The Privacy Act 1988 (Cth) is Australia's national privacy law, and its thirteen Australian Privacy Principles (APPs) set the rules for how organisations collect, hold, use, disclose, and secure personal information. For decades it was easy to treat as a policy on a shelf. That era is over: penalties now reach into the tens of millions, the Notifiable Data Breaches scheme puts incidents on the public record, individuals can sue directly under the new statutory tort, and the regulator – the OAIC – has both new powers and a visible appetite to use them. As an Australian company, this is our home ground, and it is the framework we get asked about most.
Who the Act coversLink to this section
The APPs bind APP entities: Australian Government agencies and private-sector organisations with annual turnover above A$3 million – plus many smaller businesses regardless of turnover, including private health service providers, businesses that trade in personal information, and credit reporting bodies. Contracted service providers to the Commonwealth are also caught. If you sit under the threshold today, don't get comfortable: removing the small business exemption is squarely on the reform agenda, and enterprise customers increasingly demand APP-level practices from suppliers of any size through contract anyway.
The APPs in practiceLink to this section
The thirteen principles run the full life cycle of personal information – from whether you should collect it at all (APP 3), to telling people you have (APP 5), using it only as expected (APP 6), keeping it accurate and secure (APPs 10–11), and giving individuals access and correction rights (APPs 12–13). Two deserve special mention:
- APP 1 is the accountability principle. It requires practices, procedures, and systems that ensure compliance – the OAIC reads this as governance, appointed responsibility, and a trained workforce, not just a published policy.
- APP 11 is where breaches are born. "Reasonable steps to protect" is judged with hindsight after an incident, and the 2024 reforms clarified that it includes technical and organisational measures – which puts security controls and staff training explicitly inside the legal obligation.
The Notifiable Data Breaches schemeLink to this section
Since 2018, an eligible data breach – unauthorised access, disclosure, or loss likely to result in serious harm – must be notified to the OAIC and to affected individuals. You get a maximum of 30 days to assess a suspected breach, which is not long when you're doing it for the first time under pressure. The organisations that come through NDB events well are the ones that rehearsed: a documented response plan, a practised assessment process, and staff who recognise and escalate incidents quickly. That last part is a training problem, and it's the difference between a contained event and a headline.
Enforcement now has real teethLink to this section
The penalty regime was overhauled in late 2022: serious or repeated interferences with privacy now attract civil penalties up to the greater of A$50 million, three times the benefit obtained, or 30% of adjusted turnover in the relevant period. The 2024 reforms added a tiered penalty structure so the OAIC can also pursue mid-range and administrative breaches (like deficient privacy policies) without needing the "serious" threshold – meaning smaller compliance gaps are now independently actionable.
The reform era – what's live and what's comingLink to this section
Privacy reform is arriving in tranches, and the first is already law:
- Statutory tort for serious invasions of privacy – in force since June 2025. Individuals can now sue directly for intentional or reckless invasions of privacy; class actions are the obvious vector.
- Criminal doxxing offences and expanded OAIC enforcement and investigation powers.
- Automated decision-making transparency – by 10 December 2026, privacy policies must disclose the kinds of decisions made (or substantially informed) by computer programs and the personal information used. If you're deploying AI on customer data, this deadline is yours.
- Tranche 2 on the horizon – a "fair and reasonable" handling test, expanded individual rights, and the likely narrowing of the small business and employee-records exemptions are all flagged. Building good practice now is far cheaper than retrofitting it later.
How the Privacy Act relates to other frameworksLink to this section
The APPs are the legal floor; frameworks are how you operationalise them. ISO 27701 gives you a certifiable privacy management system that maps cleanly onto APP obligations; ISO 27001 and the Essential Eight substantiate APP 11's "reasonable steps"; and if you serve European or global customers, the APPs share DNA with the GDPR – aligned once, you can evidence both.
How we helpLink to this section
Privacy compliance fails at the human layer far more often than the technical one – a mis-sent spreadsheet, an over-shared CRM export, a phished credential. That's why our approach pairs advisory with workforce capability:
- Gap assessment against all thirteen APPs. A prioritised, plain-language report of where you stand, what the OAIC would find, and what to fix first.
- Policies and notices that hold up. Privacy policy, collection notices, and internal procedures written to be followed – and defensible under the new tiered penalties.
- Privacy training for the whole workforce. Practitioner-led courses covering the APPs, data handling, and breach recognition – for the lawyers, marketers, and frontline staff who actually touch personal information, not just IT.
- NDB readiness. A response plan, a 30-day assessment playbook, and tabletop exercises so your first real breach isn't your first rehearsal.
- Evidence, always. Every enrolment, completion, and certificate lands in our platform's tamper-evident training ledger – so when the OAIC (or a customer, or an insurer) asks how you meet APP 1.2 and APP 11, you export the proof instead of assembling it.
The table below walks through each of the thirteen APPs and how we help you meet it.
The thirteen Australian Privacy Principles
Consideration of personal information privacy
| APP | Principle | How we help |
|---|---|---|
| APP 1 | Open and transparent management of personal information | We draft a clear, current privacy policy and – more importantly – the internal practices, procedures, and systems APP 1.2 actually requires behind it, including the staff training that makes them real. |
| APP 2 | Anonymity and pseudonymity | We review your customer journeys to identify where individuals must be offered anonymous or pseudonymous interaction, and document the exceptions you rely on. |
Collection of personal information
| APP | Principle | How we help |
|---|---|---|
| APP 3 | Collection of solicited personal information | We map what you collect against what you genuinely need, tighten over-collection (the single most common finding), and set special rules for sensitive information and consent. |
| APP 4 | Dealing with unsolicited personal information | We build a simple triage procedure so staff know what to do when personal information arrives uninvited – assess, retain lawfully, or destroy and de-identify, with the decision recorded. |
| APP 5 | Notification of the collection of personal information | We write layered collection notices that satisfy APP 5's matters without burying users in legalese, and embed them at every collection point – forms, calls, apps, and third-party sources. |
Dealing with personal information
| APP | Principle | How we help |
|---|---|---|
| APP 6 | Use or disclosure of personal information | We document your primary purposes and test every secondary use against them, so marketing, analytics, and AI initiatives don't quietly drift outside what individuals would expect. |
| APP 7 | Direct marketing | We align your marketing stack with APP 7 (and the Spam Act) – consent capture, opt-out mechanics that actually work, and source records for every marketing list. |
| APP 8 | Cross-border disclosure of personal information | We inventory every offshore disclosure (including SaaS and cloud), apply the accountability test, and put contractual and due-diligence measures in place so APP 8 doesn't surprise you in an incident. |
| APP 9 | Adoption, use or disclosure of government related identifiers | We check where TFNs, Medicare numbers, and other government identifiers flow through your systems and lock their use down to the permitted purposes. |
Integrity of personal information
| APP | Principle | How we help |
|---|---|---|
| APP 10 | Quality of personal information | We define data-quality controls proportionate to how the information is used – especially where decisions about individuals (increasingly automated ones) depend on it. |
| APP 11 | Security of personal information | We translate "reasonable steps" into a concrete control set – now explicitly including technical and organisational measures – covering access control, encryption, retention and destruction, and the workforce training that underpins all of it. |
Access to and correction of personal information
| APP | Principle | How we help |
|---|---|---|
| APP 12 | Access to personal information | We stand up an access-request procedure with clear timeframes, identity verification, and exception handling, and train the staff who will actually field the requests. |
| APP 13 | Correction of personal information | We pair correction handling with your data-quality controls, so corrections propagate to every system and third party that received the original information. |