Australian Privacy Principles (APPs)


The Privacy Act 1988 (Cth) contains 13 Australian Privacy Principles (APPs) which outline how applicable entities must handle, use and manage personal information. These principles are legislative requirements and hold legal force.

The LPA Guide to the Australian Privacy Principles provides guidance on how the APPs generally apply to LPA Members, which can be accessed by logging on to the Members' Area.


  • The Australian Privacy Principles (APPs) apply to all private sector and not-for-profit organisations with an annual turnover of more than $3 million, and most Australian Government agencies. The APPs do not apply to state, territory and local government entities. Most of these jurisdictions have privacy principles in place for government entities which are similar to the APPs.

  • The APPs do not apply to small businesses with an annual turnover of less than $3 million, unless they trade in personal information. LPA recommends that organisations not bound to comply with the APPs should use the APPs as a best practice guide for managing personal information.
  • The only person who ‘owns’ personal information is the individual to whom the information belongs. No organisation (producer, venue, ticketing company etc.) owns the personal data of consumers.
  • Personal information can only be collected by organisations where it is reasonably necessary for one or more of the organisation’s functions or activities. Personal information can only be provided by the individual it relates to (and not a third party), unless it is unreasonable or impracticable to do so.
  • Individuals can choose to deal with organisations anonymously or under a pseudonym, except in instances where it is impractical for the organisation to deal with individuals who have not identified themselves.
  • Organisations must inform individuals of their privacy and data collection practices, such as what information is collected, how the information is used, and whether information is likely to be disclosed to overseas recipients. This may be partially or wholly covered by developing a privacy policy made available to individuals free of charge (e.g. online).
  • Personal information can only be used or disclosed for the specific purpose it was collected, except when the individual has consented to or would reasonably expect that the personal information would be used for a secondary use or disclosure.
  • Organisations must take reasonable steps to protect personal information from a range of risks, such as but not limited to misuse, interference or loss.

  • Organisations may use personal information (other than sensitive information) about an individual for direct marketing purposes if the individual has consented to or would reasonably expect that their personal information would be used for direct marketing, and the organisation has provided a simple means for the individual to opt-out of receiving direct marketing communications.
  • Organisations can use personal information collected by third parties (e.g. venue or ticketing company) or share personal information with third parties (e.g. promoter) for direct marketing where consent to use or disclose the information for this purpose has been provided by the individual.
  • Organisations must only collect sensitive information (e.g. racial or ethnic origin) about an individual if the individual consents to the collection and the information is reasonably necessary for the organisation’s functions or activities, or an exception applies.

Should you have any queries in regard to the Australian Privacy Principles (APPs), please contact the LPA Policy Team.