Privacy Regulations 2025 (Cth)

Case
No judgment structure available for this case.
Privacy Regulations 2025

I, the Honourable Sam Mostyn AC, Governor‑General of the Commonwealth of Australia, acting with the advice of the Federal Executive Council, make the following regulations.

Dated 13 November 2025

Sam Mostyn AC

Governor‑General

By Her Excellency’s Command

Michelle Rowland

Attorney‑General

Contents

Part 1Preliminary1Name

This instrument is the Privacy Regulations 2025.

2Commencement
  1. (1)

    Each provision of this instrument specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.

Commencement information

Column 1

Column 2

Column 3

Provisions

Commencement

Date/Details

1.

The whole of this instrument

1 April 2026.

1 April 2026

Note: This table relates only to the provisions of this instrument as originally made. It will not be amended to deal with any later amendments of this instrument.

  1. (2)

    Any information in column 3 of the table is not part of this instrument. Information may be inserted in this column, or information in it may be edited, in any published version of this instrument.

3Authority

This instrument is made under the Privacy Act 1988.

4Schedules

Each instrument that is specified in a Schedule to this instrument is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in a Schedule to this instrument has effect according to its terms.

5Definitions

Note: A number of expressions used in this instrument are defined in the Act, including the following:

(a) agency;

(b) contracted service provider;

(c) government related identifier;

(d) organisation;

(e) small business operator.

In this instrument:

Act means the Privacy Act 1988.

Australian Retirement Trust means:

  1. (a)

    the Trustee for Australian Retirement Trust Pty Ltd (ABN 60 905 115 063); or

  2. (b)

    a payroll contractor of that entity, acting in that capacity.

AustralianSuper means:

  1. (a)

    the Trustee for AustralianSuper (ABN 65 714 394 898); or

  2. (b)

    a payroll contractor of that entity, acting in that capacity.

AvSuper means:

  1. (a)

    the trustee for AvSuper Fund (ABN 84 421 446 069); or

  2. (b)

    a payroll contractor of that trustee, acting in that capacity.

Centrelink Confirmation eServices scheme means the scheme of that name that is administered by Services Australia.

Centrelink program has the same meaning as in the Human Services (Centrelink) Act 1997.

Customer Reference Number, for an individual, means the number assigned to the individual, in relation to a Centrelink program, by the Department administered by the Minister who administers the Human Services (Centrelink) Act 1997.

Note: A Customer Reference Number is a government related identifier.

DVA File Number, for an individual, means a file number assigned to the individual by the Department administered by the Minister who administers the Veterans’ Entitlements Act 1986.

Note: A DVA File Number is a government related identifier.

DVA unique identification number, for an individual, means the unique identification number assigned to the individual by the Department administered by the Minister who administers the Veterans’ Entitlements Act 1986.

Note: A DVA unique identification number is a government related identifier.

HomeStart Finance means the body with that name established by regulation 4 of the Housing and Urban Development (Administrative Arrangements) (HomeStart Finance) Regulations 1995 (SA).

Indigenous person means a person who is:

  1. (a)

    a member of the Aboriginal race of Australia; or

  2. (b)

    a descendant of an Indigenous inhabitant of the Torres Strait Islands.

NT Home Ownership means:

  1. (a)

    NT Home Ownership (ABN 85 169 745 141); or

  2. (b)

    an agent of that entity, acting in its capacity as agent.

payroll contractor, of an organisation (the principal organisation), means an organisation that is responsible, under a contract, for processing, on behalf of the principal organisation, any payments that are:

  1. (a)

    received by, or on behalf of, the principal organisation; and

  2. (b)

    made by:

    1. (i)

      an agency; or

    2. (ii)

      an agent of an agency, acting in its capacity as agent; or

    3. (iii)

      a contracted service provider for a Commonwealth contract, acting for the purposes of the provision of services to an agency under the Commonwealth contract; and

  3. (c)

    made for the benefit of an individual employed, or formerly employed, by the agency.

payroll number, for an individual, means an identifier that is:

  1. (a)

    assigned to the individual by:

    1. (i)

      an agency; or

    2. (ii)

      an agent of an agency, acting in its capacity as agent; or

    3. (iii)

      a contracted service provider for a Commonwealth contract, acting for the purposes of the provision of services to an agency under the Commonwealth contract; and

  2. (b)

    assigned for the purpose of providing salary and other employment benefits to the individual.

