Data Privacy Governance: ESG Obligations Under the Australian Privacy Act
Data privacy is increasingly recognised as a material ESG governance issue. Organisations collect personal information from customers, employees, and other individuals, creating responsibility to protect that information. Privacy breaches damage trust, expose individuals to harm, trigger regulatory enforcement, and create operational and reputational damage. For Australian businesses, data privacy governance is both a legal obligation and an ESG governance imperative.
This article explores privacy governance under the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), OAIC enforcement, and practical governance strategies. For broader governance context, see our article on ESG governance frameworks. For cybersecurity governance complementing privacy, see our article on cybersecurity governance and ESG risks.
The Privacy Act 1988 (Cth) and Australian Privacy Principles
Scope and Application
The Privacy Act applies to most private sector organisations (those with annual turnover exceeding AUD 3 million) and all Australian government agencies. The Act is enforced by the Office of the Australian Information Commissioner (OAIC).
Key amendments in recent years have expanded privacy expectations. The Privacy Act does not explicitly create rights to private information, but creates obligations for organisations to handle personal information responsibly.
The Australian Privacy Principles (APPs)
The Privacy Act establishes 13 Australian Privacy Principles governing how organisations manage personal information:
- APP 1: Open and transparent management of personal information (privacy policy requirements)
- APP 2: Collection of solicited personal information (limit collection to lawful and necessary purposes)
- APP 3: Collection of unsolicited personal information (determine whether information is held according to APPs)
- APP 4: Dealing with personal information (ensure information collected lawfully and for purpose disclosed)
- APP 5: Notification of collection of personal information (notify of collection, use, disclosure, access)
- APP 6: Use or disclosure of personal information (use for notified purposes, with limited exceptions)
- APP 7: Direct marketing (honour opt-out requests from direct marketing)
- APP 8: Credit eligibility information (specific obligations for credit information handling)
- APP 9: Government related identifiers (restrict use of tax file numbers, Medicare numbers)
- APP 10: Quality of personal information (ensure information is accurate, complete and up to date)
- APP 11: Security of personal information (take reasonable steps to protect information, destroy when no longer needed)
- APP 12: Access and correction of information (provide individuals access to information held, correct inaccurate information)
- APP 13: Complaints handling (have complaint procedures, respond to privacy complaints)
Organisations must comply with all APPs where applicable.
Privacy Governance Obligations
Privacy Policy (APP 1)
Organisations must have a clear privacy policy accessible to individuals. The policy must describe:
- Types of personal information collected and used
- Purposes of collection and use
- How to access personal information
- How to make complaints
- Whether information is disclosed to overseas recipients (and countries)
- How the organisation manages personal information security
- How the organisation handles sensitive information (health, biometric)
Privacy policies should be written in clear language accessible to individuals.
Consent and Legitimate Purpose (APP 2, 4, 6)
Organisations should:
- Collect personal information only for lawful and necessary purposes
- Inform individuals of purposes at collection
- Obtain consent where required (particularly for sensitive information)
- Use information only for disclosed purposes (or related purposes closely connected to the original purpose)
- Not disclose information to third parties without consent (unless exception applies)
Information Security (APP 11)
Organisations must take reasonable steps to protect personal information from:
- Unauthorised access, use, disclosure
- Loss, theft, destruction
- Misuse by employees or third parties
Reasonable security steps may include:
- Encryption of personal information in transit and at rest
- Access controls limiting who can access information
- Employee training on privacy and information handling
- Incident response plans for privacy breaches
- Regular security audits and vulnerability assessments
- Vendor management ensuring service providers implement adequate security
Mandatory Data Breach Notification (Notifiable Data Breaches Scheme)
From February 2018, organisations must notify affected individuals and the OAIC if there is an eligible data breach—unauthorised access or disclosure of personal information likely to result in serious harm. Notification must:
- Occur as soon as practicable (typically within 30 days)
- Include identity of organisation, description of breach, type of information involved, likely consequences, steps individuals can take
- Include contact details for making complaints
Organisations should have breach response procedures enabling prompt notification.
Individual Rights: Access and Correction (APP 12)
Individuals have the right to access personal information held about them and to request correction of inaccurate information. Organisations must:
- Provide access within 30 days (extendable to 60 days for complex requests)
- Charge only reasonable costs for access
- Correct inaccurate information within reasonable timeframe
OAIC Enforcement and Privacy Commissioner Role
OAIC Investigation Powers
The Office of the Australian Information Commissioner has authority to investigate privacy complaints and conduct compliance assessments. OAIC can:
- Investigate individual complaints about APP breaches
- Conduct voluntary compliance assessments
- Issue compliance notices requiring corrective action
- Conduct systemic reviews of privacy practices in sectors
- Report publicly on investigation findings
Compliance Notices
If OAIC finds an APP breach, it can issue compliance notices requiring organisations to:
- Stop engaging in conduct that breaches APPs
- Implement specified practices ensuring future compliance
- Report to OAIC on implementation of corrective actions
Failure to comply with compliance notices can result in court proceedings and civil penalties of up to AUD 2.1 million (or higher where the penalty is calculated as a percentage of turnover).
Enforcement Trends
OAIC enforcement has focused increasingly on:
- Data breach responses and notification compliance
- Adequacy of privacy and security systems
- Information security vulnerabilities
- Third-party data handling and vendor management
- Overseas disclosure of personal information
- Biometric and health information handling
Privacy Governance Framework Implementation
1. Privacy Impact Assessments
Organisations should conduct Privacy Impact Assessments (PIAs) for new projects, systems, or activities involving personal information. PIAs should assess:
- What personal information will be collected
- For what purposes
- Who will have access
- Security and retention arrangements
- Privacy risks and mitigation strategies
- APP compliance implications
PIAs identify privacy risks early, enabling design of systems with privacy protections built in.
2. Privacy Policies and Procedures
Organisations should document privacy policies and procedures addressing:
- Collection, use, disclosure, security, retention of personal information
- Individual rights and access/correction procedures
- Breach notification procedures
- Overseas disclosure requirements and safeguards
- Employee roles and responsibilities for privacy
- Vendor management and third-party information handling
- Complaints handling procedures
3. Privacy Training and Awareness
Organisations should provide mandatory privacy training to employees, particularly those accessing personal information. Training should cover:
- Importance of privacy and APPs
- Employee roles and responsibilities
- Handling of personal information securely
- Breach response procedures
- Individual rights and how to respond to access requests
4. Privacy by Design
Organisations should implement privacy by design—integrating privacy protections into systems and processes from inception. This includes:
- Minimising personal information collection (collect only necessary information)
- Limiting access to information (role-based access controls)
- Encrypting sensitive information
- Automated privacy controls in systems
- Regular security testing and vulnerability assessment
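The controls listed above (data minimisation, role-based access, separation of sensitive information, and destruction when no longer needed) can be enforced in code rather than left to policy documents. The following is an added example written for this article; it is not code from the original page or from any product the page describes. The purposes, roles, retention periods and records are constructed sample values, and keyed HMAC pseudonymisation stands in for whatever de-identification method an organisation actually adopts; at-rest encryption of the stored records is assumed to be handled by the storage layer and is not shown.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Declared collection purposes: the fields each purpose may collect and how long
# records are retained. Constructed example values, not figures from the Privacy Act.
PURPOSES = {
    "order_fulfilment": {
        "allowed_fields": {"name", "email", "postal_address", "postcode"},
        "retention_days": 365,
    },
    "health_program": {
        "allowed_fields": {"name", "email", "health_condition"},
        "retention_days": 730,
    },
}

# Sensitive information (health data) and direct identifiers get special handling.
SENSITIVE_FIELDS = {"health_condition"}
DIRECT_IDENTIFIERS = {"name", "email", "postal_address"}

# Role-based access: the fields each role may read. Constructed example roles.
ROLE_FIELD_ACCESS = {
    "warehouse": {"name", "postal_address"},
    "clinician": {"name", "email", "health_condition"},
    "analyst": set(),  # analysts only ever receive the pseudonymised view
}


class CollectionError(ValueError):
    """Raised when a field outside the declared purpose is supplied (minimisation)."""


class PersonalRecordStore:
    """In-memory store that enforces minimisation, RBAC, pseudonymisation and retention."""

    def __init__(self, pseudonym_key: bytes):
        self._records = {}       # record_id -> {"purpose", "collected_at", "data"}
        self._key = pseudonym_key
        self.audit_log = []      # (actor_role, record_id, fields_returned)

    def collect(self, record_id, purpose, data, collected_at):
        # Reject any field the declared purpose does not need (APP 11 / privacy by design).
        extra = set(data) - PURPOSES[purpose]["allowed_fields"]
        if extra:
            raise CollectionError(f"fields not needed for {purpose}: {sorted(extra)}")
        self._records[record_id] = {
            "purpose": purpose, "collected_at": collected_at, "data": dict(data),
        }

    def read(self, actor_role, record_id):
        # Return only the fields the caller's role is permitted to see, and audit the access.
        permitted = ROLE_FIELD_ACCESS[actor_role]
        data = self._records[record_id]["data"]
        view = {k: v for k, v in data.items() if k in permitted}
        self.audit_log.append((actor_role, record_id, tuple(sorted(view))))
        return view

    def pseudonymised_view(self, record_id):
        # Analytics view: direct identifiers replaced by a keyed pseudonym (stable across
        # records, so linking is possible without the identifier), sensitive fields dropped.
        out = {}
        for k, v in self._records[record_id]["data"].items():
            if k in DIRECT_IDENTIFIERS:
                out[k] = hmac.new(self._key, v.encode(), hashlib.sha256).hexdigest()[:16]
            elif k in SENSITIVE_FIELDS:
                continue
            else:
                out[k] = v
        return out

    def records_due_for_destruction(self, now):
        # Records past the retention period for their purpose must be destroyed.
        due = []
        for rid, rec in self._records.items():
            keep = timedelta(days=PURPOSES[rec["purpose"]]["retention_days"])
            if rec["collected_at"] + keep <= now:
                due.append(rid)
        return sorted(due)

    def destroy(self, record_id):
        del self._records[record_id]

    def count(self):
        return len(self._records)


if __name__ == "__main__":
    store = PersonalRecordStore(b"constructed-demo-key")
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store.collect("r1", "order_fulfilment",
                  {"name": "Ada", "email": "ada@example.com", "postcode": "3000"}, t0)
    print(store.read("warehouse", "r1"))
    print(store.pseudonymised_view("r1"))
    print(store.records_due_for_destruction(t0 + timedelta(days=365)))
```

The point of the structure is that each control is checked at the boundary where the data moves: collection rejects fields the purpose does not justify, reads are filtered per role and logged, the analytics path never sees raw identifiers or health data, and the retention sweep is a query the organisation can run on a schedule rather than a manual review.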
5. Breach Response Procedures
Organisations should have documented breach response procedures enabling:
- Prompt breach detection and assessment
- Containment of breach (stop unauthorised access)
- Investigation of breach (what happened, who was affected, why)
- Notification decisions (is notification required under notifiable breaches scheme?)
- Notification to affected individuals and OAIC
- Post-breach improvements to prevent recurrence
Privacy and Cybersecurity Integration
Privacy governance and cybersecurity governance are complementary. Strong cybersecurity protects personal information (supporting APP 11 obligations). Privacy governance informs cybersecurity priorities—protecting sensitive personal information requires higher security levels.
Key Takeaways
The Privacy Act establishes Australian Privacy Principles governing how organisations handle personal information. APP 1 requires privacy policies; APPs 2-6 govern collection and use; APP 11 requires security; APP 12 provides individual access rights; APP 13 requires complaints handling. The Notifiable Data Breaches Scheme requires prompt breach notification. OAIC enforces privacy compliance through complaints investigation and compliance notices. Organisations should implement privacy governance frameworks including impact assessments, policies, training, privacy by design, and breach response procedures.
Frequently Asked Questions
When is consent required for collection of personal information?
Consent is generally required for collection of sensitive information (health, biometric, racial/ethnic origin, political views, union membership, criminal record). For other personal information, consent is required unless collection is for a legitimate purpose and obtaining consent was impractical or not reasonably expected.
How long should organisations retain personal information?
The Privacy Act does not specify retention periods. APP 11 requires destroying information no longer needed. Organisations should establish retention schedules considering business needs, legal requirements, and privacy principles.
What are overseas disclosure requirements?
If organisations disclose personal information to overseas recipients, APP 1 requires disclosure to individuals that this may occur. Organisations must take reasonable steps to ensure overseas recipients comply with APPs (or equivalent privacy laws). OAIC has found organisations liable for overseas recipient breaches where inadequate safeguards were in place.
What should organisations do if they suffer a data breach?
Organisations should investigate the breach, assess whether notification is required under the Notifiable Data Breaches Scheme (information accessed or disclosed without authorisation, with likely serious harm), notify affected individuals if required, notify the OAIC, and implement remedial measures to prevent recurrence.
How can organisations ensure third-party vendors comply with privacy?
Organisations should conduct due diligence on vendors, include privacy and security requirements in contracts, audit vendor compliance, restrict vendor use of information, and ensure vendors have appropriate insurance and incident response procedures.
What penalties apply for privacy breaches?
Civil penalties up to AUD 2.1 million can be imposed. OAIC can issue compliance notices. Organisations may also face costs of breach notification, remediation, and civil claims from affected individuals.
Strengthen Your Privacy Governance and Compliance
Data privacy is increasingly important to ESG governance and regulatory compliance. OAIC enforcement has intensified, particularly regarding data breaches and inadequate security. Many Australian organisations lack comprehensive privacy governance frameworks meeting Australian Privacy Principles requirements. Our privacy and governance specialists work with boards and management to assess privacy compliance, identify governance gaps, and implement frameworks meeting Privacy Act obligations and ESG best practice.
Book a Free ESG Strategy Session to evaluate your current privacy governance and compliance framework, assess Privacy Act risks, and develop a roadmap for enhanced privacy governance supporting regulatory compliance and ESG credibility.