Australia's Privacy Act 1988 Explained
Privacy law can be convoluted and often feels overwhelming. In this article we break down Australia's Privacy Act 1988, and the Australian Privacy Principles (APPs) at its core, into easy to understand, digestible pieces that equip you with the knowledge to protect your business.
Australian Privacy Principles (APPs)
At the heart of the Privacy Act are the 13 Australian Privacy Principles, which set the standards for how personal information is collected, used, stored and disclosed. Here is a quick look at all 13:
- APP 1: Open and transparent management of personal information
Organisations must manage personal information in an open and transparent way, which in practice means having a clearly expressed, up-to-date privacy policy and the internal practices, procedures and systems needed to comply with the APPs.
- APP 2: Anonymity and pseudonymity
Where it is lawful and practicable, people must have the option of dealing with you anonymously or under a pseudonym rather than giving their real name.
- APP 3 & 4: Collection of solicited and unsolicited personal information
You may only collect personal information that is reasonably necessary for your functions or activities, and sensitive information (such as health or biometric data) generally only with consent. If you receive personal information you did not ask for, you must decide whether you could have collected it under APP 3; if not, you must destroy or de-identify it as soon as practicable, where it is lawful and reasonable to do so.
- APP 5: Notification of the collection of personal information
At or before the time you collect personal information (or, if that is not practicable, as soon as practicable afterwards), you must take reasonable steps to tell the person what you are collecting, why, how it will be used and disclosed, and how they can access or correct it or complain.
- APP 6: Use or disclosure of personal information
You may only use or disclose personal information for the primary purpose it was collected for, unless the person consents, they would reasonably expect a related secondary use, or another exception (such as a legal requirement) applies.
- APP 7: Direct marketing
You may only use or disclose personal information for direct marketing in limited circumstances, for example where the person would reasonably expect it or has consented, and you must always give them a simple way to opt out and honour that request.
- APP 8: Cross-border disclosure of personal information
Before disclosing personal information to an overseas recipient you must take reasonable steps to ensure the recipient does not breach the APPs, and you generally remain accountable for what the recipient does with it, unless an exception applies (for example, the recipient is bound by a substantially similar law, or the individual has given informed consent).
- APP 9: Adoption, use, or disclosure of government-related identifiers
You must not adopt a government related identifier (such as a Medicare, passport or tax file number) as your own identifier for an individual, and must not use or disclose one unless the law allows it.
- APP 10: Quality of personal information
You must take reasonable steps to ensure the personal information you collect, use or disclose is accurate, up-to-date and complete, and (for use or disclosure) relevant to the purpose.
- APP 11: Security of personal information
You must take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. Once you no longer need it for any purpose for which it may be used or disclosed under the APPs, you must take reasonable steps to destroy or de-identify it, unless the law requires you to keep it.
- APP 12 & 13: Access to and correction of personal information
People have the right to request access to the personal information you hold about them and to have it corrected if it is inaccurate, out of date, incomplete, irrelevant or misleading. You must respond within a reasonable period and give written reasons if you refuse.
🥭 Mango Moment:
Knowing the 13 Australian Privacy Principles is one thing; putting them into practice is another. That's where we (MangoHR!) can help. Our training is built for Australia, so you and your team get clear, practical guidance on what the Privacy Act means in real life. From collecting data to keeping it safe, we make sure everyone knows the rules without drowning in legal talk. Sign up to receive automated training schedules of 3-5 minute videos with short practical quizzes to make sure you stay on top of what you need to do.
What happens if you do not follow these principles?
What's the OAIC?
The Office of the Australian Information Commissioner (OAIC) is the national privacy regulator. It enforces the Privacy Act 1988, including the 13 Australian Privacy Principles, and administers the Notifiable Data Breaches (NDB) scheme. The OAIC investigates complaints and data breaches, conducts assessments of how organisations handle personal information, can make determinations and accept enforceable undertakings, and can apply to the Federal Court for civil penalties for serious or repeated interferences with privacy. It also publishes guidance to help organisations understand and meet their privacy obligations.
Over the years the penalties for non-compliance have increased substantially. If you do not protect personal information, your business can face significant fines.
The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 raised the maximum civil penalty for a serious or repeated interference with privacy by a body corporate to the greater of AUD 50 million, three times the value of the benefit obtained from the conduct, or, if that benefit cannot be determined, 30% of the company's adjusted turnover during the breach turnover period (previously the cap was AUD 2.22 million).
Beyond fines, a breach damages your company's reputation, and affected individuals may be able to take legal action against your business.
Major Reforms to the Privacy Act 1988
- 2000 – Privacy Amendment (Private Sector) Act 2000, which extended the Act from government agencies to private sector organisations
- 2012 – Privacy Amendment (Enhancing Privacy Protection) Act 2012, which introduced the 13 Australian Privacy Principles (commenced March 2014)
- 2018 – Notifiable Data Breaches (NDB) scheme, established by the Privacy Amendment (Notifiable Data Breaches) Act 2017 and commenced February 2018
- 2022 – Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, which raised maximum penalties and expanded the OAIC's enforcement powers
- 2023/2024 – Privacy Act Review (the Government's response to the Review was released in September 2023; implementing legislation in progress)
Keep your eyes peeled for our blogs that go into each reform and how the Privacy Act Review might change the way you collect and handle personal information!