Data Retention Policy (Australia)

Create a comprehensive Australian Data Retention Policy that complies with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), the Telecommunications (Interception and Access) Act 1979 (Cth), the Corporations Act 2001 (Cth), and the Fair Work Act 2009 (Cth). Covers data categories, retention schedules for employee records, financial records, customer records, communications, and contracts, approved destruction and de-identification methods, breach notification obligations under the Notifiable Data Breaches scheme, and accountability procedures. Suitable for businesses, charities, government contractors, and any organisation that holds personal information about customers, employees, or other individuals in Australia.

What Is a Data Retention Policy (Australia)?

An Australian Data Retention Policy is an internal governance document that specifies how an organisation collects, stores, retains, and ultimately destroys or de-identifies personal information and business records. It is not merely a best-practice document — for organisations covered by the Privacy Act 1988 (Cth), a data retention policy is a practical compliance requirement that directly implements the obligations in Australian Privacy Principle 11 (APP 11) relating to the security and destruction of personal information.

The Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs) apply to Australian Government agencies, private sector organisations with an annual turnover of more than $3 million, all health service providers, credit reporting bodies, and certain other entities. APP 11.1 requires these organisations to take active measures to protect personal information from misuse, interference, loss, and unauthorised access. APP 11.2 goes further, requiring organisations to take reasonable steps to destroy or permanently de-identify personal information that is no longer needed for any purpose for which it may lawfully be used, and that is not required to be retained by law.

The Notifiable Data Breaches (NDB) scheme, established under Part IIIC of the Privacy Act, requires APP entities to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of an eligible data breach — one likely to result in serious harm — within 30 days. A sound data retention policy directly reduces the organisation's risk under the NDB scheme by ensuring personal information is destroyed when no longer required, minimising the number of individuals who could be affected by a breach.

Australian law also imposes specific statutory minimum retention periods for many categories of records. The Corporations Act 2001 (Cth) requires companies to retain financial records for at least seven years. The Fair Work Act 2009 (Cth) requires employers to retain employee and payroll records for seven years. The Tax Administration Act 1953 (Cth) requires tax records to be kept for five years. The Telecommunications (Interception and Access) Act 1979 (Cth) requires carriers and internet service providers to retain certain telecommunications metadata for two years. A data retention policy must reconcile these mandatory minimum retention periods with the APP 11.2 obligation to destroy personal information when no longer needed.

The Privacy Act reforms currently before the Australian Parliament — implementing recommendations of the 2022 Privacy Act Review — are expected to introduce significant changes, including removal of the small business exemption, enhanced individual rights, a direct right of action, and mandatory privacy impact assessments for high-risk activities. Organisations that establish robust data retention policies now will be better positioned to comply with these reforms when they take effect.

When Do You Need a Data Retention Policy (Australia)?

Every organisation that holds personal information about customers, employees, or other individuals in Australia should have a written Data Retention Policy. The policy is particularly critical in the following circumstances.

Any organisation covered by the Privacy Act 1988 (Cth) — including businesses with a turnover exceeding $3 million, all health service providers, and any organisation contracted to the Australian Government — is legally required by APP 11 to take reasonable steps to destroy or de-identify personal information when it is no longer needed. A documented retention policy is strong evidence that the organisation has taken such steps. Without a policy, an organisation may retain personal information indefinitely, which increases both the risk of a data breach and regulatory exposure to the OAIC.

Businesses that handle sensitive personal information — such as health records, financial information, government identifiers, or information about children — face heightened obligations because a breach involving sensitive information is more likely to cause serious harm and therefore more likely to trigger notification obligations under the NDB scheme. A rigorous data retention policy that limits retention to what is strictly necessary directly reduces the scope of exposure.

Employers should adopt a data retention policy to manage employee records in accordance with the Fair Work Act 2009 (Cth), the Privacy Act 1988 (Cth), and state long service leave legislation. Employee records — which typically include payslips, leave records, performance reviews, and disciplinary records — must be retained for seven years under the Fair Work Act, but should generally be destroyed promptly after that period to comply with APP 11.2 and to limit the organisation's liability in the event of a breach.

