University of Melbourne · S1 2026 · FACULTY OF LAW

LAWS70082 · Privacy Law

50% final exam · hurdle · 14 Chapters · 3-page Bible
Chapter 4 of 7 · LAWS70082

The Privacy Act

The Privacy Act 1988 (Cth) is the spine of Australian data protection and the black-letter engine of any take-home problem. It binds APP entities (Commonwealth agencies + private-sector organisations) to the 13 Australian Privacy Principles in Schedule 1; defines the gateway concepts personal information and sensitive information (s 6, with health information at s 6FA/6FB); is enforced by the OAIC through the “interference with privacy” gateway (s 13) and the serious/repeated civil-penalty trigger (s 13G); and sits inside a wider patchwork with State (Victorian PDP Act / IPPs, Health Records Act / HPPs), surveillance and consumer law. The drill for a problem is fixed: is the Act engaged? — is there personal (or sensitive/health) information, is the actor an APP entity, and does an exemption apply (small business s 6D, employee records / journalism s 7B, political s 7C)? Wrong section numbers or the wrong jurisdiction (Cth vs Vic) are fatal, so this chapter pins each provision to its jurisdiction. The leading definition case is Privacy Commissioner v Telstra (“about an individual”), and the Act is beneficial legislation construed liberally (Re McComb).

In this chapter

What this chapter covers

  • 01 Scope & objects: ICCPR Art 17; s 2; the balance the Act strikes
  • 02 Who is bound: APP entities = agencies + organisations (s 6C)
  • 03 Extra-territorial reach: the “Australian link” (s 5B)
  • 04 Personal vs sensitive vs health information (s 6, s 6FA/6FB)
  • 05 Privacy Commissioner v Telstra — “about an individual”
  • 06 The exemptions: small business (s 6D), employee records/journalism (s 7B), political (s 7C)
  • 07 The enforcement spine: s 13 interference; s 13G civil penalty
  • 08 The patchwork: Cth vs Vic (PDP Act / IPPs; Health Records Act / HPPs)

Worked example: is the Privacy Act engaged?

Q [5 marks]. A national retail chain (annual turnover A$40m) records customers’ loyalty-card purchase histories and links them to names and emails. A customer complains the data was shared with a marketing partner. Is the Privacy Act engaged, and on what gateway?
  • +1 Personal information? Purchase histories linked to names and emails are information ‘about’ identified individuals (s 6; Telstra) — yes.
  • +1 APP entity? The chain is an organisation under s 6C; with turnover A$40m it is not a small-business operator (s 6D threshold is A$3m), so no small-business exemption.
  • +1 Any other exemption? This is not employee records or journalism (s 7B) and not a political act (s 7C) — the Act applies in full.
  • +1 Jurisdiction: this is the Privacy Act 1988 (Cth) regime, not the Victorian PDP Act — mark it Cth.
  • +1 Gateway: a sharing in breach of an APP (e.g. APP 6) would be an interference with privacy under s 13, opening the OAIC enforcement route.
The Act is engaged: the loyalty data is personal information about identified individuals, the chain is an APP-entity organisation above the small-business threshold with no applicable exemption, the regime is the Privacy Act 1988 (Cth), and a non-compliant disclosure is an interference with privacy under s 13.
Glossary

Key terms

APP entity
Who the Act binds: a Commonwealth agency or a private-sector organisation (Privacy Act 1988 (Cth) s 6C). The gateway actor — if the actor is not an APP entity (or is exempt), the APPs do not bite.
Personal information
Information or an opinion about an identified, or reasonably identifiable, individual (s 6); it must be ‘about’ the individual (Privacy Commissioner v Telstra). The threshold concept for the whole regime.
Sensitive information
A protected sub-category (race, health, sexuality, biometrics, etc.; health at s 6FA) that attracts heightened collection and use rules under the APPs — flag it whenever it appears, because the bar is higher.
The small-business exemption
s 6D: an organisation with annual turnover ≤ A$3m is generally exempt from the Act — a controversial gap flagged as a live reform target. Always check the threshold before assuming the Act applies.
Interference with privacy (s 13)
The enforcement gateway: an act or practice that breaches an APP (or other specified obligation) is an ‘interference with the privacy’ of an individual, which is what the OAIC acts on; serious or repeated interferences trigger s 13G civil penalties.
FAQ

The Privacy Act FAQ

What is the very first thing to check in a Privacy Act problem?

The two gates: (1) is there personal information (s 6; Telstra — is it ‘about’ an individual?), and (2) is the actor an APP entity (s 6C) that is not exempt (s 6D small business; s 7B employee records / journalism; s 7C political)? If a gate fails, the APPs never apply — say so and stop.

Why does Cth vs Vic matter so much?

Because citing the wrong jurisdiction is treated as a fatal error. The Commonwealth Privacy Act 1988 and its APPs govern federal agencies and private organisations; Victoria has its own PDP Act 2014 (IPPs) and Health Records Act 2001 (HPPs) for Victorian public-sector and health data. Mark every provision ‘(Cth)’ or ‘(Vic)’.

Is the small-business exemption really that broad?

Yes — organisations under A$3m turnover (s 6D) are generally outside the Act, which is one of the most criticised gaps and a staple reform-paper target. In a problem, check turnover before assuming coverage; in an essay, the exemption is ready ammunition.

How does the Act get enforced?

Through s 13: a breach of an APP is an ‘interference with privacy’, which the OAIC can investigate and determine (Topic 6). Serious or repeated interferences (s 13G) expose the entity to civil penalties in the Federal Court — penalties materially raised by the 2022 Enforcement Act.

Study strategy

Exam move

Treat this chapter as the gatekeeper: every problem opens by asking ‘is the Act engaged?’, so drill the two gates (personal/sensitive information; APP entity not exempt) and the three exemptions (s 6D, s 7B, s 7C) until they are automatic. Keep a Cth-vs-Vic column in your head and mark every section with its jurisdiction — the wrong one is fatal. Memorise the anchor sections (s 6 definitions, s 6C entity, s 6D small business, s 13 interference, s 13G penalty) and the one definition case (Telstra). Once the Act is engaged you hand off to the APPs (Topic 5) and enforcement (Topic 6); the reform debate over the exemptions and definitions is prime research-paper material.
