Publish a Privacy Policy compliant with APP 1
Every APP entity needs a clearly-expressed Privacy Policy covering APP 1.4 requirements.
Who must comply
All APP entities. If the small business exemption is removed in a future reform tranche (proposed, not yet law), ~2M additional businesses would be captured.
What triggers it
Being an APP entity that handles personal information.
When due
Before collecting personal information. Reviewed regularly.
Evidence required
Published Privacy Policy with version history.
Max penalty
Civil penalties up to $50M for serious or repeated interferences with privacy
Summary
APP 1.3 requires every APP entity to have a clearly-expressed and up-to-date Privacy Policy. APP 1.4 prescribes minimum content: kinds of personal information collected, how it is collected and held, purposes, disclosure (including overseas), complaint handling, and access/correction processes. Policies must be made freely available.
Enforced by
Source legislation
Industries
Topics
Related obligations
- CWLTHNotifiable Data Breach (NDB) schemeUnder the NDB scheme, APP entities must notify the OAIC and affected individuals of an eligible data breach likely to cause serious harm — assessed within 30 days.
- CWLTHAPP 3 collection of sensitive informationAPP 3 bars collecting sensitive information — health, race, religion, sexual orientation and more — without consent. What counts as sensitive, the exceptions and penalties.
- CWLTHProvide an APP 5 collection notice at or before collectionAPP 5 requires notice of identity, purposes, recipients, consequences of not providing info, and where Privacy Policy lives.
- CWLTHAPP 8 cross-border disclosureBefore disclosing personal information overseas, APP 8 requires reasonable steps so the recipient meets the APPs — unless an exception applies. Steps and exceptions.
- CWLTHAPP 12 & APP 13 access and correction requestsIndividuals can ask to access (APP 12) and correct (APP 13) the personal information you hold — the strict response times, allowable refusals and how to comply.
- CWLTHAPP 7 direct marketingAPP 7 restricts using or disclosing personal information for direct marketing and requires a simple opt-out — when it applies, the exceptions and penalties.
Frequently asked questions
- Who must comply with Publish a Privacy Policy compliant with APP 1?
- All APP entities. If the small business exemption is removed in a future reform tranche (proposed, not yet law), ~2M additional businesses would be captured.
- What triggers Publish a Privacy Policy compliant with APP 1?
- Being an APP entity that handles personal information.
- When is Publish a Privacy Policy compliant with APP 1 due?
- Before collecting personal information. Reviewed regularly.
- What is the maximum penalty for Publish a Privacy Policy compliant with APP 1?
- Civil penalties up to $50M for serious or repeated interferences with privacy
- What evidence is required for Publish a Privacy Policy compliant with APP 1?
- Published Privacy Policy with version history.
Source: https://oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-quick-reference. Rules Mate is not a law firm. Always verify against the live regulator source before acting.