Australian Privacy Principles (APP)

Contributed by AjunthaThinakaran and current to 27 July 2018

The Information Commissioner issues the Australian Privacy Principles guidelines (APP guidelines), which may be updated from time to time to take account of changes in the Privacy Act or other legislation, determinations made under s 52 of the Privacy Act, and relevant tribunal and court decisions.

The APPs and the APP guidelines apply from 12 March 2014. They apply to both Australian Government agencies and organisations covered by the Privacy Act. These principles replace the National Privacy Principles (NPPs) and the Information Privacy Principles (IPPs).


The APP guidelines outline the mandatory requirements of the APPs, how the OAIC will interpret the APPs, and matters the OAIC may take into account when exercising functions and powers under the Privacy Act.

The link below leads to a complete set of the APP guidelines (PDF version), followed by a table of links to archived versions, which includes a summary of significant changes between each version, followed by the current version of each APP guidelines chapter in HTML and PDF.

Link: []

Application of APP

The Australian Privacy Principles (APPs) are set out in schedule 1 of the Privacy Act. The APPs outline how most Australian and Norfolk Island Government agencies, all private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses (collectively called ‘APP entities’) must handle, use and manage personal information.

The APPs are set out broadly, and each APP entity is responsible for ensuring compliance by considering how the principles apply to its individual circumstances. The principles encompass:
  • the open and transparent management of personal information including having a privacy policy
  • an individual having the option of transacting anonymously or using a pseudonym where practicable
  • the collection of solicited personal information and receipt of unsolicited personal information including giving notice about collection
  • how personal information can be used and disclosed (including overseas)
  • maintaining the quality of personal information
  • keeping personal information secure
  • the right of individuals to access and correct their personal information
There are also separate APPs that deal with the use and disclosure of personal information for the purpose of direct marketing (APP 7), cross-border disclosure of personal information (APP 8) and the adoption, use and disclosure of government related identifiers (APP 9).

More information is available:

Rights and responsibilities [Link: ]
FAQs — Businesses pages [Link: ]

Sensitive information

The APPs place more rigorous responsibilities on APP entities which handle ‘sensitive information’. Sensitive information is a type of personal information and includes information about an individual's:
  • health (including predictive genetic information)
  • racial or ethnic origin
  • political opinions
  • membership of a political association, professional or trade association or trade union
  • religious beliefs or affiliations
  • philosophical beliefs
  • sexual orientation or practices
  • criminal record
  • biometric information that is to be used for certain purposes
  • biometric templates.
The OAIC website provides a host of information and fact sheets. For a summary of the APPs, see the APP quick reference tool. For more detail, see the full text of the APPs. Additional information on complying with the APPs can be found in the APP guidelines. The OAIC also provides a training webinar on the APPs, aimed at people who are unfamiliar with the Privacy Act.

