Australian Privacy Principles - Australian Government

Service summary

You will be required to comply with the Australian Privacy Principles (APP) if you intend to handle or collect personal/sensitive information. Subject to some exceptions, you will be required to comply with the Australian Privacy Principles if you are a:

  • Private sector organisation with an annual turnover of $3 million or more;
  • Private sector health service provider, including child care centre, private school or private tertiary educational institution;
  • Employee association registered or recognised under the Fair Work (Registered Organisations) Act;
  • Business that sells or purchases personal information;
  • Credit reporting body;
  • Business that handles personal information in the course of providing services under a government contract;
  • Reporting entity under the Anti Money Laundering and Counter Terrorism Financing regime;
  • Business that handles consumer credit information, tax file numbers, information on old convictions or health records; or a
  • Business that has opted-in to the Privacy Act.

The Principles are not prescriptive, but you must consider how they apply to your operations. They broadly cover the collection, use, disclosure and storage of personal information and regulate the way this information is handled. More stringent obligations apply to you if you intend to handle sensitive information about somebody's health, race, ethnicity, political opinions, membership of political or trade associations, religion, sexual orientation, criminal record or biometric information.

Handling your employees' or former employees' personal information is exempt from the APP, provided that it is within the scope of the employment relationship. For example, an employer could not sell a list of their employees to another organisation for marketing purposes. Please consult the Agency Contact Officer for more information and to ascertain the level of compliance (if any) that may be required by your business.

Service type

Code of Practice

A code of practice can be either a legal requirement or non-legal requirement. Legal codes of practice are defined as a result of legislation. Non-legal codes of practice are defined by industry regulators and bodies.

Other resources

Comply Australian Privacy Principles Opens in a new browser window

Administering agency

Attorney-General's Department
Office of the Australian Information Commissioner
Regulation and Strategy Branch

Act(s) name

Privacy Act 1988 (Australian Government)

Regulation(s) name

Privacy Regulations 2006 (Australian Government)

Contact details

Attorney-General's Department
Office of the Australian Information Commissioner
Regulation and Strategy Branch

Operating address:
Level 3
175 Pitt Street
New South Wales 2000
Mailing address:
GPO BOX 5218
Sydney, New South Wales 2001




02 92849749


02 92849666

Supporting information


The information contained on the Australian Business Licence and Information Service (ABLIS) web site, or via packages or other sources is intended for general guidance only.

To the full extent permitted by law, the Federal, State, Territory and Local Governments make no representations or warranties (expressed or implied) in relation to the information, including its accuracy, currency or completeness.

The business information provided does not constitute professional or legal advice, nor is the use of any third party resource an endorsement of the information contained, the associated organisation, product or service. It is recommended that you obtain appropriate professional and /or independent legal advice to ensure that the material provided here is relevant to your particular circumstances.

To the full extent permitted by law the Federal, State, Territory and Local Governments, their employees and agents do not accept any liability for any reason, including without limitation, liability in negligence, to any person for the general information which is provided herein, or in respect of anything, including the consequences of anything done, or not done, by any such person in whole or partial reliance upon the information.