Note: A payroll number is a government related identifier.

residential tenancy database means a database that:

  1. (a)

    stores personal information in relation to an individual’s occupation of residential premises as a tenant; and

  2. (b)

    can be accessed by a person other than the operator of the database or a person acting for the operator.

Part 2Interpretation6Consumer credit liability information

For the purposes of paragraph (e) of the definition of consumer credit liability information in subsection 6(1) of the Act, the following terms or conditions of the consumer credit are prescribed:

  1. (a)

    how the principal and interest on the consumer credit are to be paid, namely whether:

    1. (i)

      the principal and interest are to be paid in full; or

    2. (ii)

      the principal and interest are to be paid, leaving a residual unpaid amount of principal and interest at the end of the term of the consumer credit; or

    3. (iii)

      only the interest is to be paid;

  2. (b)

    whether the term of the consumer credit is fixed or revolving;

  3. (c)

    if the term of the consumer credit is fixed—the length of the term;

  4. (d)

    whether the individual is a guarantor to another individual in relation to the other individual’s credit;

  5. (e)

    whether the consumer credit is secured or unsecured;

  6. (f)

    any variation to any of the terms or conditions mentioned in any of paragraphs (a) to (e) of this section.

7Small business operators treated as organisations

Small business operators that operate residential tenancy databases

  1. (1)

    For the purposes of subsection 6E(2) of the Act, a small business operator that operates a residential tenancy database is prescribed.

  2. (2)

    For the purposes of subsection 6E(2) of the Act, the following acts or practices of a small business operator of the kind mentioned in subsection (1) of this section are prescribed:

    1. (a)

      an act done, or a practice engaged in, in connection with collecting personal information for the purpose of establishing or maintaining a residential tenancy database;

    2. (b)

      an act done, or a practice engaged in, in connection with maintaining personal information on a residential tenancy database;

    3. (c)

      an act done, or a practice engaged in, in connection with using or disclosing personal information that is stored on a residential tenancy database.

8State authorities treated as organisations

New South Wales

  1. (1)

    For the purposes of subsection 6F(1) of the Act, the body known as Essential Energy established under the Energy Services Corporations Act 1995 (NSW) is prescribed.

Western Australia

  1. (2)

    For the purposes of subsection 6F(1) of the Act, the body known as Keystart established under the Keystart Act 2024 (WA) is prescribed.

South Australia

  1. (3)

    For the purposes of subsection 6F(1) of the Act, the Office of the National Rail Safety Regulator established under the Rail Safety National Law (South Australia) Act 2012 (SA)is prescribed.

Northern Territory

  1. (4)

    For the purposes of subsection 6F(1) of the Act:

    1. (a)

      NT Home Ownership is prescribed; and

    2. (b)

      the modification of the Act set out in subsection (5) of this section is prescribed.

  2. (5)

    The Act applies in relation to NT Home Ownership as if subsection 7B(5) of the Act were modified by adding, at the end of the subsection:

    1. “; and (c)

      the organisation is not a contracted service provider for a Statecontract to which NT Home Ownership is party.”.

9State instrumentality treated as an organisation
  1. (1)

    For the purposes of subsection 6F(1) of the Act:

    1. (a)

      HomeStart Finance is prescribed; and

    2. (b)

      the modification of the Act set out in subsection (2) of this section is prescribed.

  2. (2)

    The Act applies in relation to HomeStart Finance as if Australian Privacy Principle 11.2 did not apply in relation HomeStart Finance.

10Meaning of credit provider
  1. (1)

    For the purposes of subparagraph 6G(1)(d)(ii) of the Act, the following agencies, organisations or small business operators are prescribed:

    1. (a)

      Indigenous Business Australia;

    2. (b)

      the Export Finance and Insurance Corporation;

    3. (c)

      the Regional Investment Corporation;

    4. (d)

      NT Home Ownership.

  2. (2)

    For the purposes of subsection 6G(6) of the Act, an organisation or small business operator is not a credit provider in relation to an individual if the organisation or small business operator acts in the capacity of a current or prospective landlord of the individual.

