13 Australian Privacy Principles: What Are They?


Data protection laws and principles change from country to country, and Australia is no different. All Australian residents benefit from the 13 Australian Privacy Principles that the nation provides to its people.

Under these principles, Australian residents benefit from laws and regulations that govern data protection and the management of personal data. This shapes how businesses must operate in order to be compliant towards their data subjects (their customers).

This article goes over all 13 of the APP principles, explains how to comply with them using some best practices, and also explains what can happen to a business that fails to follow the established guidelines.

Let’s dive in.

Key Takeaways

The Australian Privacy Act was established in 1988. Its goal is to create regulatory standards for businesses to follow regarding data protection and privacy for their clients.

The 13 principles of the Australian Privacy Act all exist to provide data subject rights and business guidelines that ensure safe and fair data privacy practices.

If a business fails to follow any of these guidelines, it can face major fines and penalties that harm the business financially.

Australian Privacy Act Explained


The Australian Privacy Act is legislation that was established in 1988. It set out guidelines for businesses on how all personal data should be handled and protected. Over the years, the Privacy Act has been significantly amended in order to stay relevant as the data privacy landscape changes.

The Australian Privacy Act was implemented so that the Australian government could set the regulatory standards for the collection, use, and management of personal information from Australian data subjects. This is what created the 13 Privacy Act principles.

Under these 13 principles, Australian data subjects can feel safer knowing that the processing of their personal information is set and regulated by their government. The principles give Australians the right to control how their data is managed and the right to have issues and concerns corrected.

The Australian Privacy Act applies to businesses that deal with Australian residents and make over AUD 3 million ($2 million) in annual turnover, or that deal with sensitive data such as health data. A business that operates outside the country must still comply with the Australian Privacy Act principles whenever it does business with customers who live within Australia's jurisdiction.

13 Australian Privacy Principles


The 13 Australian Privacy Principles give residents the rights necessary to exercise freedom and control over their own data privacy. Below, we cover all 13 of the principles and explain what each one means for businesses and data subjects:

APP 1: Open and Transparent Management of Personal Information

APP 1 requires that all businesses that operate and collect data from their data subjects be open and transparent about how the data will be used and managed.

Businesses are required to be open and transparent at all times. They must explain the reasoning behind the collection of data and ask the data subject for their consent in order to continue.

In addition, businesses must keep an up-to-date APP privacy policy to ensure that they are following current laws and regulations.

APP 2: Anonymity and Pseudonymity

This principle requires that all business entities covered by the APP give data subjects the choice of whether or not they want to identify themselves. In addition, businesses must give the data subject the option of identifying under a pseudonym where it is practical.

Anonymity means that an individual dealing with a business can choose not to be identified while their data is collected. A pseudonym allows a person to use a different name.

However, APP 2 does have its limitations. If the business is authorized by Australian law to refuse anonymity to the data subject, such as during a criminal investigation or court hearing, or if the business can show that the request is impractical, it does not need to provide anonymity.

APP 3: Collection of Solicited Personal Information

APP 3 recognizes that, for some businesses, gathering personal information is essential to how the business operates. This principle allows a business to collect only what is necessary for it to carry out its functions.

Collecting general information about a data subject does not require the data subject's consent. However, sensitive information, such as medical records, may only be collected with the subject's permission.

Some exemptions to the sensitive information rule can be given to a business. For example, if the data subject is in a medical emergency and is in a condition where they cannot give consent, then the business can intervene and assess the information in order to try to save the data subject's life.

APP 4: Dealing With Unsolicited Personal Information

Principle 4 states that if a business receives unsolicited personal information, it can be legally retained if it meets the criteria given in APP 3.

Sensitive unsolicited information must not be retained or used. If the business is in possession of it, it should destroy it immediately to avoid legal trouble. For non-sensitive unsolicited information, the business can decide whether it wishes to keep it.

APP 5: Notification of the Collection of Personal Information

APP 5 states that any business that collects personal information about an individual must make a reasonable effort to reach out to the individual and notify them.

The business must present the following to the individual:

The APP entity’s identity and contact details.

The facts and circumstances of the collection.

Whether the collection is required or authorized by law.

The purposes of the collection.

The consequences if personal information is not collected.

The entity’s usual disclosures of personal information of the kind collected by the entity.

Information about the entity’s APP Privacy Policy.

Whether the entity is likely to disclose personal information to overseas recipients, and, if practicable, the countries where they are located.

In cases where it is impractical for the business to reach out to the person, the business must try again in the near future to inform the data subject, keeping proof of the attempts made.

APP 6: Use or Disclosure of Personal Information

APP 6 outlines the circumstances in which a business can use or disclose the personal information of data subjects.

Personal data can only be used or disclosed for the primary purpose for which it was collected. A secondary purpose is permitted only under certain exemptions, such as when the person consents to the secondary use of their data or when the Australian government requires access for an investigation.

APP 7: Direct Marketing

Businesses can use personal information for direct marketing purposes only under certain conditions.

For example, the data subject must give consent to be sent marketing material. APP 7 applies to marketing materials such as direct marketing calls and mail. It also applies to methods such as online and mobile phone application targeting.

