Australian Privacy Principles: 13 APPs Explained
A complete guide to the 13 Australian Privacy Principles (APPs) under the Privacy Act 1988, their overlap with ISO 27001, and what organisations need to do for compliance.
What are the Australian Privacy Principles?
The Australian Privacy Principles (APPs) are the cornerstone of the Privacy Act 1988. They regulate how APP entities handle personal information: most Australian Government agencies, organisations with annual turnover above $3 million, and some smaller organisations regardless of turnover (private-sector health service providers, businesses that trade in personal information, and contracted service providers to the Commonwealth, among others). There are 13 principles covering the full lifecycle of personal information from collection to destruction.
Compliance is enforced by the Office of the Australian Information Commissioner (OAIC), which can investigate complaints, conduct assessments, make determinations, and seek civil penalties for serious interferences with privacy. Since December 2022 the maximum penalty for a body corporate is the greater of $50 million, three times the benefit obtained from the conduct, or 30% of adjusted turnover for the relevant period.
The 13 principles
- APP 1 — Open and transparent management
Organisations must have a clearly expressed privacy policy and manage personal information in an open and transparent way. Publish your policy, keep it up to date, and make it freely available.
- APP 2 — Anonymity and pseudonymity
Give individuals the option of not identifying themselves, or of using a pseudonym, when dealing with you, unless the law or a court or tribunal order requires identification or it is impracticable to deal with them anonymously.
- APP 3 — Collection of solicited personal information
Only collect personal information that is reasonably necessary for one or more of your functions or activities, and collect it lawfully, fairly and (where reasonable and practicable) directly from the individual. Sensitive information (for example health, genetic or biometric data, racial or ethnic origin, religious beliefs, sexual orientation and criminal record) additionally requires the individual's consent unless a specific exception applies.
- APP 4 — Dealing with unsolicited personal information
If you receive personal information you didn’t solicit, determine whether you could have collected it under APP 3. If not, destroy or de-identify it as soon as practicable.
- APP 5 — Notification of collection
At or before the time of collection (or, if that is not practicable, as soon as practicable afterwards), notify individuals of your identity and contact details, the purposes of collection, the consequences of not providing the information, who you usually disclose it to, how they can access or correct it and complain, and whether it is likely to be disclosed overseas and to which countries.
- APP 6 — Use or disclosure
Only use or disclose personal information for the primary purpose it was collected for, unless the individual consents or an exception applies. The main exception is a secondary purpose the individual would reasonably expect that is related to the primary purpose (directly related, in the case of sensitive information).
- APP 7 — Direct marketing
Personal information may be used for direct marketing only under the conditions set out in APP 7 (broadly: it was collected from the individual, the individual would reasonably expect it, and an opt-out is provided; sensitive information requires consent). Every marketing communication must carry a simple opt-out, and opt-outs must be honoured.
- APP 8 — Cross-border disclosure
Before disclosing personal information to an overseas recipient, take reasonable steps to ensure the recipient does not breach the APPs in relation to that information. With limited exceptions, you remain accountable for the recipient's handling of it. This is why Australian data residency matters.
- APP 9 — Adoption, use or disclosure of government identifiers
Don’t adopt government identifiers (like TFNs or Medicare numbers) as your own identifiers unless required by law.
- APP 10 — Quality of personal information
Take reasonable steps to ensure personal information you collect, use, or disclose is accurate, up to date, complete, and relevant.
- APP 11 — Security of personal information
Take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure, using physical, technical and administrative safeguards proportionate to the sensitivity of the data. Once the information is no longer needed for any purpose for which it may be used or disclosed, and no law or court order requires you to retain it, destroy it or de-identify it. This is where ISO 27001 provides the strongest alignment.
- APP 12 — Access to personal information
Individuals have the right to access the personal information your organisation holds about them. Agencies must respond within 30 days; organisations must respond within a reasonable period (the OAIC's guidance treats 30 days as the usual benchmark), and access may be refused only on the grounds listed in APP 12.
- APP 13 — Correction of personal information
Take reasonable steps to correct personal information to ensure it’s accurate, up to date, complete, relevant, and not misleading.
Overlap with ISO 27001
ISO 27001 and the APPs are complementary. Key areas of overlap:
- APP 1 + A.5.1 — Policies for information security align with transparent privacy management.
- APP 3 + A.5.12 — Classification of information lets you identify personal and sensitive information so that collection and handling can be restricted to what is reasonably necessary.
- APP 8 + A.5.31 and A.5.34 — Identifying legal, statutory, regulatory and contractual requirements (A.5.31) and protecting PII (A.5.34) cover cross-border disclosure obligations, with the supplier controls (A.5.19 to A.5.23) carrying them into contracts with overseas recipients.
- APP 11 + A.8.24, A.8.10 and A.8.11 — Use of cryptography (A.8.24) protects personal information in transit and at rest; information deletion (A.8.10) and data masking (A.8.11) support the destroy-or-de-identify obligation.
- APP 11 + A.5.24–28 — Incident management controls (planning, assessment of events, response, lessons learned, evidence collection) support NDB assessment and notification obligations.
Implementing ISO 27001 provides a structured approach to meeting APP 11 and reduces both the likelihood of a data breach and the chance that a breach meets the NDB serious-harm threshold, for example because the affected data was encrypted and the key was not exposed.
APP 8 and data residency
APP 8 requires an organisation to take reasonable steps, before disclosing personal information overseas, to ensure the recipient does not breach the APPs in relation to that information, usually through due diligence and contractual obligations. Under section 16C of the Act, an act or practice of the overseas recipient that would breach the APPs is treated as a breach by the disclosing organisation, so you remain liable even though the data has left your control. Limited exceptions apply, for example where the individual consents after being expressly informed of the consequences, or where you reasonably believe the recipient is bound by a substantially similar law with accessible enforcement mechanisms.
The simplest way to manage APP 8 risk is to keep personal information within Australia, which avoids cross-border transfer assessments and reduces regulatory exposure. Residency is a property of every system that holds or processes the data, including backups, logs, analytics pipelines, support tooling and third-party SaaS, not only the primary database. Standardise stores all data in AWS ap-southeast-2 (Sydney) for this reason.
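One way to make "all data stays in Sydney" a technical guarantee rather than a policy statement is an AWS Organizations service control policy (SCP) that denies API calls targeting any other region. The Terraform below is an added example written for this guide; it is not Standardise's own configuration and is not from the Privacy Act or OAIC material. It assumes an AWS Organizations setup with SCPs enabled and an organisational unit (OU) containing the accounts that process personal information; the OU ID is a placeholder variable you must supply.

```hcl
# Added example for this guide, not Standardise's own configuration.
# Assumptions: AWS Organizations with SCPs enabled; an OU holding the accounts that
# process personal information; the OU ID below is a placeholder you supply.
variable "workload_ou_id" {
  description = "OU (or account) ID to attach the residency SCP to, e.g. ou-xxxx-xxxxxxxx (placeholder)"
  type        = string
}

# Region pin: deny every API call whose target region is not ap-southeast-2.
# Global services that have no region of their own (IAM, STS, Organizations,
# CloudFront, Route 53, Support, Budgets, Health) are exempted via NotAction;
# without that exemption the accounts could no longer even authenticate.
resource "aws_organizations_policy" "au_residency" {
  name        = "restrict-to-ap-southeast-2"
  description = "APP 8 data residency: deny AWS API calls outside ap-southeast-2"
  type        = "SERVICE_CONTROL_POLICY"

  content = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "DenyAllRegionsExceptSydney"
        Effect = "Deny"
        NotAction = [
          "iam:*",
          "sts:*",
          "organizations:*",
          "cloudfront:*",
          "route53:*",
          "support:*",
          "budgets:*",
          "health:*"
        ]
        Resource = "*"
        Condition = {
          StringNotEquals = {
            "aws:RequestedRegion" = "ap-southeast-2"
          }
        }
      }
    ]
  })
}

# Attach the SCP to the OU; every account under it inherits the deny.
resource "aws_organizations_policy_attachment" "au_residency" {
  policy_id = aws_organizations_policy.au_residency.id
  target_id = var.workload_ou_id
}
```

Three caveats a practitioner should check before relying on this. SCPs never apply to the organisation's management account, so personal information must not live there. The SCP only constrains what your own principals can do from now on; it does not move or flag data that already exists in another region, so pair it with an inventory check (for example AWS Config rules or a scripted pass over bucket and instance locations) when you roll it out. And it says nothing about third parties you disclose data to outside AWS, which still need the contractual and due-diligence steps APP 8 requires.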
The Notifiable Data Breaches (NDB) scheme
Since 22 February 2018, entities covered by the Privacy Act must notify the OAIC and affected individuals of eligible data breaches. A breach is eligible when three conditions hold: there has been unauthorised access to, unauthorised disclosure of, or loss of personal information; a reasonable person would conclude it is likely to result in serious harm to one or more individuals; and the entity has not been able to prevent that likely risk of serious harm through remedial action.
Once you have reasonable grounds to suspect an eligible breach may have occurred, the Act requires a reasonable and expeditious assessment, completed within 30 days of becoming aware of those grounds; many organisations set a much tighter internal target, such as 72 hours, so that containment can still prevent serious harm. If the assessment confirms an eligible breach, you must prepare a statement for the Commissioner and notify affected individuals as soon as practicable (or publish the statement where individual notification is impracticable). ISO 27001 incident management controls help you detect breaches early, contain them while remediation can still avert serious harm, and preserve the evidence the assessment relies on.
How Standardise helps
Standardise includes a dedicated APPs tracker that monitors your implementation status across all 13 principles. Combined with NDB deadline enforcement (a 72-hour internal assessment target, well inside the Act's 30-day window), incident response management with automatic breach classification, and Australian data residency, Standardise provides end-to-end Privacy Act compliance support alongside your ISO 27001 ISMS.