Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business collects customer details, chances are you’re already handling “personal information.” Under the Privacy Act 1988 (Cth), Australian Privacy Principle 6 (APP 6) controls when you can use or disclose that personal information.
APP 6 is one of the easiest principles to get wrong - especially when you want to repurpose data for marketing, hand data to a supplier, or respond quickly to a police request. The good news? With a clear plan and the right documents, you can comply confidently and keep your customers’ trust.
In this guide, we’ll explain what APP 6 requires in plain English, when you can use or disclose personal information, and the practical steps small businesses can take to comply day‑to‑day.
What Is Australian Privacy Principle 6?
APP 6 sets the boundaries for using and disclosing personal information you’ve collected. The core rule is simple: only use or disclose personal information for the “primary purpose” it was collected for - unless an exception applies.
“Use” means handling the information internally (for example, putting someone’s email address into your CRM to send an order update). “Disclosure” means making the information available outside your business (for example, giving a courier the delivery address).
To meet APP 6, your business should be clear about the primary purpose at the time of collection and make sure your team and systems stay aligned with that purpose.
Important: Some small businesses are exempt from the Privacy Act (generally those with annual turnover under $3 million), but many still need to comply because they provide health services, trade in personal information, or have compliance obligations through contracts. Even if you qualify for the exemption, aligning with APP 6 is best practice and often expected by customers and partners.
When Can You Use Or Disclose Personal Information?
APP 6 allows use or disclosure if it is for the primary purpose of collection, or if one of the limited exceptions applies. Here’s how to assess your situation.
1) It’s For The Primary Purpose
If you’re doing what you said you would do with the information, you’re generally fine. For example, if you collected a delivery address to ship a purchase, providing that address to your courier aligns with the primary purpose.
Make sure your Privacy Collection Notice (and your internal processes) clearly describe this primary purpose so there’s no ambiguity later.
2) The Person Consented To The New Use/Disclosure
If you want to use or disclose personal information for a different purpose, you can do so with valid consent. Consent needs to be informed, voluntary, current and specific. Keep records of who consented and when.
For sensitive information (e.g. health information), the threshold is higher and consent is often required unless a specific exception applies. Consider obtaining written consent, supported by a clear Privacy Consent Form, if you need to repurpose sensitive data.
3) The Person Would Reasonably Expect It (Related Purpose)
You may use or disclose information for a secondary purpose if it’s “related” to the primary purpose and the individual would reasonably expect it. For sensitive information, the secondary purpose must be “directly related.”
For example, if a customer gives you their email to buy a product, using it to send a delivery update is typically within reasonable expectation. But using that email for ongoing promotional emails requires careful consideration and usually triggers separate rules under APP 7 for direct marketing (see our guide to email marketing laws).
4) Required Or Authorised By Law
You may use or disclose personal information if required or authorised by an Australian law or a court/tribunal order. If you receive a request from law enforcement or a regulator, verify the legal basis, keep a record, and disclose no more than necessary.
5) Permitted General Situations
APP 6 also recognises limited “permitted general situations,” such as to deal with serious threats to life, health or safety, or suspected unlawful activity or serious misconduct. Apply these narrowly, document your reasoning, and seek advice if in doubt.
6) De-Identified Information
APP 6 applies to personal information. If you genuinely de-identify the data so an individual can’t be reasonably identified, you may be able to use it more flexibly (for analytics, for example). Ensure the de-identification is robust and re-identification risk is managed.
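What "robust" de-identification means in practice is easiest to see in code. The following is an added example, not from the original article: it strips direct identifiers, then generalises the remaining quasi-identifiers (postcode, date of birth) step by step until every combination is shared by at least k rows (k-anonymity), falling back to suppression where a coarser band still leaves a singleton. The rows, the generalisation ladder and the value of k are constructed for illustration.

```python
from collections import Counter

# Constructed sample (not real customer data): direct identifiers such as name
# and email have already been dropped, but postcode and date of birth together
# can still single a person out, so they are treated as quasi-identifiers.
ROWS = [
    {"postcode": "2000", "dob": "1985-06-12", "spend": 120},
    {"postcode": "2001", "dob": "1985-11-03", "spend": 80},
    {"postcode": "2007", "dob": "1986-02-20", "spend": 95},
    {"postcode": "3000", "dob": "1971-09-14", "spend": 300},
    {"postcode": "3002", "dob": "1974-01-01", "spend": 45},
    {"postcode": "3004", "dob": "1979-12-31", "spend": 60},
    {"postcode": "6000", "dob": "1990-05-05", "spend": 20},
]

QUASI = ("postcode", "birth_years")

# Generalisation ladder (assumption): (postcode digits kept, width of birth-year
# band). Each step reveals less; 0 digits means the postcode is fully masked.
LADDER = [(4, 1), (3, 5), (2, 10), (1, 20), (0, 20)]


def generalise(row, postcode_digits, year_band):
    """Coarsen one row: truncate the postcode and bucket the birth year."""
    pc = row["postcode"][:postcode_digits] + "*" * (4 - postcode_digits)
    year = int(row["dob"][:4])
    lo = year - year % year_band
    return {"postcode": pc, "birth_years": f"{lo}-{lo + year_band - 1}", "spend": row["spend"]}


def group_sizes(rows):
    """Count how many rows share each quasi-identifier combination."""
    return Counter(tuple(r[q] for q in QUASI) for r in rows)


def min_group_size(rows):
    return min(group_sizes(rows).values())


def deidentify(rows, k, ladder=LADDER):
    """Walk the ladder until every quasi-identifier combination covers >= k rows.
    Returns (generalised rows, ladder step used); raises if no step reaches k."""
    for postcode_digits, year_band in ladder:
        out = [generalise(r, postcode_digits, year_band) for r in rows]
        if min_group_size(out) >= k:
            return out, (postcode_digits, year_band)
    raise ValueError(f"cannot reach k={k}; suppress small groups or drop a quasi-identifier")


def suppress_small_groups(rows, k):
    """Alternative to coarsening everything: drop only the rows that sit in a
    group smaller than k (loses some records, keeps more detail for the rest)."""
    sizes = group_sizes(rows)
    return [r for r in rows if sizes[tuple(r[q] for q in QUASI)] >= k]


if __name__ == "__main__":
    released, step = deidentify(ROWS, k=3)
    print(f"released {len(released)} rows at ladder step {step}; min group {min_group_size(released)}")
    partial = [generalise(r, 1, 20) for r in ROWS]
    kept = suppress_small_groups(partial, k=2)
    print(f"with suppression instead: kept {len(kept)} of {len(partial)} rows")
```

The single Perth-area row in the sample is what forces the postcode to be masked entirely: a re-identification check is only as strong as its rarest combination. k-anonymity on its own does not stop attribute disclosure (if everyone in a group shares the same sensitive value, the group reveals it), so treat a check like this as a floor, and re-run it whenever the dataset grows or is joined to another source.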
Practical Steps To Comply With APP 6
The easiest way to comply with APP 6 is to design your processes around purpose, consent and control. Here’s a practical checklist you can put into action.
Map Your Data And Define Primary Purposes
- Identify what personal information you collect (e.g. names, emails, phone numbers, payment details).
- Document the primary purpose for each collection point (sale fulfilment, customer support, account access, etc.).
- Align your systems and staff workflows to those purposes so data isn’t repurposed on the fly.
Be Transparent At Collection
Make it clear why you’re collecting information, who you’ll share it with and how customers can contact you. Publish a current, plain‑English Privacy Policy and present an appropriate Privacy Collection Notice wherever you collect data (online forms, checkout pages, onboarding flows).
Use Consent Properly (And Record It)
- Ask for consent where APP 6 (or other APPs) require it - especially for secondary uses, sensitive information, or certain marketing activities.
- Keep timestamped records of opt-ins and opt-outs, and honour preferences across all channels.
Limit Internal Access And Uses
- Grant staff access on a “need to know” basis aligned to the primary purpose.
- Set clear internal rules about when personal information can be used or exported.
- Reinforce these rules in training and your Information Security Policy.
Vendor Management And Contracts
If suppliers or software platforms process personal information for you (payments, cloud storage, CRM, marketing tools), treat them as extensions of your business. Ensure contracts include privacy and security obligations consistent with APP 6 and other APPs.
Use a tailored Data Processing Agreement to set out permitted purposes, security standards, breach notification timelines, and deletion/return of data after the engagement ends.
Handle Requests And Incidents Consistently
- Set a process to handle requests from law enforcement, courts or regulators, and verify the legal basis before disclosing.
- Prepare for incidents with an up-to-date Data Breach Response Plan. Quick, well‑documented responses reduce risk and demonstrate accountability.
- Adopt sensible retention and deletion policies - see our guide to data retention laws in Australia.
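The checklist items above (purpose recorded at collection, timestamped consent and opt-out records, need-to-know use, and a written basis for every exception) can be enforced at the point where data is actually read rather than left to policy alone. The following is an added example, not code from the article or from Sprintlaw: a small purpose-limitation gate that decides whether a given use or disclosure has a permitted basis and writes that basis to an audit log. The purpose taxonomy, the "related purpose" mapping, the record shapes and the names are all assumptions constructed for illustration; the ordering of checks mirrors the exceptions listed in the article and is a design choice, not a statement of the law.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed purpose taxonomy (assumption). Keys are primary purposes fixed at
# collection; values are secondary purposes a customer would reasonably expect
# to follow. DIRECTLY_RELATED is the narrower table used for sensitive data.
RELATED_PURPOSES = {
    "sale_fulfilment": {"courier_disclosure", "delivery_update", "returns_handling"},
    "health_booking": {"appointment_reminder", "clinic_internal_audit"},
}
DIRECTLY_RELATED_PURPOSES = {
    "health_booking": {"appointment_reminder"},
}
# Direct marketing is never inferred from "reasonable expectation" here; it
# needs a recorded, current opt-in (APP 7 is assessed outside this gate).
MARKETING_PURPOSES = {"promotional_email", "promotional_sms"}


@dataclass
class Consent:
    purpose: str
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active(self, at: datetime) -> bool:
        """Consent only counts while current: granted before `at`, not yet withdrawn."""
        return self.granted_at <= at and (self.withdrawn_at is None or at < self.withdrawn_at)


@dataclass
class PersonalRecord:
    subject_id: str
    primary_purpose: str            # recorded once, at collection
    sensitive: bool = False         # e.g. health information
    consents: list = field(default_factory=list)


@dataclass
class Decision:
    allowed: bool
    basis: str


AUDIT_LOG: list = []   # in-memory stand-in for an append-only audit store


def authorise(record, purpose, actor, at=None, legal_basis=None):
    """Decide whether `actor` may use/disclose `record` for `purpose`, log why."""
    at = at or datetime.now(timezone.utc)
    if purpose == record.primary_purpose:
        d = Decision(True, "primary purpose of collection")
    elif any(c.purpose == purpose and c.active(at) for c in record.consents):
        d = Decision(True, "current consent on file")
    elif legal_basis:
        # Caller must have verified the request; the basis is recorded verbatim.
        d = Decision(True, f"required or authorised by law: {legal_basis}")
    elif purpose in MARKETING_PURPOSES:
        d = Decision(False, "direct marketing without opt-in; assess APP 7")
    else:
        table = DIRECTLY_RELATED_PURPOSES if record.sensitive else RELATED_PURPOSES
        if purpose in table.get(record.primary_purpose, set()):
            kind = "directly related" if record.sensitive else "related"
            d = Decision(True, f"{kind} secondary purpose, reasonably expected")
        else:
            d = Decision(False, "no permitted basis; obtain consent or do not proceed")
    AUDIT_LOG.append({"at": at.isoformat(), "actor": actor, "subject": record.subject_id,
                      "purpose": purpose, "allowed": d.allowed, "basis": d.basis})
    return d


def demo():
    """Run the article's scenarios through the gate; returns a dict of outcomes."""
    t0 = datetime(2024, 3, 1, tzinfo=timezone.utc)
    order = PersonalRecord("cust-001", "sale_fulfilment")
    r = {"courier": authorise(order, "courier_disclosure", "ops", at=t0).allowed,
         "promo_no_consent": authorise(order, "promotional_email", "marketing", at=t0).allowed}
    order.consents.append(Consent("promotional_email", granted_at=t0))
    r["promo_with_consent"] = authorise(order, "promotional_email", "marketing", at=t0).allowed
    order.consents[0].withdrawn_at = datetime(2024, 4, 1, tzinfo=timezone.utc)
    later = datetime(2024, 5, 1, tzinfo=timezone.utc)
    r["promo_after_optout"] = authorise(order, "promotional_email", "marketing", at=later).allowed
    r["court_order"] = authorise(order, "produce_to_court", "legal", at=t0,
                                 legal_basis="court order, reference held in case file").allowed
    health = PersonalRecord("pat-007", "health_booking", sensitive=True)
    r["health_audit"] = authorise(health, "clinic_internal_audit", "admin", at=t0).allowed
    r["health_reminder"] = authorise(health, "appointment_reminder", "reception", at=t0).allowed
    return r


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:20} {'allowed' if allowed else 'refused'}")
    for entry in AUDIT_LOG:
        print(entry)
```

Two details matter more than the taxonomy itself: consent is checked against a timestamp, so a withdrawn opt-in stops working the moment it is withdrawn rather than whenever someone remembers to delete it, and a refusal is logged with the same detail as an approval, which is what lets you show later that a secondary use was considered and stopped rather than silently attempted.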
Train Your Team
People compliance is privacy compliance. Train staff on the boundaries set by APP 6, how to recognise a permitted purpose, what counts as consent, and how to escalate tricky requests.
Working With Third Parties And Overseas Disclosure
APP 6 often comes into play when you share information with external parties. Before you disclose, confirm your lawful basis (primary purpose, consent, reasonable expectation, or legal requirement). Then address these two areas.
Engage Processors On Clear Terms
Make sure any service provider only uses personal information to deliver services to you and does not repurpose it for their own marketing or analytics without your direction. Your Data Processing Agreement should:
- Limit processing to documented instructions (the “purpose limitation” rule).
- Set confidentiality and security standards, including sub-processor approvals.
- Require prompt breach notifications and cooperation with investigations.
- Provide for secure deletion or return of data at the end of the contract.
Cross-Border Disclosure Considerations
If you disclose personal information overseas (for example, to a cloud provider’s international data centre), APP 8 imposes additional steps. You’ll usually need to take reasonable steps to ensure the overseas recipient handles the data in a way that’s consistent with the APPs.
Practically, this means careful due diligence, contract clauses, and transparency in your Privacy Policy and collection notices. Only disclose what’s necessary, and confirm where data will be stored and accessed.
Direct Marketing Is Different
Direct marketing is addressed specifically under APP 7, with its own consent and opt‑out requirements. If you want to send promotions to existing customers using data collected for a sale, assess APP 7 as well as APP 6, and make sure your channels comply with spam and email marketing laws.
Examples: Common APP 6 Scenarios For Small Businesses
Example 1: Sharing Customer Data With A Courier
You collect a customer’s name, phone number and address to ship their order. Sharing those details with your courier is for the primary purpose and allowed under APP 6. Don’t add them to a separate marketing list unless APP 7 allows it and you’ve obtained consent or provided a clear opt‑out.
Example 2: Using A SaaS CRM
You sign up for a cloud CRM to manage leads and support tickets. Disclosing customer details to the CRM provider is allowed if it’s part of your primary purpose and consistent with your collection notices. Lock this down with a strong Data Processing Agreement and confirm whether any data is stored overseas.
Example 3: Police Request For Information
You receive an email from someone claiming to be police, asking for customer records. APP 6 allows disclosure if required or authorised by law, but only once you are satisfied the request is genuine. Ask for a reference number and a formal notice or order, and confirm the request through the agency's published contact details rather than by replying to the email, since impersonating law enforcement is a common pretext for extracting customer data. Then disclose the minimum necessary and keep a record of the legal basis, who you verified it with, and exactly what you provided.
Example 4: Repurposing Data For A New Product
You collected emails for product A and want to use them to launch product B. If customers wouldn’t reasonably expect this secondary use, get consent first (or provide an easy opt‑in) and update your Privacy Collection Notice and Privacy Policy to reflect the new purpose.
What Legal Documents Should You Have?
Good privacy compliance is built into your documents and processes. These documents help you meet APP 6 and demonstrate accountability.
- Privacy Policy: Explains what you collect, why, who you share it with, where it’s stored, and how individuals can contact you or make complaints.
- Privacy Collection Notice: Presents key information about collection and use at the point of data capture (e.g. checkout, sign-up form).
- Data Processing Agreement: Contract with service providers that process personal information on your behalf, limiting use to agreed purposes and setting security and breach terms.
- Information Security Policy: Internal rules for access control, data handling and security practices aligned with your APP 6 obligations.
- Data Breach Response Plan: Step‑by‑step process to identify, contain and assess suspected breaches, and to notify where required.
- Privacy Consent Form: A clear record of informed consent when you need permission to use or disclose information for secondary purposes or sensitive data.
Depending on your operations, you may also need tailored customer terms, platform rules, or supplier agreements that dovetail with your privacy position and reinforce purpose limitations.
Common Pitfalls (And How To Avoid Them)
- Assuming consent you don’t have: Pre‑ticked boxes or buried notices are risky. Use clear, affirmative opt‑ins when you need consent.
- “Function creep”: Teams start using data for convenient secondary purposes over time. Stop this by defining and policing primary purposes.
- Sharing too much: Disclose only what’s necessary for the job (data minimisation) and remove or mask fields where possible.
- Not documenting exceptions: If you rely on a permitted situation or a legal request, keep a record of your assessment and the basis for disclosure.
- Ignoring downstream processors: Your obligations don’t end when data leaves your system. Keep control through contracts, audits and offboarding requirements.
Key Takeaways
- APP 6 limits the use and disclosure of personal information to the primary purpose of collection unless a specific exception applies.
- If you need to use information for a secondary purpose, ensure you have consent or a clear “reasonable expectation” that meets APP 6 (and check APP 7 for any direct marketing plans).
- Build compliance into your operations with a transparent Privacy Policy, strong Privacy Collection Notices, and tight vendor controls via a Data Processing Agreement.
- Limit access internally, document decisions, and prepare for incidents with an Information Security Policy and a Data Breach Response Plan.
- Overseas disclosures demand extra care - confirm where data goes, contract for protections, and be transparent with customers.
- Training and clear processes prevent “function creep” and keep your team within the APP 6 boundaries.
If you’d like a consultation on complying with Australian Privacy Principle 6 for your business, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no‑obligations chat.