Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- How Many Australian Privacy Principles Are There?
- What Are The Australian Privacy Principles (And What Do They Mean In Practice)?
  - APP 1: Open And Transparent Management Of Personal Information
  - APP 2: Anonymity And Pseudonymity
  - APP 3: Collection Of Solicited Personal Information
  - APP 4: Dealing With Unsolicited Personal Information
  - APP 5: Notification Of The Collection Of Personal Information
  - APP 6: Use Or Disclosure Of Personal Information
  - APP 7: Direct Marketing
  - APP 8: Cross-Border Disclosure Of Personal Information
  - APP 9: Adoption, Use Or Disclosure Of Government Related Identifiers
  - APP 10: Quality Of Personal Information
  - APP 11: Security Of Personal Information
  - APP 12: Access To Personal Information
  - APP 13: Correction Of Personal Information
- Key Takeaways
If you run a small business or you’re building a startup, it’s almost impossible to avoid handling personal information. Even if you’re not a “tech company”, you might still collect customer names, emails, phone numbers, delivery addresses, staff records, payment details, or marketing data.
That’s where the Australian Privacy Principles (APPs) come in. They’re the core rules under Australia’s privacy regime, and they set expectations for how businesses should collect, use, store and disclose personal information.
So, how many Australian Privacy Principles are there, and what do they actually mean for your day-to-day operations?
In this guide, we’ll answer that question clearly (and practically), then walk through what you need to do to build privacy compliance into your business from the start. This article is general information only and doesn’t take into account your specific circumstances - if you need advice about your setup, it’s best to get tailored legal advice.
How Many Australian Privacy Principles Are There?
There are 13 Australian Privacy Principles.
These 13 principles sit in the Privacy Act 1988 (Cth) and apply to organisations that fall within the Act (most commonly, businesses that are “APP entities”).
When people ask how many privacy principles there are in Australia, they’re usually referring to these 13 APPs. Together, they cover:
- how you collect personal information (and what you tell people when you do)
- how you use and disclose personal information
- direct marketing rules
- cross-border disclosures (for example, when you share personal information with an overseas service provider)
- data security and destruction
- access and correction rights
Importantly, the APPs aren’t just “paperwork rules”. They affect the systems you set up, the tools you use, the marketing you run, and what you do if something goes wrong (like a data breach).
Do The Australian Privacy Principles Apply To Your Business?
Before you spend time mapping the 13 principles, it’s worth checking whether your business is likely to be covered by the Privacy Act.
What Is An “APP Entity”?
The APPs generally apply to:
- most Australian Government agencies, and
- many private sector organisations (including companies and not-for-profits) that meet certain criteria.
For small businesses and startups, the key issue is usually whether you fall under the small business exemption.
What Is The Small Business Exemption?
In broad terms, a “small business operator” may be exempt from the Privacy Act if it has an annual turnover of $3 million or less.
However, this is not a “set and forget” exemption. Many businesses with turnover under $3 million can still be covered by the Privacy Act because of what they do, not just their size.
Common Reasons A Small Business Still Has Privacy Obligations
Depending on your business model, you may be covered if you:
- provide a health service and handle health information
- deal in personal information (for example, you collect and disclose personal information for some kind of benefit, service or advantage - not just because you use customer data internally)
- are a credit reporting body or credit provider (or are otherwise involved in credit reporting)
- are a contracted service provider for a government contract
- choose to “opt in” to the Privacy Act
Even if you are exempt, the APPs are still a strong baseline for “good privacy practice”. In practical terms, customers, enterprise clients, and investors often expect you to treat privacy seriously anyway.
And if you’re planning to scale, your privacy processes should scale with you. It’s usually much easier to design privacy compliance early than to bolt it on later.
What Are The Australian Privacy Principles (And What Do They Mean In Practice)?
Now, to the heart of the question: what are the Australian Privacy Principles?
Below is a practical overview of the 13 APPs, written from a small business perspective. This isn’t meant to replace tailored legal advice, but it will help you understand what the principles are pushing you to do operationally.
APP 1: Open And Transparent Management Of Personal Information
You must manage personal information in an open and transparent way. Practically, this usually means you need a clear Privacy Policy that explains what you collect, why you collect it, and how people can contact you about privacy concerns.
