🇦🇺 Privacy Act 1988 & Australian Privacy Principles

Australia Privacy Act Redaction

AI-powered redaction to protect personal information under Australian law. Meet your APP obligations and avoid OAIC enforcement.

  • $50M: Maximum OAIC Penalty (AUD)
  • 1,113: Notifiable Breaches (2023-24)
  • 30 Days: Access Request Deadline

What the Privacy Act Requires

The Privacy Act 1988 and the 13 Australian Privacy Principles (APPs) set out how organisations must handle personal information. Proper redaction is essential for meeting several APP obligations.

APP 12: Access Requests

Individuals can request access to their personal information. When providing access, you must redact information about other identifiable individuals unless they've consented.

APP 6: Use & Disclosure

Personal information can only be used or disclosed for the primary purpose it was collected, or a related secondary purpose. Redaction allows sharing documents while limiting disclosure.

APP 11: Security

Organisations must take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access or disclosure. Redaction before sharing is a key protective measure.

APP 11.2: Destruction

When personal information is no longer needed, it must be destroyed or de-identified. Redaction can de-identify documents that must be retained for other purposes.

Personal Information to Redact

Standard Personal Information

  • Names and signatures
  • Residential addresses
  • Email addresses
  • Phone numbers
  • Tax File Numbers (TFN)
  • Medicare numbers
  • Driver licence numbers
  • Bank account details

Sensitive Information

  • Health information
  • Racial or ethnic origin
  • Political opinions
  • Religious beliefs
  • Sexual orientation
  • Criminal record
  • Trade union membership
  • Biometric data

2022-2024 Privacy Act Reforms

Australia significantly strengthened its privacy regime following major data breaches at Optus and Medibank. The reforms dramatically increased penalties and expanded enforcement powers.

Increased Maximum Penalties

  • Before 2022: $2.22 million maximum for serious or repeated breaches
  • After 2022: The greater of $50 million, three times the benefit obtained, or 30% of adjusted turnover

The Medibank breach affected 9.7 million Australians and led to these reforms. OAIC enforcement is expected to increase.

Key Australian Privacy Principles for Redaction

APP 6 — Use or Disclosure

Personal information collected for one purpose must not be used for another unless an exception applies. When sharing documents with third parties, redact personal information not relevant to the new purpose.

APP 11 — Security of Personal Information

Organisations must take reasonable steps to protect personal information. Redacting unnecessary personal data before sharing documents externally is a "reasonable step" under this principle.

APP 12 — Access to Personal Information

Individuals can request access to their data. You must provide their information while redacting other individuals' details — similar to GDPR DSARs and Canadian access requests.

OAIC Penalties (Post-2022 Amendments)

Bodies Corporate

A$50M per serious/repeated breach, or three times the benefit obtained, or 30% of adjusted turnover, whichever is greatest. A 23x increase from the prior A$2.2M cap.

Individuals

A$2.5M per serious/repeated breach. Directors and officers can be personally liable for failing to implement reasonable data protection measures.

Notifiable Data Breach (NDB) Scheme

Since February 2018, organisations must notify the OAIC and affected individuals of eligible data breaches.

Trigger

Unauthorised access to or disclosure of personal information where a reasonable person would conclude there is a likely risk of serious harm.

30-Day Window

Once aware of a suspected breach, you have 30 days to assess whether it is notifiable.

Prevention

Properly redacted documents may not constitute a notifiable breach — the redacted data cannot cause harm even if the document is compromised.

How SafeRedact Helps

AI Detection

Automatically identifies TFNs, Medicare numbers, addresses, and other personal information in your documents.

Permanent Removal

Data is permanently removed—not just covered. Meets APP 11.2 de-identification requirements.

Fast Processing

Meet 30-day access request deadlines with automated detection and batch processing.

Protect Personal Information. Meet APP Obligations.

AI-powered redaction for Australian Privacy Act compliance. Start free—no credit card required.