APP 7, however, does not apply to direct marketing aimed at data subjects who have put themselves on the Do Not Call Register (DNCR). It also does not apply to direct targeting methods such as email or any other form of instant messaging.

APP 8: Cross-Border Disclosure of Personal Information

Principle 8 requires business entities within Australia to take extra precautions when sending personal data overseas.

A business that shares personal information overseas is accountable for the damage an untrustworthy recipient could do. To prevent this, the business must make sure that the recipient understands the APP and demonstrates compliance with the regulations.

The business must be cautious about the data it shares overseas. It must also develop a data breach strategy with the recipient in order to minimize risk.

APP 9: Adoption, Use, or Disclosure of Government-Related Identifiers

This principle limits the adoption of government-related identifiers that a business can use to track or label a person in relation to the Australian government.

A government-related identifier is any number, letter, or symbol attached to something government-related, such as a government agency, state, or service. The restriction exists to prevent businesses from building their own coding systems on these identifiers, which could be used to carry out unlawful matters outside the government's oversight.

APP 10: Quality of Personal Information

A business must take responsibility and implement steps to ensure that the personal information it gathers is accurate and up to date.

In order to be compliant, a business should check data quality at two points in the handling cycle. The first is the time the information is collected, and the second is the time the information is used or disclosed.

Businesses could also develop communication methods with data subjects to help ensure that all personal information stays up to date.

APP 11: Security of Personal Information

A business is required to take responsibility for protecting the personal data it collects from misuse, manipulation, and unauthorized access.

The business is expected to take reasonable steps to protect personal information and to have tight security protocols for protecting the personal data of its subjects.

What counts as reasonable steps depends on the amount of data, the sensitivity of the data, the possible consequences of a breach, and other factors.

A business must also destroy or de-identify data that is no longer necessary. There are some exceptions, such as Commonwealth records, or cases where an Australian law or court order requires the data to be retained.

APP 12: Access to Personal Information

This principle states that all individuals covered by the APP have the data subject right to request access to the personal information a business has collected about them.

All businesses that the APP applies to must be ready to comply with requests for access to personal data. APP 12 gives businesses a time period in which to prepare and carry out the safety checks needed before giving the data subject access.

In some situations, a business can refuse access under certain conditions. These conditions range from public safety reasons to suspicions of unlawful intent. A business will have to provide evidence for its reasons for refusing access.

APP 13: Correction of Personal Information

APP 13 outlines businesses' obligation to allow data subjects to make corrections to the personal data held on file about them.

If a data subject believes that the personal data on file is out of date, incomplete, irrelevant or misleading, they have the right to request a correction. A business must be able to provide the means to make the needed corrections, free of charge.

Penalties for Non-Compliance with the Australian Privacy Act

Failing to abide by the principles established by the Australian Privacy Act can lead to major fines and penalties for the business. These fines can range anywhere from AUD 2.22 million to AUD 50 million.

In some cases, the penalties can be more severe, depending on the violation. The fine can be set at three times the value of the information obtained from the violation, which could potentially push the fine over $100 million depending on the case. In addition, a business could have 30% of its revenue for the breach period taken from it.

With these fines and penalties in mind, it is very important for a business to stay up to date with APP laws. Ensuring that employees are well-trained in compliance will also reduce the chance of a mistake that could result in these fees.


In the world of data privacy, nothing is ever static. Laws and regulations can change over time; the Australian Privacy Act is an example of that through its recent amendments.

Having access to skilled compliance experts can help a business stay up to date on the current laws and regulations that affect how business operates in Australia. Here at Captain Compliance, we offer outsourced compliance services to businesses in need of help.

If you’re in need of an expert who is up to date on all things data privacy-related, then click here to get in touch with one of our specialists today.


How can businesses ensure compliance with the Australian Privacy Act?

Businesses can ensure compliance with the APP by staying up to date with the current laws and regulations. With an understanding of the APP principles, a business can train and inform employees about the policies that must be followed in order to be compliant.

Learn more about Compliance Training Programs in our detailed article.

Is my small business exempt from the Privacy Act?

Businesses with an annual turnover of AUD 3 million ($2 million) or less are not covered by the Australian Privacy Act. However, some businesses are covered by the APP regardless of turnover. Examples of such businesses are health service providers and credit reporting establishments.

Read more about Pharmaceutical business compliance solutions here.

Is my online business required to comply with the Privacy Act, even if it doesn’t have a physical presence in Australia?

Yes. If you do business with any data subjects located in Australia and make over AUD 3 million ($2 million), then you will have to follow the APP guidelines. Failure to do so may result in your business being banned from selling goods and services in Australia.

Read more about the Australia Privacy Act here in our detailed article.

Is there a limit to the amount of personal information an organization can collect about me under the Privacy Act?

Yes. APP 3 states that a business must collect and use only the personal information that is needed for it to conduct its primary operations. Sensitive personal information must not be collected unless the business operates in the healthcare industry and the data subject gives consent.

Read more about the nature of sensitive personal information here.

Online Privacy Compliance Made Easy

Captain Compliance makes it easy to develop, oversee, and expand your privacy program. Book a demo or start a free 30-day trial now.