A Definitive Break-Down of the 13 Australian Privacy Principles

Written by

Ilyas Omari

The Australian Privacy Principles are national principles that outline how personal information should be collected, used, and protected by APP entities (as defined by the Act). The principles were introduced by the Privacy Amendment (Enhancing Privacy Protection) Act 2012. In this article, we provide a breakdown of each of the 13 Australian Privacy Principles.

Read along!

What is an APP entity?

According to section 6 of the Privacy Act 1988, an APP entity is an agency or an organisation.

What are the 13 Privacy Principles?

1. Open and Transparent Management of Personal Information

This principle states that APP entities are required to handle personal information openly and transparently. 

Furthermore, it states that APP entities are required to develop systems, procedures, and practices in relation to their activities that will ensure their compliance with the Australian Privacy Principles and any registered APP codes binding on the entity.

Additionally, entities need to ensure they can manage any complaints or inquiries they receive from individuals who have concerns about the entity’s compliance with the Australian Privacy Principles or APP codes.

This principle also states that entities are required to have a privacy policy that outlines how personal information will be managed. This policy must include the following information:

  • The type of personal information the entity collects and maintains
  • The methods that the entity uses to obtain information
  • The reasons why the entity collects, uses, and discloses the personal information
  • How individuals are able to access the personal information the entity has collected about them and how individuals can ask the entity to correct any incorrect information
  • How individuals can make complaints against the entity for any breaches of Australian Privacy Principles or APP codes
  • Whether the entity intends to share information with foreign bodies and, if so, which foreign bodies it intends to share the information with

APP entities are required to make the privacy policy available free of charge and in an appropriate form. Furthermore, if an individual requests an entity’s privacy policy in a specific form, the entity must provide the policy in the form that has been requested.

2. Anonymity and Pseudonymity

APP entities must allow people to remain anonymous or use a pseudonym when dealing with them regarding a particular matter. However, there are some circumstances where this principle cannot be applied.

Individuals cannot use pseudonyms or remain anonymous when dealing with an APP entity if the entity is required by a court order, tribunal order, or Australian law to only deal with identified individuals. Furthermore, individuals cannot remain anonymous or use pseudonyms if it is unreasonable for the APP entity to deal with them anonymously. 

3. Collection of Solicited Personal Information

This principle states that APP entities are prohibited from collecting personal information (other than sensitive information) if the information isn’t directly related to the entity’s activities or functions or if the information isn’t reasonably required to be collected by the entity.

In regard to sensitive information, the law differs slightly depending on whether the entity is an agency or an organisation. This principle states that APP entities can’t collect sensitive information from individuals unless the individuals have provided consent. More specifically, agencies can only collect sensitive information if it is necessary for, or directly related to, one of their functions or activities.

Contrastingly, organisations are only allowed to collect sensitive information if it is reasonably required for one of their activities or functions.

4. Dealing with Unsolicited Personal Information

Where an APP entity receives personal information it did not ask for, it is required to determine, within a reasonable period of time, whether it would have been able to collect this information under principle three if it had requested it. This determination decides whether the APP entity can use or disclose the unsolicited information it has received.

If the APP entity finds that it would not have been able to collect this information under principle three, and the information is not contained in a Commonwealth record, the entity must either erase the information (provided that doing so is reasonable and lawful) or de-identify it.

5. Notification of the Collection of Personal Information

When an APP entity collects an individual’s personal information, the entity is required, at or before the time of collection or within a reasonable period afterwards, to notify the individual of the following matters or otherwise make sure the individual is aware of them:

  • The identity and contact details of the entity
  • Whether the entity obtained the individual’s information from someone else and, if so, how it collected the information
  • Whether the collection of the information was required or authorised by an Australian law or court order
  • The reason why the entity has collected the information
  • In the event that the APP entity does not collect all or some of the individual’s personal information, what the main consequences are for the individual (if any)
  • The other APP entities, bodies, or individuals to which the APP entity discloses the information it collects
  • How the individual can access the information
  • How an individual can make a complaint against the APP entity where it has breached a privacy principle or an APP code
  • Whether the entity will share the information with an overseas body and, if so, in which countries these overseas bodies are located

6. Use or Disclosure of Personal Information

This principle states that information collected by an APP entity for a particular purpose (its primary purpose) must not be used or disclosed for a secondary purpose. There are two exceptions to this principle that allow the use or disclosure of personal information for a secondary purpose. These are:

  • When the individual has provided consent for the information to be used or disclosed for a secondary purpose; or
  • If subclause 6.2 or 6.3 of this privacy principle is applicable regarding the disclosure or use of the information.

Subclause 6.2 states that personal information can be used or disclosed in the following situations:

  • Where the individual would reasonably expect the APP entity to use or disclose the information for the secondary purpose, and that secondary purpose is directly related to the primary purpose (if the information is sensitive) or related to the primary purpose (if the information is not sensitive)
  • If disclosing or using the information is authorised or required by a court order, tribunal order, or an Australian law
  • Where a permissible general situation exists regarding the APP entity’s use or disclosure of the information
  • The APP entity can use or disclose the information if they are an organisation and the use or disclosure of the information relates to a permissible health situation
  • The APP entity can use or disclose the information if they have a reasonable belief that it is required by, or on behalf of, an enforcement body to conduct its enforcement activities

Subclause 6.3 allows an agency to disclose personal information about an individual where all of the following conditions are met:

  1. The agency is not an enforcement body
  2. The information is biometric information or biometric templates
  3. The recipient of the information is an enforcement body
  4. The disclosure is made in accordance with guidelines created by the Commissioner

In summary, an APP entity can only use or disclose information for the purpose for which it was collected, unless the individual has consented. The information can also be used or disclosed for another purpose if the individual would reasonably expect this, as long as:

  • The other purpose relates to the primary purpose;
  • The use or disclosure is required under Australian law or a court or tribunal order; or
  • One of the other exceptions above applies.