Companies that engage third-party cloud providers, software-as-a-service (SaaS) platforms, or other data processors must ensure those processors handle and destroy personal information in accordance with the organisation's data retention policy. Under APP 8, an organisation that discloses personal information to an overseas recipient remains accountable for that recipient's compliance with the APPs. Including data retention and destruction requirements in contracts with third-party processors is essential.

Government contractors and entities bidding for government work at federal, state, or territory level must comply with the Privacy Act regardless of their turnover. The Australian Government's procurement guidelines increasingly require suppliers to demonstrate privacy and data governance frameworks, including documented retention policies, as a condition of contract.

What to Include in Your Data Retention Policy (Australia)

A comprehensive Australian Data Retention Policy should include the following key elements to achieve effective legal compliance and operational clarity.

Purpose and Scope — Clearly identify the organisation's name, ABN, and the categories of personal information and business records covered by the policy. The policy should apply to all employees, contractors, and third parties who handle personal information on behalf of the organisation, whether in digital or physical form.

Legal Framework — Reference the specific legislative obligations that underpin the policy, including the Privacy Act 1988 (Cth), the APPs, the Notifiable Data Breaches scheme (Part IIIC), the Corporations Act 2001 (Cth), the Fair Work Act 2009 (Cth), the Tax Administration Act 1953 (Cth), and the Telecommunications (Interception and Access) Act 1979 (Cth). This demonstrates that the retention periods specified in the policy are grounded in law, not arbitrary choices.

Retention Schedule — Specify minimum retention periods for each category of records, aligned with the applicable mandatory minimum periods. The schedule should address employee records (7 years under the Fair Work Act), financial records (7 years under the Corporations Act), tax records (5 years), telecommunications metadata (2 years), contracts (6 years from expiry for simple contracts, 12 years for deeds), and customer and marketing data (as long as commercially necessary and proportionate, then destroy).

Retention Exceptions — Document the circumstances in which personal information must not be destroyed notwithstanding the retention schedule. These include records subject to a legal hold (pending or anticipated litigation, regulatory investigation, or subpoena), records subject to an outstanding access request under the Privacy Act, and records whose retention is required by law or court order.

Approved Destruction and De-identification Methods — Specify the methods that may be used to destroy or de-identify records, with reference to the OAIC's APP guidelines and the ACSC's advice on secure data destruction. For digital records, specify secure overwriting, degaussing, or physical destruction. For paper records, specify cross-cut shredding or incineration by a certified destruction service. The policy should require a destruction log to be maintained.

Notifiable Data Breaches Response — Reference the organisation's data breach response plan and the obligation under Part IIIC of the Privacy Act to notify the OAIC and affected individuals within 30 days of an eligible data breach. Provide the privacy officer's contact details for reporting suspected breaches.

Accountability and Review — Designate a Privacy Officer responsible for administering the policy, maintaining the retention schedule, overseeing destruction activities, and reporting to senior management. Specify a review date (at minimum annually) and commit to updating the policy to reflect changes in law, technology, or business operations.

Related Documents

You may also find these documents useful:

Privacy Policy (Australia)

Create a compliant Australian Privacy Policy for your business or website. Our template is drafted in accordance with the Privacy Act 1988 (Cth) and covers all 13 Australian Privacy Principles (APPs), including APP 1 (open management), APP 5 (notification), APP 6 (use and disclosure), APP 7 (direct marketing), APP 8 (cross-border disclosure), APP 11 (security), APP 12 (access), and APP 13 (correction). Includes the Notifiable Data Breaches scheme, OAIC complaint process, and the $3 million turnover threshold explanation.

