Georgia Hunt
Georgia is an experienced commercial lawyer advising government, professional services and education organisations.
View profileThere have been some significant reforms in relation to privacy and data security at the Commonwealth level, but how do they apply to Victorian local government?’

The Commonwealth Privacy Act 1988 (Cth) (Commonwealth Privacy Act) was subject to some significant amendment by operation of the Privacy and Other Legislation Amendment Act 2024 (Cth). An overview of the key changes can be found in our previous eAlerts Navigating Privacy Reforms: Challenges and opportunities for government in 2025 and Privacy reforms - what now? Our top 3 tips for Australian Government agencies.
In summary, the Commonwealth Privacy Act has been amended to:
While the Commonwealth Privacy Act generally does not apply to other levels of government, including councils, some of these changes do have some implications for local government.
A tort is a civil wrong which gives a person the right to sue another person or organisation for damages. For example, negligence is a common tort. In Australia, up until June 2025, there was no tort for invasion of privacy. People in Australia have had some limited rights to sue people for disclosing their confidential information, although these rights have generally only been exercised for commercially-sensitive information and trade secrets.
For example, in the Victorian Supreme Court case of Giller v Procopets [2004] VSC 113, the court found that a man who shared sexually-explicit images of a woman he had been in a relationship with breached her confidence, but also found that she had no right to recover damages.
Courts in Australia have considered recognising a tort for invasion of privacy (including in Giller v Procopets), but have always held that there has not been sufficient precedent for it.
Under the change, any individual (the plaintiff) may sue another individual or organisation (the defendant) where:
There are some defences, for example if the invasion of privacy was required or authorised by law, or was necessary to protect a person’s life, health or safety. The court may respond to the invasion of privacy by issuing an injunction restraining the defendant or awarding damages to the plaintiff.
As the tort is new, there is no case law on it. However, there is case law from the UK dealing with questions of reasonable expectation of privacy and public interest.
Councils and their employees will have some protections under sections 16 and 16A of Schedule 2 of the Commonwealth Privacy Act. An individual will not have a cause of action against a council or a council employee who invades an individual’s privacy in good faith when performing or purporting to perform an official function or exercising or purporting to exercise a power.
The change will, however, apply in other cases. Victorian councils, as well as state government entities, are covered by the Privacy and Data Protection Act 2014 (PDPA). This means that they must only collect, hold, use and disclose personal information as permitted by the Information Privacy Principles (IPPs). Individuals who believe that a council has improperly collected, held, used or disclosed their personal information may make a complaint to the Office of the Victorian Information Commissioner (OVIC) and can now attempt to sue them for serious invasions of privacy under the Commonwealth Privacy Act. Previously, individuals did not have this express right to sue the council.
While the risk of a council being liable for a serious invasion of privacy is not high, it is important to keep in mind that:
Alongside the tort of serious invasion of privacy, the Commonwealth Parliament has also made doxxing an offence in the Commonwealth Criminal Code.
Doxxing refers to releasing personally-identifiable information about an individual online without their consent, usually for a malicious purpose. It is now an offence in Australia to release personal data of individuals in a way which is “in all the circumstances, menacing or harassing towards those individuals”.
Councils are already bound by the IPPs regarding the disclosure of personal information, but the change could make individuals, including Councillors, criminally liable for releasing personal information online. It will also mean that Councillors and officers who are subject to doxxing, something which is becoming increasingly common, will have recourse to these new offence provisions, although they will be reliant on the Australian Federal Police being prepared to take up their case.
Companies and government agencies in Australia need to be careful about disclosing personal information to overseas recipients. Under Australian Privacy Principle (APP) 8, entities bound by the Commonwealth Privacy Act have been able to send personal information to an overseas recipient where they are in a jurisdiction subject to a substantially similar law or binding scheme. Prior to this year, it was up to entities to make this assessment themselves and bear the risk of being incorrect.
The recent privacy reforms allow the Commonwealth Government to release a “white list” of jurisdictions considered safe for overseas disclosure of personal information for the purposes of APP 8.
Councils are not bound by the APPs, but under IPP 9.1(a), they too are permitted to disclose personal information outside of Victoria if they reasonably believe that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the IPPs. Councils will be able to draw on the white list when assessing if it is safe for them to disclose personal information to overseas recipients.
There have been some significant reforms from a data security perspective, such as the Cyber Security Act 2024 (Cth), which is the Commonwealth’s first stand-alone law in relation to cyber security. Some of the key measures implemented by this Act include:
However, these reforms are targeted at the corporate sector and to government entities that are responsible entities of critical assets under the Security of Critical Infrastructure Act 2018 (Cth). As such, the Act is unlikely to directly apply to councils. Councils that have concerns that they may be facing a cyber security breach should raise their concerns with OVIC.
While the reforms to the Commonwealth Privacy Act and the Cyber Security Act 2024 (Cth) are only likely to apply to local government in limited circumstances, councils should be aware of these reforms, the renewed focus of the Commonwealth on privacy and data security, and the resulting potential impacts for them.
For advice or support with managing these reforms, please get in touch with our Privacy and FOI team.
Georgia is an experienced commercial lawyer advising government, professional services and education organisations.
View profileKeep up to date with our legal insights and events
Sign upTargeted changes are now in place for approvals, strategic assessments, information sharing and advisory processes.
The Court addressed the proper approach to assessing both economic and cultural loss.
In June, the Attorney-General tabled the Australian Law Reform Commission’s Final Report...
Changes to employment arrangements for Council CEOs and the framework provided for the Local Government Fair Jobs Code.
Partner
Sector Leader - Education
Melbourne