Home / Privacy

Australian Privacy Principles guidelines

RSS feed

The Australian Privacy Principles (APP) guidelines outline the mandatory requirements of the APPs, how we’ll interpret the APPs, and matters we may take into account when exercising our functions and powers under the Privacy Act 1988 (Privacy Act).

Both the APPs and the APP guidelines apply to any organisation or agency the Privacy Act covers. The Privacy Act covers Australian Government agencies and organisations with an annual turnover of more than $3 million, and some other organisations.

Download the complete print version (combined July 2019)

Summary of version changes to APP guidelines

22 July 2019
Chapters of the APP guidelines are updated individually. This page contains archived versions of each chapter, and notes on the changes between versions for each chapter.
Read more: Summary of version changes to APP guidelines

Preface

24 February 2014
Preliminary pages and preface by John McMillan.
Read more: Preface

Chapter A: Introductory matters

22 July 2019
The purpose of the APP guidelines and which organisations and agencies the APPs cover.
Read more: Chapter A: Introductory matters

Chapter B: Key concepts

22 July 2019
Key words and phrases used in the Privacy Act and the APPs.
Tags: key words and phrases definitions
Read more: Chapter B: Key concepts

Chapter C: Permitted general situations

22 July 2019
The information handling requirements imposed by some APPs do not apply if a ‘permitted general situation’ exists. This exception applies to the collection of sensitive information (APP 3), the use or disclosure of personal information (APPs 6 and 8), and the use or disclosure of a government-related identifier (APP 9). It is nevertheless open to an APP entity to comply with the APP requirements even though an exception applies.
Tags: permitted general situations
Read more: Chapter C: Permitted general situations

Chapter D: Permitted health situations

22 July 2019
The information handling requirements imposed by APP 3 and APP 6 do not apply to an organisation if a ‘permitted health situation’ exists. This exception applies to the collection, use or disclosure of health information or genetic information by an organisation. The exception applies only to organisations, and not to agencies. It is open to an organisation to comply with the APP requirements even though an exception applies.
Tags: permitted health situation
Read more: Chapter D: Permitted health situations

Chapter 1: APP 1 — Open and transparent management of personal information

22 July 2019
An APP entity must manage personal information in an open and transparent way. This includes having a clearly expressed and up to date APP privacy policy.
Tags: privacy policy open and transparent management APP1
Read more: Chapter 1: APP 1 — Open and transparent management of personal information

Chapter 2: APP 2 — Anonymity and pseudonymity

22 July 2019
An APP entity must give an individual the option of not identifying themselves or of using a pseudonym. Limited exceptions apply.
Tags: APP2 anonymity and pseudonymity
Read more: Chapter 2: APP 2 — Anonymity and pseudonymity

Chapter 3: APP 3 — Collection of solicited personal information

22 July 2019
Outlines when an APP entity can collect solicited personal information. Higher standards apply to the collection of sensitive information.
Tags: collection APP3 sensitive information solicited personal information
Read more: Chapter 3: APP 3 — Collection of solicited personal information

Chapter 4: APP 4 — Dealing with unsolicited personal information

22 July 2019
Outlines how an APP entity must deal with unsolicited personal information.
Tags: APP4 unsolicited personal information
Read more: Chapter 4: APP 4 — Dealing with unsolicited personal information

Chapter 5: APP 5 — Notification of the collection of personal information

22 July 2019
An APP entity that collects personal information about an individual must take reasonable steps either to notify the individual of certain matters or to ensure the individual is aware of those matters.
Tags: APP5 notification collection
Read more: Chapter 5: APP 5 — Notification of the collection of personal information

Chapter 6: APP 6 — Use or disclosure of personal information

22 July 2019
An APP entity can only use or disclose personal information for a purpose for which it was collected (known as the ‘primary purpose’), or for a secondary purpose if an exception applies.
Tags: APP6 use and disclosure
Read more: Chapter 6: APP 6 — Use or disclosure of personal information

Chapter 7: APP 7 — Direct marketing

22 July 2019
An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met.
Tags: APP7 direct marketing
Read more: Chapter 7: APP 7 — Direct marketing

Chapter 8: APP 8 — Cross-border disclosure of personal information

22 July 2019
Outlines the steps an APP entity must take to protect personal information before it is disclosed overseas.
Tags: APP8 cross-border disclosure
Read more: Chapter 8: APP 8 — Cross-border disclosure of personal information

Chapter 9: APP 9 — Adoption, use or disclosure of government related identifiers

22 July 2019
Outlines the limited situations when an organisation may adopt a government-related identifier of an individual as the organisation’s own identifier, or use or disclose a government-related identifier of an individual.
Tags: APP9 government-related identifiers use and disclosure
Read more: Chapter 9: APP 9 — Adoption, use or disclosure of government related identifiers

Chapter 10: APP 10 — Quality of personal information

22 July 2019
An APP entity must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure.
Tags: APP10 quality of personal information collection use or disclosure
Read more: Chapter 10: APP 10 — Quality of personal information

Chapter 11: APP 11 — Security of personal information

22 July 2019
An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An APP entity has obligations to destroy or de-identify personal information in certain situations.
Tags: APP11 security of personal information
Read more: Chapter 11: APP 11 — Security of personal information

Chapter 12: APP 12 — Access to personal information

22 July 2019
Outlines an APP entity’s obligations when an individual requests to be given access to personal information held about them by the APP entity. This includes a requirement to provide access unless a specific exception applies.
Tags: APP12 access
Read more: Chapter 12: APP 12 — Access to personal information

Chapter 13: APP 13 — Correction of personal information

22 July 2019
Outlines an APP entity’s obligations for correcting the personal information it holds about individuals.
Tags: APP13 correction
Read more: Chapter 13: APP 13 — Correction of personal information