Standardise
PricingSupportSign inGet started

Privacy Act & Australian Privacy Principles

Understand the Privacy Act 1988, the 13 APPs, OAIC oversight, and how Standardise tracks your compliance posture against each principle.

Overview

The Privacy Act 1988 is the primary federal legislation governing the handling of personal information in Australia. It applies to Australian Government agencies, private sector organisations with an annual turnover of more than $3 million, and certain other organisations regardless of turnover (including health service providers, businesses that trade in personal information, and those related to a larger organisation).

At the core of the Privacy Act are the 13 Australian Privacy Principles (APPs), which set the standards for how APP entities collect, store, use, disclose, and manage personal information. The APPs are technology-neutral and principles-based, giving organisations flexibility in how they achieve compliance while maintaining clear obligations.

The 13 Australian Privacy Principles

The APPs are grouped into five functional areas that cover the full lifecycle of personal information:

Part 1 — Consideration of Personal Information (APPs 1-5)

  • APP 1 — Open and transparent management of personal information. Requires a clearly expressed, up-to-date privacy policy that is freely available.
  • APP 2 — Anonymity and pseudonymity. Individuals must have the option of not identifying themselves unless identification is required by law or is impracticable.
  • APP 3 — Collection of solicited personal information. Only collect information that is reasonably necessary for your functions or activities. Sensitive information requires consent.
  • APP 4 — Dealing with unsolicited personal information. If you receive information you did not solicit, determine whether it could have been collected under APP 3. If not, destroy or de-identify it.
  • APP 5 — Notification of the collection of personal information. At or before the time of collection, notify individuals of who is collecting, why, and how they can access and correct their information.

Part 2 — Use and Disclosure (APPs 6-9)

  • APP 6 — Use or disclosure of personal information. Only use or disclose for the primary purpose of collection, unless the individual consents or an exception applies.
  • APP 7 — Direct marketing. Personal information may only be used for direct marketing where the individual would reasonably expect it, with a simple opt-out mechanism.
  • APP 8 — Cross-border disclosure of personal information. Before disclosing to an overseas recipient, take reasonable steps to ensure they comply with the APPs. You remain accountable for their handling.
  • APP 9 — Adoption, use or disclosure of government related identifiers. Organisations must not adopt a government identifier (such as a TFN or Medicare number) as their own, and can only use or disclose it in limited circumstances.

Part 3 — Data Quality, Security, Access, and Correction (APPs 10-13)

  • APP 10 — Quality of personal information. Take reasonable steps to ensure information is accurate, up-to-date, complete, and relevant before use or disclosure.
  • APP 11 — Security of personal information. Protect information from misuse, interference, loss, and unauthorised access, modification, or disclosure. Destroy or de-identify when no longer needed.
  • APP 12 — Access to personal information. Individuals have the right to access their personal information on request, with a response required within 30 days.
  • APP 13 — Correction of personal information. Correct information that is inaccurate, out-of-date, incomplete, irrelevant, or misleading. Notify third parties of corrections where prior disclosure has occurred.

The Role of the OAIC

The Office of the Australian Information Commissioner (OAIC) is the independent statutory authority that oversees the Privacy Act. The OAIC investigates complaints, conducts assessments of APP compliance, provides guidance, and can issue determinations and enforceable undertakings. The Australian Information Commissioner has the power to apply to the Federal Court for civil penalties of up to $50 million for serious or repeated interferences with privacy.

ISO 27001 Alignment

Many of the APPs align directly with ISO 27001:2022 controls. For example, APP 11 (security of personal information) maps to Annex A controls for information security, while APP 1 (open and transparent management) aligns with policy and procedure requirements. Maintaining an ISO 27001-certified ISMS provides strong evidence of compliance with the security-related APPs.

How Standardise Helps

The AU Compliance Hub includes a dedicated APP Tracker tab that lists all 13 Australian Privacy Principles with their key requirements. For each APP, you can:

  • Record your current compliance status (compliant, partially compliant, non-compliant, or not applicable)
  • Document the specific measures your organisation has implemented to address each principle
  • Track progress over time with an overall compliance percentage across all 13 APPs
  • Link APP compliance to supporting evidence, policies, and ISO 27001 controls in other modules

Related Articles

Australian Compliance
Notifiable Data Breaches Scheme
Understand the NDB scheme under the Privacy Act, the 72-hour assessment deadline, OAIC notification requirements, and how Standardise tracks breaches with countdown badges.
ISMS Modules
Australian Compliance Hub
Track compliance with Australian Privacy Principles, Essential Eight maturity, Notifiable Data Breaches, and IRAP readiness — all in one place.
ISO 27001 Guide
What is ISO 27001:2022?
An introduction to the international standard for information security management, why it matters, the benefits of certification, and what changed in the 2022 revision.
← Back to Help Center