
Australian Privacy Principles

The Australian Privacy Act 1988 sets out, in its Schedule 1, 13 APPs (Australian Privacy Principles). The APPs were added by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 and took effect on 12 March 2014; they give individuals greater rights over how entities within the Act’s scope handle their personal information.

There are two types of APP entity. Essentially:

  • Agencies are Australian and Norfolk Island government agencies.
  • Organisations are businesses and not-for-profit organisations with an annual turnover of more than AU$3 million.

These definitions are not exhaustive. For full information about the APPs’ applicability, please consult the Act itself.

What are the Australian Privacy Principles?

Part 1 – Consideration of personal information privacy

APP 1: Open and transparent management of personal information

To manage personal information openly and transparently, an APP entity must:


APP 2: Anonymity and pseudonymity


Part 2 – Collection of personal information

APP 3: Collection of solicited personal information


APP 4: Dealing with unsolicited personal information


APP 5: Notification of the collection of personal information

At or before the time it collects personal information (or, if that is not practicable, as soon as practicable afterwards), an APP entity must take reasonable steps to notify the individual of, or otherwise ensure the individual is aware of:


Part 3 – Dealing with personal information

APP 6: Use or disclosure of personal information

An APP entity must only use or disclose personal information for the particular purpose for which it was collected (the primary purpose). It may not use or disclose the information for a secondary purpose unless the individual consents or one of a number of other conditions applies.


APP 7: Direct marketing

If organisations hold personal information, they cannot use or disclose it for direct marketing (defined in the Explanatory Memorandum to the Act as “communicating directly with a consumer to promote the sale of goods and services to the consumer”) unless a number of conditions apply.


APP 8: Cross-border disclosure of personal information

Before an APP entity discloses personal information to an overseas recipient, it must take reasonable steps to ensure the recipient does not breach APPs 2–13 in relation to the information, unless a number of conditions apply. Under section 16C of the Act, an act or practice of the overseas recipient that would breach the APPs is generally treated as an act or practice of the disclosing entity, so the entity remains accountable for the information after disclosure.


APP 9: Adoption, use or disclosure of government related identifiers

Organisations must not:


Part 4 – Integrity of personal information

APP 10: Quality of personal information

APP entities must take reasonable steps to ensure that:


APP 11: Security of personal information


Part 5 – Access to, and correction of, personal information

APP 12: Access to personal information

On request, an APP entity must give an individual access to the personal information it holds about them, within a reasonable period and in the manner the individual requests if that is reasonable and practicable.

There are a number of exceptions to this rule:


APP 13: Correction of personal information


Complying with the APPs

The APPs reduce the risk of a data breach by reducing or removing risk at each stage of the personal information lifecycle – collection, holding, use, disclosure, de-identification and destruction.

ISO 27001 sets out the specification for a best-practice ISMS (information security management system), an organisation-wide approach that encompasses people, processes and technology. Organisations can be independently audited and certified against the Standard. If you need more guidance or advice on implementing ISO 27001, please contact us.

