Political party exemptions from the Privacy Act

Posted on October 22, 2025 by Digital Rights Watch

TL;DR: The political party exemption in the Privacy Act leaves the door open for political parties, their contractors, subcontractors, and volunteers to access your personal information without following the same rules as everyone else. That needs to change.

Ever wondered how Clive Palmer got away with blowing up your phone last election?

Back in 2000, our parliamentarians gave themselves and their political parties an exemption from the Privacy Act! This means they have no obligation to respect your privacy, and no obligation to securely store the data they have freely collected. This was opposed by the Office of the Australian Information Commissioner at the time:

“The OAIC has opposed the political parties exemption since its introduction, on the grounds that there are still few well-articulated policy reasons why the exemption should apply to political parties … There is also a risk that the exemption’s effect on political transparency may damage Australia’s system of representative democracy, as well as the public’s trust in Australia’s privacy protections.” - OAIC

Being exempt from the Privacy Act 1988, political parties and representatives are also exempt from the Australian Privacy Principles (APPs) and the Notifiable Data Breach Scheme.

The APPs regulate when personal information can be collected, how it can be used, and under what circumstances it may be shared. While exempt bodies may choose to opt in and be subject to the APPs, no political parties or representatives have yet done so.

Political parties and representatives are exempt from the Notifiable Data Breach Scheme, which requires entities to report data breaches to the OAIC. While some may choose to report data breaches to be investigated, they are under no obligation to do so. Furthermore, they have no obligation to inform the people affected by the data breach, depriving them of the chance to take precautionary measures such as changing passwords.

That’s particularly worrying, given the Australian Electoral Commission supplies political parties with the electoral roll for use in political advertising under the Commonwealth Electoral Act 1918.

What is on the electoral roll? The name, address, date of birth, and gender of every voter alongside additional personal information used to send you a postal vote or political messaging.

Political parties are not obliged to abide by the Do Not Call Register Act 2006 or the Spam Act 2003, or most spam and telemarketing rules. That’s how they’re able to send you emails and text messages without your consent.

If this cocktail of exemptions resulted in political parties blowing up your phone last election, you are not alone. Thanks to this lack of oversight, spam texts and calls are now a feature of the Australian electoral cycle.

Are there restrictions on the sensitive information that political parties have?

Political parties and representatives may access our information in relation to:

  • an election under an electoral law
  • a referendum under a federal, state, or territory law
  • another aspect of the political process that the political representative takes part in.

This is incredibly broad, encompassing nearly everything that a political party might do.

The term “political party” applies to all registered political parties, their contractors, subcontractors and volunteers. “Political representative” refers to a member of parliament or councillor of a local government authority. On the plus side, Australian government ministers do have responsibilities under the Privacy Act for any personal information they handle in their role as minister.

Political parties hold very sensitive information, with very poor safeguards.

The major political parties are holding some very sensitive information on you. Labor has a voter database called “Campaign Central” which allocates constituents a “persuadability score” based on data collected in polling and robocalls. The results are then cross-referenced against demographic information such as income, age, and gender to produce statistical modelling which informs strategists if you should be targeted for political advertising.

In a statement to the ABC, a Labor insider said,

“If they had a higher persuadability score you would find out what they are persuadable on … so health, education, defence … then you would tailor the messages to them, so it could be more calls from the MP … [or] bombard them with direct mail.”

The Liberal Party has similar practices. In a statement to the ABC, a Liberal strategist said,

“If you ever called your MP and complained about a specific issue, say about climate change or same-sex marriage, the person on the other side of the phone could look you up and add your thoughts in there,”

This data about us is incredibly valuable, making it a target for hackers and foreign governments. If they got access to this data and published individuals’ political affiliations and private beliefs, the consequences would be devastating.

This information should be rigorously and consistently protected and yet it is not.

This was demonstrated in the 2025 ‘Trumpet of Patriots’ data breach, whereby the party failed to protect a server from a ransomware attack, compromising voters’ banking records, employment history, and other personal information.

Trumpet of Patriots said, “We do not keep a record of all individuals who were on the server” and that it was “impracticable to notify individuals”. Notifying those individuals is something that would have been required if political parties were subject to the Privacy Act.

Poor data-handling practices are not unique to Clive Palmer’s party.

According to The Age, Brethren businesses and individuals volunteered financial resources and months of their time to support the Liberal Party’s 2025 federal campaign; the Brethren were given unrestrained access to ‘Feedback’ campaigning software. Here, they accessed detailed profiles of Australian voters and cold-called roughly a million people to campaign for the Dutton-led Liberals. Voters were not given a say in whether they consented to the Plymouth Christian Brethren Church accessing their personal data regarding their political opinions.

In April of this year, the Liberal Party inadvertently exposed some of the data it had collected during the election campaign. When recipients of unsolicited emails tried to unsubscribe, they were taken to a partially-completed form displaying pre-populated personal data, including their name, birthday, gender, and email address.

Other fields were unfilled but accidentally visible, such as: “Strong Liberal”, “Predicted Chinese”, and “Predicted Jewish”.

Further fields labeled “TVT” may relate to voter targeting scores or tracking metrics, such as a likelihood to vote Liberal.

Such a monumental oversight raises serious concerns regarding the security of our sensitive data.

What is to be done?

Digital Rights Watch calls for all political exemptions to the Privacy Act 1988, Spam Act 2003 and Do Not Call Register Act 2006 to be removed. Australian democracy did just fine prior to politicians having the sort of intrusive access to our personal information that they enjoy today.

The Privacy Act was first intended to regulate the actions of political groups, but our politicians’ focus shifted to commercial entities in 2000. In 2008, the Australian Law Reform Commission’s review of the Privacy Act recommended the removal of Privacy Act exemptions for parties, candidates, staffers, contractors and volunteers.

A 2023 survey by the OAIC found that a staggering 82% of Australians believe that political parties should be subject to the same privacy laws as corporations. Australia is one of the only countries in the OECD where political parties are exempt.

The removal of this exemption would ensure that Australian political parties adhere to the APPs. It would safeguard the management and use of our data to protect against misuse and data breaches, including mandatory data breach reporting to the OAIC.

The Albanese government has already committed to approximately 100 privacy reforms; it needs to implement them soon. This would help build trust in the political system, and give Australians more control over their data - even the right to delete it.