In 2007 Queensland made it a criminal offence to steal or forge the personal identification information of another person for the purpose of committing a crime. There is a maximum penalty of 3 years imprisonment and 5 years imprisonment if the information is provided to a member of a criminal organisation. The Commonwealth has recently followed Queensland’s lead by making similar laws.

Australia has seen a significant rise in identify theft because more people are providing personal information online. In 2014 the Australian Competition and Consumer Commission stated $16 million was lost that year alone to online dating scams, with many of these resulting from an offender obtaining the person’s identity information.

There is no established right of privacy in Australia. The law is still evolving to keep up with the rapid changes in society. Merely holding someone’s personal information is not a crime, there has to be some action taken or intention to commit a crime for it to be considered an offence. An example would be a person hacking into your computer and getting your credit card details to provide to a Russian crime syndicate.

The Australian Privacy Act has rules governing how agencies and organisations collect, store and deal with your personal information in order to prevent unauthorised people from accessing and using it. However there is no requirement for an agency or organisation to report when a data breach has occurred. Reporting of breaches is voluntary, thus you may never know your personal information has been taken.

Offenders often target not just individuals, instead hacking organisations to obtain personal information. Consider the recent hacking of the Ashley Madison social networking website where sensitive personal information of 32 million users was publicly exposed online. In that matter, the organisation Avid Life Media claimed to have highly secure facilities to protect user’s identities and personal information.

If you publicly disclose information in your personal capacity, such as on Facebook or in tweets, that information is generally not protected by the Privacy Act. People should be wary about what information they disclose online.

Incidents such as the Ashley Madison leaks highlight the need for governments to require organisations to report breaches of personal information to the regulator and also the individual. Consideration should be given to criminal and civil penalties where there are repeated failures and careless or negligent dealing with personal information. Such changes to the law should give the public greater confidence in using online services such as the growing e-commerce market.

Businesses and organisations engaging in e-commerce or collecting personal information of clients or employees should seek legal advice regarding compliance with privacy laws. To book a consultation, contact my office at or by calling (07) 5444 1022.

Shane Ulyatt