Australian Privacy Principles
The thirteen Australian Privacy Principles are the operational requirements of the Privacy Act 1988 — the specific obligations that determine how organizations must handle personal information at every stage.
The Australian Privacy Principles (APPs) are thirteen legally binding principles contained in Schedule 1 of the Privacy Act 1988. They govern the complete lifecycle of personal information handling: APP 1 (open and transparent management), APP 2 (anonymity and pseudonymity), APP 3 (collection of solicited personal information), APP 4 (dealing with unsolicited information), APP 5 (notification of collection), APP 6 (use and disclosure), APP 7 (direct marketing), APP 8 (cross-border disclosure), APP 9 (government-related identifiers), APP 10 (data quality), APP 11 (data security), APP 12 (access to personal information), and APP 13 (correction of personal information).
The engineering-critical APPs are APP 3 (limiting collection to what is reasonably necessary), APP 6 (use and disclosure only for the primary purpose or with consent), APP 8 (cross-border transfer protections), APP 11 (security safeguards against misuse, interference, loss, and unauthorized access), APP 12 (providing access within 30 days), and APP 13 (correcting inaccurate data). Each creates specific system capabilities: collection controls, purpose limitation in data pipelines, transfer agreements, security architecture, access request workflows, and correction propagation across all data stores.
APP 11 is the most frequently litigated Australian privacy principle. It requires organizations to take reasonable steps to protect personal information from misuse, interference, and loss, and from unauthorized access, modification, or disclosure. The OAIC has consistently found that "reasonable steps" means more than perimeter security — it includes encryption at rest and in transit, access controls with least privilege, vulnerability management programs, and staff training. Organizations that have suffered breaches have faced OAIC findings that their APP 11 measures were not reasonable even when the security architecture appeared conventionally adequate.
We implement the Australian Privacy Principles at the data architecture level — designing collection controls that enforce APP 3 data minimization, building purpose limitation into data pipeline logic, implementing APP 11 security through encryption and access controls, and creating APP 12/13 access and correction workflows as system capabilities. Our APP implementations are designed for OAIC examination and prepare for the enhanced APP obligations in the proposed Privacy Act reforms.
Compliance-Native Architecture Guide
Design principles and a structured checklist for building software that is compliant by default — not compliant by retrofit. Covers data architecture, access controls, audit trails, and vendor due diligence.