What is Australia’s Privacy Act, and How is it Affecting Businesses?


The Australian Privacy Act was created in 1988 but has been updated continuously since then to keep up with evolving technology. A revision to the act has been in the works since 2019. It uses 13 Australian Privacy Principles (APPs) to regulate how both businesses and governments handle personal information.  

According to the Australian Privacy Act, personal information is any information tied to an identifiable individual, regardless of its form or whether that information is true. Any business that handles personal information in Australia should be aware of the Australian Privacy Act, and the relevant legislation they must comply with. 

Examples of Personal Information Include: 

  • Name 
  • Date of Birth 
  • Address 
  • Phone Number
  • Bank Account Number
  • Location Information 
  • IP addresses

Who Must Comply with the Australian Privacy Act?

Companies in Australia must comply with the Australian Privacy Act, but many companies outside of Australia are subject to the act as well. If a company has an “Australian link,” the APPs extend to that company as well. This “Australian link” can consist of many things, including:

  • An Australian citizen, or an individual whose presence in Australia is not subject to a legal time limit
  • An organization with a partnership or trust created in Australia 
  • An association with central management in Australia  
  • An organization that “carries on business” (regularly conducts formal enterprise) in Australia 
  • An organization that collects or stores personal information in Australia 

If you collect information from an individual who resides in Australia, even if the website you use or your business is incorporated elsewhere, it’s safe to assume that personal information is subject to the Australian Privacy Act.  

How to Comply with the Australian Privacy Act 

The Australian Privacy Act is centered around the 13 Australian Privacy Principles (APPs) that apply to every organization subject to the Australian Privacy Act. This law is principle-based and technology neutral, made to address issues at a high level instead of keeping up with constantly evolving technologies. If you want to read them all in their entirety, you can visit the Australian Government’s website. For easy navigation, here’s a list of what each APP covers, a short overview of its purpose, and a link to in-depth guidelines from the Australian Government: 

APP 1: Open and transparent management of personal information 

The object of APP 1 is to ensure that businesses manage personal information in an open and easily accessible manner, namely, having transparent privacy policies that adhere to APP guidelines.  


APP 2: Anonymity and pseudonymity 

The object of APP 2 is to give individuals the opportunity to stay relatively anonymous or use pseudonyms when they wish.  


APP 3: Collection of solicited personal information 

The object of APP 3 is to clearly outline when and how organizations can collect personal information, especially sensitive information. 


APP 4: Dealing with unsolicited personal information 

The object of APP 4 is to clearly outline how organizations must handle personal information that has not been solicited but has been obtained. 


APP 5: Notification of the collection of personal information 

The object of APP 5 is to ensure that organizations that collect personal information notify the individuals whose information they take. 


APP 6: Use or disclosure of personal information 

The object of APP 6 is to outline how organizations can use, or disclose, the personal information they collect. 


APP 7: Direct Marketing 

The object of APP 7 is to define how organizations can use personal information for direct marketing purposes. 


APP 8: Cross-border disclosure of personal information 

The object of APP 8 is to ensure personal information is adequately protected before it is transmitted overseas. 


APP 9: Adoption, use or disclosure of government related identifiers 

The object of APP 9 is to limit the situations in which organizations can adopt government-related identifiers as their own internal identifiers, or use or disclose individuals’ government-related identifiers.


APP 10: Quality of personal information 

The object of APP 10 is to ensure that organizations take the relevant steps to keep personal information accurate and up to date. 


APP 11: Security of personal information 

The object of APP 11 is to outline the steps organizations need to take to secure personal information from misuse and loss. 


APP 12: Access to personal information 

The object of APP 12 is to outline an organization’s obligations when an individual requests access to the personal information gathered and held by the organization. 


APP 13: Correction of personal information 

The object of APP 13 is to outline an organization’s obligations to correct personal information. 


Serious or repeated violations of these guidelines can result in penalties of up to $1.8 million. If your organization operates within Australia or handles the personal information of individuals in Australia, you should be aware of all your responsibilities under the Australian Privacy Act. As updates to the Australian Privacy Act are in their final stages, now is the time to check to make sure you’re following all the current Australian Privacy Principles (APPs).  
