Your Guide To The 13 Australian Privacy Principles

By Bella Duncan, 10 min read

If your business collects any personal information in Australia - even something as simple as a name and email address on your website - the Australian Privacy Principles (APPs) likely touch what you do.

Understanding the APPs helps you build trust with customers, reduce risk and avoid penalties under the Privacy Act 1988 (Cth). The good news is you don’t need to be a lawyer to grasp the basics. Once you translate each principle into plain-English actions, privacy compliance becomes part of your everyday operations.

In this guide, we’ll walk you through what the APPs are, when they apply and what each principle means in practice for a small or growing business in Australia. We’ll also share the documents and steps that make ongoing compliance manageable.

What Are The Australian Privacy Principles (And Do They Apply To You)?

The APPs are 13 rules in the Privacy Act that set out how organisations should collect, use, store, disclose and give access to personal information. They apply to most Australian Government agencies and many private sector businesses (“APP entities”).

As a rule of thumb, private businesses with an annual turnover of more than $3 million are covered. Some small businesses under that threshold are also covered - for example, those that provide health services, trade in personal information, operate certain employee records beyond the exemption, or are contractors to the Commonwealth.

Even where the Act doesn’t strictly apply, customers and partners increasingly expect APP-style safeguards. Many of the APP requirements are now seen as best practice. In fact, if you publish a Privacy Policy and handle customer data, you’re already on the path that the APPs describe.

If you’re unsure whether your business is an APP entity, treat this guide as a practical checklist. You’ll understand the core concepts and see what “good privacy” looks like day to day.

The 13 APPs Explained In Plain English

APP 1 - Open And Transparent Management Of Personal Information

Have a clear, accessible plan for how your business manages personal information. The cornerstone is a current, comprehensive Privacy Policy on your website that explains what you collect, why you collect it, how you use and disclose it, how you secure it, and how people can contact you, access or correct their data, or complain.

Make sure the policy reflects what actually happens in your business - not just a generic template.

APP 2 - Anonymity And Pseudonymity

Give people the option to interact with you anonymously or under a pseudonym where it’s reasonable and lawful to do so. For example, browsing your site or making a general enquiry may not require a full name. If you need identification for service delivery, say so and explain why.

APP 3 - Collection Of Solicited Personal Information

Only collect personal information that you genuinely need for your business functions. If you’re handling “sensitive information” (like health or biometric data), get explicit consent unless a specific exception applies. Collect directly from the individual where possible, and stick to the minimum necessary.

APP 4 - Dealing With Unsolicited Personal Information

Sometimes information lands in your inbox that you didn’t ask for. If you could not have lawfully collected it under APP 3, you should destroy or de‑identify it as soon as practicable (where lawful and reasonable). If you keep it, treat it under the APPs.

APP 5 - Notification Of The Collection Of Personal Information

When you collect personal information, you must take reasonable steps to notify people about what you’re collecting and why. This is often done through a short, timely notice at the point of collection - for instance, beside a web form or during onboarding - supported by your full Privacy Policy.

A dedicated Privacy Collection Notice helps you deliver the right information in the right moment, in plain English.

APP 6 - Use Or Disclosure Of Personal Information

Use or disclose personal information only for the purpose it was collected (the “primary purpose”), or for a related purpose the individual would reasonably expect (and, for sensitive information, only with consent unless an exception applies). If you want to use the data in new ways, update your notices and obtain consent where required.

APP 7 - Direct Marketing

Don’t send marketing using personal information unless you have permission or another lawful basis, and always provide a simple opt‑out. If you’re using sensitive information or information from third parties, extra restrictions apply. This sits alongside the Spam Act and other rules about commercial messaging.

If you run campaigns, make sure your approach aligns with Australia’s email marketing laws, including consent, identification and unsubscribe requirements.

APP 8 - Cross‑Border Disclosure Of Personal Information

If you disclose personal information overseas (for example, to a cloud provider, CRM or helpdesk tool hosted offshore), you must take reasonable steps to ensure the recipient complies with the APPs - or an equivalent standard - before you share. Document the countries involved and how you assessed the risk.

