- What Are The Australian Privacy Principles (And Do They Apply To You)?
- The 13 APPs Explained In Plain English
- APP 1 - Open And Transparent Management Of Personal Information
- APP 2 - Anonymity And Pseudonymity
- APP 3 - Collection Of Solicited Personal Information
- APP 4 - Dealing With Unsolicited Personal Information
- APP 5 - Notification Of The Collection Of Personal Information
- APP 6 - Use Or Disclosure Of Personal Information
- APP 7 - Direct Marketing
- APP 8 - Cross‑Border Disclosure Of Personal Information
- APP 9 - Adoption, Use Or Disclosure Of Government Related Identifiers
- APP 10 - Quality Of Personal Information
- APP 11 - Security Of Personal Information
- APP 12 - Access To Personal Information
- APP 13 - Correction Of Personal Information
- How Do You Turn The APPs Into Practical Steps?
- Common Privacy Traps For Small Businesses
- What Documents And Policies Will Help You Comply?
- Privacy And Your Broader Legal Compliance
- Key Takeaways
If your business collects any personal information in Australia - even something as simple as a name and email address on your website - the Australian Privacy Principles (APPs) likely touch what you do.
Understanding the APPs helps you build trust with customers, reduce risk and avoid penalties under the Privacy Act 1988 (Cth). The good news is you don’t need to be a lawyer to grasp the basics. Once you translate each principle into plain-English actions, privacy compliance becomes part of your everyday operations.
In this guide, we’ll walk you through what the APPs are, when they apply and what each principle means in practice for a small or growing business in Australia. We’ll also share the documents and steps that make ongoing compliance manageable.
What Are The Australian Privacy Principles (And Do They Apply To You)?
The APPs are 13 principles set out in Schedule 1 of the Privacy Act that govern how organisations collect, use, store, disclose and give access to personal information. They apply to most Australian Government agencies and to many private sector organisations (together, “APP entities”).
As a rule of thumb, private sector businesses with an annual turnover of more than $3 million are covered. Some businesses under that threshold are covered regardless of turnover - for example, private sector health service providers that hold health information, businesses that buy or sell personal information, contracted service providers under a Commonwealth contract, and businesses related to an entity that is already covered. A small business can also choose to opt in to the Act.
Even where the Act doesn’t strictly apply, customers and partners increasingly expect APP-style safeguards. Many of the APP requirements are now seen as best practice. In fact, if you publish a Privacy Policy and handle customer data, you’re already on the path that the APPs describe.
If you’re unsure whether your business is an APP entity, treat this guide as a practical checklist. You’ll understand the core concepts and see what “good privacy” looks like day to day.
The 13 APPs Explained In Plain English
APP 1 - Open And Transparent Management Of Personal Information
Have a clear, accessible plan for how your business manages personal information. The cornerstone is a current, comprehensive Privacy Policy on your website that explains what you collect, why you collect it, how you use and disclose it, how you secure it, and how people can contact you, access or correct their data, or complain.
Make sure the policy reflects what actually happens in your business - not just a generic template.
APP 2 - Anonymity And Pseudonymity
Give people the option to interact with you anonymously or under a pseudonym where it’s reasonable and lawful to do so. For example, browsing your site or making a general enquiry may not require a full name. If you need identification for service delivery, say so and explain why.
APP 3 - Collection Of Solicited Personal Information
Only collect personal information that is reasonably necessary for your business functions or activities, and collect it only by lawful and fair means. If you’re handling “sensitive information” (such as health, genetic or biometric data, or information about a person’s racial or ethnic origin, political opinions, religious beliefs, sexual orientation or criminal record), you also need the individual’s consent unless a specific exception applies. Collect directly from the individual unless that is unreasonable or impracticable, and stick to the minimum necessary.
APP 4 - Dealing With Unsolicited Personal Information
Sometimes information lands in your inbox that you didn’t ask for. Within a reasonable period, decide whether you could have collected it under APP 3. If you could not, destroy or de‑identify it as soon as practicable (where that is lawful and reasonable). If you could have collected it, handle it as if you had, under APPs 5 to 13.
APP 5 - Notification Of The Collection Of Personal Information
When you collect personal information, you must take reasonable steps to notify people about what you’re collecting and why. This is often done through a short, timely notice at the point of collection - for instance, beside a web form or during onboarding - supported by your full Privacy Policy.
A dedicated Privacy Collection Notice helps you deliver the right information in the right moment, in plain English.
APP 6 - Use Or Disclosure Of Personal Information
Use or disclose personal information only for the purpose for which it was collected (the “primary purpose”), unless the individual consents or an exception applies. The most common exception is a secondary purpose the individual would reasonably expect that is related to the primary purpose - and, for sensitive information, directly related to it. If you want to use the data in new ways, update your notices and obtain consent where required.
