AU: Privacy Act 1988

| Field | Value |
|---|---|
| Regulator | APRA |
| Jurisdiction | AU |
| Status | live |
| Applicability | Platform |

The Privacy Act 1988 and the 13 Australian Privacy Principles (APPs) govern how APP entities —
including banks — collect, use, disclose, and store personal information. The Act has been amended
significantly over time, most recently by the Privacy and Other Legislation Amendment Act 2024, which
implements priority recommendations from the 2022 Privacy Act Review. The Notifiable Data Breaches
(NDB) scheme (Part IIIC) requires entities to notify the Office of the Australian Information
Commissioner (OAIC) and affected individuals of eligible data breaches.
The APPs address the full information lifecycle: open and transparent management of information
(APP1), anonymity and pseudonymity (APP2), collection of solicited personal information (APP3),
dealing with unsolicited personal information (APP4), notification of collection (APP5), use and
disclosure (APP6), direct marketing (APP7), cross-border disclosure (APP8), adoption and disclosure
of government related identifiers (APP9), quality (APP10), security (APP11), access (APP12), and
correction (APP13). Data subject access requests must be fulfilled within 30 days.
Compliance register
This register maps every material obligation under the Act to the platform control or institutional
process that satisfies it. It is the static traceability layer for the Totara compliance report —
dynamic data (module build status, test evidence, control test dates) is overlaid at runtime.
Scope legend

| Symbol | Meaning |
|---|---|
| 🤖 Automated | Platform enforces or performs the obligation. Primary control mode is GATE, AUTO, CALC, or ALERT. Human action is not required in the normal case. |
| 📊 Evidenced | Platform captures the evidence trail automatically. Human compliance decision sits on top. Primary control mode is LOG. |
| 🏛 Institutional | Obligation is met by a process entirely outside the platform — training programmes, board governance, HR, legal. Platform may generate evidence inputs but does not own the process. |
| N/A | Obligation does not apply to this deployment configuration. |

Build legend

| Symbol | Meaning |
|---|---|
| ✅ | Module built and deployed |
| 🔨 | Module planned — not yet built (build_status: Not started) |
| ❌ | Uncontrolled gap — no module attributed |

APP1–5 — Collection and transparency

| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| APP1 | Have a clearly expressed, up-to-date Privacy Policy that is freely available | 🏛 Institutional | PRI-001 | Privacy Policy is a public-facing legal document maintained by the Privacy Officer; platform surfaces it at onboarding and in-app settings | — |
| APP3 | Collect personal information only where reasonably necessary for one or more of the entity's functions | 🤖 Automated | PRI-001, DT-004 | MOD-052 (AUTO) — role-scoped data access enforces minimum necessary at the API; collection scope validated against data register | 🔨 |
| APP4 | If unsolicited personal information is received and could not have been collected under APP3, it must be destroyed or de-identified | 🏛 Institutional | PRI-003 | Unsolicited information handling is an institutional process governed by the Privacy Officer; platform retention schedules support destruction | — |
| APP5 | Notify individuals at or before collection of the purposes for which information is collected | 🤖 Automated | PRI-001 | MOD-072 (AUTO) — privacy notice presented at onboarding and at each subsequent data collection point; acknowledgement recorded against the customer record | 🔨 |

APP6–7 — Use, disclosure, and direct marketing

| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| APP6 | Use or disclose personal information only for the primary purpose of collection, a directly related secondary purpose, or with consent | 🤖 Automated | PRI-001, DT-004 | MOD-052 (AUTO) — purpose is tied to role and enforced at API layer; no bulk disclosure pathway without a defined data sharing control | 🔨 |
| APP7 | Do not use or disclose sensitive information for direct marketing; provide a simple opt-out mechanism for other direct marketing | 🤖 Automated | PRI-001 | MOD-072 (AUTO) — customer marketing consent preferences stored and enforced; opt-out applied immediately to all outbound channels via notification orchestration | 🔨 |

APP8 — Cross-border disclosure

| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| APP8 | Before disclosing personal information to an overseas recipient, take reasonable steps to ensure the recipient will handle it consistently with the APPs | 🏛 Institutional | PRI-001 | Cloud provider data processing agreements and cross-border transfer assessments are institutional (Legal / Privacy Officer); platform data residency is enforced by MOD-103 (AWS region configuration) | — |

