16.1 An act or practice ‘required or authorised by or under law’ is an exception to a number of the limits on the handling of personal information under the Privacy Act 1988 (Cth). This chapter first considers what is meant by the phrase ‘required or authorised by or under law’, and considers whether the model Unified Privacy Principles (UPPs) should include a new exception for acts and practices that are ‘specifically authorised by or under law’. The chapter then considers a number of federal Acts that require or authorise acts and practices for the purposes of the Privacy Act. These include the Census and Statistics Act 1905 (Cth), the Corporations Act 2001 (Cth), the Commonwealth Electoral Act 1918 (Cth) and the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act).