Navigating the GDPR: A compass for the Australian public sector

  • The GDPR applies to two categories of entities: ‘controllers’ and ‘processors’ of ‘personal data’.
  • It is likely that Australian federal, state and territory government agencies and departments, will fall within these categories.
  • All public sector entities should seek to understand the application and reach of the GDPR and assess whether it applies to their activities.


The European Union General Data Protection Regulation (GDPR) is leading a revolution in international privacy and data standards. Although a European law, the GDPR's broad extra-territorial reach is such that it is impacting many entities within Australia and around the globe. But while much ink has been spilled about the GDPR's application to the Australian private sector, comparably little has been written about its potential application to, and impact on, the Australian public sector. 

Accordingly, 12 months after the GDPR came into effect there still remains considerable uncertainty and complexity about how, and to what extent, it applies to the Australian public sector.

Ultimately, whether the GDPR applies must be carefully considered on a case-by-case basis and this article sets out some of the key areas of relevance for the Australian public sector.

But even where the GDPR does not apply, it is still helpful to understand it. The GDPR has become the new gold standard for the protection of personal data and public sector agencies should look to certain aspects of the GDPR to enhance how they handle and protect personal data.

How the GDPR might apply to the Australian public sector

The GDPR applies to two categories of entities: ‘controllers’ and ‘processors’ of ‘personal data’. Broadly stated, personal data is similar to the concept of ‘personal information’ that exists under the Privacy Act 1988 and under many Australian state and territory privacy laws that apply to the public sector.

Both ‘controller’ and ‘processor’ are broadly defined under the GDPR to include a ‘natural or legal person, public authority, agency or other body’. The GDPR does not define public authority, agency or body, nor whether these terms are restricted to bodies of EU member states. In the context of enforcement of the GDPR, it will likely then depend on the relevant implementing state as to how these terms are defined and applied.

This article is exclusive to Governance Institute members and subscribers.

To read the full article…

or Become a member