APP10–11 — Quality and security

| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| APP10 | Take reasonable steps to ensure personal information is accurate, up-to-date, and complete before use or disclosure | 🤖 Automated | PRI-003 | MOD-010 (AUTO) — CDD periodic review updates customer records; MOD-072 (AUTO) — customer-initiated corrections update the authoritative record in real time | 🔨 |
| APP11 | Take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure | 🤖 Automated | PRI-001, DT-004 | MOD-046 (GATE) — no standing production access; every session approved, time-limited, and logged; MOD-052 (AUTO) — role-scoped access; MOD-044 (GATE) — JWT RBAC at API gateway; MOD-104 (GATE) — encryption at rest via KMS | 🔨 |
| APP11(2) | Destroy or de-identify personal information when no longer needed for any purpose | 🤖 Automated | PRI-003 | MOD-103 (AUTO) — retention schedules configured at database bootstrap; automated expiry and deletion enforced against the schedule | 🔨 |

APP12–13 — Access and correction

| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| APP12 / S.26W | Give access to personal information held on request; respond within 30 days | 🤖 Automated | PRI-006 | MOD-148 (AUTO) — DSAR workflow receives, triages, and fulfils access requests; 30-day SLA enforced with automated escalation if at risk; MOD-071 (AUTO) — customer self-service access to transaction history and statements in-app | 🔨 |
| APP13 | Take reasonable steps to correct personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading | 🤖 Automated | PRI-006 | MOD-072 (AUTO) — self-service correction of contact and preference data; regulated identity field corrections trigger re-verification via MOD-010; MOD-148 (AUTO) — formal correction requests handled via DSAR workflow | 🔨 |

Notifiable Data Breaches (Part IIIC)

| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| S.26WK | Notify OAIC and affected individuals if an eligible data breach occurs (likely serious harm test) | 🤖 Automated | PRI-002 | MOD-150 (AUTO) — security anomalies are auto-classified as potential eligible breaches; notification timer starts automatically on detection; regulator API submission automated where available | 🔨 |
| S.26WK(2) | Notify as soon as practicable and within 30 days of becoming aware | 🤖 Automated | PRI-002 | MOD-150 (AUTO) — breach response SLA (30 days for NDB, 72-hour OPC guidance for serious cases) monitored automatically; breach severity classification gates the notification pathway | 🔨 |

Privacy Impact Assessments

| Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|
| Conduct PIAs for new processing activities with significant privacy implications (recommended by OAIC; best practice for regulated entities) | 🏛 Institutional | PRI-005 | PIA process owned by the Privacy Officer; platform design artefacts provide the technical input; the PIA itself is institutional | — |

| Obligation | Owner | Platform evidence input |
|---|---|---|
| Maintain and publish an up-to-date Privacy Policy | Privacy Officer | — |
| Designation of privacy lead | Board / CEO | Institutional HR record |
| Privacy training programme | Privacy Officer / Chief People Officer | Access acknowledgement logs |
| Response to OAIC investigations and determinations | Privacy Officer / Legal | MOD-148 provides audit evidence extracts |
| Assessment of cross-border data sharing arrangements | Privacy Officer / Legal | Data residency configuration in MOD-103 |

Coverage summary

| Area | Total obligations | Platform automated 🤖 | Platform evidenced 📊 | Institutional 🏛 | N/A |
|---|---|---|---|---|---|
| Collection and transparency (APP1–5) | 4 | 2 | 0 | 2 | 0 |
| Use, disclosure, direct marketing (APP6–7) | 2 | 2 | 0 | 0 | 0 |
| Cross-border disclosure (APP8) | 1 | 0 | 0 | 1 | 0 |
| Quality and security (APP10–11) | 3 | 3 | 0 | 0 | 0 |
| Access and correction (APP12–13) | 2 | 2 | 0 | 0 | 0 |
| Notifiable Data Breaches | 2 | 2 | 0 | 0 | 0 |
| Privacy Impact Assessments | 1 | 0 | 0 | 1 | 0 |
| Total | 15 | 11 (73%) | 0 | 4 (27%) | 0 |

All attributed modules are currently build_status: Not started — the compliance position will
update as modules are built and deployed.
| Policy | Title |
|---|---|
| PRI-001 | Privacy Policy |
| PRI-002 | Data Breach Response Policy |
| PRI-003 | Personal Information Retention & Destruction Policy |
| PRI-005 | Privacy Impact Assessment Policy |
| PRI-006 | Customer Data Access & Correction Policy |
| DT-004 | Data Governance Policy |
| DT-009 | AI & Algorithm Policy |
| REP-010 | Credit Reporting & Bureau Submission |

Official documentation
Policies referencing this standard
- DT-004 — Data Governance Policy
- DT-009 — AI & Algorithm Policy
- PRI-001 — Privacy Policy
- PRI-002 — Data Breach Response Policy
- PRI-003 — Personal Information Retention & Destruction Policy
- PRI-005 — Privacy Impact Assessment Policy
- PRI-006 — Customer Data Access & Correction Policy
- REP-010 — Credit Reporting & Bureau Submission
Compiled 2026-05-22 from source/entities/regulations/au-privacy-act.yaml