AU Privacy Act
Australia's Privacy Act 1988 governs how Australian government agencies and private sector organizations handle personal information — and is undergoing its most significant reform in decades.
The Privacy Act 1988 is Australia's primary personal data protection legislation. It applies to Australian Government agencies and to private sector organizations with annual turnover exceeding AUD 3 million (certain categories of organization are covered regardless of turnover). The Act establishes thirteen Australian Privacy Principles (APPs) that govern the collection, use, disclosure, storage, and disposal of personal information. The Office of the Australian Information Commissioner (OAIC) is the national privacy regulator, with investigation, mediation, and enforcement powers.
The Privacy Act is undergoing significant reform following the 2022 review by the Attorney-General's Department. Proposed changes include: removing the small business exemption (extending the Act to most private sector organizations), creating a direct right of action for individuals (allowing individuals to sue organizations directly for serious privacy breaches without first going through the OAIC), introducing a statutory tort for serious invasions of privacy, and strengthening breach notification and enforcement powers. Organizations should architect for the reformed Privacy Act now, even before the legislation is finalized.
The Privacy Act's Notifiable Data Breaches (NDB) scheme requires organizations to notify the OAIC and affected individuals when a data breach is likely to result in serious harm. The notification must occur "as soon as practicable" after the organization becomes aware of the breach — and recent OAIC enforcement actions have made clear that delays in breach detection or assessment are themselves compliance failures. This creates engineering requirements around breach detection, automated assessment, and notification workflow capabilities.
We architect Australian Privacy Act compliance into systems serving Australian markets — implementing the thirteen APPs at the data architecture level, building Notifiable Data Breaches detection and notification workflows, designing for the proposed Privacy Act reforms so systems do not require architectural rework when the legislation passes, and satisfying the OAIC's increasingly assertive enforcement expectations.
Compliance-Native Architecture Guide
Design principles and a structured checklist for building software that is compliant by default — not compliant by retrofit. Covers data architecture, access controls, audit trails, and vendor due diligence.