Why this matters for your practice
The Australian Privacy Principles are the operating rules of the entire privacy regime. Almost every privacy obligation a practice has, from having a privacy policy to securing patient records to letting patients access their own information, traces back to a specific APP. Because the small-business exemption does not apply to health service providers, all 13 apply to every Australian medical and allied health practice, regardless of size.
Treating the APPs as a structured set, rather than a vague duty to "respect privacy," makes it far easier to see whether your practice is actually compliant.
The 13 principles, grouped
The APPs are usually grouped by the stage of information handling they cover:
- Consideration of personal information privacy (APP 1 to 2): having an open and transparent privacy policy, and allowing anonymity or pseudonymity where practical.
- Collection (APP 3 to 5): only collecting what you need, collecting it lawfully and fairly, dealing with unsolicited information, and notifying people when you collect their information.
- Dealing with personal information (APP 6 to 9): using and disclosing information only for permitted purposes, rules for direct marketing, cross-border disclosure, and the handling of government identifiers.
- Integrity (APP 10 to 11): keeping information accurate and, critically for health practices, taking reasonable steps to secure it (APP 11).
- Access and correction (APP 12 to 13): giving individuals access to their own information and correcting it when it is wrong.
The principles that bite hardest in healthcare
- APP 11 (security): the duty to take reasonable steps to protect personal information underpins your obligations around data breaches.
- APP 3 and 5 (collection and notice): health information is sensitive, so it generally needs consent to collect and a clear collection notice.
- APP 12 (access): patients have a right to access their health records, within set timeframes.
Common mistakes
- A privacy policy that exists but is generic, not reflecting how the practice actually handles information (APP 1).
- Weak security treated as an IT issue rather than an APP 11 legal duty.
- Refusing or delaying record access requests beyond what APP 12 allows.
Frequently Asked Questions
What are the Australian Privacy Principles?
The Australian Privacy Principles are 13 principles in the Privacy Act 1988 that set out how organisations must handle personal information, covering collection, use, disclosure, security, access, and correction. They apply to all Australian healthcare practices because the small-business exemption does not cover health service providers.
How many Australian Privacy Principles are there?
There are 13 Australian Privacy Principles. They are grouped into themes covering transparency, collection, use and disclosure, the integrity and security of information, and individuals' rights to access and correct their own personal information.
Which Australian Privacy Principle covers data security?
APP 11 covers security. It requires organisations to take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. For healthcare practices, APP 11 underpins their obligations under the Notifiable Data Breaches scheme.