The information can also be used if the entity is not an enforcement body and the information is biometric, the receiver is an enforcement body, and the use of it complies with the guidelines of the Commissioner. These rules do not apply to direct marketing or government-related identifiers.

7. Direct Marketing

Organisations generally can’t use the personal information they hold about an individual for direct marketing. However, there are a few exceptions to this principle, which include the following:

  • Where the individual has consented to the collection of the personal information
  • Where the individual reasonably expected that the organisation would use or disclose the information for marketing purposes
  • Where the organisation provides individuals with a simple method to ask the organisation to stop sending direct marketing communications, and the individual hasn’t asked the organisation to stop sending them

The individual should be able to make a request not to receive direct marketing communications free of charge.

8. Cross-border Disclosure of Personal Information

Before an APP entity discloses personal information to an overseas recipient, it must ensure that the overseas recipient will not breach the Australian Privacy Principles. Overseas recipients are individuals or entities that are not located in Australia or an external territory and that are not the APP entity or the individual concerned.

However, there are several exceptions to this principle. These include the following:

  • If the entity reasonably believes that the recipient of the information will protect the information in a manner substantially similar to the protection provided by the Australian Privacy Principles, because the recipient is bound by a law or binding scheme
  • Where the individual whose information has been disclosed to an overseas recipient has the ability to take action against the recipient through the law or scheme that’s governing the overseas recipient

In other words, the entity must make sure that any overseas recipient of the information complies with the Privacy Principles, except where the recipient is bound by laws that protect the information in a way similar to the protection provided by the Principles. Likewise, the entity is exempt if the individual consents to the disclosure or if the disclosure is required under Australian law.

9. Adoption, Use, or Disclosure of Government-Related Identifiers

Organisations can’t adopt an individual’s government-related identifier as their own identifier for that individual unless an exception applies. The exception is where the adoption is required or authorised by a court order, tribunal order, or Australian law.

Furthermore, organisations are prevented from using or disclosing an individual’s government-related identifier unless an exception applies. The exceptions that can apply include the following:

  1. If it is reasonably required for an organisation to verify the identity of the individual for its functions or activities, the use or disclosure of the identifier is permitted
  2. Organisations can use or disclose identifiers if it is reasonably necessary for them to do so in order to meet obligations they owe to state or territory authorities or agencies
  3. Using or disclosing an identifier is permitted if its use or disclosure is required by a court order, tribunal order, or an Australian law
  4. The use or disclosure of an identifier is permitted in permissible general situations
  5. The organisation can use or disclose the identifier if they have a reasonable belief that it is required by, or on behalf of, an enforcement body to conduct its enforcement activities

10. Quality of Personal Information

Any personal information collected by an APP entity must be accurate, complete, and up to date. An APP entity can only use or disclose the information once it has ensured the information is accurate, relevant, and complete.

11. Security of Personal Information

An APP entity must protect the personal information it holds from misuse, interference, loss, unauthorised access, modification, and disclosure. Furthermore, if an APP entity holds an individual’s personal information, it must destroy or de-identify the information if all of the following conditions apply:

  • Commonwealth records do not contain the information;
  • An Australian law, court order, or tribunal order states that the entity isn’t allowed to keep the information; and
  • It is no longer necessary for the entity to use or disclose the information for any purpose under this Schedule.

12. Access to Personal Information

Individuals must be able to access their personal information when they request it. However, APP entities can refuse or be required to refuse an individual’s access to their personal information if they’re authorised or permitted to do so under the Freedom of Information Act or any Commonwealth act. 

This means that APP entities can refuse an individual’s request to access personal information in the following circumstances: 

  1. Where they reasonably believe that providing access would pose a serious threat to the life, health, or safety of any individual, or to public health or public safety
  2. Where they believe that providing access could unreasonably impact other individuals’ privacy
  3. Where they believe that the request is frivolous or vexatious (that is, meaningless or made to cause annoyance)
  4. Where the requested information relates to existing or anticipated legal proceedings between the individual and the entity, and the information would not be accessible through the discovery process in those proceedings
  5. Where providing access would reveal the entity’s intentions in relation to negotiations it is having with the individual, in a way that would disadvantage the entity in those negotiations
  6. Where it is illegal to provide the information
  7. Where refusing access to the information is authorised or required by a court order, tribunal order, or by an Australian law

13. Correction of Personal Information

The entity must ensure that the information it collects about individuals is accurate, up to date, complete, relevant, and not misleading. APP entities must also correct information about an individual if the information is incorrect.

Furthermore, APP entities must also notify other affected APP entities of the changes and corrections to the information. If an APP entity refuses to correct information, then they must notify the individual and provide a written explanation as to why there was a refusal to correct the information. The written notice must also outline how an individual can make a complaint about the refusal to correct the information.

When an individual requests a correction, agencies must respond within 30 days, whereas organisations are required to respond within a reasonable period.

These 13 principles are essential for any business, company, or organisation that handles the personal information of individuals to understand. Privacy is a very serious matter, and the penalties for non-compliance are severe. You should use our privacy policy template to outline how your business will manage and deal with personal information.