Which businesses must comply with the Australian Privacy Principles?

The APPs apply to Australian Government agencies and private sector organisations with annual turnover of more than $3 million. They also apply to some organisations regardless of turnover, including health service providers, organisations that trade in personal information, and those related to organisations covered by the Act.

How do the APPs differ from GDPR?

While both protect personal information, the GDPR has broader scope (applying to all organisations processing EU residents' data), requires explicit consent more often, includes a right to erasure (not currently in APPs), and has higher maximum penalties. However, proposed reforms to the Privacy Act may bring the APPs closer to GDPR standards.

What are the penalties for breaching the APPs?

The maximum civil penalty for a serious or repeated interference with privacy is the greater of $50 million, three times the value of any benefit obtained, or 30% of adjusted turnover during the breach period. The OAIC can also accept enforceable undertakings, make determinations, and seek injunctions.

Book Free Assessment Calculator

Australian Privacy Principles (APPs)

Australian Privacy Principles

Also known as:APPsprivacy principlesAustralian privacy law

The thirteen principles under the Privacy Act 1988 that regulate how Australian government agencies and organisations with annual turnover of more than $3 million handle personal information.

In-Depth Explanation

The Australian Privacy Principles (APPs) are the cornerstone of privacy regulation in Australia, established under the Privacy Act 1988 and administered by the Office of the Australian Information Commissioner (OAIC). They set out standards, rights, and obligations for the handling of personal information.

The 13 Australian Privacy Principles:

APP 1: Open and transparent management of personal information
APP 2: Anonymity and pseudonymity options for individuals
APP 3: Collection of solicited personal information
APP 4: Dealing with unsolicited personal information
APP 5: Notification of the collection of personal information
APP 6: Use or disclosure of personal information
APP 7: Direct marketing restrictions
APP 8: Cross-border disclosure of personal information
APP 9: Adoption, use, or disclosure of government-related identifiers
APP 10: Quality of personal information
APP 11: Security of personal information
APP 12: Access to personal information
APP 13: Correction of personal information

Key obligations for businesses:

Maintain a clearly expressed, up-to-date privacy policy
Only collect personal information that is reasonably necessary
Take reasonable steps to protect personal information from misuse, loss, and unauthorised access
Allow individuals to access and correct their personal information
Notify the OAIC and affected individuals of eligible data breaches (Notifiable Data Breaches scheme)

Business Context

Businesses with turnover above $3 million (and some below this threshold) must comply with the APPs or risk enforcement action, penalties, and reputational damage from the OAIC.

How Clever Ops Uses This

Clever Ops helps Australian businesses build privacy-compliant systems and workflows. We implement data handling processes that align with the APPs, including automated consent management, data access request workflows, and breach notification procedures, ensuring our clients meet their privacy obligations efficiently.