Data Processing Agreement (Australia)

As Australian businesses increasingly outsource data-intensive functions to third-party service providers — cloud platforms, payroll processors, CRM vendors, IT support companies, and analytics firms — the need for a formal Data Processing Agreement (DPA) has become critical. An Australian Data Processing Agreement is a contract that governs how a service provider (the Processor) handles personal information on behalf of an APP entity (the organisation responsible for that information), ensuring compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

Australia does not have a regulation precisely equivalent to the European Union's GDPR Article 28, which mandates a written data processing agreement between controllers and processors. However, the Privacy Act 1988 (Cth) imposes obligations on APP entities that effectively require them to ensure service providers handling personal information on their behalf are contractually bound to appropriate privacy standards. Australian Privacy Principle 11 requires APP entities to take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. APP 2.1 provides that an individual must have the option of not identifying themselves or of using a pseudonym where lawful and practicable. The OAIC's Guide to Securing Personal Information identifies contractual arrangements with third parties as a key technical and organisational measure that APP entities should implement.

The Notifiable Data Breaches (NDB) scheme, introduced by the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) and now in Part IIIC of the Privacy Act 1988 (Cth), requires APP entities to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals when an Eligible Data Breach occurs — that is, a breach likely to result in serious harm to one or more individuals. Where personal information is held by a service provider on behalf of an APP entity, the service provider may discover the breach first. A DPA should establish clear contractual obligations on the service provider to notify the APP entity promptly (the DPA should specify a timeframe shorter than the OAIC notification deadline) so the APP entity can assess whether the breach is notifiable and take required action.

Cross-border disclosure of personal information is governed by Australian Privacy Principle 8. Before disclosing personal information to an overseas recipient, an APP entity must take reasonable steps to ensure the overseas recipient will handle the information in a manner consistent with the APPs. This is a particularly important consideration for Australian businesses using US-based cloud services (such as AWS, Azure, Google Cloud, or Salesforce), as the United States does not have a national privacy law equivalent to the APPs. A DPA should address whether the Processor may transfer or disclose personal information to overseas sub-processors and what safeguards must be in place. Under APP 8.2(b), an alternative is for the individual to consent to the overseas disclosure, but this is not always practicable.

The Privacy Act 1988 (Cth) distinguishes between 'personal information' (broadly defined in s 6(1) as information or an opinion about an identified individual or an individual who is reasonably identifiable) and 'sensitive information' (a subset defined in s 6(1) to include health information, biometric information, genetic information, information about racial or ethnic origin, criminal records, religious beliefs, and other specified categories). Sensitive information attracts heightened protection under the APPs, particularly APP 3 (which requires consent for collection in most circumstances) and APP 6 (which restricts secondary use and disclosure). Where a Processor will handle sensitive information, the DPA should expressly acknowledge this and require enhanced security measures.

The Australian Government released a revised Privacy Act Review Report in 2023, recommending significant reforms to the Privacy Act 1988 (Cth), including the introduction of a statutory tort of serious invasion of privacy, enhanced individual rights, and stronger enforcement powers for the OAIC. Businesses should monitor developments in Australian privacy law, as some of the recommended reforms may require updates to existing DPAs when legislation is enacted.

Best practice for an Australian DPA — informed by the OAIC's guidance and aligned with international standards — includes: documented handling instructions from the APP entity to the Processor; restrictions on using personal information for the Processor's own purposes; security obligations aligned with APP 11 and the OAIC's Guide to Securing Personal Information; sub-processor controls; cross-border disclosure restrictions consistent with APP 8; breach notification obligations that dovetail with the NDB scheme; access and correction assistance for APPs 12 and 13; data destruction or de-identification obligations under APP 11.2 on termination; and audit rights for the APP entity.

This Australian Data Processing Agreement template addresses all of these requirements. It uses Australian legal terminology (APP Entity rather than Controller, personal information rather than personal data, OAIC rather than ICO), references to the Privacy Act 1988 (Cth) and APPs, the NDB scheme under Part IIIC, and Australian business conventions including ABN identification and AUD pricing.

Non-Disclosure Agreement (NDA) (Australia)

Protect your confidential business information under Australian common law with a legally sound Non-Disclosure Agreement (NDA). Whether you are sharing trade secrets with a prospective partner, disclosing proprietary technology to a developer, or presenting financial projections to a potential investor, a properly drafted Australian NDA keeps your sensitive information under strict legal protection. Our template complies with Australian contract law principles and includes provisions addressing the Privacy Act 1988 (Cth) and the Australian Privacy Principles.