Australian Privacy Act

Simple, practical steps to meet Australia’s privacy law

The Australian Privacy Act sets the standard for how organisations collect, use, and protect personal information. BrightShield makes it achievable for small businesses, without the complexity of enterprise solutions.

Benefits

Why the Privacy Act matters

It’s the law

If your business has an annual turnover over AUD $3 million, or falls into certain categories (like health services or trading in personal data), you must comply.

Protects your customers

Strong privacy practices show people you respect their rights and keep their data safe.

Avoids penalties and risk

The Office of the Australian Information Commissioner (OAIC) can impose significant fines for non-compliance.

Builds stronger trust

Meeting Privacy Act obligations boosts confidence with customers, partners, and regulators.
How We Help

BrightShield takes the complexity out of Privacy Act compliance.

Pre-Built Policy Templates

Compliant privacy policies, data protection rules, breach procedures, and more — ready to adapt.

Step-by-Step Guidance

Clear guides for handling access and correction requests, responding to breaches, and managing cross-border data disclosures.

Quick Wins First

We highlight easy improvements — like publishing a privacy policy — that make the biggest difference.

Progress Tracking

See where you stand against the 13 Australian Privacy Principles and track improvements over time.

Evidence Storage

Keep request logs, breach notifications, and vendor agreements in one secure place.
Why us

The BrightShield Advantage

Your partner in making Privacy Act compliance simple, practical, and achievable. We give you clear steps, smart priorities, and steady progress — so you can protect data with confidence.

Practical, not overwhelming

We turn the Privacy Act legal obligations into plain, actionable tasks.

Built for small businesses

BrightShield is designed for smaller teams, making the biggest impact with the resources you already have.

Confidence, not just compliance

Go beyond avoiding penalties. Build trust and resilience with privacy practices that last.

Frequently asked questions

What is the Australian Privacy Act?
The Privacy Act 1988 is Australia’s main privacy law. It includes 13 Australian Privacy Principles (APPs) covering how organisations handle personal information — from collection and use, to storage, disclosure, and access rights.
Does the Privacy Act apply to my business?
Small businesses with turnover under $3 million that don’t handle sensitive personal data, trade in data, or provide health services are usually exempt.

The Privacy Act applies to all Australian businesses with an annual turnover above AUD $3 million. It also applies to your small business (or non-profit) with less than $3 million annual turnover if you:

  • Provide health services (e.g. GPs, physios, psychologists, aged care).
  • Trade in personal information (buying, selling, or disclosing for a benefit).
  • Are a contractor to the Australian Government.
  • Are a credit reporting body, or related to one.
  • Issue or handle Tax File Numbers (TFNs).
  • Are a private sector employee association (like a trade union).
  • Run residential tenancy databases.
  • Provide services under the My Health Record system.
What are the Australian Privacy Principles (APPs)?
The 13 Australian Privacy Principles (APPs) are:
  • APP 1 – Open and transparent management of personal information
    You must have a clear, accessible privacy policy and manage personal information openly.
  • APP 2 – Anonymity and pseudonymity
    Individuals should have the option to remain anonymous or use a pseudonym where practicable.
  • APP 3 – Collection of solicited personal information
    Only collect personal information that is necessary and lawful for your business activities.
  • APP 4 – Dealing with unsolicited personal information
    If you receive personal information you didn’t ask for, you must decide if you can keep it lawfully — otherwise, you need to destroy it.
  • APP 5 – Notification of the collection of personal information
    When collecting personal information, you must tell people what you’re collecting, why, and how it will be used.
  • APP 6 – Use or disclosure of personal information
    You can only use or disclose personal information for the purpose it was collected, unless an exception applies.
  • APP 7 – Direct marketing
    Limits how personal information can be used for direct marketing — and gives individuals the right to opt out.
  • APP 8 – Cross-border disclosure of personal information
    If you send personal information overseas, you must ensure the recipient protects it to the same standard as the Privacy Act.
  • APP 9 – Adoption, use or disclosure of government related identifiers
    Businesses generally cannot use identifiers like Tax File Numbers or Medicare numbers as their own.
  • APP 10 – Quality of personal information
    You must take reasonable steps to ensure personal information you collect, use, or disclose is accurate, up-to-date, and complete.
  • APP 11 – Security of personal information
    Reasonable steps must be taken to protect personal information from misuse, interference, loss, and unauthorised access — and to destroy or de-identify it when no longer needed.
  • APP 12 – Access to personal information
    Individuals have the right to access their personal information, and businesses must provide it on request (with some exceptions).
  • APP 13 – Correction of personal information
    If personal information is inaccurate, incomplete, or outdated, individuals have the right to request corrections — and organisations must take reasonable steps to update it.
How hard is it to comply with the Privacy Act?
It depends on your starting point. Publishing a privacy policy and setting up unsubscribe options can be simple. Building processes for access requests, breach reporting, and vendor management requires more effort. BrightShield makes it easier by giving you templates, playbooks, and a clear roadmap.
What happens if I don’t comply?
The Office of the Australian Information Commissioner (OAIC) can investigate complaints, issue determinations, and impose significant penalties — especially for serious or repeated breaches. Non-compliance can also harm your reputation and customer trust.
How does BrightShield support Privacy Act compliance?
BrightShield helps you meet your Privacy Act obligations with:

  • Policy templates mapped to the APPs.
  • Playbooks for access requests, breach response, and data handling.
  • Quick wins to close gaps fast.
  • Evidence tracking to show compliance.
Let's Talk

Privacy compliance, made simple

BrightShield gives you the policies and procedures you need to meet the Australian Privacy Act, protect personal information, and build trust with your customers.