Australian Privacy Principles: Complete Guide (2026)
Understand the 13 Australian Privacy Principles, who they apply to, and how to comply with Australia's Privacy Act 1988 requirements.
The Australian Privacy Principles are the cornerstone of data protection law in Australia, governing how organisations handle personal information from collection through to destruction. Whether you operate a local business, run a website that serves Australian users, or manage an app available on Australian app stores, the APPs set the legal standard you must meet.
This guide is educational content and does not constitute legal advice. For specific compliance questions, consult a lawyer qualified in Australian privacy law. The information below covers the practical requirements that most businesses need to understand when operating under the Australian Privacy Principles framework.
Overview of the Australian Privacy Principles
The Australian Privacy Principles are contained in Schedule 1 of the Privacy Act 1988 (Cth). They replaced the former National Privacy Principles (for the private sector) and Information Privacy Principles (for government agencies) when the Privacy Amendment (Enhancing Privacy Protection) Act 2012 took effect on 12 March 2014.
The 13 APPs are organised into five groups:
- Consideration of personal information privacy (APPs 1 and 2)
- Collection of personal information (APPs 3, 4, and 5)
- Dealing with personal information (APPs 6, 7, 8, and 9)
- Integrity of personal information (APPs 10 and 11)
- Access to, and correction of, personal information (APPs 12 and 13)
The Office of the Australian Information Commissioner (OAIC) is the regulator responsible for enforcement. The OAIC publishes detailed APP Guidelines that provide authoritative interpretation of each principle.
Who Must Comply with the Australian Privacy Principles?
The Privacy Act 1988 applies to "APP entities," which include two categories: organisations and agencies.
Organisations covered by the APPs include:
- Private sector businesses with annual turnover above 3 million AUD
- All health service providers, regardless of turnover
- Businesses that trade in personal information (such as data brokers)
- Credit reporting bodies and credit providers
- Entities related to an organisation already covered by the Act
- Small businesses that have opted in to coverage
- Operators of residential tenancy databases
Government agencies at the Commonwealth level are also bound by the APPs, though some agencies have specific exemptions for law enforcement or national security functions.
A common misconception is that small businesses below the 3 million AUD threshold are automatically exempt. While many are, the exemptions do not apply if the business handles health information, sells personal data, provides services under a Commonwealth contract, or is a reporting entity under the AML/CTF Act.
Overseas businesses can also fall within scope. The Privacy Act applies extraterritorially to foreign organisations that have an "Australian link," meaning they are incorporated in Australia, carry on business in Australia, or collect personal information from individuals located in Australia.
The 13 Australian Privacy Principles Explained
APP 1: Open and Transparent Management of Personal Information
Organisations must manage personal information in an open and transparent way. This means maintaining a clearly expressed, up-to-date privacy policy that is available free of charge. The policy must describe the types of information collected, how it is held, purposes for collection and use, how individuals can access and correct their information, complaint mechanisms, and whether information is disclosed overseas.
A privacy policy generator can help you build the structural foundation, but you will need to tailor it to reflect Australian-specific requirements, including the APP-mandated disclosures about overseas transfers and complaint procedures through the OAIC.
APP 2: Anonymity and Pseudonymity
Individuals must have the option to deal with an organisation anonymously or under a pseudonym, unless it is impractical to do so or the organisation is required by law to deal with identified individuals. This applies to enquiries, transactions, and service access.
In practice, this means your website should allow browsing without mandatory account creation where possible, and forms should only require identification when genuinely necessary for the service being provided.
APP 3: Collection of Solicited Personal Information
APP 3 restricts what personal information you can collect and the methods you use. Organisations may only collect personal information that is reasonably necessary for their functions or activities. Government agencies have a slightly broader test: "directly related to" their functions.
For sensitive information, including health data, biometric data, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, and criminal records, a higher threshold applies. Sensitive information can only be collected with consent and where reasonably necessary, or under specific exemptions.
Key requirements:
- Collect by lawful and fair means
- Collect directly from the individual unless it is unreasonable or impractical to do so
- Do not collect more than what is reasonably necessary
- Obtain consent for sensitive information collection
APP 4: Dealing with Unsolicited Personal Information
If an organisation receives personal information it did not ask for, APP 4 requires a prompt assessment. The organisation must determine whether it could have collected the information under APP 3. If it could not have, the information must be destroyed or de-identified as soon as practicable, provided it is lawful to do so.
This applies to information received through general enquiry forms, misdirected emails, unsolicited job applications, and third-party data sharing that was not requested.
