The 13 Australian Privacy Principles Explained

If you collect names, emails, phone numbers, delivery details or payment information from customers, you’re handling “personal information” - and that triggers privacy obligations in Australia.

Those obligations sit in the 13 Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). They set out how businesses should collect, use, store and disclose personal information, and what rights individuals have over their data.

In this guide, we’ll break down what the 13 APPs actually mean in practice, when they apply to small businesses, and the simple steps you can take to comply without slowing down your operations.

Do The Australian Privacy Principles Apply To My Small Business?

Many small businesses assume privacy law doesn’t apply to them. Under current law, there’s a general “small business exemption” for businesses with an annual turnover of $3 million or less. However, there are important exceptions where the exemption does not apply. Your business must comply with the APPs if any of the below are true, even if your turnover is under $3 million:

  • You provide a health service (e.g. allied health, fitness with health assessments) or handle health information.
  • You trade in personal information (e.g. you buy, sell or rent customer data, or profile users for resale).
  • You’re a contractor for a Commonwealth agency, a credit reporting body, or you handle Tax File Numbers.
  • You’ve opted in to be covered by the Privacy Act (some businesses do this contractually or to build trust).

It’s also worth noting that the Federal Government has signalled reform of the Privacy Act, including removing the small business exemption (subject to consultation). In short: even if you’re currently exempt, it’s smart to get APP-ready now.

And regardless of the exemption, many customers expect transparency, security and control over their data. Having a clear Privacy Policy and solid data practices builds trust and helps you meet partner and platform requirements.

The 13 Australian Privacy Principles Explained

Here’s a plain‑English overview of each APP, plus what compliance looks like for a typical small business.

APP 1 - Open and Transparent Management of Personal Information

You must manage personal information in a clear and accountable way. Practically, this means publishing a current, easy‑to‑understand Privacy Policy that explains what you collect, why you collect it, where it is stored, who you share it with, and how people can access or correct their data or make complaints.

Tip: Keep your Privacy Policy accurate and up to date as your operations change (e.g. when you add new marketing tools or service providers).

APP 2 - Anonymity and Pseudonymity

Where it’s reasonable, give people the option to interact with you anonymously or under a pseudonym (e.g. browsing your website without an account or making a simple enquiry without full details). If identity is essential to provide the service (for example, verifying age for a regulated product), you can require it - but explain why.

APP 3 - Collection of Solicited Personal Information

Only collect personal information you actually need for your functions or activities, and do so by lawful and fair means. For “sensitive information” (like health data), you usually need clear consent and a strong reason tied to your service.

APP 4 - Dealing With Unsolicited Personal Information

If you receive personal information you didn’t ask for (for example, an applicant emails you a third party’s details), decide quickly whether you could have collected it under APP 3. If not, destroy or de‑identify it if lawful and reasonable.

APP 5 - Notification of Collection

When you collect personal information, tell people what you’re collecting, why, who you share it with, and how they can contact you. This is often done via a just‑in‑time notice on forms or a concise Privacy Collection Notice alongside your full policy.

APP 6 - Use or Disclosure

Use and disclose personal information only for the purpose you collected it (or a related purpose the person would reasonably expect). If you want to use it for a new purpose, you’ll generally need consent unless a narrow exception applies (e.g. legal obligation).

APP 7 - Direct Marketing

You can only use personal information for direct marketing if allowed by the APPs (and, separately, you must comply with the Spam Act 2003 and the Do Not Call rules). Provide easy opt‑outs and honour them promptly. If you’re unsure, review your practices against Australia’s email marketing laws before launching campaigns.

APP 8 - Cross‑Border Disclosure

If you transfer personal information overseas (for example, using a cloud tool with servers outside Australia), you must take steps to ensure the overseas recipient protects it consistently with the APPs. This often involves due diligence and a robust Data Processing Agreement with your service providers.

APP 9 - Adoption, Use or Disclosure of Government Related Identifiers

Don’t adopt, use or disclose government identifiers (like Medicare or Tax File Numbers) as your own customer identifiers, except in very limited circumstances. Treat any government identifier you encounter as highly sensitive.

APP 10 - Quality of Personal Information

Take reasonable steps to ensure personal information is accurate, up‑to‑date and complete. This could mean validating emails at sign‑up, giving users a profile portal to update their details, or confirming delivery addresses at checkout.

APP 11 - Security of Personal Information

You must take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure. Think access controls, encryption, staff training, and secure deletion. If you handle payments, confirm whether card data ever touches your systems and review your obligations around storing credit card details.

APP 12 - Access to Personal Information

Individuals can request access to their personal information. You should respond within a reasonable time, provide access in a suitable format, and explain any lawful reasons for refusal (rare). Have a clear contact channel for these requests.

APP 13 - Correction of Personal Information

If personal information is wrong or incomplete, take reasonable steps to correct it. If you’ve shared incorrect data with a third party (e.g. a delivery partner), consider whether you should notify them of the correction.

What Does APP Compliance Look Like Day To Day?