Contractual safeguards are key here. Where you use vendors or processors, include appropriate transfer and processing terms in a Data Processing Agreement.

APP 9 - Adoption, Use Or Disclosure Of Government Related Identifiers

You generally must not adopt, use or disclose government related identifiers (like Medicare or Tax File Numbers) as your own customer identifiers, except in limited circumstances. Use your own unique IDs for your systems.

APP 10 - Quality Of Personal Information

Take reasonable steps to ensure personal information you collect, use or disclose is accurate, up‑to‑date and complete. Build basic checks into your processes (for example, confirmation screens or periodic prompts to update details).

APP 11 - Security Of Personal Information

Protect personal information from misuse, interference, loss, and from unauthorised access, modification or disclosure. That means technical measures (encryption, access controls, backups), as well as administrative steps (training, need‑to‑know access, clean desk practices). When you no longer need information, destroy or de‑identify it subject to legal retention duties.

Put your safeguards into a clear, practical Information Security Policy so your team knows what “good security” looks like every day.

APP 12 - Access To Personal Information

Individuals have a right to access their personal information. Create a process to verify identity, provide access within a reasonable time, and explain any lawful refusal. Keep it simple and helpful - it builds trust.

APP 13 - Correction Of Personal Information

People can ask you to correct their personal information. If you are satisfied it’s inaccurate, out‑of‑date, incomplete, irrelevant or misleading, take reasonable steps to correct it. If you refuse, explain why and how they can complain.

How Do You Turn The APPs Into Practical Steps?

Translating the APPs into simple actions makes privacy sustainable. Here’s a pragmatic roadmap you can adopt and tailor to your business.

1) Map Your Data And Decide What You Really Need

List the personal information you collect, where it flows (systems, vendors, locations), who can access it and why you need it. Then minimise. If you don’t need a field on a form, remove it. Fewer data types mean lower risk.

2) Update Your Privacy Notices

Draft or refresh your Privacy Policy so it covers your current practices, including any overseas disclosures, third‑party tools and how people can contact you. Pair it with a short collection notice wherever you gather data, such as website forms, checkout flows and staff onboarding.

3) Manage Consent And Opt‑Outs

Use clear, granular consents where needed (for example, separate marketing consent from service terms). Offer easy opt‑outs, visible at the point of contact and in every marketing message. Keep a record of consent and preferences.

4) Set Vendor And Cross‑Border Rules

Audit your software stack and suppliers. Where personal information is processed by a third party, put appropriate privacy and security obligations in place. For global tools or offshore support teams, document locations and safeguards in a Data Processing Agreement.

5) Strengthen Security Fundamentals

Implement access controls, MFA, encryption at rest/in transit, secure deletion, and device management. Train staff on phishing and data handling. Write these measures down so your team can follow them - your Information Security Policy is the anchor.

6) Prepare For A Data Breach Before It Happens

Under the Notifiable Data Breaches scheme, you may need to assess and notify serious breaches. Create a simple, step‑by‑step playbook so you can act fast: contain, assess, decide, notify, improve. A tailored Data Breach Response Plan will save time and stress.

7) Enable Access And Correction

Set a central contact point (often your privacy email) and a short process to verify identity and respond to APP 12/13 requests. Track requests so you can demonstrate responsiveness.

8) Keep It Current

Review your data inventory, policies and vendor list at least annually or when your business changes (new products, new markets, new tools). Privacy is not a “set and forget” task - but with a rhythm in place, it’s manageable.

Common Privacy Traps For Small Businesses

Most privacy issues arise from everyday tools and habits. Here are traps we see - and how to avoid them.

Collecting More Than You Need

Forms tend to grow over time. Challenge every field that asks for personal information. If it isn’t essential to your service or a legal requirement, remove it and reduce your risk.

Marketing Without Consent

Make sure you have consent or another lawful basis before sending marketing, especially if you sourced contacts from a partner or public list. Always provide an easy unsubscribe and honour it. Your processes should align with Australia’s email marketing laws.

