
Australian Privacy Principles: Complete Guide for Small Businesses (2026)

Everything Australian small businesses need to know about the 13 Australian Privacy Principles, NDB scheme, and staying compliant with the Privacy Act 1988.

Executive Summary

Don't have 15 minutes? Here's what you need to know:

If you're running an Australian business that collects personal information, you must comply with the 13 Australian Privacy Principles (APPs). These principles were introduced in March 2014 as part of the Privacy Act 1988 and set strict rules for how you collect, use, store, and disclose personal information. The Privacy Act was significantly updated in December 2024 with new enforcement powers, cybersecurity requirements, and penalties up to $50 million. A statutory tort for serious privacy invasions took effect in June 2025, allowing individuals to sue directly for privacy breaches.

The critical thing most businesses miss: 100% of the Australian companies we analysed—including billion-dollar businesses—fail to include the Notifiable Data Breaches (NDB) scheme in their privacy policies, despite it being mandatory since February 2018. Even sophisticated companies with substantial legal budgets average only 66% coverage of the 13 APPs.

What's coming: The small business exemption (under $3M turnover) is expected to be removed in 2026-2027, bringing 2.3 million additional businesses under these requirements. The December 2024 reforms have already strengthened enforcement, and automated decision-making transparency requirements take effect in December 2026. Read about the December 2024 reforms and what's coming next.



What Are the Australian Privacy Principles?

The Australian Privacy Principles are 13 principles set out in the Privacy Act 1988 that regulate how Australian organisations collect, use, store, and disclose personal information. They were introduced through the Privacy Amendment Act 2012, which came into effect on 12 March 2014, replacing the previous National Privacy Principles (NPPs) and Information Privacy Principles (IPPs).

The APPs currently apply to any organisation with an annual turnover of more than $3 million, all private health service providers, some small businesses that trade in personal information, and credit reporting bodies. However, the December 2024 reforms signal significant changes ahead, with the small business exemption expected to be removed in upcoming legislation, meaning nearly all Australian businesses will need to comply.

Personal information includes any information about an identified individual or an individual who can be reasonably identified. This covers names, addresses, email addresses, phone numbers, dates of birth, financial information, health information, and even IP addresses in some contexts.


Why Australian Privacy Law is Different

Unlike privacy laws in the United States or Europe, Australian privacy law has unique requirements. The Privacy Act 1988 specifically requires coverage of all 13 APPs and includes the Notifiable Data Breaches scheme—requirements that most international privacy policy generators completely miss.

Many Australian businesses unknowingly use privacy policies generated by US-based tools that don't cover Australian requirements. Our research found that even billion-dollar Australian companies often have privacy policies missing critical elements like the NDB scheme, despite it being mandatory since 2018.

The December 2024 reforms have strengthened Australia's privacy framework even further, introducing new enforcement powers, enhanced cybersecurity requirements, and a statutory tort for serious privacy invasions that took effect in June 2025. These changes bring Australia closer to global privacy standards like the EU's GDPR while maintaining the distinctly Australian approach embodied in the 13 APPs.


The 13 Australian Privacy Principles Explained

APP 1: Open and Transparent Management of Personal Information

What it requires: Your organisation must have clear and up-to-date policies about how you manage personal information. These policies must be available to anyone who asks, and your privacy policy must be clear, current, and easily accessible.

In practice: You need a privacy policy that's easy to find on your website, written in plain language, and kept up to date. This policy should explain what information you collect, how you use it, who you might share it with, and how people can access or correct their information.

Common mistakes: Hiding your privacy policy at the bottom of your website in tiny text, using overly complex legal language that customers can't understand, or failing to update the policy when your practices change.

Example: A small e-commerce business should have their privacy policy linked clearly in their website footer, in their checkout process, and in any customer communications where personal information is collected.


APP 2: Anonymity and Pseudonymity

What it requires: Individuals must have the option to interact with your organisation without identifying themselves, or by using a pseudonym, whenever it's lawful and practicable.

In practice: You should give customers the option to deal with you anonymously or using a fake name when possible. However, there are many situations where this isn't practical—for instance, you can't deliver products without a real name and address.

Common mistakes: Requiring real names and email addresses for activities where they're not necessary, like browsing a website, reading articles, or asking general questions.

Example: A business blog should allow people to read articles and post comments using pseudonyms. However, an online store legitimately needs real names and addresses to fulfil orders.


APP 3: Collection of Solicited Personal Information

What it requires: You can only collect personal information that's reasonably necessary for your business functions or activities. You must collect it fairly and lawfully, not in an unreasonably intrusive way.

In practice: Only ask for information you actually need. If you're selling products, you need names and addresses for delivery, but you probably don't need dates of birth or phone numbers unless you have a specific reason.

Common mistakes: Collecting excessive information "just in case" it might be useful later, requesting sensitive information without justification, or collecting information through deceptive means.

Example: A newsletter signup should only collect an email address, not require a full name, phone number, address, and date of birth. A courier service legitimately needs delivery addresses but doesn't need to know your medical history.


APP 4: Dealing with Unsolicited Personal Information

What it requires: If you receive personal information you didn't request (unsolicited information), you must determine whether you could have collected it under APP 3. If not, you must destroy or de-identify it as soon as practicable.

In practice: Sometimes people volunteer information you didn't ask for—perhaps a customer emails you their credit card number even though you only accept payment through a secure gateway. If you didn't need this information and couldn't have lawfully collected it, you need to delete it.

Common mistakes: Keeping all information that comes your way without considering whether you should have it, or adding unsolicited information to customer records without the customer's knowledge.

Example: If a customer emails you their credit card details even though you only accept payment through Stripe (US-based), you should delete that email immediately rather than storing the card details.
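The scenario above (card details arriving by email that you never asked for) can be handled automatically at the point where inbound mail is ingested, before anything is written to a ticketing system or CRM. The following Python is an added example, not code from the original guide or from ComplianceKit: it finds candidate card numbers, confirms them with the Luhn checksum that payment card numbers satisfy, and redacts them, returning a count so the event can be logged without retaining the card data. The function names, the regular expression, the placeholder text and the sample email are all constructed for this illustration.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or
# hyphens, and not embedded inside a longer run of digits. (Constructed pattern.)
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ \-]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalise(candidate: str) -> str:
    """Strip the separators so the Luhn check and length check see digits only."""
    return re.sub(r"[ \-]", "", candidate)


def find_card_numbers(text: str) -> list[str]:
    """Return the separator-free card numbers found in text (Luhn-valid only)."""
    found = []
    for match in CARD_CANDIDATE.finditer(text):
        digits = _normalise(match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def redact_card_numbers(text: str) -> tuple[str, int]:
    """Replace every Luhn-valid card number with a placeholder.

    Returns the cleaned text and the number of redactions, so the intake
    system can record that unsolicited card data arrived and was destroyed
    without keeping the data itself (the APP 4 obligation).
    """
    count = 0

    def replace(match: re.Match) -> str:
        nonlocal count
        digits = _normalise(match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            count += 1
            return "[CARD NUMBER REMOVED]"
        return match.group()  # fails Luhn (e.g. a tracking number): leave it alone

    return CARD_CANDIDATE.sub(replace, text), count


# Constructed inbound customer email used to demonstrate the functions.
SAMPLE_EMAIL = (
    "Hi, order 1048 hasn't arrived. Please charge my Visa 4111 1111 1111 1111 "
    "instead, expiry 09/27. The courier tracking number is 1234 5678 9012 3456. "
    "Call me on 0412 345 678."
)

if __name__ == "__main__":
    cleaned, removed = redact_card_numbers(SAMPLE_EMAIL)
    print(f"{removed} card number(s) removed")
    print(cleaned)
```

Run on the sample email, the Visa number is removed while the 16-digit tracking number (which fails the Luhn check) and the phone number are left intact. The Luhn test is what keeps false positives low; without it, any long digit string such as a consignment or invoice number would be scrubbed from customer correspondence.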


APP 5: Notification of Collection of Personal Information

What it requires: When collecting personal information, you must take reasonable steps to notify individuals about who you are, why you're collecting the information, who you might share it with, and how they can access and correct it.

In practice: This is why you need a clear privacy policy! At the point of collection (like a signup form), you should either display this information or link to your privacy policy. The notification should happen before or at the time of collection.

Common mistakes: Only mentioning your privacy practices in a policy buried somewhere on your website, collecting information before telling people how you'll use it, or providing notifications that are too vague to be useful.

Example: A contact form should include text like "By submitting this form, you agree to our Privacy Policy [link]" or a brief summary of how you'll use the information, right there on the form before someone submits it.


APP 6: Use or Disclosure of Personal Information

What it requires: You can only use or disclose personal information for the purpose you collected it (the primary purpose), unless the individual consents or an exception applies. Related secondary purposes are allowed if the individual would reasonably expect them.

In practice: If you collected email addresses to send order confirmations, you can't start sending marketing emails without separate consent. If you collected information to provide a service, you can't sell that information to third parties without explicit consent.

Common mistakes: Using customer contact information for marketing when it was provided only for transaction purposes, sharing information with partners without consent, or assuming implied consent when it doesn't exist.

Example: A medical clinic collects patient information to provide healthcare. They can use this information to send appointment reminders (related purpose) but can't sell patient lists to pharmaceutical companies without explicit consent.


APP 7: Direct Marketing

What it requires: You can only use or disclose personal information for direct marketing if certain conditions are met. The individual must reasonably expect their information to be used for marketing, or you must have consent. You must always provide a simple opt-out option.

In practice: Marketing emails need clear unsubscribe links. If someone provided their email just to complete a purchase, you generally need separate consent before adding them to marketing lists. You must stop sending marketing if someone opts out.

Common mistakes: Adding customers to marketing lists without consent, making it difficult to unsubscribe, continuing to send marketing after someone opts out, or buying email lists and sending marketing without consent.

Example: An online retailer can include a checkbox at checkout: "Yes, send me marketing emails about new products and special offers." This must be unchecked by default (opt-in, not opt-out) and clearly separate from necessary order communications.


APP 8: Cross-Border Disclosure of Personal Information

What it requires: Before disclosing personal information to overseas recipients, you must take reasonable steps to ensure they'll handle it consistently with the APPs, or ensure the individual consents after being informed the overseas recipient may not comply.

In practice: If you use overseas service providers (like US-based cloud hosting, email services, or payment processors), you need to ensure they provide adequate privacy protections or disclose this in your privacy policy.

Common mistakes: Using international service providers without considering privacy implications, failing to disclose overseas transfers in your privacy policy, or not checking that overseas providers have adequate privacy protections.

Example: An Australian business using Amazon Web Services (servers in the US), Mailchimp (US-based), and Stripe (US-based) should disclose these overseas transfers in their privacy policy and explain what protections are in place.


APP 9: Adoption, Use or Disclosure of Government Related Identifiers

What it requires: You must not adopt a government-related identifier (like Medicare numbers or driver license numbers) as your own identifier for an individual, and you can only use or disclose these identifiers in specific circumstances.

In practice: Don't use someone's driver license number as their customer number in your system. Only collect and use government identifiers when legally required (like verifying age) or with the individual's consent.

Common mistakes: Using passport numbers or driver license numbers as customer reference numbers, unnecessarily collecting government identifiers, or storing these identifiers when they're no longer needed.

Example: A car rental company can ask for a driver license number to verify the customer can legally drive, but shouldn't use that license number as the customer's account number in their system.


APP 10: Quality of Personal Information

What it requires: You must take reasonable steps to ensure the personal information you collect, use, or disclose is accurate, up to date, complete, and relevant, having regard to the purpose for which it's held.

In practice: Regularly review and update customer information. Don't make important decisions based on old or inaccurate information. Provide ways for customers to update their details easily.

Common mistakes: Never updating customer records, making decisions based on outdated information, or not providing mechanisms for customers to correct their details.

Example: An online subscription service should regularly prompt customers to verify their details are current, especially if those details affect service delivery or billing.


APP 11: Security of Personal Information

What it requires: You must take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. You must also take reasonable steps to destroy or de-identify information you no longer need.

The December 2024 reforms clarified that "reasonable steps" explicitly includes both technical and organisational measures, bringing Australian requirements closer to international standards like GDPR.

In practice: Use encryption, secure passwords, access controls, and other security measures appropriate to the sensitivity of the information. Delete customer data when you no longer need it for business or legal purposes.

Technical measures include:

  • Encryption of sensitive data (in transit and at rest)
  • Access controls and authentication
  • Firewalls and intrusion detection
  • Secure software development practices
  • Regular security patching

Organisational measures include:

  • Staff training on security and privacy
  • Incident response plans
  • Vendor management and security assessments
  • Security policies and access management processes
  • Regular security audits

Common mistakes: Storing passwords in plain text, failing to encrypt sensitive information, giving too many staff members access to customer data, or keeping customer information indefinitely "just in case."

Example: An e-commerce business should use SSL/TLS encryption for their website, encrypt customer data in databases, limit access to customer information to essential staff only, and have a policy to delete old accounts after a certain period of inactivity.
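Two of the APP 11 points above, not storing passwords in plain text and deleting or de-identifying data you no longer need, are concrete enough to show in code. The following Python is an added example written for this guide, not code from the original page or from ComplianceKit: it stores credentials as salted PBKDF2 hashes and verifies them with a constant-time comparison, and it de-identifies accounts that have been inactive longer than a retention period while keeping the non-identifying record. The iteration count, the two-year retention period, the Account record, the reference date and the sample accounts are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date, timedelta

# Work factor for PBKDF2-HMAC-SHA256. 600,000 iterations is OWASP's current
# guidance; tune it to your hardware. (Assumed value for this example.)
PBKDF2_ITERATIONS = 600_000
RETENTION_DAYS = 730          # assumed policy: two years of inactivity
REFERENCE_DATE = date(2026, 2, 6)  # fixed "today" so the demo is reproducible


def hash_password(password: str) -> str:
    """Return a self-describing salted hash. The password itself is never stored."""
    salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


@dataclass
class Account:
    account_id: str     # internal id, kept so order totals still reconcile
    email: str
    name: str
    password_hash: str
    last_active: date
    deidentified: bool = False


def deidentify_inactive(accounts: list[Account], today: date,
                        retention_days: int = RETENTION_DAYS) -> list[str]:
    """De-identify accounts inactive for longer than the retention period.

    Personal fields are blanked in place and the credential is removed; the
    account_id and activity date remain so non-identifying records (sales
    totals, for instance) survive. Returns the ids that were de-identified.
    """
    cutoff = today - timedelta(days=retention_days)
    changed = []
    for account in accounts:
        if account.deidentified or account.last_active >= cutoff:
            continue
        account.email = ""
        account.name = ""
        account.password_hash = ""
        account.deidentified = True
        changed.append(account.account_id)
    return changed


def build_sample_accounts() -> list[Account]:
    """Constructed sample data: one active, one long inactive, one inside the window."""
    return [
        Account("acc-001", "ava@example.com", "Ava Nguyen",
                hash_password("correct horse"), date(2026, 1, 10)),
        Account("acc-002", "ben@example.com", "Ben Clarke",
                hash_password("tr0ub4dor"), date(2023, 5, 1)),
        Account("acc-003", "cai@example.com", "Cai Walker",
                hash_password("purple-monkey"), date(2024, 6, 1)),
    ]


if __name__ == "__main__":
    accounts = build_sample_accounts()
    print("login ok:", verify_password("correct horse", accounts[0].password_hash))
    print("de-identified:", deidentify_inactive(accounts, today=REFERENCE_DATE))
```

The hash string carries its own algorithm name, iteration count and salt, so the work factor can be raised later and old records re-hashed on next login without a schema change. The retention routine is deliberately idempotent: running it again on the same data changes nothing, which makes it safe to schedule as a regular purge job.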


APP 12: Access to Personal Information

What it requires: If someone asks for access to their personal information you hold, you must generally provide it. You can refuse access in specific circumstances (like if it would pose a serious threat to someone's life or health), but you must give reasons for refusal.

In practice: Have a process for people to request their data. Respond to requests within 30 days. Provide the information in a usable format. You can charge a reasonable fee for providing access, but not for making the request.

Common mistakes: Ignoring access requests, making it unnecessarily difficult to request data, charging excessive fees, taking too long to respond, or refusing access without valid reasons.

Example: A gym should have a process where members can request a copy of all personal information held about them—membership details, payment history, class bookings, etc.—within 30 days.


APP 13: Correction of Personal Information

What it requires: You must correct personal information if you're satisfied it's inaccurate, out of date, incomplete, irrelevant, or misleading. If someone asks you to correct their information but you refuse, you must give reasons and attach a statement to the record if they request it.

In practice: Make it easy for customers to update their information. When someone tells you their information is wrong, fix it promptly. If you've shared their information with others, inform them of the correction.

Common mistakes: Refusing to correct obvious errors, making it difficult for customers to update their details, not updating information across all systems, or not informing third parties when you've shared incorrect information.

Example: If a customer moves house and updates their address with you, you should update it everywhere in your systems and, if you've shared their old address with delivery partners for ongoing orders, inform those partners of the change.


The Notifiable Data Breaches (NDB) Scheme

The NDB scheme became mandatory on 22 February 2018, but our research shows that 100% of analysed Australian companies—including billion-dollar businesses—fail to include it in their privacy policies.

What is a Notifiable Data Breach?

A notifiable data breach occurs when:

  • There's unauthorised access to or disclosure of personal information held by your organisation
  • The information is lost in circumstances where unauthorised access or disclosure is likely to occur
  • The breach is likely to result in serious harm to affected individuals

What Constitutes "Serious Harm"?

Serious harm includes physical harm, psychological harm, emotional harm, economic harm, and harm to reputation. For example:

  • Identity theft
  • Financial fraud
  • Significant embarrassment or humiliation
  • Threats to physical safety
  • Loss of employment opportunities
  • Damage to personal reputation

Your Obligations Under the NDB Scheme

Assessment (30 days): When you become aware of a potential breach, you have 30 days to assess whether it's a notifiable data breach.

Notification (as soon as practicable): If it's notifiable, you must notify:

  • Affected individuals (directly, or via public statement if impracticable)
  • The Office of the Australian Information Commissioner (OAIC)

What to include in notifications:

  • Your identity and contact details
  • Description of the breach
  • The kind of information involved
  • Recommendations for steps individuals should take
  • Your contact details for further information

Preventing Data Breaches

Security measures you should implement:

  • Encryption of sensitive data (in transit and at rest)
  • Strong access controls and authentication
  • Regular security audits and penetration testing
  • Staff training on security and privacy
  • Incident response plans
  • Regular software updates and patches
  • Secure disposal of information
  • Vendor security assessments

Common Breach Scenarios

Lost or stolen devices: Laptop, USB drive, or mobile device containing customer data is lost or stolen. This is notifiable if the data wasn't encrypted.

Ransomware attacks: Hackers encrypt your data and demand payment. This is notifiable if customer data was accessed or exfiltrated.

Phishing attacks: Staff member falls for phishing email, giving hackers access to customer data.

Insider threats: Current or former employee accesses customer data without authorisation.

Third-party breaches: A service provider you share data with experiences a breach affecting your customers' information.

Penalties for Non-Compliance

The December 2024 reforms significantly increased penalties for privacy breaches. Failing to notify affected individuals and the OAIC of a data breach can now result in:

  • Civil penalties up to $2.5 million for individuals
  • Civil penalties up to $50 million for companies (or 30% of adjusted turnover, or three times the benefit obtained—whichever is greater)

December 2024 Reforms and What's Coming

The Privacy and Other Legislation Amendment Act 2024 (POLA) received Royal Assent on 10 December 2024, marking the first substantial changes to Australia's privacy framework since 2012.

What Changed in December 2024 (Now in Effect)

Enhanced OAIC enforcement powers: The OAIC can now issue infringement notices up to $66,000 per contravention, compliance notices, and has expanded search and seizure powers.

Tiered civil penalties: New penalty structure with mid-tier penalties (up to $3.3M for companies) and serious/repeated breach penalties (up to $50M for companies)—a 2,250% increase from the previous maximum.

Cybersecurity requirements clarified: APP 11 now explicitly states that "reasonable steps" include both technical and organisational measures.

Anti-doxxing criminal offences: Up to 7 years imprisonment for intentionally sharing personal information to cause physical or mental harm.

Emergency data breach declaration regime: Attorney-General can allow information sharing during large-scale breaches.

What Took Effect in June 2025 (Now in Effect)

Statutory tort for serious invasions of privacy: Individuals can now sue organisations or individuals directly for serious privacy invasions without needing to prove damage first. This has opened the door to privacy class actions and individual lawsuits.

What's Coming in December 2026

Automated decision-making transparency requirements: Organisations must disclose in privacy policies when they use automated decision-making systems.

Children's Online Privacy Code: Mandatory code for services "likely to be accessed by children" (under 18) must be registered by 10 December 2026.

What's Coming in Tranche 2 (Expected 2026-2027)

Removal of small business exemption: Expected to bring approximately 2.3 million additional businesses under Privacy Act requirements.

Updated definition of "personal information": Broader definition to capture technical identifiers, inferred data, and deceased individuals.

New "fair and reasonable" test: Collection, use, and disclosure must be fair and reasonable regardless of consent.

Stronger consent requirements: Consent must be voluntary, informed, current, specific, and unambiguous.

For a complete breakdown of the December 2024 reforms and what's coming next, read our comprehensive guide to Australia's Privacy Law Reforms.


Compliance Checklist for Australian Businesses

Use this checklist to ensure you're meeting your obligations under the Privacy Act:

Essential Requirements

  • Privacy policy is published and easily accessible on your website
  • Privacy policy is current and reflects your actual practices
  • All 13 APPs are addressed in your privacy policy
  • NDB scheme procedures are documented and included in your policy
  • December 2024 reforms are reflected in your privacy practices
  • Collection notices are provided at or before the point of collection
  • Consent mechanisms are in place where required (especially for marketing)
  • Security measures include technical and organisational controls
  • Access and correction procedures are established and communicated
  • Staff training on privacy obligations is conducted regularly
  • Data retention and destruction policies are documented and followed

Recommended Best Practices

  • Privacy impact assessments conducted for new projects or systems
  • Vendor contracts include privacy and security obligations
  • Regular privacy audits to ensure ongoing compliance
  • Incident response plan tested and updated regularly
  • Privacy by design principles incorporated into business processes
  • Record-keeping system for privacy-related decisions and consents
  • Designated privacy officer or responsible person identified
  • Customer communication about privacy practices and rights
  • Preparation for upcoming reforms including small business exemption removal

How to Stay Compliant

Step 1: Understand Your Obligations

Determine whether you're covered by the Privacy Act. Currently, the threshold is $3 million annual turnover, but this is expected to change. Understand what personal information you collect, why you collect it, and what you do with it.

Step 2: Create or Update Your Privacy Policy

Your privacy policy must cover all 13 APPs, the NDB scheme, and reflect the December 2024 reforms. It should be written in plain English at approximately Grade 10 reading level, so customers can actually understand it.

Step 3: Implement Proper Procedures

Have clear procedures for:

  • Collecting personal information (with appropriate notices)
  • Storing and securing information (technical and organisational measures)
  • Providing access to individuals who request their information
  • Correcting information when requested or when errors are found
  • Responding to data breaches
  • Deleting information when no longer needed

Step 4: Train Your Team

Everyone in your organisation who handles personal information should understand:

  • What personal information is
  • Their obligations under the Privacy Act and recent reforms
  • Your organisation's policies and procedures
  • How to identify and respond to potential data breaches
  • Who to contact if they have questions or concerns

Step 5: Regular Reviews

Privacy compliance isn't a one-time task. Review and update:

  • Your privacy policy (at least annually, or when practices change)
  • Your security measures (regularly, and after any incidents)
  • Your staff training (annual refresher training)
  • Your data retention practices (ongoing, with regular purges of old data)
  • Your readiness for upcoming reforms

Step 6: Document Everything

Keep records of:

  • Privacy policy versions and when they were updated
  • Staff training sessions and attendees
  • Privacy impact assessments
  • Data breach assessments and notifications
  • Access and correction requests and your responses
  • Decisions about consent, collection, use, and disclosure

Common Mistakes Australian Businesses Make

Using US-Based Privacy Policy Generators

Most international generators don't cover Australian requirements. They might mention "Australia" but don't actually address all 13 APPs or include the NDB scheme, and they definitely don't reflect the December 2024 reforms.

Collecting Too Much Information

Only collect information you actually need. Don't ask for dates of birth, phone numbers, or physical addresses unless you have a specific, legitimate reason.

Assuming Implied Consent

In many situations, you need explicit, informed consent. Don't assume that because someone visits your website or makes a purchase, they've consented to marketing emails or data sharing.

Ignoring the NDB Scheme

Your privacy policy must explain how you'll respond to data breaches. You must have procedures in place to detect, assess, and respond to potential breaches within the required timeframes.

Writing Policies That Are Too Complex

If your customers can't understand your privacy policy, it's not compliant. Use plain English, clear structure, and avoid unnecessary legal jargon.

Not Updating Policies

When your business practices change, your privacy policy must change too. Review it regularly and update it whenever you add new services, data collection, or third-party integrations. The December 2024 reforms may also require policy updates.

Inadequate Security

Security isn't optional—APP 11 requires reasonable steps to protect personal information, now explicitly including both technical and organisational measures. This means encryption, access controls, secure disposal, and other measures appropriate to the sensitivity of the data.

Not Preparing for Upcoming Changes

With the small business exemption expected to be removed and other significant changes coming in Tranche 2, businesses should start preparing now rather than waiting for the last minute.


Getting Help with Australian Privacy Compliance

When to Get Legal Advice

Consider consulting a privacy lawyer if you:

  • Handle sensitive information (health, financial, children's data)
  • Have complex data sharing arrangements
  • Operate in highly regulated industries
  • Have suffered a data breach
  • Are facing a privacy complaint or investigation
  • Need to understand how new reforms affect your specific situation

OAIC Resources

The Office of the Australian Information Commissioner provides:

  • Website: oaic.gov.au
  • Privacy enquiries line: 1300 363 992
  • Detailed guidance on each APP
  • Templates and resources for small businesses
  • Information about December 2024 reforms

ComplianceKit

ComplianceKit generates privacy policies specifically for Australian businesses, covering all 13 APPs, the NDB scheme, and the December 2024 reforms. Unlike US-based generators, it's built from the ground up for Australian privacy law and stays current with legislative changes.

The generator asks questions about your business and how you handle information, then creates a customised policy in plain English. You can download it in multiple formats and update it anytime if your business changes.

For businesses that want to ensure ongoing compliance as reforms continue, Managed Compliance provides automatic updates when Australian privacy law changes, hosted policies with version history, and email notifications when your policy is updated.


Conclusion

Understanding and implementing the Australian Privacy Principles doesn't have to be overwhelming. The key is to:

  1. Know what information you collect and why
  2. Be transparent about your privacy practices
  3. Implement reasonable security measures (technical and organisational)
  4. Respect individuals' rights to access and correct their information
  5. Stay current with reforms and upcoming changes

The December 2024 reforms and the June 2025 statutory tort have made privacy compliance more important than ever. With enhanced enforcement powers, significantly higher penalties, and the threat of direct lawsuits, privacy is now a board-level business priority.

But privacy isn't just about avoiding penalties—it's about building trust with your customers. In an era of increasing data breaches and privacy concerns, demonstrating strong privacy practices can be a competitive advantage.

For a detailed explanation of the December 2024 reforms, what's in effect now, and what's coming next, read our complete guide to Australia's Privacy Law Reforms.

Ready to Ensure Compliance?

ComplianceKit generates privacy policies specifically for Australian businesses, already updated for the December 2024 reforms and the June 2025 statutory tort.

Generate Once - $79 one-time:

  • Complete policy covering all 13 APPs
  • NDB scheme included
  • December 2024 and June 2025 reforms reflected
  • Download in 4 formats (PDF, DOCX, HTML, TXT)
  • Update anytime for free

Managed Compliance - +$29/year:

  • Automatic updates for December 2026 and Tranche 2
  • Hosted at secure URL
  • Email notifications when updated
  • Complete version history
  • One-click regeneration when your business changes



Last updated: February 6, 2026

This guide provides general information about Australian privacy law. It's not legal advice. For specific legal questions about your situation, consult a qualified privacy lawyer.