APP 5: Notification of Collection
At or before the time of collection (or as soon as practicable afterward), you must notify individuals about specific matters. These include your identity and contact details, the facts and circumstances of collection, whether the collection is required or authorised by law, the purposes of collection, consequences of not providing the information, usual disclosures, the privacy policy, and whether information will be transferred overseas.
For websites, this typically means placing clear notice on forms and sign-up pages, linking to your privacy policy, and providing specific disclosures in your cookie policy if you use tracking technologies.
APP 6: Use or Disclosure of Personal Information
Personal information can only be used or disclosed for the primary purpose for which it was collected, or for a secondary purpose where the individual would reasonably expect the use and it is related (or directly related for sensitive information) to the primary purpose. Consent, legal requirements, and enforcement needs provide additional permitted uses.
Direct marketing has specific rules. You must provide a simple opt-out mechanism, and each marketing communication must include an option to unsubscribe. For sensitive information, direct marketing generally requires explicit consent.
APP 7: Direct Marketing
APP 7 sets out when organisations may use personal information for direct marketing. The rules vary depending on whether the information was collected directly from the individual, whether the individual would reasonably expect direct marketing, and whether a simple opt-out mechanism is provided.
Sensitive information must not be used for direct marketing unless the individual has consented. For all direct marketing, you must include a way for the individual to opt out or request that their information not be used, and you must action opt-out requests within a reasonable period.
APP 8: Cross-Border Disclosure
Before disclosing personal information to an overseas recipient, you must take reasonable steps to ensure the recipient does not breach the APPs. Alternatively, you can rely on an exception, such as the individual's informed consent, a binding scheme substantially similar to the APPs, or a prescribed law or binding agreement.
The disclosing organisation remains accountable for breaches by the overseas recipient, unless an exception applies. This accountability model makes it critical to assess your cloud providers, analytics platforms, and SaaS tools for their data handling locations.
APP 9: Adoption, Use, or Disclosure of Government-Related Identifiers
Organisations generally cannot adopt, use, or disclose government-related identifiers (such as tax file numbers, Medicare numbers, or driver's licence numbers) as their own identifiers for individuals. Exceptions exist when required by law or for verification of identity.
APP 10: Quality of Personal Information
Organisations must take reasonable steps to ensure the personal information they collect, use, or disclose is accurate, up-to-date, complete, and relevant. This is an ongoing obligation that requires periodic data quality reviews, especially for information used in decision-making that affects individuals.
APP 11: Security of Personal Information
APP 11 requires organisations to take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. When information is no longer needed for any purpose permitted under the APPs, it must be destroyed or de-identified.
"Reasonable steps" depends on the sensitivity of the information, the consequences of a breach, the organisation's size and resources, and the practicability of implementing security measures. The OAIC expects, at minimum, encryption, access controls, staff training, and incident response procedures.
APP 12: Access to Personal Information
Individuals have the right to request access to their personal information held by an organisation. You must respond within 30 days and provide access in the manner requested by the individual if reasonable and practicable. Access can be refused on specific grounds, including serious threats to life or health, unreasonable impact on the privacy of others, or if the request is frivolous or vexatious.
APP 13: Correction of Personal Information
If an organisation holds personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading, it must take reasonable steps to correct it. Individuals can request corrections, and the organisation must respond within 30 days. If correction is refused, the individual can request a statement be associated with the information noting that they believe it is inaccurate.
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate NowSensitive Information under the Australian Privacy Principles
The APPs impose higher requirements for sensitive information. Under the Privacy Act, sensitive information includes:
- Health information (physical, mental, or psychological condition)
- Genetic and biometric information
- Information about racial or ethnic origin
- Political opinions and membership of political associations
- Religious beliefs or affiliations
- Philosophical beliefs
- Membership of professional or trade associations and trade unions
- Sexual orientation or practices
- Criminal record
- Biometric templates
Collection of sensitive information requires consent and must be reasonably necessary. Additional safeguards apply to use, disclosure, and storage. If your website or application collects any of these categories, your privacy policy must specifically address them.
Penalties and Enforcement of the Australian Privacy Principles
The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 significantly increased penalties for serious or repeated privacy breaches. The maximum penalty for a body corporate is now the greatest of:
- 50 million AUD
- Three times the value of the benefit obtained from the breach
- 30% of the organisation's adjusted turnover during the relevant breach period
For individuals, the maximum penalty is 2.5 million AUD.
