
Business Guide to Australian Privacy Principles

In today’s digital-first economy, protecting personal information is more than just good business practice – it’s a legal obligation. The Australian Privacy Principles (APPs), set out in the Privacy Act 1988 (Cth), establish how businesses must collect, use, disclose, and manage personal data. Whether you operate a small business or a large corporation, understanding the APPs is crucial to avoid penalties and build customer trust.

This guide, prepared by our privacy and data lawyers, explains what the APPs are, when they apply, and how businesses can comply with Australian privacy legislation.

Key Takeaways

  • APPs are a legal framework for handling personal information in Australia.

  • They apply to businesses with annual turnover above $3 million, and regardless of turnover to health service providers, businesses that trade in personal information, credit reporting bodies and contracted service providers to the Commonwealth.

  • Compliance involves more than a privacy policy – businesses must embed APP requirements into daily operations.

  • The Office of the Australian Information Commissioner (OAIC) enforces compliance and can issue significant penalties.

  • Prosper Law helps businesses draft policies, train staff, and avoid breaches.


What are the Australian Privacy Principles (APPs)?

The 13 APPs regulate how personal information must be handled by APP entities. They are grouped into five categories:

1. Governance and Transparency (APP 1–2)

  • Businesses must manage data openly and transparently.

  • Customers should be able to deal with businesses anonymously, where reasonable.

2. Collection of Information (APP 3–5)

  • Only necessary personal information may be collected.

  • Customers must be notified about what information is collected and why.

3. Use and Disclosure (APP 6–9)

  • Information may only be used or disclosed for the primary purpose it was collected for, unless the individual consents, the individual would reasonably expect the secondary use and it is related to the primary purpose (directly related for sensitive information), or another exception in APP 6 applies.

  • Additional rules apply to direct marketing (APP 7), disclosing information to overseas recipients (APP 8) and adopting or using government identifiers such as Medicare or tax file numbers (APP 9).

4. Integrity and Security (APP 10–11)

  • Businesses must take reasonable steps to ensure personal information is accurate, up to date and complete (APP 10), and to protect it from misuse, interference, loss, and unauthorised access, modification or disclosure (APP 11).

  • APP 11 also requires personal information to be destroyed or de-identified once it is no longer needed for a permitted purpose, so retention practices are part of compliance, not just access controls.

  • A breach that is likely to result in serious harm to affected individuals triggers the Notifiable Data Breach (NDB) scheme, which requires notification of the OAIC and the individuals concerned.

    If you want to understand legal responsibilities and who holds accountability for cyber incidents, read our article Data Breaches & Information Security.

5. Access and Correction (APP 12–13)

  • Individuals have the right to access and correct their data.

  • Requests must be handled within a reasonable period, and a refusal must be explained in writing together with the individual's complaint options.

Unsure if your data practices meet the APPs? Contact Prosper Law today for a compliance review.

Do the APPs Apply to Your Business?

Not every business in Australia is automatically required to comply with the Australian Privacy Principles, but the rules extend far beyond just large corporations.

Understanding whether your business is covered is the first step toward compliance.

Businesses That Must Comply

  • Organisations with turnover over $3 million: If your organisation's annual turnover exceeds $3 million, compliance with the APPs is mandatory. This captures a wide range of medium to large businesses, including retailers, professional service firms, technology companies, and more.
  • Health service providers: Health information is sensitive information under the Privacy Act. Any business that provides a health service and holds health information, including small operators such as physiotherapists, dentists, allied health professionals, gyms that conduct medical assessments, and aged care providers, must comply with the APPs regardless of turnover.
  • Credit reporting bodies: Organisations that operate as credit reporting bodies cannot rely on the small business exemption. They are also subject to the separate and stricter credit reporting rules in Part IIIA of the Privacy Act, on top of the APPs. Simply holding financial data does not, by itself, bring a business within this category.
  • Australian Government agencies: All Commonwealth Government departments and agencies are automatically subject to the APPs.

In short: if your business is large, provides health services, operates as a credit reporting body, or is a Commonwealth agency, you must comply with the APPs.

Small Business Exemption

For most small businesses, if your turnover is $3 million or less, you are generally not required to comply with the APPs. 

However, there are important exceptions where small businesses must still comply. For example:

  • Health service providers: Any business that handles health information (such as a GP clinic or physiotherapy practice) must comply, even if it’s a sole trader.

  • Businesses trading in personal information: If your business buys, sells, or otherwise trades in personal data, the exemption does not apply.

  • Government contractors: Small businesses providing services under a contract with a Commonwealth Government agency (contracted service providers) must comply in relation to that contract, so that personal information is handled consistently whether the agency or its contractor holds it.

Legal Tip: Assuming you’re exempt without checking carefully could expose you to risk if the OAIC determines otherwise – reach out to us today to learn more.

Compliance Steps for Businesses

Understanding the APPs is one thing – putting them into practice is another. Here are the essential steps every organisation should take:

  • Create a Privacy Policy: Draft and publish a clear, accessible privacy policy that complies with the APPs. This document should explain what data you collect, why you collect it, how you store it, and the rights of individuals. It must be easy for customers to find, typically on your website.

    If you’re drafting or revising your policy, our guide Important Things to Include in Your Privacy Policy can help.

  • Audit Data Practices: Conduct a full review of how your business collects, stores, uses, and shares personal information. Identify gaps, risks, or processes that may not align with the APPs, and make adjustments to bring them into compliance.

  • Staff Training: Compliance isn’t just about policies – it’s about people. Employees should understand their privacy obligations, know how to handle data securely, and be able to respond to privacy requests or complaints.

  • Data Security Measures: Strong technical and organisational safeguards are essential. This includes encryption, secure access controls, breach detection systems, and incident response plans to reduce the risk of data breaches.

