Privacy Act Compliance (Australia)
Configure your forms for the Australian Privacy Act and Australian Privacy Principles.
What is the Privacy Act?
The Privacy Act 1988 (Cth) is Australia's primary federal privacy law. It has been amended numerous times since its introduction, most significantly by the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, which dramatically increased penalties and expanded enforcement powers. Its operative standards are the 13 Australian Privacy Principles (APPs), contained in Schedule 1 of the Act, which set out how personal information must be collected, used, disclosed, secured and eventually destroyed.
The Office of the Australian Information Commissioner (OAIC) is the independent regulator responsible for enforcing the Privacy Act and investigating complaints.
The Privacy Act applies to:
- Australian Government agencies — all federal agencies are covered regardless of size.
- Organizations with annual turnover exceeding AUD 3 million — most medium and large businesses.
- Certain smaller organizations — even those under the AUD 3 million threshold are covered if they provide a health service and hold health information, trade in personal information (buy or sell it), are a contracted service provider for a Commonwealth contract, or operate a residential tenancy database.
If your organization falls outside these categories (a small business under AUD 3 million with no special data handling), you are technically exempt. However, the Australian Government has signaled its intention to remove the small business exemption in future reforms. Implementing privacy-compliant practices now is a practical safeguard.
Lighter consent model
The Privacy Act takes a fundamentally different approach to consent from the GDPR or the DPDPA. For non-sensitive personal information, which covers the data typically collected via contact forms (name, email address, phone number, message content), consent is not a precondition of collection at all. APP 3 requires only that the collection be reasonably necessary for your functions or activities and be carried out by lawful and fair means.
Where consent is relevant (for example, to justify a use the person would not otherwise expect), the Act accepts implied as well as express consent. When a person fills in and submits a web form, they are taken to consent to their information being collected and used for the purpose that is apparent from the context. A contact form on a business website implies that the data will be used to respond to the inquiry.
This means you do not need a mandatory consent checkbox for a standard contact form under the Privacy Act. Submitting the form is sufficient for non-sensitive data.
However, there are two important caveats:
- APP 5 notice requirement — even though explicit consent is not needed, you must still take reasonable steps to notify people at or before the time of collection of who you are, why you are collecting their data, who you usually disclose it to, and whether any of those recipients are overseas. A link to your privacy policy next to the submit button satisfies this only if the policy actually covers those APP 5 matters for that form; a generic policy that does not mention the form's purpose or your integrations does not.
- Sensitive information requires explicit consent — if your form collects health information, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, criminal records, biometric data, or trade union membership, you must obtain express consent before collection. For forms that collect sensitive information, enable the consent checkbox.
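Enabling the checkbox in the dashboard controls the client side only. A practitioner will also want the submission handler to refuse sensitive data that arrives without the consent flag, because a tampered client can post fields the form never rendered or omit the checkbox entirely. The following is an added example of such a server-side gate, not FormBlade code: the schema format, the `Decision` type, the `SENSITIVE_CATEGORIES` tags and the sample intake form are assumptions constructed for illustration. It also records which notice text and policy version the person consented to, since express consent is only useful if you can later show what was consented to.

```python
"""Server-side gate for forms that may collect sensitive information (Privacy Act s 6).

Added example, not FormBlade code. The schema format, the Decision type and the
sample submissions below are assumptions constructed for illustration.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Sensitive-information categories (from s 6 of the Act) that a field may be tagged with.
SENSITIVE_CATEGORIES = frozenset({
    "health", "racial_or_ethnic_origin", "political_opinions", "religious_beliefs",
    "sexual_orientation", "criminal_record", "biometric", "trade_union_membership",
})


@dataclass(frozen=True)
class FieldSpec:
    name: str
    sensitive_category: Optional[str] = None  # None = ordinary personal information

    def __post_init__(self):
        if self.sensitive_category and self.sensitive_category not in SENSITIVE_CATEGORIES:
            raise ValueError(f"unknown sensitive category: {self.sensitive_category}")


@dataclass(frozen=True)
class ConsentRecord:
    """Evidence of express consent: which notice the person saw, and when."""
    policy_version: str
    notice_sha256: str
    consented_at: str


@dataclass
class Decision:
    accepted: bool
    reason: str
    consent: Optional[ConsentRecord] = None


def validate_submission(schema: List[FieldSpec], submission: Dict[str, str], consent_given: bool,
                        notice_text: str, policy_version: str,
                        now: Optional[datetime] = None) -> Decision:
    specs = {f.name: f for f in schema}
    # APP 3: refuse data the form never asked for (a tampered client can post extra fields).
    unknown = sorted(set(submission) - set(specs))
    if unknown:
        return Decision(False, f"unexpected fields: {unknown}")
    # Only *supplied* sensitive values trigger the consent requirement; an empty optional field does not.
    supplied = sorted(n for n, v in submission.items() if specs[n].sensitive_category and v.strip())
    if not supplied:
        return Decision(True, "no sensitive information supplied; implied consent suffices")
    # The checkbox state is re-checked here because client-side validation can be bypassed.
    if consent_given is not True:
        return Decision(False, f"express consent required for sensitive fields: {supplied}")
    ts = (now or datetime.now(timezone.utc)).isoformat()
    notice_hash = hashlib.sha256(notice_text.encode("utf-8")).hexdigest()
    return Decision(True, f"express consent recorded for: {supplied}",
                    ConsentRecord(policy_version, notice_hash, ts))


# Constructed sample data: a patient-intake style form with one health field.
INTAKE_SCHEMA = [FieldSpec("name"), FieldSpec("email"), FieldSpec("condition", "health")]
NOTICE = "We collect your health information to triage your enquiry. See privacy policy v3."

if __name__ == "__main__":
    cases = [
        ({"name": "A. Lee", "email": "a@example.com", "condition": ""}, False),
        ({"name": "A. Lee", "email": "a@example.com", "condition": "asthma"}, False),
        ({"name": "A. Lee", "email": "a@example.com", "condition": "asthma"}, True),
        ({"name": "A. Lee", "email": "a@example.com", "hidden": "x"}, True),
    ]
    for sub, consent in cases:
        print(validate_submission(INTAKE_SCHEMA, sub, consent, NOTICE, "v3").reason)
```

The consent record stores a hash of the notice text rather than the text itself so that the record stays small and tamper-evident; keep the notice versions themselves alongside your privacy policy history so a hash can be matched back to the wording shown.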
What the Privacy Act preset configures
| Setting | Value | Why |
|---|---|---|
| Consent checkbox | Not required | The Privacy Act allows implied consent for non-sensitive personal information. Submitting the form itself constitutes consent. Enable the checkbox manually if your form collects sensitive information. |
| IP anonymization | Disabled | The Privacy Act does not specifically require IP anonymization. Full IPs are retained for security and fraud detection purposes. Note that an IP address is still personal information where the individual is reasonably identifiable from it together with other data you hold, so it is covered by APP 11 and by the retention period below. |
| User-agent storage | Enabled | Browser information is useful for troubleshooting and is not singled out for special treatment under the Privacy Act. |
| Data retention | 730 days | The Privacy Act requires deletion or de-identification when personal information is no longer needed (APP 11.2). Two years is a reasonable default for form submissions; adjust to match your actual business need. |
| Privacy policy URL | Required | APP 1 requires organizations to have a clearly expressed and up-to-date privacy policy. APP 5 requires notification at the time of collection. A linked privacy policy satisfies both. |
Set up the Privacy Act preset
Account level
- Go to Account Settings in the sidebar.
- Scroll to Compliance.
- Select Privacy Act (Australia) from the dropdown.
- Click Save.
Per form
- Open the form in your dashboard.
- Go to the Compliance tab.
- Select Privacy Act (Australia) from the preset buttons or region dropdown.
- Click Save.
Australian Privacy Principles relevant to forms
Of the 13 APPs, five are directly relevant to operating web forms:
- APP 1 — Open and transparent management — you must have a clearly expressed, up-to-date privacy policy that describes the kinds of personal information you collect, how you collect and hold it, the purposes of collection, how individuals can access and correct their information, and how they can complain. The policy must be freely available (e.g., published on your website).
- APP 3 — Collection of solicited personal information — only collect personal information that is reasonably necessary for your functions or activities. Do not add form fields for data you do not genuinely need. Sensitive information requires explicit consent and must be reasonably necessary.
- APP 5 — Notification of the collection of personal information — at or before the time of collection, you must notify the individual of your identity and contact details, the purposes of collection, whether the collection is required by law, the consequences of not providing the information, your usual disclosures of that kind of information, your privacy policy and how to access it, and whether you are likely to disclose the information overseas (and if so, which countries).
- APP 6 — Use or disclosure of personal information — you may only use or disclose personal information for the primary purpose for which it was collected, or for a secondary purpose that the individual would reasonably expect. You cannot repurpose contact form data for unrelated marketing without separate consent.
- APP 11 — Security of personal information — you must take reasonable steps to protect personal information from misuse, interference, loss, and unauthorized access, modification, or disclosure. You must also destroy or de-identify personal information when it is no longer needed for any purpose for which it may be used or disclosed under the APPs.
Notifiable Data Breaches (NDB) scheme
Since February 2018, Australia has had a mandatory data breach notification scheme. If you experience an "eligible data breach" — one that is likely to result in serious harm to any individual whose personal information is involved — you must:
- Assess the breach — once you become aware of reasonable grounds to suspect an eligible data breach, you must take all reasonable steps to complete the assessment of whether it is "likely to result in serious harm" within 30 days.
- Notify the OAIC — if you form the view that the breach meets the threshold, prepare a statement and give it to the OAIC as soon as practicable, using the OAIC's online Notifiable Data Breach form.
- Notify affected individuals — inform the individuals whose data was involved, describing the breach, the kind of information involved, and recommended steps they should take. If it is not practicable to contact them directly, publish the statement on your website and take reasonable steps to publicise it.
"Serious harm" is assessed by considering factors such as the kind and sensitivity of the information, whether it is protected by security measures (e.g., encryption), the person or entity that has obtained the information, and whether it could be used for identity fraud, financial loss, or damage to reputation.
For form submissions, a breach involving names and email addresses may not meet the serious harm threshold if no sensitive information was exposed. A breach involving health information, financial details, or identity documents almost certainly would.
Cross-border disclosure
APP 8 governs the disclosure of personal information to overseas recipients. Before disclosing personal information to an entity outside Australia, you must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to that information.
This is a "reasonable steps" test, not an adequacy framework like the GDPR's. There is no list of approved countries. Instead, the accountability falls on you: unless an APP 8.2 exception applies (for example, the recipient is bound by a law or binding scheme substantially similar to the APPs that the individual can enforce, or the individual expressly consents after being told that APP 8.1 will not apply), a breach of the APPs by the overseas recipient is treated as a breach by you.
Practical implications for form backends:
- If your form data is stored on servers outside Australia, you need to be satisfied that the hosting provider protects the data to APP standards. OAIC guidance treats storage with an overseas provider that merely holds the data on your behalf under a binding contract, without using it for its own purposes, as a "use" rather than a "disclosure", but your APP 11 security obligations apply to that copy regardless.
- If you forward form submissions to third-party services (e.g., webhooks, integrations), check whether those services process or store the data overseas and what contractual terms bind them to handle it in line with the APPs; an integration that uses the data for its own purposes is a disclosure.
- Document your assessment of overseas recipients and the steps you have taken to ensure compliance.
Penalties
The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 dramatically increased the maximum penalties for serious or repeated interferences with privacy. The new maximums are:
- AUD 50 million, or
- Three times the value of the benefit obtained from the contravention, or
- 30% of the organization's adjusted turnover during the relevant period
— whichever is greater.
These penalties are among the highest in the world for privacy violations, comparable to the GDPR's maximum of 4% of global annual turnover. Prior to the 2022 amendments, the maximum penalty was AUD 2.22 million — the increase represents a more than twentyfold escalation.
The OAIC also has expanded enforcement powers, including the ability to issue infringement notices for lesser violations and to conduct assessments of an organization's privacy practices without needing a complaint.
Practical recommendations
The Privacy Act's implied consent model makes compliance relatively straightforward for standard web forms. Here is what to focus on:
- You do not need a consent checkbox for basic contact forms collecting names, emails, and messages. The act of submitting the form is sufficient implied consent for non-sensitive data.
- Always have a privacy policy. APP 1 requires it, and APP 5 requires that you notify people about your data practices at or before collection. Link your privacy policy near the form or in the footer of any page containing a form.
- Minimize data collection. APP 3 requires that you only collect information that is reasonably necessary. Remove form fields you do not genuinely need. Do not collect phone numbers, addresses, or other details unless they serve a clear purpose for your response.
- Consider the small business exemption. If your organization has annual turnover under AUD 3 million and does not handle health records, trade in personal information, or contract with the Commonwealth, you are currently exempt. However, the exemption is expected to be removed in upcoming reforms, so implementing privacy practices now is prudent.
- Enable the consent checkbox for sensitive data. If your form collects health information, political opinions, religious beliefs, or other sensitive categories defined in section 6 of the Privacy Act, you must obtain explicit consent. Enable the consent checkbox in FormBlade's compliance settings for those forms.
- Set a realistic retention period. APP 11.2 requires destruction or de-identification when data is no longer needed. If 90 days is sufficient for your purposes, use 90 days rather than the 730-day default. Remember that copies you receive through webhooks or integrations sit outside this setting and need their own retention process.
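The retention setting in the preset table, the APP 11 summary above and this recommendation all describe the same obligation: destroy or de-identify submissions once their business need has passed. Copies that left the product via webhooks or integrations need that applied by you. The following is an added example of such a retention job, not FormBlade code: the record layout, the per-form `RETENTION_DAYS` map, the choice of which fields count as identifying and the sample records are all assumptions constructed for illustration. It shows both modes, and de-identification drops identifying fields rather than hashing them, because a hashed email address is still reasonably re-identifiable and so would not count as de-identified.

```python
"""Retention job: destroy or de-identify form submissions past their retention period (APP 11.2).

Added example, not FormBlade code. Record layout, the per-form retention map, the
de-identification rule and the sample records are assumptions for illustration.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Fields that identify the submitter, or make them reasonably identifiable with other data.
# IP address and user agent are included deliberately: the preset keeps them in full.
IDENTIFYING_FIELDS = frozenset({"name", "email", "phone", "message", "ip", "user_agent"})

DEFAULT_RETENTION_DAYS = 730  # the preset's default
RETENTION_DAYS: Dict[str, int] = {     # assumed per-form business need
    "contact-us": 90,
    "patient-intake": 365,
}


def retention_for(form_id: str) -> int:
    return RETENTION_DAYS.get(form_id, DEFAULT_RETENTION_DAYS)


def is_expired(record: dict, now: datetime) -> bool:
    received = datetime.fromisoformat(record["received_at"])
    return now - received > timedelta(days=retention_for(record["form_id"]))


def deidentify(record: dict) -> dict:
    """Keep only what is not about an identifiable individual: submission id, form id
    and the day received. Identifying fields are dropped, not hashed."""
    return {
        "id": record["id"],
        "form_id": record["form_id"],
        "received_day": record["received_at"][:10],
        "deidentified": True,
    }


def apply_retention(records: List[dict], now: datetime,
                    mode: str = "destroy") -> Tuple[List[dict], List[Tuple[str, str]]]:
    """Return (records_to_keep, action_log). mode is 'destroy' or 'deidentify'."""
    if mode not in ("destroy", "deidentify"):
        raise ValueError(f"unknown mode: {mode}")
    kept, log = [], []
    for r in records:
        if r.get("deidentified"):        # stripped on an earlier run; nothing left to remove
            kept.append(r)
            continue
        if not is_expired(r, now):
            kept.append(r)
            continue
        if mode == "destroy":
            log.append(("destroyed", r["id"]))
        else:
            kept.append(deidentify(r))
            log.append(("deidentified", r["id"]))
    return kept, log


# Constructed sample data, evaluated against a fixed clock so the result is reproducible.
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"id": "s1", "form_id": "contact-us", "received_at": "2024-12-01T09:15:00+00:00",
     "name": "A. Lee", "email": "a@example.com", "message": "Hi", "ip": "203.0.113.7",
     "user_agent": "Mozilla/5.0"},
    {"id": "s2", "form_id": "contact-us", "received_at": "2024-09-01T11:00:00+00:00",
     "name": "B. Ng", "email": "b@example.com", "message": "Quote?", "ip": "198.51.100.9",
     "user_agent": "Mozilla/5.0"},
    {"id": "s3", "form_id": "patient-intake", "received_at": "2024-03-01T08:30:00+00:00",
     "name": "C. Roy", "email": "c@example.com", "message": "asthma", "ip": "203.0.113.21",
     "user_agent": "Mozilla/5.0"},
    {"id": "s4", "form_id": "newsletter", "received_at": "2022-06-01T10:00:00+00:00",
     "name": "D. Kim", "email": "d@example.com", "message": "", "ip": "192.0.2.4",
     "user_agent": "Mozilla/5.0"},
]

if __name__ == "__main__":
    for mode in ("destroy", "deidentify"):
        kept, log = apply_retention(SAMPLE_RECORDS, SAMPLE_NOW, mode)
        print(mode, [r["id"] for r in kept], log)
```

Run it on a schedule against every store that holds a copy of the submissions, and keep the action log (which records ids only, no personal information) as evidence that APP 11.2 is being applied.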