

Australia’s Privacy Act treats political information oddly: information about your political beliefs is sensitive data entitled to higher protection, yet information collected and used by political parties themselves is exempt from the Act altogether.
Although political parties increasingly use data to target and drive campaigns, the proposal to remove this exemption from the Privacy Act has not been actioned. The ransomware attack involving Clive Palmer’s United Australia Party and Trumpet of Patriots is a striking case study of the exemption’s impact on the privacy of everyday Australians.
If the government is serious about our privacy, surely it is time to tighten this exemption.
Clive Palmer has established two political parties, the United Australia Party and Trumpet of Patriots, neither of which holds a seat in parliament. In the course of their campaigns they no doubt collected and retained a large amount of data, although Mr Palmer appears to have little understanding of what that data was.
In June 2025, a ransomware attack was detected. The attack affected “all emails to and from the political parties (including their attachments) and documents and records created and or held electronically by the political parties at any time”. Reports say it included banking records, employment history and other personal information.
Both political parties said they would not notify affected individuals because it would be “impractical”. More tellingly, Clive Palmer said “We do not know comprehensively what information of yours was on the server but you should assume that any information you have provided would have been stored on the server.”
Despite that position, a notice of the breach was posted on the UAP website on 17 July 2025.
The parties also claimed at the time that they had reported the breach to the OAIC and the Australian Signals Directorate. However, Crikey reports that it was told by the OAIC in July that it had no record of any such report. (More information about the data breach is here and here.)
Under Section 7C of the Privacy Act, registered political parties, their subcontractors and their volunteers are exempt from the Act’s provisions (including the data breach notification obligations) when carrying out exempt political activities.
This is a significant carve-out, criticised by privacy and legal experts.
Modern political campaigns have become data-driven, aimed at consolidating existing support and targeting new voters and donors. Some campaigns create detailed profiles of individual voters to micro-target increasingly precise messages to increasingly refined segments of the electorate. Yet those activities sit entirely outside the protections Australians otherwise enjoy.
The OAIC has opposed the political parties exemption since its introduction, on the grounds that there are few well-articulated policy reasons why a blanket exemption should apply to political parties and political acts and practices (OAIC).
The concern is not merely theoretical: political parties likely hold quite a bit of sensitive information about constituents and prospective voters, and the lack of legislative obligations to ensure the security of that voter data is “pretty troubling,” according to researchers (SBS).
The OAIC’s 2026 Australian Community Attitudes to Privacy Survey (ACAPS) shows that the gap between public expectation and legal reality around political parties is stark and growing: 88% of Australians believe political parties and representatives should be subject to the same privacy standards as government agencies and larger businesses, up from 82% in 2023 and 74% in 2020.
This is a clear and strengthening majority. Support for extending Privacy Act obligations to currently exempt sectors has grown across the board since 2020, but political parties consistently rank near the top of the list, alongside businesses collecting employee surveillance data (89%). Women are slightly more likely than men to support the change (91% vs 86%), but the sentiment is broadly shared.
We have covered the ACAPS in more detail here.
Whatever justification the political parties exemption once had, it no longer reflects community expectations. Australians increasingly expect consistent, enforceable privacy standards across the economy, and see no reason why the parties seeking their votes should be exempt from rules that apply to everyone else.
Given these views, it is no surprise that calls to reform the exemption have been raised many times over nearly the last 20 years.
In its 2007 and 2010 reviews of Australian privacy law, the Australian Law Reform Commission recommended the removal of the political exemption.
In 2006, Senator Natasha Stott Despoja introduced a private member’s bill to remove it, though it lapsed at the end of the parliamentary term (SBS).
The 2022 Attorney-General’s Department Privacy Act Review Report revisited the issue with specific proposals. These included requiring political entities to publish a privacy policy, prohibiting targeting based on sensitive information (with a carve-out for political opinions), giving individuals the right to opt out of direct marketing and targeted advertising by political entities, and requiring political entities to take reasonable steps to protect and destroy or de-identify personal information. (See Appendix 1 for more detail on the proposed reforms to the exemption).
The Report also proposed bringing political entities within the Notifiable Data Breaches scheme.
This is where the reform story stalls.
In its response to the report, the government merely “noted” the political exemption proposals, the category least likely to result in legislative action. This noting extended even to the proposals that political entities take reasonable steps to protect, destroy or de-identify personal information and comply with the Notifiable Data Breaches scheme.
The exemption was not addressed in the Tranche 1 reforms introduced in 2024. In a February 2026 Senate estimates hearing, the Attorney-General confirmed the government is “now progressing a second tranche of privacy reforms to ensure the Privacy Act is fit for purpose in the digital age,” though no timeline has been given. There is little indication, however, that the political parties exemption will be included in Tranche 2, if and when that bill arrives.
For now, registered political parties, their contractors and volunteers remain entirely outside the Privacy Act’s reach when conducting political activities, a position that community attitudes surveys suggest most Australians neither expect nor support.
Crikey has reported that the OAIC’s preliminary inquiry into the United Australia Party (UAP) and Trumpet of Patriots has concluded, and that neither party will face penalties over the June 2025 breach.
The OAIC decided that the Privacy Act’s carve-out for political parties applied, even though the UAP was voluntarily de-registered after the 2022 election and remained so until last month, when the AEC approved its re-registration. That period includes the time when the breach occurred.
An OAIC spokesperson told Crikey the regulator was satisfied after careful consideration of the incident that the Section 7C exemption applied to both parties, as well as their subcontractors and volunteers.
Privacy reform is challenging, and there are legitimate reasons for political parties to access Australians’ personal information. But this incident reveals the very low level of care taken by at least some parties. It is not good enough to say you cannot notify people because your records are too poor to know what information you hold about them. Australians should expect more.
At the very least, political parties should be obliged to secure the personal data they hold. Is that really too much to ask?
The following recommended Privacy Act reforms were noted by the Australian Government and are unlikely to proceed at this time:
| Proposal | Recommendation |
| --- | --- |
| 8.1 | Amend the definition of ‘organisation’ under the Act so that it includes a ‘registered political party’ and include registered political parties within the scope of the exemption in section 7C. |
| 8.2 | Political entities should be required to publish a privacy policy which provides transparency in relation to acts or practices covered by the exemption. |
| 8.3 | The political exemption should be subject to the following requirements: (a) Political acts and practices covered by the exemption must be fair and reasonable. (b) Political entities must not engage in targeting based on sensitive information or traits which relates to an individual, with an exception for political opinions, membership of a political association, or membership of a trade union. The political exemption should include a savings clause as per Recommendation 41-2 of ALRC Report 108. |
| 8.4 | The political exemption should be subject to a requirement that individuals must be provided with the means to: (a) opt-out of their personal information being used or disclosed for direct marketing by a political entity, and (b) opt-out of receiving targeted advertising from a political entity. |
| 8.5 | The political exemption should be subject to a requirement that political entities must: (a) take reasonable steps to protect personal information held for the purpose of the exemption from misuse, interference and loss, as well as unauthorised access, modification or disclosure; (b) take reasonable steps to destroy or de-identify the personal information it holds once the personal information is no longer needed for a purpose covered by the political exemption; and (c) comply with the NDB scheme in relation to an eligible data breach involving personal information held for a purpose covered by the political exemption. |
| 8.6 | The OAIC should develop further guidance materials to assist political entities to understand and meet their obligations. |