Australian Privacy Principles guidelines
The Australian Privacy Principles (APP) guidelines outline the mandatory requirements of the APPs, how we’ll interpret the APPs, and matters we may take into account when exercising our functions and powers under the Privacy Act 1988 (Privacy Act).
Both the APPs and the APP guidelines apply to any organisation or agency the Privacy Act covers. The Privacy Act covers Australian Government agencies and organisations with an annual turnover of more than $3 million, and some other organisations.
22 July 2019
Chapters of the APP guidelines are updated individually. This page contains archived versions of each chapter, and notes on the changes between versions for each chapter.
22 July 2019
The purpose of the APP guidelines and which organisations and agencies the APPs cover.
22 July 2019
Key words and phrases used in the Privacy Act and the APPs.
Tags: key words and phrases, definitions
22 July 2019
The information handling requirements imposed by some APPs do not apply if a ‘permitted general situation’ exists. This exception applies to the collection of sensitive information (APP 3), the use or disclosure of personal information (APPs 6 and 8), and the use or disclosure of a government-related identifier (APP 9). It is nevertheless open to an APP entity to comply with the APP requirements even though an exception applies.
Tags: permitted general situations
22 July 2019
The information handling requirements imposed by APP 3 and APP 6 do not apply to an organisation if a ‘permitted health situation’ exists. This exception applies to the collection, use or disclosure of health information or genetic information by an organisation. The exception applies only to organisations, and not to agencies. It is open to an organisation to comply with the APP requirements even though an exception applies.
Tags: permitted health situation
An APP entity must manage personal information in an open and transparent way. This includes having a clearly expressed and up-to-date APP privacy policy.
Tags: privacy policy, open and transparent management, APP1
22 July 2019
An APP entity must give an individual the option of not identifying themselves or of using a pseudonym. Limited exceptions apply.
Tags: APP2, anonymity and pseudonymity
Outlines when an APP entity can collect solicited personal information. Higher standards apply to the collection of sensitive information.
Tags: collection, APP3, sensitive information, solicited personal information
Outlines how an APP entity must deal with unsolicited personal information.
Tags: APP4, unsolicited personal information
An APP entity that collects personal information about an individual must take reasonable steps either to notify the individual of certain matters or to ensure the individual is aware of those matters.
Tags: APP5, notification, collection
An APP entity can only use or disclose personal information for a purpose for which it was collected (known as the ‘primary purpose’), or for a secondary purpose if an exception applies.
Tags: APP6, use and disclosure
22 July 2019
An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met.
Tags: APP7, direct marketing
Outlines the steps an APP entity must take to protect personal information before it is disclosed overseas.
Tags: APP8, cross-border disclosure
Outlines the limited situations when an organisation may adopt a government-related identifier of an individual as the organisation’s own identifier, or use or disclose a government-related identifier of an individual.
Tags: APP9, government-related identifiers, use and disclosure
An APP entity must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure.
Tags: APP10, quality of personal information, collection, use or disclosure
An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An APP entity has obligations to destroy or de-identify personal information in certain situations.
Tags: APP11, security of personal information
Outlines an APP entity’s obligations when an individual requests to be given access to personal information held about them by the APP entity. This includes a requirement to provide access unless a specific exception applies.
Tags: APP12, access
Outlines an APP entity’s obligations for correcting the personal information it holds about individuals.
Tags: APP13, correction