The 13 Australian Privacy Principles (APPs) Explained

The 13 Australian Privacy Principles (APPs) sit in Schedule 1 of the Privacy Act 1988 (Cth) and set the legal standards that bind APP entities when they handle personal information. They are principles-based, organised into five Parts, and enforced by the Office of the Australian Information Commissioner (OAIC).
For the wider framework, including penalties, the Notifiable Data Breaches scheme, the statutory tort, and pending reforms, see the Australia data privacy laws overview.
This reference page walks through the 13 APPs as they appear in Schedule 1, grouped the way the OAIC groups them. It covers who is bound, what each principle requires, and how the principles fit together, with a full table of all 13 at the end.
Where the APPs come from: Schedule 1 of the Privacy Act 1988
The 13 Australian Privacy Principles are contained in Schedule 1 of the Privacy Act 1988 (Cth). They were inserted by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) and commenced on 12 March 2014, replacing the two earlier principle sets that had applied separately to the public and private sectors. Because the APPs sit in the Act itself, a breach of an APP is an interference with the privacy of an individual under the Privacy Act, which is what enlivens the OAIC's complaint, investigation, and enforcement powers.
The principles are deliberately drafted at a high level. The OAIC describes them as principles-based and technology-neutral, which means most obligations are framed around taking steps that are reasonable in the circumstances rather than prescribing exact procedures. The trade-off is flexibility for ongoing judgement: an entity must continually assess what is reasonable for its size, the sensitivity of the information, and the risk involved.
Who the APPs bind: APP entities
The APPs apply to APP entities. Under the Privacy Act 1988 (Cth), an APP entity is an agency or an organisation. An agency is broadly a Commonwealth (federal) government department or agency, or a body established under federal law for a public purpose. An organisation is an individual (such as a sole trader), body corporate, partnership, unincorporated association, or trust, that is not a small business operator, a registered political party, an agency, a state or territory authority, or a prescribed state or territory instrumentality.

The key threshold is the small business operator exemption. A small business operator generally has an annual turnover of A$3 million or less for a financial year and is therefore not an organisation and not bound by the APPs. The OAIC has long supported removing this exemption, and reform work is ongoing, but the threshold still applies at the federal level.
Watch out: The small business exemption is riddled with exceptions, and several types of small business are bound by the APPs regardless of turnover. These include businesses that provide a health service and hold health information (other than in an employee record), businesses that trade in personal information (disclose it for a benefit, or provide a benefit in exchange for collecting it), credit reporting bodies, contracted service providers under a Commonwealth contract, and businesses related to a larger business that is not itself a small business operator. Tax file number information is also protected regardless of business size, but under the separate Privacy (Tax File Number) Rule rather than the APPs. A clinic, allied health practice, or gym offering health services can be an APP entity even with turnover well below A$3 million.
Part 1: Consideration of personal information privacy (APP 1-2)
The first Part is about governance and choice before any specific dealing with information. APP 1 (open and transparent management of personal information) requires an APP entity to manage personal information in an open and transparent way and to take reasonable steps to implement practices, procedures, and systems that ensure APP compliance and enable it to deal with related inquiries and complaints. APP 1 also requires a clearly expressed and up-to-date APP privacy policy describing how the entity handles personal information, which the entity must make available free of charge.
APP 2 (anonymity and pseudonymity) gives individuals the option of not identifying themselves, or of using a pseudonym, when dealing with an APP entity. The option does not apply where the entity is required or authorised by law (or a court or tribunal order) to deal with identified individuals, or where it is impracticable for the entity to deal with an unidentified or pseudonymous individual.
Part 2: Collection of personal information (APP 3-5)
Part 2 governs the front door, that is, how and when information may be collected. APP 3 (collection of solicited personal information) provides that an organisation must not collect personal information (other than sensitive information) unless it is reasonably necessary for one or more of its functions or activities; for an agency the test is slightly wider, covering information that is reasonably necessary for, or directly related to, its functions or activities. Sensitive information must meet that same test and, in addition, generally requires the individual's consent unless an exception applies. APP 3 also requires collection by lawful and fair means, and collection from the individual directly unless that is unreasonable or impracticable. The Act defines sensitive information to include health, genetic, and biometric information, as well as racial or ethnic origin, political opinions, religious beliefs, sexual orientation, and criminal record.
