As a small business owner, it is vital that you and your business comply with Australian privacy laws. The main thing you need to be aware of is the Australian Privacy Principles, which are 13 core elements of our privacy framework. Staying compliant with these principles is more critical than ever in 2025, as digital transformation and data security requirements continue to evolve.

Understanding the Australian Privacy Principles can be a bit tricky, so we’ve put together a simple, updated guide to help you and your business navigate the legal landscape confidently in 2025.

Read on to learn more and ensure your practices remain robust and up-to-date.

Does Your Business Come Under The Privacy Act 1988 (Cth)?

First, you must determine whether your business comes under the Privacy Act 1988 (Cth) (Privacy Act). Not every small business is covered, but some are.

Under the Privacy Act, a business with an annual turnover of more than $3 million is covered. A business with an annual turnover of $3 million or less is a 'small business operator' and is generally exempt, unless one of the exceptions noted below applies. If your turnover is close to the $3 million threshold, review your figures regularly so that you know whether you are covered.

For the purposes of the Privacy Act, annual turnover includes:

  • All income from all sources.

An annual turnover does not include:

  • Assets held
  • Capital gains or
  • Capital sales

Further, the OAIC outlines that certain kinds of business are covered by the Privacy Act regardless of their turnover.

The OAIC also offers a privacy checklist for small businesses, featuring 15 questions to help you determine whether your business is subject to the Privacy Act. It is available on the OAIC website.

If the Privacy Act does in fact cover your business, it is important to understand your obligations under the Australian Privacy Principles.

Complying With The Australian Privacy Principles

If your business is covered under the Privacy Act, there are 13 Australian Privacy Principles (APPs) that you must comply with. With the increasing focus on digital services and cyber security, adherence to these principles is essential for maintaining customer trust and avoiding regulatory action.

Let’s consider each APP individually to help you understand your business’s obligations.

APP 1: Open and Transparent Management of Personal Information

Your business must manage personal information in an open and transparent way. Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not the information or opinion is true and whether or not it is recorded in a material form.

Clear procedures on how you collect, store, and use personal information help achieve open and transparent management. Having a clearly expressed, up-to-date Privacy Policy is a requirement under the Privacy Act (if you handle sensitive information, see also our Privacy Policy – Sensitive Information page).

Ensuring that your Privacy Policy is readily available—typically on your website—enhances transparency and builds trust with your customers.

APP 2: Anonymity and Pseudonymity

Your business must give individuals the option of not identifying themselves, or of using a pseudonym, when dealing with you.

A pseudonym is a name, term, or description different from an individual’s real name. There are, however, exceptions to this requirement.

For example, you are not required to allow anonymity or pseudonymity if:

  1. Your business is otherwise required by Australian law to have the individual identify themselves, or
  2. It is impracticable for your business to deal with an individual who has not identified themselves or who is using a pseudonym.

APP 3: Collection of Solicited Personal Information

This APP outlines when it is appropriate for your business to collect personal information that individuals have provided to you. Solicited personal information is data that your business actively requests.

For instance, if you request a client’s financial details to facilitate a transaction, that information is solicited. You must only collect personal information by lawful and fair means, and only where it is reasonably necessary for one or more of your business’s functions or activities. Exercise particular caution when collecting sensitive information, which includes:

  • Health information
  • Racial or ethnic origin
  • Sexual orientation
  • Criminal record
  • Political opinion
  • Religious beliefs

Sensitive information may only be collected with the individual’s consent, unless an exception applies (for example, where the collection is required or authorised by Australian law).

APP 4: Dealing With Unsolicited Personal Information

Unsolicited personal information is any personal data received without having actively requested it. For example, you may receive a forwarded email containing someone’s personal details.

Upon receiving unsolicited personal information, you must:

  1. Determine, within a reasonable period, whether you could have collected the information under APP 3 had you solicited it. If you could have, the remaining APPs apply to that information as usual (for further guidance, you might review our privacy compliance resources).
  2. If not, destroy or de-identify the information as soon as practicable, provided that doing so is lawful and reasonable.
  • For example, deleting the forwarded email from your mailboxes and mail server is one way to destroy unsolicited information.

APP 5: Notification of the Collection of Personal Information

When your business collects personal information, you must take reasonable steps, at or before the time of collection (or, if that is not practicable, as soon as practicable afterwards), to notify the individual of certain matters, including:

  • Your business’s contact details
  • The purpose for collecting their personal information
  • Information about your business’s Privacy Policy
  • Whether their information might be disclosed to overseas recipients

APP 6: Use or Disclosure of Personal Information

When your business collects personal information, you may only use or disclose it for the ‘primary purpose’ for which it was collected (for example, using financial details to complete a transaction). This is the purpose the individual would reasonably anticipate, and it should be set out in your Privacy Collection Notice (see APP 5).

You may only use or disclose personal information for a secondary purpose if an exception applies. Exceptions include:

  • The individual has consented to the secondary use or disclosure
  • The individual would reasonably expect such secondary use or disclosure
  • The use or disclosure is required or authorised under law

Other exceptions include where the use or disclosure is ‘reasonably necessary for the establishment, exercise or defence of a legal or equitable claim’, or where you reasonably believe it is ‘reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body’. If you use or disclose personal information for an enforcement-related activity, you must make a written note of that use or disclosure.

