Due to resource constraints, this old resource is no longer being maintained.

See the master version of this resource,
which is being maintained in its original location.

This document contains information about the various agencies throughout Australia that have some form of regulatory responsibility in relation to privacy:

You may find others in the membership list of the Asia Pacific Privacy Authorities (APPA) and the WorldLII index of Privacy Protection Agencies worldwide.

If you're aware of a relevant agency that isn't listed here, or of a material error in the content, please tell us!

Commonwealth of Australia

The appointment of Privacy Commissioner was established in 1989. The first Commissioner was a Sydney resident, and the office has always been located there. From 1989 until 2010, the office was referred to variously as the Office of the Privacy Commissioner (OPC – which risked confusion with the other Offices with similar names in other jurisdictions), the Office of the Federal Privacy Commissioner (OFPC), or – particularly after the Howard Government changed the style of federal government agencies in about 2000 – the Office of the Australian Privacy Commissioner (OAPC). Some aspects of privacy also came within the ambit of the Australian Human Rights Commission (HRC) – with which the Privacy Commissioner had varying relationships 1989-2010.

In November 2010, the OAPC was disestablished, and absorbed into the new Office of the Australian Information Commissioner (OAIC). This encompassed information policy generally, including new FOI supervisory functions and the existing privacy functions. The Privacy Commissioner retained a few powers, but most were ceded to the more senior Information Commissioner. The Privacy Commissioner role operated as a first-level report to the Information Commissioner, with privacy subjugated to information policy more generally. The Privacy Commissioner's resources were also pillaged (although doubtless the term 'rationalised' would be preferred in bureaucratic hallways), as a result of the new Information Commissioner and the new FOI Commissioner being given fewer resources than they'd been promised, and the Privacy Commissioner being the junior player.

The Information Commissioner was the immediate past Ombudsman 2003-10, John McMillan (2010-2015). The first (and only ever?) FOI Commissioner was James Popple (2010-2014). (Because of the very low quality of the web-managers that the public service outsources to, the URLs may well break, again.) See below for the attempted disestablishment of OAIC by the new government in 2014, and the forced departures of McMillan and Popple.

On at least some occasions the position of Privacy Commissioner has been advertised. However, a small selection committee of senior public servants recommends the successful applicant to the relevant Minister, who accepts it. There has never been any form of public involvement or consultation. The Privacy Commissioners have been:

From early 2014, Attorney-General Brandis tried to disestablish OAIC. Faced with a hostile Senate, he was unable to get the Bill passed, so he withdrew funding for the Information and FoI functions – probably illegally.

From mid-2015, Pilgrim was forced to act as all of Information, FoI and Privacy Commissioners, on successive 3-monthly appointments, each made around the time the previous one ended. It's as strong a guarantee of 'loyalty' as a Minister can impose on an appointee. Greater disregard for convention, not to mention arrogance, hath no Attorney-General.

After the 2016 double-dissolution election failed to provide the Coalition with control of the Senate, Brandis gave up on his plans to disestablish the OAIC. In late 2016, Pilgrim was appointed as both Information and Privacy Commissioners. The role also carries not-inconsequential responsibilities for FoI. The number of senior executives at the end of 2016 was half what it had been 3 years earlier, with only marginal decreases in responsibilities, and considerable increases in the interim. Both the AG's and the PC'er's announcements were silent about the term(s) of the appointments – constituting yet another breach by Brandis, at least of norms, and quite possibly of law.

Particularly since 2004, the Privacy Commissioner's role has been anything but a privacy watchdog. The Office functions as a protection device for government and business, and it is unclear whether any benefits to the public arise from its existence.

From the time that the Office established a web-site in the mid-1990s, it used the domain privacy.gov.au. By early 2011, the content of the web-site was to be shifted to a sub-site within http://www.oaic.gov.au. Assurance was provided by OAIC on 15 November 2010 that "current deep links to the www.privacy.gov.au site will be maintained through a redirect function to the relevant documents after it's migrated to the new site". That turned out not to be a 'core promise', and many links were broken when the privacy.gov.au site was eventually closed down in 2013.

Here are relevant laws.


New South Wales

After the State led the world in the late 1970s, the intransigence of the NSW public service, combined with the deep pit that is NSW politics, has ensured that the State's privacy protection regime has been a complete basket case for decades. A small privacy role exists within the Information and Privacy Commission (NSW IPC), with no specialist staff, and a Privacy Commissioner appointed from within the public service's own ranks, working part-time, as a minor player to an Acting Information Commissioner. Details are provided at the end of this section.

The Privacy Commission's scope extends to the health care sector, although a separate Health Care Complaints Commission also exists. It too has never earned much credibility.

Here are relevant laws.


An oversight agency operated 1975-1998 as a Committee, and since 1999 as a Commission. The Commissioner has only ever been part-time, and for long periods there has been an Acting Commissioner, including 2003-07 and 2009-2011.

The history of the Office is a thorough mess, indicative of the power of the public service to protect itself against nuisances.

The powers of the original Committee were (quite properly, for the time) limited to research and complaint-investigation and conciliation, although some Executive Members, particularly the first, made effective use of the media, including 'naming and shaming' privacy-invaders. The Committee had been intended as a short-term agency, to lay foundations and gather experience; but it remained in its original form for 24 years. The first Executive Member of the Committee was Bill Orme (1975-82), followed by Jim Nolan (1982-87?), ..., Maureen Tangney (1990?-93?), ..., and Catherine Riordan (1996?-1998).

In 1998, a (very weak) data protection law, commonly called PPIPA, was passed. Among other things, it disestablished the Privacy Committee. The part-time Chair at the time became the part-time Privacy Commissioner, and the full-time Executive Member became the full-time Deputy Privacy Commissioner. The Commission has very limited powers, and has been very poorly resourced throughout its life, but particularly since 2004.