APP 4 (dealing with unsolicited personal information) applies when an entity receives personal information it did not ask for. The entity must decide whether it could have collected that information under APP 3. If it could not, and the information is not in a Commonwealth record, the entity must destroy or de-identify it as soon as practicable if lawful and reasonable to do so. APP 5 (notification of the collection of personal information) requires the entity, at or before collection (or as soon as practicable after), to take reasonable steps to notify the individual of specified matters, including the entity's identity and contact details, the purposes of collection, the consequences of not providing the information, any usual disclosures, and how the individual can access and correct their information or complain.
Part 3: Dealing with personal information (APP 6-9)
Part 3 is the largest grouping and covers what an entity may do with information once it holds it. APP 6 (use or disclosure of personal information) is the core limit: information collected for a primary purpose may generally only be used or disclosed for that purpose, unless the individual consents, or a secondary purpose applies that the individual would reasonably expect and that is related (or directly related, for sensitive information) to the primary purpose, or another exception applies.

APP 7 (direct marketing) provides that an organisation must not use or disclose personal information for direct marketing unless an exception applies, and even then must provide a simple means to opt out and must honour opt-out requests. APP 8 (cross-border disclosure of personal information) requires an entity, before disclosing personal information to an overseas recipient, to take reasonable steps to ensure the recipient does not breach the APPs (other than APP 1) in relation to that information. Critically, an accountability rule in the Act means that where the overseas recipient does an act that would breach the APPs, the disclosing entity can be treated as having breached the APPs itself. APP 9 (adoption, use or disclosure of government related identifiers) restricts organisations from adopting, using, or disclosing a government related identifier (such as a tax file number or Medicare number) as their own identifier except in limited circumstances.
Part 4: Integrity of personal information (APP 10-11)
Part 4 is about keeping information accurate and secure. APP 10 (quality of personal information) requires an APP entity to take reasonable steps to ensure the personal information it collects is accurate, up to date, and complete, and that information it uses or discloses is, having regard to the purpose, accurate, up to date, complete, and relevant.
APP 11 (security of personal information) requires an entity to take reasonable steps to protect personal information from misuse, interference, and loss, and from unauthorised access, modification, or disclosure. APP 11 also requires the entity to take reasonable steps to destroy or de-identify personal information once it is no longer needed for any purpose for which it may be used or disclosed under the APPs, and the information is not in a Commonwealth record or required to be retained by law. APP 11 is the principle most often at the centre of data breach enforcement.
Part 5: Access to, and correction of, personal information (APP 12-13)
The final Part confers the two main individual rights inside the APPs. APP 12 (access to personal information) requires an APP entity to give an individual access to the personal information it holds about them on request, unless a specific exception applies (for example, where giving access would pose a serious threat to the life, health, or safety of any individual, or would have an unreasonable impact on the privacy of other individuals). An agency may refuse access where the Freedom of Information Act or another Commonwealth law requires or authorises it to do so, and must respond within 30 days; an organisation must respond within a reasonable period. An agency must not charge for access; an organisation may charge for giving access, but the charge must not be excessive and must not apply to the making of the request.
APP 13 (correction of personal information) requires an entity to take reasonable steps to correct personal information to ensure it is accurate, up to date, complete, relevant, and not misleading, either where the entity is satisfied it is inaccurate or where the individual requests correction. If the entity refuses, it must give written reasons and notify the individual of available complaint mechanisms, and, on request, take reasonable steps to associate a statement with the information that the individual believes it is inaccurate.
All 13 Australian Privacy Principles at a glance
| APP | Title | Part |
|---|---|---|
| APP 1 | Open and transparent management of personal information | 1: Consideration of privacy |
| APP 2 | Anonymity and pseudonymity | 1: Consideration of privacy |
| APP 3 | Collection of solicited personal information | 2: Collection |
| APP 4 | Dealing with unsolicited personal information | 2: Collection |
| APP 5 | Notification of the collection of personal information | 2: Collection |
| APP 6 | Use or disclosure of personal information | 3: Dealing with information |
| APP 7 | Direct marketing | 3: Dealing with information |
| APP 8 | Cross-border disclosure of personal information | 3: Dealing with information |
| APP 9 | Adoption, use or disclosure of government related identifiers | 3: Dealing with information |
| APP 10 | Quality of personal information | 4: Integrity |
| APP 11 | Security of personal information | 4: Integrity |
| APP 12 | Access to personal information | 5: Access and correction |
| APP 13 | Correction of personal information | 5: Access and correction |

The OAIC publishes detailed APP Guidelines that explain how each principle is interpreted in practice, and these are the starting point for any entity working out what reasonable steps look like for its own circumstances.
