Australian Privacy Principles Guide for SMEs
The 13 Australian Privacy Principles control how your business handles personal data. Here's what SMEs actually need to do to comply before the exemption ends.
Australian Privacy Principles: What Your Business Actually Needs to Do
The Australian Privacy Principles are 13 rules under the Privacy Act 1988 that control how you collect, store, use, and share personal information. If your business turns over more than $3 million a year, or if you handle health records or trade in personal data, you're already covered by them. And if you're under that threshold? The government has signalled that exemption is going away.
Most business owners I talk to know the Privacy Act exists. Very few have actually read the Australian Privacy Principles. Fewer still have done anything about them.
Which Australian Privacy Principles Actually Matter for Your Business
There are 13 APPs. You don't need to memorise all of them, but you do need to understand the ones that trip up businesses your size.
APP 1 requires you to have a clear, up-to-date privacy policy. Not the template you copied from another website in 2019. A real one that describes what you collect, why you collect it, and who you share it with. The OAIC expects you to review this regularly.
APP 3 says you can only collect personal information that's reasonably necessary for your business functions. If your signup form asks for date of birth and home address when all you need is an email, you're overcollecting. This is the principle most businesses break without realising it.
APP 6 limits how you use and disclose personal information. You collected someone's details for one purpose? You can't start using them for something else without consent. This comes up constantly with marketing lists.
APP 8 covers overseas data transfers. If you use SaaS tools hosted outside Australia, and you almost certainly do, you need to take reasonable steps to ensure those overseas recipients handle data in line with the APPs. That means actually reading your vendors' privacy practices. Not just ticking a box.
APP 11 is the security one. You must take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access. What counts as "reasonable" scales with your business size and the sensitivity of the data. For most SMEs, this means MFA on everything, proper access controls, encryption for sensitive data, and a plan for when something goes wrong.
Are You Covered by the Australian Privacy Principles?
The Small Business Exemption Won't Last
Right now, the Privacy Act exempts businesses with annual turnover under $3 million. This has been the escape hatch for most Australian SMEs.
But the Attorney-General's response to the Privacy Act Review recommended removing this exemption. When that happens, thousands of small businesses that have never thought about privacy compliance will suddenly need to comply with all 13 APPs. No privacy policy. No data inventory. No breach response plan. That's a rough starting position.
If you're under the threshold, the smart move is to start now. Not because the law requires it today, but because doing it under pressure later costs more and takes longer. A basic privacy framework takes a few weeks to set up properly. Doing it in a panic after the law changes takes months.
Penalties Are Not Theoretical
Since February 2018, the Notifiable Data Breaches scheme has required you to notify the OAIC and affected individuals when a data breach is likely to cause serious harm. You have 30 days from becoming aware of a breach to complete your assessment.
The penalty regime changed significantly in 2022. For serious or repeated interferences with privacy, the maximum penalty for a body corporate is now the greatest of: $50 million, three times the benefit obtained from the breach, or 30% of adjusted turnover in the relevant period. These numbers aren't theoretical. The OAIC commenced Federal Court proceedings against Medibank after the 2022 breach that exposed the personal and health data of millions of Australians.
Human error, things like emailing the wrong person or losing an unencrypted laptop, accounts for a significant portion of reported breaches. You don't need to be hacked to be in trouble.
What to Do This Quarter
You don't need to do everything at once. Start with four things.
Your Privacy Compliance Starting Point
Map your data. Spend an afternoon listing what personal information you collect, where it lives, who can access it, and which vendors touch it. A spreadsheet is fine.
Fix your privacy policy. Read your current one. If it's generic, outdated, or doesn't match what you actually do with data, rewrite it. The OAIC publishes guidance on what APP 1 requires.
Check your vendors. Where does your customer data actually go? Look at your CRM, email platform, analytics tools, and cloud storage. For each one hosted overseas, confirm they have adequate privacy protections that align with the APPs.
Write a breach response plan. It doesn't need to be long. It needs to exist before you need it. Cover who's responsible internally, how to assess whether a breach is notifiable, how to contact the OAIC, and how to notify affected people within the 30-day window.
If you're also working toward Essential Eight or ISO 27001, a lot of this work overlaps. The access controls, encryption, and incident response planning you build for those frameworks directly support APP 11.
Privacy compliance isn't a one-off project. But the first pass is simpler than most people expect.
Robbie Cronin
Fractional CTO helping non-technical founders make better technical decisions. Based in Melbourne.