APP 2: Anonymity And Pseudonymity
Where reasonable, individuals should have the option to interact with you anonymously or using a pseudonym (for example, browsing your website, making general enquiries, or reading your content without logging in).
APP 3: Collection Of Solicited Personal Information
You should only collect personal information that is reasonably necessary for your business functions. For example, if you’re running a newsletter signup, you likely don’t need someone’s date of birth.
APP 4: Dealing With Unsolicited Personal Information
If you receive personal information you didn’t ask for, you need to decide whether you could have collected it under APP 3. If not, you may need to destroy it or de-identify it (unless an exception applies).
APP 5: Notification Of The Collection Of Personal Information
When you collect personal information, you generally need to tell people key details (like who you are, what you’re collecting, why, and who you might disclose it to). Many businesses handle this through a Privacy Collection Notice at the point of collection (for example, on checkout pages, lead forms, or account signup screens).
APP 6: Use Or Disclosure Of Personal Information
You generally must use or disclose personal information only for the purpose you collected it for (the “primary purpose”), unless an exception applies (like consent or a related secondary purpose the person would reasonably expect).
From a startup standpoint, this is where privacy issues often arise: teams collect data for onboarding, then later want to use it for upsells, marketing, partnerships, or product analytics. It’s important to map these use cases early.
APP 7: Direct Marketing
This sets rules about when you can use personal information for direct marketing and how you provide an “opt out”. If you’re building an email marketing funnel, this is directly relevant.
Even if privacy law doesn’t apply to you due to an exemption, you should still be mindful of marketing compliance generally (including spam rules). A clear privacy position also builds customer trust.
APP 8: Cross-Border Disclosure Of Personal Information
If you disclose personal information to an overseas recipient, you may need to take reasonable steps to ensure the overseas recipient doesn’t breach the APPs.
In practice, this matters when personal information is shared with (or can be accessed by) an overseas organisation - for example, when you use:
- overseas cloud hosting (depending on how the provider stores and accesses data)
- international SaaS tools (CRM, email marketing, analytics)
- offshore customer support teams
This is a common pain point for startups, because many popular tools store data outside Australia or enable overseas access. Whether a particular arrangement is a “disclosure” can depend on the setup and the provider relationship, so it’s worth checking your vendor terms and data flows carefully.
APP 9: Adoption, Use Or Disclosure Of Government Related Identifiers
You generally can’t adopt or use government identifiers (like Medicare numbers) as your own identifier for individuals, unless a specific exception applies.
APP 10: Quality Of Personal Information
You must take reasonable steps to ensure personal information is accurate, up-to-date, and complete (especially before you use or disclose it).
For example: if you’re sending goods, you should have a process for customers to update delivery details. If you’re managing staff records, you should keep employment details current.
APP 11: Security Of Personal Information
You must take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure.
This principle is where “privacy” and “cyber security” overlap. Practical steps might include:
- strong access controls (including role-based access)
- MFA on key systems
- secure password practices
- vendor risk checks for your software providers
- processes for deleting data when you no longer need it
If your business accepts payments online, privacy security also connects to how you handle payment data. For many businesses, it’s safer to avoid storing payment data at all unless it’s necessary and you’re properly set up to do it. If this is relevant to you, it’s worth thinking carefully about whether, and how, you store credit card details.
APP 12: Access To Personal Information
Individuals generally have the right to request access to the personal information you hold about them (subject to some exceptions).
APP 13: Correction Of Personal Information
Individuals generally have the right to request corrections if the information you hold is inaccurate, out of date, incomplete, irrelevant, or misleading.
From a process standpoint, APP 12 and APP 13 mean you should have a simple, documented way to receive and handle privacy requests. This might be as simple as a dedicated email address and an internal checklist.
What Small Businesses Usually Need To Do To Comply (Without Overcomplicating It)
Knowing how many Australian Privacy Principles there are is a good start, but the real question is: what do you need to actually implement?
For most small businesses and startups, privacy compliance becomes manageable when you break it into a few practical workstreams.
1) Map What You Collect And Why
Start with a simple inventory:
- What personal information do we collect?
- Where does it come from (website forms, sales calls, app, support inbox)?
- Why do we collect it (primary purpose)?