This page presents general legal information about the Australian Privacy Principles as set out in the Privacy Act 1988 (Cth). It is not legal advice. The law continues to evolve through reform and OAIC guidance, so consult a lawyer admitted in the relevant Australian jurisdiction for advice on your specific situation.
Frequently Asked Questions
Where are the 13 Australian Privacy Principles found in law?
The 13 APPs are set out in Schedule 1 of the Privacy Act 1988 (Cth). They were inserted by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) and commenced on 12 March 2014, replacing the earlier National Privacy Principles and Information Privacy Principles. Because they sit in the Act, breaching an APP is an interference with the privacy of an individual under the Privacy Act.
Who has to comply with the Australian Privacy Principles?
The APPs bind 'APP entities', which means Australian Government agencies and 'organisations'. An organisation is generally a business that is not a small business operator. Agencies are broadly Commonwealth government departments and bodies established under federal law for a public purpose. The principles do not, on their own, bind state and territory government agencies, which are covered by separate state and territory laws.
Are small businesses bound by the APPs?
Generally no. A small business operator with annual turnover of A$3 million or less is usually exempt at the federal level. However, several categories are bound regardless of turnover, including private-sector health service providers that hold health information, businesses that buy or sell personal information, credit reporting bodies, and contracted service providers under a Commonwealth contract. The OAIC supports removing the small business exemption, and reform is under consideration.
How are the 13 APPs grouped?
The OAIC groups the APPs into five Parts. Part 1 (APP 1-2) covers consideration of personal information privacy. Part 2 (APP 3-5) covers collection. Part 3 (APP 6-9) covers dealing with personal information, including use, disclosure, direct marketing, cross-border disclosure, and government related identifiers. Part 4 (APP 10-11) covers integrity, meaning quality and security. Part 5 (APP 12-13) covers access and correction.
What is the difference between APP 1 and an APP privacy policy?
APP 1 is the broader governance obligation to manage personal information openly and transparently and to maintain practices, procedures, and systems that ensure APP compliance. Having a clearly expressed and up-to-date APP privacy policy is one specific requirement within APP 1. The policy must describe matters such as the kinds of information collected, how it is collected and held, the purposes of use and disclosure, and how individuals can access, correct, or complain about their information.
Which APP deals with data security and breaches?
APP 11 (security of personal information) requires an APP entity to take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure, and to destroy or de-identify it when it is no longer needed. APP 11 is the principle most frequently engaged in data breach enforcement, and it operates alongside the separate Notifiable Data Breaches scheme in the Privacy Act.
Do individuals have a right to access their information under the APPs?
Yes. APP 12 requires an APP entity to give an individual access to the personal information it holds about them on request, unless a specific exception applies, such as where access would pose a serious threat to life or health or unreasonably affect another person's privacy. APP 13 separately requires the entity to take reasonable steps to correct information that is inaccurate, out of date, incomplete, irrelevant, or misleading.
Who enforces the Australian Privacy Principles?
The Office of the Australian Information Commissioner (OAIC) administers and enforces the APPs. It handles complaints, can conduct investigations on its own initiative, and publishes the APP Guidelines explaining how it interprets each principle. The OAIC is the starting point for any individual who believes an APP entity has mishandled their personal information.
Sources and References
- Privacy Act 1988 (Cth), Schedule 1 (Australian Privacy Principles), legislation.gov.au
- OAIC, Read the Australian Privacy Principles (full text of the 13 APPs and Parts), oaic.gov.au
- OAIC, Australian Privacy Principles overview, oaic.gov.au
- OAIC, APP Guidelines Chapter B: Key concepts (APP entity, agency, organisation, small business operator), oaic.gov.au
- OAIC, Australian Privacy Principles quick reference, oaic.gov.au
- OAIC, Australian Privacy Principles guidelines, oaic.gov.au