; agreed in principle, not legislated | Right to request an explanation of how personal information was used in an automated decision; only the APP 1.7 privacy policy disclosure is enacted |

| Statutory tort element | Detail |
|---|---|
| Cause of action | An individual may sue for a serious invasion of privacy by intrusion upon seclusion or misuse of information, where the individual had a reasonable expectation of privacy, the defendant acted intentionally or recklessly, and the public interest in privacy outweighs countervailing public interests (such as freedom of expression or public safety); commenced 10 June 2025 |
| Threshold | The invasion must be serious; the court considers the degree of offence, distress or harm to dignity it was likely to cause a person of ordinary sensibilities in the plaintiff's position, whether the defendant knew or ought to have known this, and, for intentional invasions, whether it was motivated by malice |
| Remedies | Damages (including for emotional distress; non-economic damages capped by reference to the defamation cap, exemplary damages only in exceptional circumstances), injunctions, account of profits, apology and correction orders, orders for destruction or delivery up of material, declarations |
| Limitation period | Proceedings must be started within 1 year after the plaintiff became aware of the invasion, and in any case within 3 years after the invasion occurred |
| Defences and exemptions | Defences include lawful authority, consent, action necessary to prevent a serious threat to life, health or safety, and the defamation-style defences (absolute privilege, publication of public documents, fair report of proceedings); public interest is weighed as an element of the cause of action rather than as a separate defence. Journalists, enforcement bodies, intelligence agencies and persons under 18 are exempt |

| Enforcement enhancement | Detail |
|---|---|
| Civil penalty tiers | For serious interferences with privacy, the maximum is the greater of AUD 50 million, three times the value of the benefit obtained, or 30% of adjusted turnover in the breach period (set by the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022; the 2024 Act clarifies what makes an interference serious). The 2024 Act adds a mid-tier penalty for interferences that are not serious and a low-tier penalty for specified administrative contraventions |
| Infringement notices | OAIC may issue infringement notices for the low-tier contraventions (for example, failing to have a compliant APP privacy policy) without court proceedings |
| Enforceable undertakings | Strengthened regime for enforceable undertakings, enforceable by the Federal Court |
| Public interest determinations | Enhanced OAIC power to make public interest determinations |
| Public inquiries | Commissioner may conduct public inquiries into privacy matters at the direction or with the approval of the Minister |
Before disclosing personal information to an overseas recipient, the organisation must:
The reforms strengthen APP 8 by:

| Transfer flow (worked example) | Destination | APP 8 compliance | Mechanism |
|---|---|---|---|
| Customer data → EU HQ | Germany | Reasonable steps (contractual safeguards) | Data processing agreement with APP-equivalent obligations |
| Employee data → Regional HR | Singapore | Reasonable steps (contractual safeguards) | Intra-group data sharing agreement |
| Logistics data → APAC | Japan | Reasonable steps (contractual safeguards) | Service agreement with privacy schedule |
A breach is eligible (notifiable) if:

| Notifiable data breach (Part IIIC) element | Requirement |
|---|---|
| Assessment period | Where there are reasonable grounds to suspect an eligible data breach, carry out a reasonable and expeditious assessment and complete it within 30 days of becoming aware of those grounds |
| OAIC notification | As soon as practicable after forming reasonable grounds to believe an eligible data breach has occurred, prepare a statement and give it to the Commissioner; the 30-day limit applies to the assessment, not as a separate notification window |
| Individual notification | As soon as practicable after preparing the statement, notify the individuals to whom the information relates (or those at risk of serious harm); if direct notification is not practicable, publish the statement and publicise it |
| Statement content | Entity identity and contact details, description of the breach, kinds of information concerned, recommended steps for individuals |
| Eligible data breach declarations (2024 Act) | The Minister may declare an eligible data breach, permitting entities to handle personal information for the purpose of preventing or reducing the risk of harm to affected individuals |

| Zenith Global compliance component | Detail |
|---|---|
| Privacy Officer (Australia) | Sarah Mitchell, Privacy and Compliance Lead — Sydney office |
| APP 1 privacy policy | Published at zenithglobal.com.au/privacy |
| APP 3 collection | Minimal collection; consent for sensitive information |
| APP 7 direct marketing | Opt-out mechanism; 5 business day unsubscribe processing |
| APP 8 cross-border | Contractual safeguards with all overseas recipients |
| APP 11 security | ISO 27001 certification; annual penetration testing |
| APP 12-13 access/correction | Privacy portal with 30-day response target |
| Part IIIC breach notification | 30-day assessment + notification workflow |
| Automated decision-making | Impact assessment conducted for credit scoring; human review available |
| Children's code readiness | Monitoring OAIC code development; no direct child services |