APP 7: Direct Marketing

Direct marketing involves using or disclosing an individual’s personal information to promote goods and services directly to them. Generally, you must not use personal information for direct marketing unless an exception applies.

The primary exception is where you collected the information directly from the individual and the individual would reasonably expect it to be used for direct marketing.

Even if this exception applies, you must:

  • Provide a clear ‘opt out’ or ‘unsubscribe’ option
  • Respect any request to opt out or unsubscribe promptly

Additionally, if you send commercial electronic messages such as marketing emails or SMS, you must also comply with the Spam Act 2003 (Cth), which requires the recipient’s consent, accurate identification of the sender, and a functional unsubscribe facility. For more on avoiding spam, see our guide on the topic.

APP 8: Cross-Border Disclosure of Personal Information

If your business discloses personal information to overseas recipients, such as offshore contractors or service providers, you must take such steps as are reasonable in the circumstances to ensure that the recipient does not breach the APPs in relation to that information. For example, when engaging an overseas marketing firm, ensure that its practices align with APP 7.

If the overseas recipient does breach the APPs, your business is generally treated as having breached them itself, unless an exception applies (for example, where the recipient is bound by a law or binding scheme substantially similar to the APPs that the individual can enforce, or where the individual has consented to the disclosure after being expressly informed of this risk). Robust contractual safeguards and regular compliance checks are therefore recommended.

APP 9: Adoption, Use or Disclosure of Government Related Identifiers

APP 9 restricts the adoption, use, and disclosure of government-related identifiers unless an exception applies. Examples of government-related identifiers include:

  • Passport number
  • Medicare number
  • Driver’s licence number
  • Centrelink reference number

Exceptions include where the use or disclosure is reasonably necessary to verify the individual’s identity for the purposes of your business’s activities, or where it is required or authorised by Australian law.

APP 10: Quality of Personal Information

Your business must take reasonable steps to ensure that the personal information it collects is accurate, up-to-date and complete, and that the information it uses or discloses is also relevant, having regard to the purpose of the use or disclosure. Automated data verification tools can help, but your business remains responsible for the result.

Here are some practical steps to ensure your data quality remains high:

  • Prompt individuals to update their information whenever they engage with your business
  • Regularly contact customers to confirm their details are current
  • Regularly review and refresh your records (our Privacy Impact Assessment Plan can help you identify where data quality risks lie)

APP 11: Security of Personal Information

It is your business’s responsibility to protect the personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. Given current cyber threats, keeping both physical and technical security measures up to date is essential. APP 11 also requires you to take reasonable steps to destroy or de-identify personal information once you no longer need it for any purpose for which it may be used or disclosed under the APPs, unless you are required by law to retain it.

Key steps to secure personal information include:

  • Regularly updating both physical and technological security measures, including access controls, encryption and patching
  • Monitoring for data breaches and responding promptly; under the Notifiable Data Breaches scheme, an eligible data breach that is likely to result in serious harm must be notified to the OAIC and the affected individuals (consider reviewing our Data Breach Response Plan)
  • Ensuring procedures and staff training are up-to-date
  • Destroying or de-identifying personal information you no longer need, so that it cannot be exposed in a breach

APP 12: Access to Personal Information

If your business holds personal information about an individual and that individual requests access, you are generally required to provide that access. It is important to verify the individual’s identity before granting access, ensuring that the information is only released to the appropriate party—such as the individual themselves or an authorised representative (for further guidance, visit our Access Request Form page).

There are certain circumstances when you can refuse access, for example, if providing access would unreasonably impact another individual’s privacy, be unlawful, or pose a serious threat to health and safety. In such cases, you must provide written notice outlining your reasons and inform the individual of their right to lodge a complaint.

APP 13: Correction of Personal Information

Your business is required to correct personal information to ensure it is accurate, up-to-date, complete, relevant, and not misleading. This may involve:

  • Actively initiating corrections when you identify inaccuracies, or
  • Correcting personal information upon a valid request by the individual

Taking all reasonable steps to maintain the accuracy of the personal information you hold not only helps you comply with the Privacy Act but also reinforces the trust and confidence your customers have in your business.

Need More Help?

The APPs can seem like a lot to absorb, but it’s vital that your business complies with them. The above guide is a great starting point for understanding your obligations under the APPs.

If you’re feeling overwhelmed by the details or concerned about how these principles apply to your business in today’s fast-changing digital landscape, it may be a good idea to speak with a lawyer. Our team is here to provide expert advice and support to ensure your business remains fully compliant.

If you need any further help, reach out to our team for a free, no-obligation chat at team@sprintlaw.com.au or call us on 1800 730 617.

As we progress through 2025, regulatory updates and heightened cyber security standards require ongoing vigilance. Regularly reviewing your internal policies and compliance procedures—perhaps utilising our Legal Health Check service—can help ensure that your business stays ahead of changes and continues to uphold best practices in handling personal information.


About Sprintlaw

Sprintlaw's expert lawyers make legal services affordable and accessible for business owners. We're Australia's fastest growing law firm and operate entirely online.
