Hands typing on a keyboard

Australian privacy principles and data security

Australian Privacy Principles regulate your handling of personal information by private, non-profit and government organisations – styled “APP entities”. There are thirteen categories and they will by definition enlighten your business record keeping.

Compliancy navigation begins with a slew of first or foundation principles. There’s no need to reinvent the proverbial cartwheel when it comes to establishing an ordnance list of privacy guidelines for your business or “entity” since all thirteen categories are published by OAIC, the Office of the Australian Information Commissioner.

Australia has a permanent interest in open and transparent management of personal information. We thrive here on our vast island dependant upon an armada of data from local and global hubs. Privacy breaches and attacks lobbed from afar on Australian consumer privacy are all too frequent.

So, when it comes to safeguarding privacy and data security management, it makes good sense to be a stickler on principle. Does safeguarding privacy and the integrity of data security play a significant role in your business strategy?

There’s no better time than the the present to reaffirm or revisit the privacy policy of your business or organisation. It behoves you to be aware of and implement policies that comply with the thirteen principles of privacy management and data security.

Here’s the full list of Australian Privacy Principles from the OAIC:

APP 1 — Open and transparent management of personal information
Ensures that APP entities manage personal information in an open and transparent way. This includes having a clearly expressed and up to date APP privacy policy.

APP 2 — Anonymity and pseudonymity
Requires APP entities to give individuals the option of not identifying themselves, or of using a pseudonym. Limited exceptions apply.

APP 3 — Collection of solicited personal information
Outlines when an APP entity can collect personal information that is solicited. It applies higher standards to the collection of ‘sensitive’ information.

APP 4 — Dealing with unsolicited personal information
Outlines how APP entities must deal with unsolicited personal information.

APP 5 — Notification of the collection of personal information
Outlines when and in what circumstances an APP entity that collects personal information must notify an individual of certain matters.

APP 6 — Use or disclosure of personal information
Outlines the circumstances in which an APP entity may use or disclose personal information that it holds.

APP 7 — Direct marketing
An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met.

APP 8 — Cross-border disclosure of personal information
Outlines the steps an APP entity must take to protect personal information before it is disclosed overseas.

APP 9 — Adoption, use or disclosure of government related identifiers
Outlines the limited circumstances when an organisation may adopt a government related identifier of an individual as its own identifier, or use or disclose a government related identifier of an individual.

APP 10 — Quality of personal information
An APP entity must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure.

APP 11 — Security of personal information
An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances.

APP 12 — Access to personal information
Outlines an APP entity’s obligations when an individual requests to be given access to personal information held about them by the entity. This includes a requirement to provide access unless a specific exception applies.

APP 13 — Correction of personal information
Outlines an APP entity’s obligations in relation to correcting the personal information it holds about individuals.

Keen to dig deeper on privacy and data security compliance? The AOIC has more information here.

The challenge for your business or organisation of course, is how to implement them.

Here at Cicom we advocate for these Australian Privacy Principles and other data security regulations. We can help you to implement these privacy and data security policies within your business or organisation through Managed IT solutions, sound IT governance, IT Audits, Data Security measures and Business Continuity plans.

For a confidential discussion on Data Security and Privacy Compliance, contact us on 1300 324 266 or email

Got questions? We have answers.

Feel free to give us a call or use the form below to get in touch.