Australia Rights Guide

Your Data Privacy Rights in Australia — Privacy Act 1988

The Privacy Act 1988 gives you the right to access, correct, and complain about misuse of your personal data. File complaints with the OAIC — free.

Direct Answer
The Privacy Act 1988 and its 13 Australian Privacy Principles (APPs) give every person the right to access personal data held about them by government agencies and large businesses, to have inaccurate data corrected, and to complain about misuse. File complaints with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au — free.

Your Legal Foundation

Privacy Act 1988 (Cth)
“An APP entity must, on request, give an individual access to the personal information it holds about the individual.”
Privacy Act 1988 (Cth)
“An APP entity must take reasonable steps to correct personal information it holds about an individual that is inaccurate, out of date, incomplete, irrelevant, or misleading.”
Privacy Act 1988 (Cth)
“An individual may complain to the Commissioner about an act or practice that may be an interference with the privacy of the individual.”

Step-by-Step Guide

Exact Words to Use

“Under APP 12 of the Privacy Act 1988, I am requesting access to all personal information you hold about me. Please provide this within 30 days.”
Tone: Written — to any organisation covered by the Privacy Act

Frequently Asked Questions

Does the Privacy Act cover small businesses?
Generally no — the federal Privacy Act applies to businesses with annual turnover over $3 million, and to health service providers regardless of size. Small businesses under $3 million may not be covered federally, but state privacy laws may still apply, especially for health records.
I received spam from a company that bought my data — what can I do?
File a complaint with the OAIC for the data sale, and a spam complaint with the Australian Communications and Media Authority (ACMA) at acma.gov.au. Sending commercial electronic messages without consent violates the Spam Act 2003.
A data breach exposed my information — what must the organisation do?
Under the Notifiable Data Breaches scheme, organisations must notify the OAIC and affected individuals of a breach likely to result in serious harm within 30 days of becoming aware. If they fail to notify you, report to the OAIC.
Can I request deletion of my data?
Unlike GDPR, Australian law does not have an explicit "right to erasure." However, you can request correction of inaccurate data, and organisations must destroy or de-identify data they no longer need. Privacy Act reform proposals may add a deletion right — check oaic.gov.au for updates.

Resources & Helplines
