The APP guidelines may be updated from time to time, including to take account of changes in the Privacy Act 1988 or other legislation, determinations made under s 52 of the Privacy Act and relevant tribunal and court decisions. Chapters of the APP guidelines are updated individually. This page contains archived versions of each chapter, and notes on the changes between versions for each chapter.

Chapters A to D

Chapter A: Introductory matters

Current version

1.2 22 July 2019 to ...

Updated references to OAIC and external publications for new website launch

Previous versions

1.1 1 April 2015 to 21 July 2019

Inclusion of new [A.4] and [A.29]–[A.32] to explain that the APP guidelines may provide relevant guidance to Australian Capital Territory public sector agencies.

1.0 21 February 2014 to 31 March 2015

Chapter B: Key concepts

Current version

1.4 21 December 2022 to ...

Updated for amendments to s 5B of the Privacy Act made by Privacy (Enforcement and Other Measures) Amendment Act 2022 (Cth)

Previous versions

1.3 22 July 2019 to 20 December 2022

Updated references to OAIC and external publications for new website launch

1.2 1 April 2015 to 21 July 2019
  • Clarified the circumstances in which small business operators are treated as organisations and therefore APP entities ([B.7])
  • Revised and expanded discussion about ‘carries on business in Australia’, a component of the test for whether an APP entity has an ‘Australian link’ ([B.13–B.21])
  • Small clarifications to the discussion about ‘disclosure’, including the addition of a new footnote reference to an AAT decision ([B.64] and [B.68])
  • Minor stylistic change ([B.104])
  • Updated discussion about ‘sensitive information’ to explain that information may be sensitive information where it clearly implies one of the matters listed in the definition of ‘sensitive information’ in s 6(1) ([B.139])
1.1 1 March 2014 to 31 March 2015

Amended text to reflect Privacy Act amendment to definition of sensitive information re: sexual orientation... [B.132]

1.0 21 February 2014 to 28 February 2014

Chapter C: Permitted general situations

Current version

1.1 22 July 2019 to ...

Updated references to OAIC and external publications for new website launch

Previous version

1.0 21 February 2014 to 21 July 2019

Chapter D: Permitted health situations

Current version

1.1 22 July 2019 to ...

Updated references to OAIC and external publications for new website launch

Previous version

1.0 21 February 2014 to 21 July 2019

Chapters 1 to 6

Chapter 1: APP 1 Open and transparent management of personal information

Current version

1.2 3 October 2025 to …
  • High-level updates to reflect amendments to the Privacy Act 1988 made by the Privacy and Other Legislation Amendment Act 2024. The changes include new obligations about automated decisions in APP privacy policies, commencing December 2026 (Key points and call-out boxes after [1.2] and [1.43]).
  • Minor changes for clarity and readability and currency of references.

Previous version

1.1 22 July 2019 to 2 October 2025

Updated references to OAIC and external publications for new website launch

1.0 21 February 2014 to 21 July 2019

Chapter 2: APP 2 Anonymity and pseudonymity

Current version

1.1 22 July 2019 to ...

Updated references to OAIC and external publications for new website launch

Previous version

1.0 21 February 2014 to 21 July 2019

Chapter 3: APP 3 Collection of solicited personal information

Current version

1.2 13 May 2026 to …

The updates expand guidance on existing requirements to help make it easier for entities to comply. The updates reflect recent determinations, and key positions from other OAIC guidance. Each update is explained in detail in the following list:

  • New Figure 1 (flow chart) demonstrating at a high level each of the APP 3 requirements and how they relate to each other ([3.4])
  • Updates to clarify that publicly available personal information is still subject to APP 3 and the APPs once collected (Key point 8, [3.6])
  • Clarifying changes to reflect how proportionality is implicit in the APP 3 requirements, requiring entities to take a data minimisation approach (Key point 9, [3.26], [3.87] at footnote 51)
  • Additional guidance to clarify that personal information created with reference to, or generated, inferred or observed from, other information the entity holds, is a ‘collection’ of personal information that APP 3 applies to ([3.7])
  • Updates to clarify that an APP entity ‘collects’ personal information even if it only holds the information momentarily (e.g. for milliseconds) ([3.8])
  • Clarifications on liability for where an entity engages a third party to collect personal information ([3.10] and accompanying ‘Privacy tip’)
  • New contemporary examples of solicited personal information collected by an entity, including via AI, tracking pixels, facial recognition technology, data broking, data scraping and web crawling ([3.11])
  • Addition of ‘analytics’ as an example of an ‘activity’ of an agency or organisation ([3.15], [3.18])
  • Expanded guidance on how the functions and activities of an agency or organisation are to be determined objectively ([3.17], [3.20]–[3.21])
  • New example of collecting personal information that is ‘directly related to’ an agency’s functions or activities ([3.23])
  • Emphasising that for the collection of personal information to be ‘reasonably necessary’, it would not be sufficient for the collection to be merely helpful, desirable or convenient ([3.25])
  • Expanded guidance on the requirement to only collect personal information that is ‘reasonably necessary’ for an entity’s ‘functions and activities’, including an additional factor to be considered (dot point 4 of [3.27]) and new examples that clarify these considerations ([3.27]–[3.29])
  • Additional guidance on the relationship between the requirement to only collect personal information that is ‘reasonably necessary’, and the requirement to collect only by lawful and fair means ([3.30], [3.88])
  • Expanded guidance on seeking consent for the collection of sensitive information ([3.33]–[3.34])
  • Additional guidance on automated collection methods and the collection of sensitive information ([3.35])
  • Expanded guidance, including a new example, on collecting sensitive information ‘as required or authorised by law’ ([3.39]–[3.41])
  • Additional guidance on collecting sensitive information where a ‘permitted general situation’ exists ([3.45]–[3.48] regarding ‘Lessening or preventing a serious threat to life, health or safety’ and [3.50]–[3.52] regarding ‘Taking appropriate action in relation to suspected unlawful activity or serious misconduct’)
  • Additional, revised and expanded guidance about collecting by ‘fair means’, including factors that may influence whether a collection is by ‘fair means’ ([3.83]–[3.88])
  • New example on when it would not be ‘unreasonable or impractical’ to collect personal information directly from the individual ([3.90])
  • Minor changes for clarity and readability