Shadow IT And Unvetted Apps

Teams often sign up to new cloud tools without approvals. If any personal information is involved, you need to assess the vendor, set contractual privacy terms and make sure any overseas disclosures meet APP 8.

Payment Data And “Just Keeping Cards On File”

Storing card details yourself introduces significant risk and obligations. Use a reputable payment gateway and tokenisation rather than storing numbers on your systems. If you ever handle payment data, revisit your approach against the rules for storing credit card details.

Security Basics Missed

Many breaches come from weak passwords, shared logins, unpatched software or lost devices. Enforce MFA, unique logins, patching and device encryption. Put the do’s and don’ts in your Information Security Policy and train your team regularly.

Unclear Privacy Ownership

Decide who is accountable for privacy in your business - even if it’s a hat someone wears part‑time. Give them the tools and authority to keep your program moving.

What Documents And Policies Will Help You Comply?

The APPs are principles - your documents turn them into everyday practice. The right set depends on your business model, but most organisations will benefit from the following.

  • Privacy Policy: A clear statement of what you collect, why, how you use/disclose it, security measures, and how people can access or complain. Keep it accurate and publish it online.
  • Privacy Collection Notice: A short notice delivered at the point of collection (e.g. web forms, onboarding, customer intake) that supports APP 5.
  • Information Security Policy: Practical rules and controls for protecting personal information across your systems, devices and staff practices.
  • Data Processing Agreement (DPA): Contractual privacy and security terms with vendors who process personal information on your behalf, including cross‑border protections for APP 8.
  • Data Breach Response Plan: Roles, steps and templates to assess and notify under the Notifiable Data Breaches scheme, so you can act quickly and consistently.
  • Internal Data Map And Retention Rules: A simple register of what you hold, where it lives, who has access and how long you keep it. Align retention periods with legal requirements and business needs.
  • Consent Records And Preference Management: A lightweight way to capture when/how consent was given and track opt‑outs, especially for marketing channels.

Depending on your operations, you might also use targeted forms and notices (such as health intake, parental consent or employee privacy materials). If your website relies on cookies or analytics, add a clear cookie notice or consent layer and keep it consistent with your Privacy Policy and with what your tracking tools actually do.

Privacy doesn’t sit in a silo. It connects with other obligations your business already manages:

  • Consumer Protection: If your privacy statements over‑promise and under‑deliver, you could also face issues under the Australian Consumer Law (ACL) for misleading or deceptive conduct.
  • Marketing Rules: Direct marketing must follow APP 7 and Australia’s spam and telemarketing rules. Review your processes against the email marketing laws to stay aligned.
  • Payment And Financial Data: Use secure, compliant gateways rather than self‑storing card data. Ensure your approach reflects the expectations for storing credit card details securely.
  • Contracts And Procurement: Your vendor agreements should reflect the APPs, particularly APP 8 (cross‑border) and APP 11 (security). This is where a robust Data Processing Agreement pays off.
  • Governance And Training: Even great policies fail without people who know what to do. Make privacy part of onboarding and refresh it annually.

Key Takeaways

  • The Australian Privacy Principles are practical rules for collecting, using, securing and sharing personal information in Australia - and most growing businesses should apply them.
  • Start with a clear Privacy Policy and timely collection notices, then back them up with data minimisation, consent, vendor controls and security by design.
  • Cross‑border disclosures require extra care: document where data goes and use contractual protections such as a Data Processing Agreement.
  • Security under APP 11 is about people and technology - write it down in an Information Security Policy and train your team.
  • Prepare for incidents with a Data Breach Response Plan so you can assess, decide and notify quickly under the Notifiable Data Breaches scheme.
  • Treat privacy as an ongoing program: review when your business changes, keep your records tidy and update your notices and contracts as you grow.

If you’d like a consultation on applying the Australian Privacy Principles to your business, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no‑obligations chat.

Bella Duncan, Content Writer

Bella has experience in boutique and large law firms with particular interest in privacy and business law. She is currently studying a double degree in Law and Psychology at Macquarie University.