11Meaning of credit reporting business
  1. (1)

    For the purposes of subsection 6P(4) of the Act, a business or undertaking is not a credit reporting business if the business or undertaking is in a class of businesses or undertakings that:

    1. (a)

      provides personal information to a credit provider; and

    2. (b)

      provides the information to:

      1. (i)

        verify an individual’s identity; or

      2. (ii)

        validate other information relating to the individual’s financial position (such as real property assets) that the individual provides to the credit provider.

  2. (2)

    A class of businesses or undertakings complies with paragraph (1)(b) if the class of businesses or undertakings:

    1. (a)

      compiles information about the individual from sources, including publicly available sources; and

    2. (b)

      provides the information to the credit provider to assist the credit provider to:

      1. (i)

        verify the individual’s identity; or

      2. (ii)

        verify that the individual owns real estate or other assets that the individual claims to own; or

      3. (iii)

        validate the individual’s claimed financial position (in relation to the value of the individual’s assets).

12Meaning of repayment history information

For the purposes of paragraph 6V(2)(a) of the Act, an individual is taken not to have met an obligation to make a monthly payment that is due and payable in relation to consumer credit if the individual misses any or all repayments due in a month, irrespective of the actual payment cycle for that obligation.

Part 3Credit reporting13Use or disclosure of credit reporting information

For the purposes of paragraph 20E(4)(a) of the Act, the following credit providers are prescribed:

  1. (a)

    Indigenous Business Australia;

  2. (b)

    the Regional Investment Corporation;

  3. (c)

    NT Home Ownership.

14Permitted disclosure of credit information to a credit reporting body
  1. (1)

    For the purposes of subparagraph 21D(2)(a)(i) of the Act, a credit provider is prescribed if the credit provider discloses the credit information in connection with the provision of commercial credit.

  2. (2)

    For the purposes of subparagraph 21D(2)(a)(i) of the Act, the following credit providers are prescribed:

    1. (a)

      Indigenous Business Australia;

    2. (b)

      if the Regional Investment Corporation is not a member of, or subject to, a recognised external dispute resolution scheme—the Regional Investment Corporation;

    3. (c)

      NT Home Ownership.

  3. (3)

    For the purposes of subparagraph 21D(3)(c)(i) of the Act, the following credit providers are prescribed:

    1. (a)

      Indigenous Business Australia;

    2. (b)

      the Regional Investment Corporation;

    3. (c)

      NT Home Ownership.

Part 4Dealing with personal information in emergencies and disasters15Designated secrecy provisions

For the purposes of paragraph (d) of the definition of designated secrecy provision in subsection 80P(7) of the Act, the following provisions of the Census and Statistics Act 1905 are prescribed:

  1. (a)

    section 19;

  2. (b)

    section 19A.

Part 5Australian Privacy Principles16Exceptions to Australian Privacy Principle 9.1 – adopting payroll numbers for the provision of superannuation services

For the purposes of Australian Privacy Principle 9.3:

  1. (a)

    a payroll number for an individual is a prescribed government related identifier if the payroll number is assigned to the individual by:

    1. (i)

      Airservices Australia; or

    2. (ii)

      an agent of Airservices Australia, acting in its capacity as agent; or

    3. (iii)

      a contracted service provider for a Commonwealth contract, acting for the purposes of the provision of services to Airservices Australia under the Commonwealth contract; and

  2. (b)

    AvSuper is a prescribed organisation; and

  3. (c)

    a prescribed circumstance is that a payroll number for an individual that is a prescribed government related identifier under paragraph (a) of this section is adopted by AvSuper for the purposes of the provision of a superannuation service to the individual.

17Exceptions to Australian Privacy Principle 9.2 – using and disclosing payroll numbers for the provision of superannuation services

For the purposes of Australian Privacy Principle 9.3:

  1. (a)

    a payroll number for an individual is a prescribed government related identifier; and

  2. (b)

    each of the following are prescribed organisations:

    1. (i)

      Australian Retirement Trust;

    2. (ii)

      AustralianSuper;

    3. (iii)

      AvSuper; and

  3. (c)

    a prescribed circumstance is that a payroll number for an individual is used or disclosed, by an organisation prescribed by paragraph (b) of this section, for the purposes of the provision of a superannuation service to the individual.