During 2010, the Office of the Information Commissioner was established, with oversight responsibilities in relation to FOI and open government. Deirdre O'Donnell held that position July 2010 to May 2013.

With effect from 1 Jan 2011, the Information and Privacy Commission (NSW IPC) was formed, Privacy NSW was disestablished, its functions absorbed within NSW IPC, and the Information Commissioner functions swamped the privacy role. Kathrina Lo was Acting Information Commissioner from July 2013 to December 2013. Elizabeth Tydd, a career bureaucrat, was appointed with effect from (curiously) 23 December 2013.

During 1999 to 2013, the (often very) part-time Commissioners have been:

The full-time Deputy Privacy Commissioner post was held by:


Victoria

From 1999 until 2013/14, the Office of the Victorian Privacy Commissioner (OVPC, or Privacy Victoria) was the most credible Office in the country.

On 17 September 2014, the Commissioner for Law Enforcement Data Security was disestablished, and his responsibilities merged into a replacement Commissioner for Privacy and Data Protection, with more work to do and fewer resources to do it with.

The Privacy Commissioners have been:

In contrast to NSW, Privacy Victoria has been regarded reasonably seriously by agencies, and has had good standing with privacy advocates for much of its life. The resources provided – although small in comparison with European norms – have been significantly greater than those in NSW, and the effectiveness of the Office has been proportionately much higher throughout its life. The government has seriously wounded it, and may have reduced it to the level of the other ineffectual offices in NSW and Queensland.

Privacy in the health care sector is partly within the jurisdiction of the Office of the Health Services Commissioner. In common with its equivalent in NSW, it is held in very low regard. It has successfully avoided doing anything of consequence in the privacy area.

From 2005 until 2014, some aspects of privacy in the law enforcement arena were under the purview of the Commissioner for Law Enforcement Data Security. This was created because of the continual leaks of sensitive personal data that occur from law enforcement databases. The Office was then disestablished and its functions merged into the weakened Office of Privacy and Data Protection.

Some aspects of privacy may also come within the ambit of the Victorian Equal Opportunity and Human Rights Commission.

Here are relevant laws.


Queensland

Privacy Commissioner, within the OQIC

Here are relevant laws.

Until mid-2010, there was no oversight agency in Queensland, and the post of Privacy Commissioner has been problematic, even chaotic, throughout its life. The Privacy Commissioner had a mere 3 EFTS within the 35-strong Office of the Queensland Information Commissioner (OQIC) (4 of 33 in late 2016). The Office's primary functions are Information Policy and FOI (Right To Information – RTI). The level of interest by successive governments, particularly the LNP, is amply demonstrated by the long delays in creating the role, in making an initial appointment, and in appointing a successor to the first and to date only Commissioner. During the first 5-1/2 years of the role's existence, it was formally filled only 20% of the time:

The history of the post of Information Commissioner is also chequered:

Privacy in the health care sector is partly within the jurisdiction of the Health Quality and Complaints Commission.

Western Australia

There is no privacy oversight agency.

After years of promises, an Information Privacy Bill was finally introduced into the Parliament in March 2007. It did not progress. It would have created a (very) part-time Privacy and Information Commissioner, but the function was to be very limited, and instead of being assigned to the Information Commissioner, it was to be assigned to the Ombudsman (aka the Parliamentary Commissioner for Administrative Investigations), where it would have paled into insignificance.

Privacy in the health care sector is partly within the jurisdiction of the Office of Health Review.

Here are relevant laws.

South Australia

There is no privacy oversight agency.

There is a Privacy Committee of South Australia, run out of the State Records Office, but it is unclear whether it has ever actually done anything that could be reasonably regarded as being privacy-protective. An unenforceable set of Principles exists, but the primary function of the Committee is to exempt agencies from complying with it.

Privacy in the health care sector is partly within the jurisdiction of the Health and Community Services Complaints Commissioner.

Here are relevant laws.


Tasmania

There is no privacy oversight agency.

The Tasmanian Ombudsman is empowered to receive and investigate complaints, but the scope of the powers is extremely limited, and it is unclear whether the incumbent, Simon Allston, has done anything in relation to privacy since his office had the responsibility imposed on it in September 2005. Privacy barely warrants a mention on the web-site or in his Annual Reports.

Privacy in the health care sector is partly within the jurisdiction of the Health Complaints Commissioner.

Here are relevant laws.


Australian Capital Territory

The A.C.T. adopted the Privacy Act (Cth) 1994-2014.
In 2014, it passed its own Information Privacy Act.
This adopted (the relevant parts of) the Commonwealth's approach and the Cth APPs.
The A.C.T. government has an MOU with the Australian Privacy Commissioner.

The Act is administered by the ACT Justice and Community Safety Directorate.
Yet it appears that the agency's web-site has absolutely nothing on it about privacy, even under human rights.
It appears that very little has ever happened. For example, Personal Information Digests were nominally published
by the ACT Dept of Justice, but when checked in August 2010, the site failed to provide access to them.

The Privacy Commissioner provides an information page.

Privacy in the health care sector is partly within the jurisdiction of the Community & Health Services Complaints Commissioner.

Some aspects of privacy may also come within the ambit of the A.C.T. Human Rights Commission (HRC).

Some aspects of privacy may also come within the ambit of the A.C.T. Public Advocate.

Here are relevant laws.


Northern Territory

Office of the Northern Territory Information Commissioner

The Privacy Commissioners have been:

Privacy in the health care sector is partly within the jurisdiction of the Health and Community Services Complaints Commission.

Here are relevant laws.