APP 7 - Direct Marketing
APP 7 allows direct marketing with personal information only in limited cases - typically where you collected the information from the individual, they would reasonably expect you to use it for marketing, you provide a simple way to opt out, and they haven’t opted out. Otherwise you need their consent. Opt‑out requests must always be honoured. If you’re using sensitive information (consent is required) or information obtained from third parties, extra restrictions apply. APP 7 sits alongside the Spam Act 2003 (Cth) and the Do Not Call Register rules for commercial messaging.
If you run campaigns, make sure your approach aligns with Australia’s email marketing laws, including consent, identification and unsubscribe requirements.
APP 8 - Cross‑Border Disclosure Of Personal Information
If you disclose personal information to an overseas recipient (for example, a cloud provider, CRM or helpdesk tool hosted offshore, or an offshore support team), you must take reasonable steps before the disclosure to ensure the recipient does not breach the APPs in relation to that information - and in most cases you remain accountable under the Privacy Act if they do. Limited exceptions apply, such as where the recipient is bound by a law or binding scheme substantially similar to the APPs that the individual can enforce, or where the individual expressly consents after being told that protection will not apply. Document the countries involved, the recipients and how you assessed the risk. Your Privacy Policy must also say whether you are likely to disclose personal information overseas and, where practicable, to which countries.
Contractual safeguards are key here. Where you use vendors or processors, include appropriate transfer, processing and security terms in a Data Processing Agreement, and check that the vendor’s own sub‑processors and hosting regions are covered too.
APP 9 - Adoption, Use Or Disclosure Of Government Related Identifiers
You generally must not adopt a government related identifier (such as a Medicare number, Tax File Number or driver licence number) as your own customer identifier, and must not use or disclose such identifiers except in limited circumstances (for example, where reasonably necessary to verify identity for your functions, or where required by law). Generate your own unique IDs for your systems.
APP 10 - Quality Of Personal Information
Take reasonable steps to ensure personal information you collect, use or disclose is accurate, up‑to‑date and complete. Build basic checks into your processes (for example, confirmation screens or periodic prompts to update details).
APP 11 - Security Of Personal Information
Take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. That means technical measures (encryption, access controls, logging, patching, backups) as well as administrative steps (training, need‑to‑know access, clean desk practices). What counts as “reasonable” scales with the sensitivity and volume of the information and the harm a breach could cause. When you no longer need information for any purpose for which it may be used or disclosed, destroy or de‑identify it, subject to legal retention duties.
Put your safeguards into a clear, practical Information Security Policy so your team knows what “good security” looks like every day.
APP 12 - Access To Personal Information
Individuals have a right to access the personal information you hold about them. Create a process to verify identity, respond within a reasonable period, provide access in the manner requested where reasonable and practicable, and give written reasons if you refuse on a lawful ground, along with how the person can complain. Keep it simple and helpful - it builds trust.
APP 13 - Correction Of Personal Information
People can ask you to correct their personal information. If you are satisfied it’s inaccurate, out‑of‑date, incomplete, irrelevant or misleading, take reasonable steps to correct it. If you refuse, explain why and how they can complain.
How Do You Turn The APPs Into Practical Steps?
Translating the APPs into simple actions makes privacy sustainable. Here’s a pragmatic roadmap you can adopt and tailor to your business.
1) Map Your Data And Decide What You Really Need
List the personal information you collect, where it flows (systems, vendors, locations), who can access it and why you need it. Then minimise. If you don’t need a field on a form, remove it. Fewer data types mean lower risk.
2) Update Your Privacy Notices
Draft or refresh your Privacy Policy so it covers your current practices, including any overseas disclosures, third‑party tools and how people can contact you. Pair it with a short collection notice wherever you gather data, such as website forms, checkout flows and staff onboarding.
3) Bake In Consent And Choice
Use clear, granular consents where needed (for example, separate marketing consent from service terms). Offer easy opt‑outs, visible at the point of contact and in every marketing message. Keep a record of consent and preferences.
4) Set Vendor And Cross‑Border Rules
Audit your software stack and suppliers. Where personal information is processed by a third party, put appropriate privacy and security obligations in place. For global tools or offshore support teams, document locations and safeguards in a Data Processing Agreement.
5) Strengthen Security Fundamentals
Implement access controls, MFA, encryption at rest/in transit, secure deletion, and device management. Train staff on phishing and data handling. Write these measures down so your team can follow them - your Information Security Policy is the anchor.
6) Prepare For A Data Breach Before It Happens
Under the Notifiable Data Breaches (NDB) scheme, if you suspect an eligible data breach - unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm to any affected individual - you must carry out a reasonable and expeditious assessment (within 30 days) and, if it is an eligible breach, notify the OAIC and the affected individuals as soon as practicable. Create a simple, step‑by‑step playbook so you can act fast: contain, assess, decide, notify, improve. A tailored Data Breach Response Plan will save time and stress.
