Australia and New Zealand have comprehensive data protection laws that serve a similar function to the U.S.’s HIPAA and the EU’s GDPR, particularly when it comes to the protection of sensitive health information.
While they are structured differently from HIPAA and the GDPR, they impose strict requirements on how personal health information must be collected, stored, used, and disclosed.
The main law in Australia is the Privacy Act 1988, which is overseen by the Office of the Australian Information Commissioner (OAIC). The Privacy Act is centered around 13 Australian Privacy Principles (APPs), which apply to most Australian government agencies and private-sector organizations with an annual turnover of over AU$3 million. However, private-sector health service providers (including doctors, hospitals, pharmacists, etc.) must comply with the APPs regardless of their annual turnover.
Health information is considered “sensitive information” under the Privacy Act, which triggers a higher standard of protection and stricter rules for collection and use compared to general personal information.
The APPs cover key areas similar to HIPAA, such as:
- Collection and notification of the collection of personal information.
- Data security and retention.
- Individual rights to access and correct their information.
New Zealand’s regime is notable for having a code dedicated entirely to health information privacy. The core legislation is the Privacy Act 2020; the health-specific instrument (the closest analogue to HIPAA) is the Health Information Privacy Code 2020 (HIPC). Both are overseen by the Office of the Privacy Commissioner.
The HIPC is a Code of Practice issued under the Privacy Act that sets specific, stricter rules for all health agencies (including doctors, nurses, hospitals, insurers, etc.) regarding the collection, use, holding, and disclosure of personal health information.
The HIPC essentially takes the general Information Privacy Principles (IPPs) of the main Act and tailors them to the unique, sensitive nature of the health sector, such as:
- When and how health information can be collected.
- Storage and security safeguards (similar to HIPAA’s Security Rule).
- The individual’s right to access and correct their health records (similar to HIPAA’s Privacy Rule).
The specific penalties for non-compliance in Australia and New Zealand are less widely known than those under the GDPR or HIPAA. Both countries have significantly strengthened their penalty regimes in recent years, particularly for serious data breaches involving sensitive information such as health data.
Below is a breakdown of the current specific penalties for non-compliance in each country:
Australia: Privacy Act Penalties (OAIC)
In Australia, the maximum penalty for a “serious or repeated interference with privacy” was dramatically increased in December 2022, and a further amendment in December 2024 added two lower tiers so that less serious and administrative breaches can also attract civil penalties. The top tier is often compared to the financial scale of GDPR penalties.
For serious or repeated interferences (Tier 3 in this breakdown), the maximum penalty for a corporation is the greater of A$50 million, three times the value of any benefit obtained from the contravention, or, if that benefit cannot be determined, 30% of the company’s adjusted turnover during the relevant period.
For interferences with privacy that are not deemed “serious” (Tier 2), the maximum civil penalty is A$3.3 million for corporations. Tier 1 is reserved for administrative failures (e.g., failing to keep a privacy policy up to date or to act promptly on an access request), with a maximum civil penalty of A$330,000 for corporations; the OAIC can also deal with these lower-tier breaches by issuing infringement notices without going to court.
These civil penalties are not imposed by the OAIC directly: the OAIC applies to the Federal Court, which determines the amount within the statutory maximum. In a landmark 2025 case, Australian Clinical Labs was ordered to pay a penalty of A$5.8 million for privacy breaches related to health information.
New Zealand: Privacy Act and HIPC Penalties (OPC)
New Zealand’s regime is generally less punitive in terms of direct fines compared to Australia and the GDPR, focusing instead on remediation and compensatory damages for affected individuals. The Office of the Privacy Commissioner (OPC) is the main enforcement body.
The Human Rights Review Tribunal can award damages of up to NZ$350,000 to an individual who suffered harm (loss, injury, humiliation, etc.) due to a privacy breach. This is the main financial mechanism for redress.
Specific criminal offences, such as failing without reasonable excuse to notify the Privacy Commissioner of a notifiable privacy breach, or destroying personal information after a request for access to it has been made, carry a fine of up to NZ$10,000.
The Commissioner can also issue a Compliance Notice requiring an agency to stop an activity or take specific steps to comply with the Privacy Act or the HIPC. Non-compliance with a Compliance Notice is enforced through the Human Rights Review Tribunal and can result in a fine of up to NZ$10,000.
Additionally, the Privacy Commissioner has the authority to publicly name an agency that has breached the law, which can cause significant reputational damage even where no fine is imposed.
If you have questions about how communication software and apps help keep patient data secure in your hospital call centre or switchboard, please don’t hesitate to contact Nick Evans at +61 2 5017 9925 or nevans@amtelco.com.