Compliance isn’t just a policy sitting on your website - it’s a set of simple habits embedded into your processes. The following practices help most small businesses stay on the right side of the APPs.

  • Publish and maintain clear privacy documentation. A tailored Privacy Policy and short, context‑specific collection notices at your forms or checkout pages cover APP 1 and APP 5.
  • Map your data flows. Know what you collect, the lawful basis, where it’s stored, who can access it, and which external tools receive it (email platforms, CRMs, analytics, helpdesks).
  • Lock down your vendors. Use a Data Processing Agreement (or similar) with service providers that handle personal information or store it overseas.
  • Secure your systems and train your team. Use MFA, role‑based access, device security and periodic staff training. Have a playbook for handling suspicious emails and data requests.
  • Have a plan for incidents. A tested Data Breach Response Plan and, if needed, rapid data breach notification support are essential if something goes wrong.
  • Minimise data and delete it when no longer needed. Build retention schedules and disposal routines into your workflow. Our overview of data retention laws in Australia is a helpful starting point.
  • Respect marketing rules. Ensure consents, opt‑outs, and contact lists comply with APP 7 and the Spam Act. Review your flows against Australia’s email marketing laws before scaling campaigns.

Common Traps We See (And How To Fix Them)

  • Collecting more data than you need. Extra fields feel useful now but create risk later. Trim forms to the essentials and add optional fields only if you genuinely need them.
  • Using new tools without checking privacy impacts. Before rolling out a new CRM, analytics tool or AI add‑on, run a lightweight review or a simple privacy impact assessment plan.
  • Assuming your vendors are “compliant” by default. Many SaaS tools are international and involve cross‑border disclosures. Confirm where data is hosted and lock in privacy obligations via contract.
  • Forgetting to give just‑in‑time notices. A standalone policy isn’t enough. Put collection notices next to the form fields so people know what’s happening at the point of collection.
  • Holding on to old data “just in case”. If you don’t need it, don’t keep it. Data minimisation reduces both your risk and your costs.
  • Copy‑pasting a generic policy. If your policy doesn’t match your actual practices, you can mislead customers. Tailor your documentation to your tech stack and workflows.
  • Scraping or aggregating public data without guardrails. Public doesn’t mean free to use. If you rely on scraped datasets or AI training, consider whether web scraping rules and privacy obligations are triggered.

How To Get Started With An APP Compliance Plan

You don’t need a big budget or a compliance team to get this right. Here’s a practical roadmap you can action this month.

1) Audit What You Collect and Why

List each collection point (website forms, sign‑ups, POS, customer support, partner referrals) and note what you collect, the purpose, the lawful basis, and where it goes (systems, vendors). Mark anything sensitive (e.g. health information).

2) Tidy Up Your Forms and Flows

Remove unnecessary fields, add clear labels, and put short collection notices next to key fields. If you rely on consent (e.g. for health information or direct marketing), make it explicit and easy to withdraw.

3) Update Your Privacy Documentation

Draft or refresh your Privacy Policy so it matches your current stack and overseas disclosures, and create tailored collection notices for key touchpoints.

4) Lock Down Vendors and Security

Sign a Data Processing Agreement with key providers, enable MFA and role‑based access, and document simple security standards for staff. Confirm where your data is stored and whether cross‑border disclosure rules are triggered.

5) Build Your Incident Playbook

Adopt a Data Breach Response Plan and run a short tabletop exercise so your team knows what to do if an incident occurs.

6) Set Retention and Deletion Routines

Define how long you keep different data types and build automated or quarterly clean‑ups. Align this with your operational needs and any legal retention requirements in your sector.

7) Train Your Team

Deliver a short privacy and security briefing for anyone who touches customer data. Cover phishing, handling access requests, and how to escalate a suspected breach.

Special Considerations For Health And High‑Sensitivity Data

If you’re a health service provider or you handle sensitive information, you’ll likely be covered by the APPs regardless of turnover and you’ll face higher expectations for consent, security and disclosures. Your policy and notices should reflect this, and your staff training should be more robust.

In these cases, consider a sector‑specific policy such as a health service provider privacy policy, and double‑check your processes for collecting, storing and sharing sensitive records.

Key Takeaways

  • The 13 Australian Privacy Principles set the rules for how you collect, use, store and disclose personal information in Australia.
  • Even if you’re under the $3 million turnover threshold, you may still be covered - and reform could remove the small business exemption, so it pays to get APP‑ready now.
  • Practical compliance starts with mapping your data, publishing a tailored Privacy Policy and collection notices, and minimising what you collect.
  • Lock down your vendors (especially overseas tools) with a Data Processing Agreement and maintain strong security practices across your team.
  • Plan for incidents with a Data Breach Response Plan and align everyday operations with data retention, access and correction processes.
  • Marketing and growth don’t need to conflict with privacy - build consent, opt‑outs and accurate records into your systems from day one.

If you’d like a consultation on getting your business APP‑compliant - including drafting your Privacy Policy, collection notices or vendor agreements - you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no‑obligation chat.

Alex Solo

Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