Previous version

1.1 22 July 2019 to 13 May 2026

Updated references to OAIC and external publications for new website launch

1.0 21 February 2014 to 21 July 2019

Chapter 4: APP 4 Dealing with unsolicited personal information

Current version

1.1 22 July 2019 to ...

Updated references to OAIC and external publications for new website launch

Previous version

1.0 21 February 2014 to 21 July 2019

Chapter 5: APP 5 Notification of the collection of personal information

Current version

1.2 22 July 2019 to ...

Updated references to OAIC and external publications for new website launch

Previous versions

1.1 2 March 2018 to 21 July 2019

New reference to legislated family violence information sharing schemes in [5.7]

1.0 21 February 2014 to 1 March 2018

Chapter 6: APP 6 Use or disclosure of personal information

Current version

1.1 22 July 2019 to ... Updated references to OAIC and external publications for new website launch

Previous version

1.0 21 February 2014 to 21 July 2019

Chapters 7 to 12

Chapter 7: APP 7 Direct marketing

Current version

1.1 22 July 2019 to ...

Updated references to OAIC and external publications for new website launch

Previous version

1.0 21 February 2014 to 21 July 2019

Chapter 8: APP 8 Cross-border disclosure of personal information

Current version

1.3 3 October 2025 to …
  • Updates to reflect amendments to the Privacy Act 1988 made by the Privacy and Other Legislation Amendment Act 2024. The changes include a new exception regarding cross-border disclosure (Key points, [8.3–8.4], [8.10], [8.18–8.19] and [8.28–8.30]).
  • Minor changes for clarity, readability and currency of references.

Previous versions

1.2 22 July 2019 to 2 October 2025

Updated references to OAIC and external publications for new website launch

1.1 1 April 2015 to 21 July 2019
  • Revised discussion of the circumstances where an APP entity may be taken to breach the APPs, when it provides personal information to an overseas contractor as a ‘use’, and the information is mishandled overseas ([8.15])
  • Revised and expanded discussion about the circumstances in which the ‘international agreement’ exception in APP 8.2(e) applies ([8.47]–[8.51])
  • Minor amendments to footnotes to correct website references ([8.1], [8.21])
1.0 21 February 2014 to 31 March 2015

Chapter 9: APP 9 Adoption, use or disclosure of government related identifiers

Current version

1.1 22 July 2019 to ... Updated references to OAIC and external publications for new website launch

Previous version

1.0 21 February 2014 to 21 July 2019

Chapter 10: APP 10 Quality of personal information

Current version

1.1 22 July 2019 to ... Updated references to OAIC and external publications for new website launch

Previous version

1.0 21 February 2014 to 21 July 2019

Chapter 11: APP 11 Security of personal information

Current version

1.3 3 October 2025 to …
  • Updates to reflect amendments to the Privacy Act 1988 made by the Privacy and Other Legislation Amendment Act 2024. The changes include that reasonable steps, for the purposes of ensuring the security of personal information and destroying or de-identifying personal information that is no longer needed, include technical and organisational measures (Key points, [11.4], [11.10–11.15], [11.34] and [11.44–11.46]).
  • Amendment of discussion about relevant considerations in taking reasonable steps to destroy or de-identify personal information that is no longer needed ([11.30–11.31]).
  • Minor clarifications to examples of unauthorised access ([11.25]).
  • Minor changes for clarity, readability and currency of references.

Previous versions

1.2 22 July 2019 to ...

Updated references to OAIC and external publications for new website launch

1.1 1 April 2015 to 21 July 2019
  • New reference to the OAIC Guide to Securing Personal Information (2015) (Key point 3, [11.10] and [11.34])
  • Consolidation and amendment of discussion about relevant considerations in taking ‘reasonable steps’, for consistency with OAIC Guide to Securing Personal Information (2015) ([11.7]–[11.10])
  • Minor stylistic changes ([11.11] and [11.42])
  • Small clarifications to examples of ‘loss’, ‘unauthorised access’, ‘unauthorised modification’ and ‘unauthorised disclosure’ including in footnotes ([11.15]–[11.21])
  • Minor amendment to footnote to correct reference to Australian Government Information Security Manual and to Australian Signals Directorate website ([11.37])
1.0 21 February 2014 to 31 March 2015

Chapter 12: APP 12 Access to personal information

Current version

1.1 22 July 2019 to ... Updated references to OAIC and external publications for new website launch

Previous version

1.0 21 February 2014 to 21 July 2019

Chapter 13: APP 13 Correction of personal information

Current version

1.1 22 July 2019 to ... Updated references to OAIC and external publications for new website launch

Previous version

1.0 21 February 2014 to 21 July 2019