- Who do we share it with (software providers, contractors, delivery partners)?
- Where is it stored (and is any of that storage or access overseas)?
This mapping exercise tends to answer half your APP compliance questions on its own.
2) Put The Right Customer-Facing Documents In Place
Most privacy issues start at the point of collection. If you’re collecting personal information online (even through a basic landing page), you should think about having:
- Privacy Policy (APP 1) - this is your baseline public explanation of how you handle personal information.
- Privacy Collection Notice (APP 5) - this is what you show people at the moment you collect their information (often more specific and “just in time”).
- Website terms - helpful for setting rules around your website use and reducing disputes about how your platform operates; many businesses include Website Terms and Conditions as part of their core website legal set.
If you use cookies or similar tracking tools (for analytics, ads, or user experience), you’ll also want to consider a Cookie Policy approach that matches what your website is actually doing.
3) Build A Simple Internal Privacy Process
You don’t need a huge compliance department to take privacy seriously. Many small businesses can cover the basics by implementing:
- a process for access/correction requests (APP 12 and 13)
- clear rules for staff about sharing customer data internally and externally
- reasonable “need to know” access controls (APP 11)
- a retention and deletion process (don’t keep personal information forever “just in case”)
If your team uses internal tools (Slack, Google Workspace, project management platforms), it can also help to set expectations for safe handling of information in a simple policy, like an Acceptable Use Policy.
4) Be Ready For A Data Breach
Even businesses doing the right thing can have incidents. What matters is how you respond.
If you’re covered by the Notifiable Data Breaches (NDB) scheme (which generally applies to APP entities and certain other regulated organisations), certain breaches may need to be notified to affected individuals and the Office of the Australian Information Commissioner (OAIC). Even if you’re not covered, having a plan can prevent a bad situation from becoming a business-ending one.
Two practical building blocks here are:
- a data breach notification approach for when notification is required, and
- a documented data breach response plan so your team knows who does what, and when.
Common Privacy Pitfalls For Startups (And How To Avoid Them)
Startups move quickly, and privacy can accidentally become an afterthought. These are some of the most common issues we see when businesses grow faster than their legal foundations.
Assuming “We’re Small, So Privacy Doesn’t Matter”
Even if you’re exempt today, you might not be tomorrow. Turnover can grow quickly, and business models can change (for example, you start handling more sensitive data, or you sign enterprise clients who expect privacy controls).
Taking the APPs seriously early can save you a painful (and expensive) compliance scramble later.
Collecting Too Much Data “Just In Case”
Collecting unnecessary personal information increases your risk, because you now have more data to secure and more data that could be exposed if something goes wrong. It can also create trust issues with customers if you can’t clearly explain why you need that information.
As a simple rule: only collect what you reasonably need, and regularly review whether you still need it.
Using Overseas Tools Without Thinking About Cross-Border Disclosure
Many common business tools store data in the US or elsewhere. That’s not automatically “wrong”, but you should understand whether your setup involves a cross-border disclosure (for example, giving an overseas provider access to personal information), and reflect your approach in your privacy communications (and ideally, your vendor checks and contracts).
Privacy Documents That Don’t Match Reality
A privacy policy that says “we don’t share your data” while your business uses third-party email marketing tools, analytics platforms, or delivery partners can create serious legal and reputational risk.
The goal is not to have the “strictest” privacy policy - it’s to have an accurate one that reflects what your business actually does.
Key Takeaways
- There are 13 Australian Privacy Principles, and they set the baseline rules for how covered businesses handle personal information.
- If you’re asking how many Australian Privacy Principles there are, the answer is “13” - but your real task is translating them into practical business processes.
- Many small businesses may be exempt under the small business exemption, but this can change depending on turnover and what you do (and good privacy practice is still important).
- The APPs cover the full lifecycle of personal information: collection, notice, use, marketing, overseas disclosures, security, access, and correction.
- Most startups can make meaningful privacy progress by mapping data flows, putting the right documents in place, and setting up simple internal processes.
- Being prepared for a data breach (even with a basic response plan) can dramatically reduce the impact on your business if an incident occurs.
If you’d like help getting your business privacy-ready (including privacy policies, collection notices, and practical compliance advice), you can reach Sprintlaw at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligation chat.