The OAIC can also accept enforceable undertakings, issue infringement notices, conduct investigations (Commissioner-initiated or complaint-driven), and seek civil penalty orders through the Federal Court or Federal Circuit Court.
Recent enforcement activity has focused on data breach response failures, inadequate security measures, and transparency shortcomings in privacy policies. The Optus and Medibank data breaches in 2022 prompted both the penalty increases and heightened regulatory attention.
Notifiable Data Breaches Scheme
Since February 2018, the Notifiable Data Breaches (NDB) scheme requires APP entities to notify affected individuals and the OAIC when a data breach is likely to result in serious harm. The notification must occur as soon as practicable after the entity becomes aware of or completes an assessment of the breach.
The notification must include a description of the breach, the kinds of information involved, and recommendations for individuals to take. Entities have 30 days to complete a reasonable assessment of whether a breach is likely to result in serious harm.
Failure to comply with the NDB scheme is an interference with privacy and can result in the penalties described above. Tools such as TermsBox can help you maintain up-to-date privacy policies and cookie consent banners that accurately reflect your data handling practices, which forms part of the transparency foundation the OAIC evaluates when assessing breach responses.
How to Comply with the Australian Privacy Principles
Building compliance is an ongoing process, not a one-time task. Here is a practical framework:
Conduct a privacy impact assessment. Map all personal information your organisation collects, stores, uses, and discloses. Identify sensitive information flows and cross-border transfers.
Draft or update your privacy policy. Ensure it covers all APP 1 requirements, including collection purposes, disclosure practices, overseas transfers, access and correction rights, and complaint mechanisms. Use a privacy policy generator as a starting point and customise for Australian requirements.
Implement collection notices. Add clear notices at every collection point, including website forms, checkout pages, and account registration. Link to your full privacy policy.
Review consent mechanisms. For sensitive information, ensure you obtain informed, voluntary, current, and specific consent. Document consent records with timestamps and the exact notice provided.
Assess cross-border data flows. Identify every overseas recipient of personal information, assess their privacy practices, and establish contractual protections. Document your due diligence.
Implement security controls. Deploy encryption, access controls, monitoring, and incident response procedures proportionate to the sensitivity and volume of information you handle.
Establish access and correction processes. Create internal procedures to respond to access and correction requests within the 30-day timeframe. Train staff on handling requests.
Set up breach response procedures. Prepare a data breach response plan that covers assessment, containment, notification to the OAIC, and notification to affected individuals.
Train staff. Ensure everyone who handles personal information understands the APPs and your organisation's specific policies and procedures.
Review regularly. Privacy compliance is not static. Review your practices when you introduce new services, change vendors, expand to new markets, or when law reforms take effect.
Upcoming Reforms to Australian Privacy Law
The Australian Government's response to the Attorney-General's Privacy Act Review (released in September 2023) signalled significant changes ahead. Proposed reforms include a statutory tort for serious invasions of privacy, a children's online privacy code, stronger requirements for automated decision-making transparency, and expanded individual rights including a right to erasure.
The Online Privacy Bill, though delayed, would introduce an online privacy code for social media, data brokerage, and large online platforms. These reforms will add obligations on top of the existing APPs, making it important for businesses to build flexible compliance frameworks that can adapt to new requirements.
Organisations that invest in solid APP compliance now will be better positioned when these reforms take effect, since the APPs will remain the foundation of Australian privacy law.
Frequently Asked Questions
What are the Australian Privacy Principles?
The Australian Privacy Principles (APPs) are 13 legally binding principles set out in Schedule 1 of the Privacy Act 1988. They regulate how organisations and Australian Government agencies collect, use, store, disclose, and manage personal information.
Who must comply with the Australian Privacy Principles?
The APPs apply to Australian Government agencies, private sector organisations with annual turnover above 3 million AUD, health service providers, businesses that trade in personal information, and certain small business operators who opt in or are prescribed by regulations.
What is the maximum penalty for breaching the Australian Privacy Principles?
Following the Privacy Legislation Amendment Act 2022, the maximum penalty for serious or repeated interferences with privacy is the greater of 50 million AUD, three times the value of the benefit obtained from the breach, or 30% of the organisation's adjusted turnover during the relevant period.
Do the Australian Privacy Principles apply to overseas businesses?
Yes. If an overseas organisation collects or holds personal information of Australian individuals and has an Australian link, the APPs can apply under the extraterritorial provisions of the Privacy Act 1988. This includes organisations with operations in Australia or that collect data from Australian residents.