    When a breach happens, having a response plan matters – see the Data Breach Response Plan Checklist on our site for step-by-step guidance.

  • Regular Reviews: Privacy compliance is not a one-time exercise. Laws evolve, businesses change, and technology advances. Regularly review and update your privacy policies, security practices, and staff training to ensure ongoing compliance.

By following these steps, businesses can reduce their legal risks, protect customer trust, and demonstrate accountability under the APPs.

Risks of Non-Compliance

Not complying with the Australian Privacy Principles doesn’t just risk fines – it can damage every part of your business.

  • Fines and Penalties: For serious or repeated interferences with privacy, the Federal Court can impose civil penalties on application by the OAIC. For companies the maximum is the greater of $50 million, three times the benefit obtained from the breach, or 30% of adjusted turnover for the breach period. For many businesses, this financial hit could be crippling.
  • Reputation Damage: Customers expect their data to be safe. A single breach can make headlines, damage trust, and drive clients straight to competitors.
  • Operational Disruption: Investigations and audits take time and resources. Instead of focusing on growth, your team could be tied up dealing with regulators.
  • Legal Action: Individuals affected by a breach may seek compensation. Even if claims are settled, legal costs and stress can add up quickly.

Legal Tip: Non-compliance costs far more than compliance. Protect your customers and your business by getting ahead of the risks early.

Real-Life Business Examples

  • E-commerce Retailer: A fashion retailer collects customer emails, delivery addresses, and payment details. It must have a privacy policy explaining how this data is stored and used for marketing.

  • Physiotherapy Clinic: A small clinic is under the $3 million turnover threshold, but must comply because it collects sensitive health records.

  • Fintech Startup: A startup under the $3 million threshold is not covered merely because it analyses customer financial data, since financial data is not "sensitive information" under the Act. It must comply if it buys or sells personal information, operates as a credit reporting body, delivers services under a Commonwealth contract, or opts in. Many fintechs do opt in, because partners and investors expect APP-level handling of customer data.

To understand how evolving laws affect your business, check out New Privacy Laws in Australia – 2025.


Frequently Asked Questions (FAQs)

What is the penalty for breaching the APPs?

Breaches of the APPs can result in serious consequences. The OAIC has broad enforcement powers, including:

  • Investigations and audits into your business practices

  • Requiring enforceable undertakings (legally binding commitments to change your practices)

  • Issuing determinations that may include orders for compensation to affected individuals

  • Civil penalties sought through the Federal Court, which for serious or repeated breaches can reach the greater of $50 million, three times the benefit obtained, or 30% of adjusted turnover, as well as infringement notices for lesser contraventions

In addition to legal penalties, the reputational damage of a privacy breach can be devastating. Customers are more likely to abandon businesses that mishandle their data.

Do small businesses need to comply with the APPs?

While most small businesses with turnover under $3 million are exempt, many exceptions apply. You must comply if your business:

  • Provides health services (e.g. GP clinics, allied health, aged care providers)

  • Buys or sells personal information (e.g. data brokers, lead generators)

  • Is contracted by the government to deliver services

  • Operates as a credit reporting body

  • Has chosen to “opt in” to the Privacy Act

Even if exempt, small businesses often adopt APP-compliant practices voluntarily to build trust with customers. For deeper insight into data-security strategies, see our article on Privacy by Design for SMEs.

Can I transfer customer data overseas?

Yes, but the APPs impose strict rules to protect individuals when their personal information leaves Australia. Under APP 8 (Cross-border disclosure of personal information):

  • Before disclosing personal information to an overseas recipient, you must take reasonable steps (usually contractual terms and due diligence) to ensure the recipient does not breach the APPs in relation to that information.

  • Your business remains legally accountable: under the Act, an act or practice of the overseas recipient that would breach the APPs is treated as a breach by your business.

  • The main exceptions are where the recipient is bound by a law or binding scheme substantially similar to the APPs that the individual can enforce; where the individual expressly consents after being expressly told that your business will not be accountable for the recipient; or where the disclosure is required or authorised by Australian law.

For example, if an Australian software company sends customer records to a U.S.-based processor that accesses and handles them, it must put contractual protections in place and remains accountable for what the processor does with the data. Note that under OAIC guidance, placing information with a cloud provider that merely stores it under a contract restricting its use may be a "use" rather than a "disclosure", but the APP 11 security obligations still apply, and the storing entity should still check where the data is held and who can access it.

What should be included in a privacy policy?

An APP-compliant privacy policy should be clear, accessible, and specific to your business. APP 1.4 sets the minimum content: the kinds of personal information you collect and hold; how you collect and hold it; the purposes for which you collect, hold, use and disclose it; how an individual can access and correct their information; how to complain about a breach of the APPs and how you will deal with the complaint; whether you are likely to disclose information to overseas recipients and, if practicable, which countries.

A generic privacy policy template is rarely enough. Each business must tailor its policy to reflect its actual data practices, and a policy that describes practices you do not follow is itself a compliance risk.

To ensure your policy isn’t missing anything, refer to our article on What Do I Need in a Privacy Policy?.

Who enforces the APPs in Australia?

The Office of the Australian Information Commissioner (OAIC) is responsible for regulating privacy law and enforcing the APPs.

The OAIC also oversees the Notifiable Data Breaches (NDB) scheme, which requires APP entities to notify the OAIC and affected individuals of an eligible data breach: unauthorised access to, disclosure of, or loss of personal information that is likely to result in serious harm to any individual, and that remedial action cannot prevent.

Want practical guidance on how to respond to a breach? Head over to our Data Breach Risks: Recent Lessons piece.

About the Author

Farrah Motley
Director of Prosper Law. Farrah founded Prosper online law firm in 2021. She wanted to create a better way of doing legal work and a better experience for customers of legal services.
