Australia

A company is using my personal information for a purpose different from what they told me. Is this a breach?

Key privacy principle: APP 6.1
Response time for complaints: 30 days
Max penalty for serious breaches: $2.5M
Australian Privacy Principles: 13 APPs

The Short Answer

Yes, it is likely a breach of the Privacy Act 1988 (Cth) if a company uses your personal information for a purpose different from the one they disclosed at collection, unless an exception applies.

What the Law Says

Australia’s privacy framework is governed by the Privacy Act 1988 (Cth), which sets out the Australian Privacy Principles (APPs). APP 6 specifically regulates how organisations may use and disclose personal information.

Under APP 6, an organisation must not use or disclose your personal information for a purpose other than the primary purpose for which it was collected — unless you consent, or an exception in APP 6.2 applies (e.g., related secondary purpose, required by law, or serious threat to life or health).

The organisation must have notified you of the purposes of collection at the time of collection (APP 5), and any new use must align with those stated purposes or meet a lawful exception.

If they fail to comply, it may constitute an 'interference with privacy', giving you rights to complain to the Office of the Australian Information Commissioner (OAIC).

Statutory Text

An organisation must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the purpose for which it was collected (the primary purpose)…

Privacy Act 1988 (Cth), Sch 1, APP 6.1 — Use or disclosure of personal information

Statutory Text

An organisation may use or disclose personal information about an individual for a secondary purpose if… the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose…

Privacy Act 1988 (Cth), Sch 1, APP 6.2(b) — Use or disclosure of personal information

What to Do

1. Check the organisation’s privacy policy or collection notice to confirm what purpose(s) were stated when your information was collected.

2. Contact the organisation in writing to ask why they used your information differently and request correction or deletion.

3. If unsatisfied, lodge a formal complaint with the OAIC within 12 months of becoming aware of the issue.

4. The OAIC will assess your complaint and may investigate, conciliate, or make a determination — including requiring the organisation to apologise, correct records, or pay compensation.


Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.