18Exceptions to Australian Privacy Principle 9.2 – accessing Centrelink Confirmation eServices (entitlement to concessions, services or assistance)
  1. (1)

    For the purposes of Australian Privacy Principle 9.3:

    1. (a)

      each of the following numbers for an individual is a prescribed government related identifier:

      1. (i)

        a Customer Reference Number;

      2. (ii)

        a DVA file number;

      3. (iii)

        a DVA unique identification number; and

    2. (b)

      an organisation is a prescribed organisation if the organisation:

      1. (i)

        is a participant in the Centrelink Confirmation eServices scheme; and

      2. (ii)

        is included in a class of organisations set out in the table in subsection (2) of this section; and

    3. (c)

      a prescribed circumstance is that a number for an individual that is a prescribed government related identifier under paragraph (a) of this subsection is, with the individual’s consent, used or disclosed by an organisation prescribed by paragraph (b) of this subsection to access services provided under the Centrelink Confirmation eServices scheme to enquire whether the individual is entitled to receive a concession, service or assistance.

  2. (2)

    The classes of organisations are set out in the following table:

Classes of organisations that can use or disclose Customer Reference Numbers, DVA File Numbers and DVA unique identification numbers

Item

Class of organisation

1

Organisations that provide healthcare services or healthcare products, including any of the following:

(a) hospitals;

(b) providers of hearing products and hearing services;

(c) providers of disability support services;

(d) providers of counselling and mental health services;

(e) providers of drug treatment and rehabilitation services.

2

Organisations that are education providers, including any of the following:

(a) pre‑schools, primary schools and secondary schools;

(b) providers of childcare services;

(c) universities, TAFE, community colleges and other tertiary education providers;

(d) adult education providers;

(e) organisations that provide administrative services to education providers.

3

Organisations that provide any of the following:

(a) electricity;

(b) gas;

(c) water;

(d) telecommunications services;

(e) broadband internet services.

4

Organisations that provide passenger rail services.

5

Organisations that provide motor vehicle roadside assistance services.

6

Organisations that provide trustee services.

7

Organisations that provide welfare services, including any of the following:

(a) advocacy organisations;

(b) organisations that provide assistance to:

(i) elderly persons; or

(ii) disabled persons; or

(iii) immigrants and refugees; or

(iv) Indigenous persons; or

(v) families; or

(vi) children; or

(vii) persons impacted by domestic violence; or

(viii) homeless persons; or

(ix) prisoners.

8

Organisations that provide free or subsidised social housing, facilities management services, mortgages or accommodation services to any of the following:

(a) socially or economically disadvantaged persons;

(b) elderly persons;

(c) disabled persons;

(d) Indigenous persons.

9

Organisations that provide legal aid services, including any of the following:

(a) legal aid organisations operated by the Commonwealth government, or the government of a State or Territory;

(b) legal practitioners who provide services for or on behalf of legal aid organisations;

(c) a court of the Commonwealth, a State or a Territory.

10

Organisations that provide services on behalf of local government.

11

Organisations that provide any of the following:

(a) financial planning services;

(b) financial products and services (including brokers);

(c) insurance products and services;

(d) banking services and loans as a credit union;

(e) subsidised or reduced interest loans.

19Exceptions to Australian Privacy Principle 9.2 – accessing Centrelink Confirmation eServices (entitlement to early release of superannuation)

For the purposes of Australian Privacy Principle 9.3:

  1. (a)

    a Customer Reference Number for an individual is a prescribed government related identifier; and

  2. (b)

    an organisation is a prescribed organisation if the organisation:

    1. (i)

      is a participant in the Centrelink Confirmation eServices scheme; and

    2. (ii)

      provides superannuation products and services; and

  3. (c)

    a prescribed circumstance is that a Customer Reference Number for an individual is, with the individual’s consent, used or disclosed by an organisation prescribed by paragraph (b) of this section to access services provided under the Centrelink Confirmation eServices scheme to enquire whether the individual is entitled to the early release of superannuation on the ground of financial hardship.

Part 6Application provisions20Application of this instrument as originally made

Sections 16, 17, 18 and 19 (which provide for exceptions to Australian Privacy Principles) apply in relation to a government related identifier that is assigned to an individual before, on or after the commencement of this instrument.

Schedule 1Repeals

Privacy Regulation 2013

1

The whole of the instrument

Repeal the instrument.

Actions
Download as PDF Download as Word Document
Cases Citing This Decision

0

Cases Cited

0

Statutory Material Cited

0