Most Australian organisations don’t fail privacy because they don’t care. They fail because privacy lives in documents, not in decisions.
A policy exists. A register exists. A response plan exists, somewhere.
But when teams launch a new service, integrate a system, outsource a function, or automate a decision, privacy is often an afterthought.
That gap, between intent and execution, is where privacy risk actually lives.
Privacy in Australia has moved well beyond policies, pop‑ups, and paperwork. Today, how your organisation handles personal information is a visible signal of trust, maturity, and accountability.
If your organisation operates in Australia and handles personal information, the Australian Privacy Principles (APPs) set the baseline for what “good” looks like. And with the release of the Office of the Australian Information Commissioner’s (OAIC) Privacy Foundations Self‑Assessment Tool, organisations now have a practical way to understand where they stand, and where they need to go next.
In this guide, we discuss the 13 Australian Privacy Principles and how the OAIC’s new self‑assessment tool can help organisations move from reactive compliance to confident, embedded privacy practices.
What Are the Australian Privacy Principles (APPs)?
The Australian Privacy Principles are 13 legally binding principles contained in the Privacy Act 1988 (Cth). They apply to:
- Australian Government agencies.
- Most private sector organisations with an annual turnover above $3 million.
- Smaller organisations in specific categories, including private health service providers and businesses that trade in personal information.
Unlike rigid, prescriptive rules, the APPs are principles‑based and technology‑neutral. This gives organisations flexibility to apply them in ways that fit their operating models, systems, and risk profiles, while still holding them accountable for outcomes.
Importantly, an act or practice that breaches an APP is an interference with the privacy of an individual under the Act. Serious or repeated interferences can lead to regulatory investigations, enforceable undertakings, and civil penalties that, for a body corporate, can reach the greater of $50 million, three times the value of any benefit obtained from the conduct, or 30 per cent of adjusted turnover for the breach period.
The 13 Australian Privacy Principles: What They Mean in Practice
Understanding the APPs is not just a legal exercise. Each principle shapes day‑to‑day decisions across systems, processes, and people.
APP 1: Open and transparent management
Your organisation must have a clearly accessible privacy policy and internal practices for managing personal information.
APP 2: Anonymity and pseudonymity
Where practical, individuals should have the option to interact with your organisation anonymously or using a pseudonym.
APP 3: Collection of solicited personal information
Only collect personal information that is reasonably necessary for your functions or activities.
APP 4: Unsolicited personal information
If you receive information you didn’t ask for, you must assess whether you could have lawfully collected it, and destroy or de‑identify it if not.
APP 5: Notification of collection
Individuals must be informed about the collection of their personal information at or before the time of collection.
APP 6: Use or disclosure
Personal information can only be used or disclosed for its primary purpose unless a clear exception applies.
APP 7: Direct marketing
Strict conditions apply when using personal information for marketing, including mandatory opt‑out mechanisms.
APP 8: Cross‑border disclosure
Before disclosing personal information to an overseas recipient, you must take reasonable steps to ensure the recipient does not breach the APPs, and in most cases you remain accountable for what the recipient does with it unless an exception applies.
APP 9: Government identifiers
Government‑related identifiers (such as TFNs) cannot be adopted as your own identifier, or used or disclosed, unless an exception applies, such as where the use is required or authorised by law.
APP 10: Quality of personal information
Organisations must take reasonable steps to ensure personal information is accurate, up‑to‑date, and complete.
APP 11: Security of personal information
Personal information must be protected from misuse, interference and loss, and from unauthorised access, modification or disclosure. Once it is no longer needed for a permitted purpose, it must be destroyed or de‑identified.
APP 12: Access
Individuals have the right to access their personal information, subject to limited exceptions.
APP 13: Correction
Organisations must take reasonable steps to correct personal information, on request or on their own initiative, so that it is accurate, up‑to‑date, complete, relevant and not misleading.
Why “Compliance” Alone Is No Longer Enough
The Australian Privacy Principles (APPs) have been in place for years.
Most organisations covered by the Privacy Act know of them. Many can even point to where they’re documented.
Yet privacy maturity across Australia remains uneven.
During Privacy Awareness Week 2025, the OAIC reinforced this message with the theme “Privacy — it’s everyone’s business.” While nine in ten Australians understand why privacy matters, many still feel uncertain about how their information is actually being protected.
This matters because modern privacy risk doesn’t come from obvious misconduct. It comes from:
- Disconnected systems sharing more data than intended.
- Teams collecting “just in case” information.
- Vendors handling data without clear accountability.
- Staff unsure when something is a privacy issue, until it’s too late.
Privacy failures today are rarely malicious. They are structural.
Introducing the OAIC Privacy Foundations Self‑Assessment Tool
To help organisations strengthen those foundations, the OAIC released the Privacy Foundations Self‑Assessment Tool during Privacy Awareness Week in 2025.
This free resource is designed to help organisations understand their current privacy posture and identify practical improvement areas, without jumping straight into legal complexity.
Who the Tool Is For
The tool is ideal for organisations that:
- Are early in their privacy journey.
- Want to have a genuine privacy culture, not just policies.
- Need a structured way to review existing practices.
- Want clarity before investing in formal compliance work.
What the Tool Covers
The assessment focuses on core privacy fundamentals, including:
- Accountability: who owns privacy obligations internally.
- Transparency: how clearly privacy practices are communicated.
- Collection practices: whether data collection is proportionate and necessary.
- Data breach readiness: preparedness to detect, respond, and notify.
How It Works
The tool has two simple stages:
Step 1: Questionnaire
A guided set of practical questions with plain‑language explanations and real‑world examples. Most organisations complete it in 15–20 minutes.
Step 2: Action Planning
Based on responses, the tool provides a privacy maturity score and customised recommendations that can feed directly into a Privacy Management Plan.
Important:
This tool does not assess legal compliance under the Privacy Act. It is a foundation‑building exercise, not a replacement for legal advice or formal audits.
What to Do After the Self‑Assessment
For most organisations, the self‑assessment is the starting point, not the finish line.
Build or Refine Your Privacy Management Plan
Use your results to document governance structures, training programs, data handling processes, and breach response procedures.
Go Deeper Where Needed
If you require a more detailed assessment against the APPs, particularly for government agencies, the OAIC also offers an Interactive Privacy Management Plan Tool.
Why Exigo Tech
At Exigo Tech, we work with Australian organisations that understand privacy is not a one‑off project; it’s an ongoing operational capability.
We help organisations move beyond surface‑level compliance by:
- Translating the APPs into practical, role‑based actions.
- Designing privacy‑by‑design processes across systems and services.
- Supporting privacy maturity uplift through training and governance.
- Aligning privacy foundations with broader digital, security, and CX strategies.
Whether you are using the OAIC self‑assessment tool for the first time or looking to strengthen your privacy framework in line with evolving reforms, our team helps turn insight into execution.
Key Takeaways
- The Australian Privacy Principles apply broadly and carry serious enforcement consequences.
- Privacy maturity in Australia remains a work in progress across most sectors.
- The OAIC Privacy Foundations Self‑Assessment Tool is a practical, low‑risk starting point.
- Strong privacy foundations are built through people, process, and culture, not policies alone.
Ben Opit | Apr 03, 2026