7) Enable Access And Correction
Set a central contact point (often your privacy email) and a short process to verify identity and respond to APP 12/13 requests. Track requests so you can demonstrate responsiveness.
8) Keep It Current
Review your data inventory, policies and vendor list at least annually or when your business changes (new products, new markets, new tools). Privacy is not a “set and forget” task - but with a rhythm in place, it’s manageable.
Common Privacy Traps For Small Businesses
Most privacy issues arise from everyday tools and habits. Here are traps we see - and how to avoid them.
Collecting More Than You Need
Forms tend to grow over time. Challenge every field that asks for personal information. If it isn’t essential to your service or a legal requirement, remove it and reduce your risk.
Marketing Without A Proper Legal Basis
Make sure you have consent or another lawful basis before sending marketing, especially if you sourced contacts from a partner or public list. Always provide an easy unsubscribe and honour it. Your processes should align with Australia’s email marketing laws.
Shadow IT And Unvetted Apps
Teams often sign up to new cloud tools without approvals. If any personal information is involved, you need to assess the vendor, set contractual privacy terms and make sure any overseas disclosures meet APP 8.
Payment Data And “Just Keeping Cards On File”
Storing card details yourself introduces significant risk and obligations. Use a reputable payment gateway and tokenisation rather than storing card numbers on your systems, and never store the CVV. If you ever handle payment data, revisit your approach against the Payment Card Industry Data Security Standard (PCI DSS) and your merchant agreement.
Security Basics Missed
Many breaches come from weak passwords, shared logins, unpatched software or lost devices. Enforce MFA, unique logins, patching and device encryption. Put the do’s and don’ts in your Information Security Policy and train your team regularly.
Unclear Privacy Ownership
Decide who is accountable for privacy in your business - even if it’s a hat someone wears part‑time. Give them the tools and authority to keep your program moving.
What Documents And Policies Will Help You Comply?
The APPs are principles - your documents turn them into everyday practice. The right set depends on your business model, but most organisations will benefit from the following.
- Privacy Policy: A clear statement of what you collect, why, how you use/disclose it, security measures, and how people can access or complain. Keep it accurate and publish it online.
- Privacy Collection Notice: A short notice delivered at the point of collection (e.g. web forms, onboarding, customer intake) that supports APP 5.
- Information Security Policy: Practical rules and controls for protecting personal information across your systems, devices and staff practices.
- Data Processing Agreement (DPA): Contractual privacy and security terms with vendors who process personal information on your behalf, including cross‑border protections for APP 8.
- Data Breach Response Plan: Roles, steps and templates to assess and notify under the Notifiable Data Breaches scheme, so you can act quickly and consistently.
- Internal Data Map And Retention Rules: A simple register of what you hold, where it lives, who has access and how long you keep it. Align retention periods with legal requirements and business needs.
- Consent Records And Preference Management: A lightweight way to capture when/how consent was given and track opt‑outs, especially for marketing channels.
Depending on your operations, you might also use targeted forms and notices (such as health intake, parental consent or employee privacy materials). If your website relies on cookies, analytics or tracking pixels, add a clear cookie notice and keep it consistent with what your Privacy Policy says about tracking and third‑party tools.
Privacy And Your Broader Legal Compliance
Privacy doesn’t sit in a silo. It connects with other obligations your business already manages:
- Consumer Protection: If your privacy statements over‑promise and under‑deliver, you could also face issues under the Australian Consumer Law (ACL) for misleading or deceptive conduct.
- Marketing Rules: Direct marketing must follow APP 7 and Australia’s spam and telemarketing rules. Review your processes against the email marketing laws to stay aligned.
- Payment And Financial Data: Use secure, compliant gateways rather than self‑storing card data. Ensure your approach reflects the expectations for storing credit card details securely.
- Contracts And Procurement: Your vendor agreements should reflect the APPs, particularly APP 8 (cross‑border) and APP 11 (security). This is where a robust Data Processing Agreement pays off.
- Governance And Training: Even great policies fail without people who know what to do. Make privacy part of onboarding and refresh it annually.
Key Takeaways
- The Australian Privacy Principles are practical rules for collecting, using, securing and sharing personal information in Australia - and most growing businesses should apply them.
- Start with a clear Privacy Policy and timely collection notices, then back them up with data minimisation, consent, vendor controls and security by design.
- Cross‑border disclosures require extra care: document where data goes and use contractual protections such as a Data Processing Agreement.
- Security under APP 11 is about people and technology - write it down in an Information Security Policy and train your team.
- Prepare for incidents with a Data Breach Response Plan so you can assess, decide and notify quickly under the Notifiable Data Breaches scheme.
- Treat privacy as an ongoing program: review when your business changes, keep your records tidy and update your notices and contracts as you grow.
If you’d like a consultation on applying the Australian Privacy Principles to your business, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no‑obligations chat.