What the Privacy Act actually is
The Privacy Act 1988 is Australian federal legislation that regulates how organisations collect, use, store, and disclose personal information. It applies to most businesses, government agencies, and not-for-profit organisations operating in Australia.
The Act is built around 13 Australian Privacy Principles (APPs): the rules your business must follow when handling personal information. Personal information is any data that could identify a person: names, email addresses, phone numbers, physical addresses, dates of birth, financial details, IP addresses, and more.
Does it apply to your business?
The Privacy Act applies to your business if any of the following are true:
- Your annual turnover is $3 million or more
- You provide health services (including allied health, pharmacy, gym/fitness)
- You trade in personal information (sell, share, or exchange customer lists or data)
- You're a credit reporting body or credit provider
- You're a contractor providing services to a Commonwealth government agency
- You're related to an organisation already covered by the Act
- You've opted in to coverage
Important: The $3 million threshold is under active review. The Australian Government has proposed removing it entirely, which would bring every Australian business under the Privacy Act regardless of turnover. Even if you're technically under the threshold now, operating as if the Act applies is the safest and smartest approach.
The 13 Australian Privacy Principles, in plain English
Here's what each principle requires, without the legal language:
APP 1 – Open and transparent management
You must have a clearly written privacy policy that explains what data you collect, why, and how you handle it. It must be freely available, typically published on your website.
APP 2 – Anonymity and pseudonymity
Where practical, give people the option to interact with your business without identifying themselves. Not always possible (you need a name to send an invoice), but where it's feasible, you should offer it.
APP 3 – Collection of solicited information
Only collect personal information that's reasonably necessary for your business functions. Don't collect data "just in case." If you run a plumbing business, you need a customer's name, address, and phone number; you don't need their date of birth.
APP 4 – Dealing with unsolicited information
If you receive personal information you didn't ask for, you must decide whether you could have collected it under APP 3. If not, destroy or de-identify it.
APP 5 – Notification of collection
When you collect personal information, tell people: who you are, why you're collecting it, who you'll share it with, and how they can access or correct it. This is usually handled through your privacy policy and collection notices on forms.
APP 6 – Use or disclosure
Only use personal information for the purpose you collected it for. If you collected someone's email for a quote, you can't add them to a marketing mailing list without consent.
APP 7 – Direct marketing
You can only use personal information for direct marketing if the person would reasonably expect it, and you provide an easy way to opt out. Every marketing email needs an unsubscribe link. No exceptions.
APP 8 – Cross-border disclosure
If you send personal information overseas (using a US-based CRM, cloud storage, or email provider), you must take reasonable steps to ensure the overseas recipient complies with the APPs. Using Mailchimp, HubSpot, or Salesforce? This applies to you.
APP 9 – Government identifiers
Don't adopt government identifiers (like Tax File Numbers or Medicare numbers) as your own customer identifier. Don't use them unless legally required.
APP 10 – Quality of personal information
Keep personal information accurate, up-to-date, and complete. If you're making decisions based on customer data, make sure it's correct.
APP 11 – Security of personal information
Take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access. This is the APP that directly connects to cybersecurity: weak passwords, unpatched software, and missing encryption all violate this principle.
You must also destroy or de-identify personal information when it's no longer needed. If a customer cancelled their account three years ago, you shouldn't still be holding their data without a lawful reason.
APP 12 – Access to personal information
When someone asks to see the personal information you hold about them, you must provide access within a reasonable timeframe, usually 30 days.
APP 13 – Correction of personal information
If personal information is inaccurate, out of date, or incomplete, you must correct it when asked.
What happens if you don't comply
The penalties are severe and increasing:
- Up to $50 million for serious or repeated interferences with privacy
- Or three times the benefit obtained from the breach
- Or 30% of adjusted turnover, whichever is greatest
- The OAIC can issue infringement notices, enforceable undertakings, and public findings
- Individuals can seek compensation through the courts for privacy breaches
Beyond the financial penalties, a privacy breach causes reputational damage that no marketing budget can repair. Customers don't come back to businesses that lose their data.
The most common compliance failures
Based on OAIC enforcement actions and investigations, the most frequent failures are:
- No privacy policy – or a policy that's out of date and doesn't reflect actual practices
- Collecting more data than necessary – forms that ask for information you don't need
- Weak security measures – no MFA, unpatched systems, no encryption at rest
- No data retention policy – keeping customer data indefinitely without a lawful reason
- Overseas transfers without safeguards – using US SaaS tools without understanding APP 8 obligations
- No breach response plan – when a breach occurs, the business has no process for assessment or notification
How to get compliant
Privacy compliance isn't a single document; it's an ongoing programme. Here's where to start:
- Get a privacy health check – assess where you stand against the 13 APPs
- Write (or update) your privacy policy – it must be current, accurate, and specific to your business
- Map your data – know what personal information you hold, where it's stored, who has access, and how long you keep it
- Secure your data – implement technical controls that satisfy APP 11 (encryption, access controls, patching, MFA)
- Prepare for breaches – build an NDB-compliant response plan with templates, contact lists, and escalation procedures
- Train your team – everyone who handles personal information needs to understand their obligations
Not sure if you're compliant?
RabbiiCo Studio's free Privacy Health Check assesses your business against the Australian Privacy Principles and identifies the gaps that matter most. No obligation, no jargon, just a clear picture of where you stand.